Forums » SEPHP Help and Tips

Is Social Engine 2019 Ready?

    • 626 posts
    November 3, 2018 5:26 PM EDT

    Hi everyone,

    I hope all is well with you.

    The one thing that drew me away from Social Engine, the only thing I'd consider a deal breaker, is the constant bombardment of spam bots. The reason why I ask if Social Engine is ready in 2019 is due to there being no plugin currently capable of checking IP addresses prior to making a wasted ID in our databases.

    I've briefly switched to the competition, PHPFox, Dolphin Pro, IPBoard, VBulletin etc to see if they offer these types of services for their products. Finding out that they do indeed have this, I still believe in terms of core functionality Social engine has the backend of a saint in comparison to that of an ancient and outdated software. I'm telling you if it wasn't for cloud services, the competition wouldn't have a leg to stand on. Social Engine is that good.

    Despite the front end appeal of certain platforms, I keep coming back to a more stable foundation with SE. The only chink in the armor that I see, is the lack of implementation from anybody concerning IP verification tools for SE members. Even if it's a core update, I'll install it. I'm currently facing a community crossroads. Without spam protection on the IP level, or disposable email address detection, I can't say I will be using SE until this happens. It's an absolute must to block spam bots before they join. Especially people using proxy servers, not so much VPN's but people who hide behind an IP known for disruption at the time of a blacklist check in the past 7 days. There's tons of services out there which provide this. Integrating a few of them directly into SE core needs to be a top priority for someone to do. Otherwise, web admins will be spending too much time online manually deleting individual posts left over in the forums when a spam bot comes on to post bomb the site every 5 minutes.

    We shouldn't need to approve accounts just to manually check for disposable email addresses or IP addresses. Not when we have enough IP checking to do for sign in attempts in our login history. If you don't think those don't add up, they do. And we need automatic log management for IP controls built in to the software to be able to get a handle on things like this for 2019. I wonder if it's possible to do something like that without resorting to a DNS service to offload Http and Https traffic requests directly to Social Engine. As this will significantly delay legitimate people who frequently browse our sites.

    Other than that, good to see people still come here and post. I pop in and say hi every so often. Welcome to the new folks. And it's nice to see you returning folks again.

    • Moderator
    • 5919 posts
    November 4, 2018 3:34 AM EST

    The SE script comes with Google recaptcha integrated. It's one of the best ways to filter spam but there are other tools as well. You can use project honeypot (there's a certified plugin), cloudflare and other tools for now. I use project honeypot (my own integration) and cloudflare on my sites. 

    We do have anti-spam improvements coming though. 

    However your requests are not in the correct format or forum section if you have specific anti-spam feature requests.

    • 626 posts
    November 10, 2018 9:17 AM EST

    Thanks for the info. I appreciate it. And I didn't really know Honeypot existed and was backed by Cloudflare either. I thought it was just another partially formed spambot database like stop forum spam, Akismet, etc. As I don't know what ones to trust and what ones not to, as they all do the same thing, I don't see a lot of information online in terms of which ones cover the most ground in terms of bot eliminations. All I know is that even the SE demo site is getting bombed. That's how bad it is. And I don't want to deal with that. Nor do I want to put up with having to make sure my social Engine third party spam detection software is up to date. Like I know Hire Experts made a  Honey Pot plugin and they don't update very often. Knock on wood they're now reposting certified apps in the marketplace now, which is awesome, and more than I can say for Radcodes. I just hope we get a core update soon. We need this so badly.

    I'll consider putting in a feature request also. There's a few other things I wish at some point could be built into core and so this is one of several, but it is at the very top of my list.

    Speaking of members, I'm still waiting for an official newsletter from SE delivered to my email. Tag me if you think of it :). I'll come back when you call me.

    • Moderator
    • 5919 posts
    November 11, 2018 5:02 AM EST

    The SE demo is not getting bombed. I see 3 spam posts. That hardly qualifies as bombed. Note that it doesn't even have recaptcha enabled so it's hard to compare that one to anything. I don't get bombed with spam at my SE site. We do need to have other antispam options though.

    Official newsletter? You aren't getting the newsletters when they go out? Or, are you looking for a different notice perhaps? Let me know please. :)

    • 626 posts
    November 11, 2018 6:06 AM EST

    I get what you're saying about the bombing. but on a example configuration, I was proving that it can happen. I wouldn't normally classify 3 as a bomb, but I would classify 1 as a proof of concept.

    That proof of concept will run rampant on sites that don't have active administration tending to profiles. You can see it on this network. And that one has admins loggin in every day. I've seen it gone so bad I wouldn't even post there for awhile. Truthfully I haven't because their implementation of modules and SE is so basic, it kind of makes Ning admins look experienced. I feel guilty because I was the one who got them on to SE from dolphin pro, previously word press, previously drupal. A script which, actually is fremium and has implementations to block this stuff completely already built in. I see that basically especially since 2017, this problem has just gotten way more intense and it effects SE core globally.

    You want to know how I'm aware of that? the second a domain becomes popular, it gets crawled by third party services. Some spam bots regularly crawl third party services for links to new sites. If you have generally speaking a third party listing for your domain on other sites, that traffic goes with the domain. And so, even if you change website configurations and scripts, you still get the automated page views. On the one hand, I like it that bots can access the site because of the IP addresses which regularly visit from the different countries making the content more visible. On the other hand, I don't want said bots to have read write access, just read only. They can do whatever they want with public content in my opinion. I just don't want to see Chinese elevator ads in blogs so poorly put together, they used 15 different languages filtered through Microsoft Translator to then be put through an article spinner and sent out to the internet. Word Press has become so rampant with spam bots, they have their won special kind of bots that pretend to act as real users to comment on blogs, and then spam them. When I say pretend to be real users, I mean the types of comments where they say this post is so cool there's nothing else like it on the net, love your site and here's mine. So, my point being, is that because word press is a free product, I expect their systems to be sold as is. One of the things of a paid product I appreciate, is people being able to leave that stuff behind when you start forking out money for a professional site. It should, in theory, come with the professional method of spam bot detection to go with it. Unfortunately, I can't say that any of the competition is doing any better. PHPFox still has this problem, and because the first page on a PHPFox installation is always the sign up form, it gets post bombed as well. Social Engine, because the first links are sign up and sign in, has less of that but still they get in even when captcha is enabled. Disabling it just brings them on all the more. And you can see that they hit every form they can, by using some code function to try to look for them. Join form, contact form, login form, good god don't get me started on the 200000 requests in a month I got from my own site just for failed login requests from random Spam Bot proxies.

    I thought by migrating to PHPFox that until SE came up with core functionality to handle this issue, I'd be safe. Nope. I wasn't. Then I upgraded to a dedicated server. then I hadn't counted on the server costing as much as it did and since I only got paid once a month, they canceled it due to my billing date being out of sync. So I'm starting over completely from scratch, again, with a new system and my requirement with SE at this point, is that things just work. The first thing I notice when I do a fresh install, is that music and groups packages fail to completely extract, the latest versions of which in the admin dashboard. The more pressing matter, is that of the default install. the second I redirected my domain, I couldn't get to the join form to enable captcha fast enough and they still kept spamming the contact form with it enabled. the page views were great, but the consequence of great page views, is a site which just promotes spam and people who get annoyed with having to sift through fake posts to find real ones in the activity feed. Since PHPFox already failed me with their cache system, I decided that what I was going to do, is go to TMD hosting, cancel my Name Cheap account, start over with a script that I can import a .csv file of my member accounts into and hopefully until SE core releases automatic spam bot and proxy IP detection, find a script that works for people but not for bots to post to so easily. That's my only issue right now. My goal is to have the next SE version out sooner rather than later. I've already purchased the module to import people via PHPFox. It's just a hop skip and a jump away to migrate back to SE from there. I know that other third parties offer .CSV imports but I don't want to pay twice for the same product as I'm already flat broke after paying for an additional 3 dedicated servers, plus one refund from oVH, and an on-going one with Name cheap. Essentially, this isn't your fault, but it's your product and I need a bit of team effort to fix this particular concern of mine since it is a fresh start on a platform that, when I started my community, never had the spam bot issue it does today.

    Hope that helps explain the situation.

    • 626 posts
    November 11, 2018 6:11 AM EST

    As for the newsletters, I'm not getting anything. I have to view the blog to see any news.

    • Moderator
    • 5919 posts
    November 12, 2018 5:03 AM EST

    I only get one or two spammers at my site which is a very low rate. Nothing will be 100% spam free unless it's invite only. 

    For newsletters, if you marked to unsubscribe from any site notifications in the email itself, that's from Sendgrid and would have unsubscribed you from everything. If you didn't do that or if you still get notifications from here, then perhaps your newsletter subscription needs to be renewed. Try signing up for it again.

    • 626 posts
    November 12, 2018 5:25 AM EST

    That's a good idea. I'll sign up again and see if it solves the issue. I didn't know they were regularly sent out.

    Invite Only would work but the invite tool is so basic, that it can't even detect address books or choose what email the invitation comes from. I wish this was a thing. The 10 email address limit works for smaller sites though, and if invited members had a special process to follow that wasn't as long as the regular new member sign up process, this would also help matters. IMO

    You're right in that no site can be spam free. But if you take a look at the ones that bots regularly visit, it's because their IP isn't detected as a proxy or blacklisted by a third party database automatically that checks for spam bot usage.

    I'll take another good look at Honey pot. It may be just what I need. If only it were a mixture of databases though, that would be even better.

    • Moderator
    • 5919 posts
    November 12, 2018 5:29 AM EST

    Stopforumspam is another good integration. It also doesn't work to block them all though but at my ScriptTechs' forum which uses vanillaforums as I don't need a community there, it works and shows me reports. Maybe get an expert to make a plugin for that if there isn't one in the certified mp already. I don't see a feature request to add that. 

    • 626 posts
    November 12, 2018 7:46 AM EST

    Worst case scenario, I make a custom DB plugin that gets data from another database and so when people sign up for the third party database, the spam bot plugin checks that system as well. I need a barrier between bots and real people, something a computer program will recognize as a checking tool of sorts.

    I'll send in the feature request for ip blacklist, stop forum spam, akismet,, anti hacker alliance, and others. Perhaps social Engine Add Ons can just simply make one social auth plugin and have them be included in it.

    • 71 posts
    November 26, 2018 3:34 AM EST

    Hey Elshara. Sorry I've missed your initial post

    Like I know Hire Experts made a  Honey Pot plugin and they don't update very often.

    Honeypot is actually our plugin (WebHive). It is not being updated because it just works. We use it with every custom project because it saves lots of moderation time. 


    Please note there is no magic solution that will save you against all spammers or abusers online. But this plugin does save from the majority of automated spam signups (which are 95%-100% case in the projects I see). It does not work on IP level neither it uses any external databases or services.

    The trick is on signup it changes the standard fields. Majority of spam bots scan forms and fill out everything that looks like mandatory fields ('email', 'name', etc). This plugin changes the names of required fields to some random names, but keeps dummy input fields with names that appear to be required for bots.

    We generate ~20+ of such fields, which are hidden for real users using 3 different techniques. So regular users don't see a thing and don't need to bother with complicated captcha.

    The plugin uses the same technique for the contact form. It's a default plugin we install for every client we work for. We even had other 3rd party developers purchasing it for their demo setups. As it's cheaper to purchase it than to build a custom solution.