Prevent profile spam on your Moodle site

by Martin Dougiamas -
Number of replies: 4
One of the most common security issues that we see in Moodle sites is profile spam.

Profile spam is primarily a problem on sites with the combination of these two settings:
  1. email authentication is enabled, allowing people to self-create an account on the site
  2. the admin setting forceloginforprofiles is disabled, allowing anyone to see and link to user profiles
Some older versions of Moodle had these as default.

The problem with these settings is that spammers can create a page on the Moodle site which they can fill with links and pictures of porn and other nasty stuff. This in turn comes up in Google searches for those things, and is used to boost ratings of porn sites or hacking sites designed to take over your personal computer. Note that this content is designed for people using search engines, and is usually not available from within the Moodle site itself (since spammers don't join any courses), so users and admins are usually not even aware their site is having this problem.

Please pass the word to all Moodle admins that you know to check these Moodle site settings and make sure their sites are not vulnerable to profile spam. Email authentication should be disabled if not needed, and if it can't then forceloginforprofiles should definitely be enabled.

Please also use our spam-cleaning tool to scan your site to find affected profiles and delete them. This page in the docs has more details: Reducing_spam_in_Moodle or ask for help here.
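As an added example (not part of the original post or of Moodle's own spam-cleaning tool), here are two queries a Moodle admin can run straight against the site database to check for the combination of settings described above and to list the kind of profiles it produces. They assume the default "mdl_" table prefix and the Moodle 2.x column names for mdl_config, mdl_user and mdl_user_enrolments; on 1.9 the self-registration flag lives in the "auth" list rather than "registerauth", and enrolments are recorded as role assignments instead, so adjust accordingly.

```sql
-- Added example, not from the original thread: two checks a Moodle admin can
-- run directly against the site database. Assumes the default "mdl_" table
-- prefix and the Moodle 2.x schema (mdl_config, mdl_user, mdl_user_enrolments);
-- adjust the prefix and column names for your version.

-- 1. Are the two risky settings combined?  Profile spam is possible when
--    self-registration uses the email plugin (registerauth = 'email', or on
--    1.9 the 'auth' list contains 'email') while forceloginforprofiles = '0'.
--    The reCAPTCHA keys show whether the extra bot check is configured at all.
SELECT name, value
  FROM mdl_config
 WHERE name IN ('auth', 'registerauth', 'forceloginforprofiles',
                'recaptchapublickey', 'recaptchaprivatekey');

-- 2. Candidate spam profiles: self-registered accounts that carry links in
--    the profile text or web-page field but were never enrolled in any course,
--    which is the pattern the post describes. Review the hits before deleting;
--    a genuine user who registered and never enrolled matches the same filter.
SELECT u.id, u.username, u.email, u.timecreated,
       SUBSTR(u.description, 1, 120) AS description_start
  FROM mdl_user u
 WHERE u.auth = 'email'
   AND u.deleted = 0
   AND (u.description LIKE '%http%' OR u.url <> '')
   AND NOT EXISTS (SELECT 1
                     FROM mdl_user_enrolments ue
                    WHERE ue.userid = u.id)
 ORDER BY u.timecreated DESC;
```

If the first query returns registerauth = 'email' (or 'email' inside the auth list) together with forceloginforprofiles = '0', the site is in the vulnerable configuration; fix the settings first, then use the second query (or the spam-cleaning tool linked above) to find and remove the profiles that were planted while it was open.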
In reply to Martin Dougiamas

Re: Prevent profile spam on your Moodle site

by Leadership 101 -

Wonderful information. This is a great forum. Thank you so much for creating it to keep us informed of these very important matters. For more information to help with this very important matter, see the following article.

http://www.tes.co.uk/article.aspx?storycode=6007883 

In reply to Leadership 101

Re: Prevent profile spam on your Moodle site

by Ulrike Montgomery -
A lot of our schools still have version 1.9.3 (for at least another week) - does activation of reCAPTCHA prevent profile spam?

Thanks for the info,

Ulrike
In reply to Ulrike Montgomery

Re: Prevent profile spam on your Moodle site

by Mauno Korpelainen -

Not alone. "ReCAPTCHA is quite effective against most automated spambots, but will not foil human spammers at all". ( http://docs.moodle.org/en/Reducing_spam_in_Moodle )

Those settings that Martin mentioned are most effective. Still, even if your site needs to have email-based self-registration enabled, setting forceloginforprofiles on and activating reCAPTCHA makes "normal" profile spam almost impossible - or at least useless.

In reply to Mauno Korpelainen

Re: Prevent profile spam on your Moodle site

by Marcus Green -
One way to test if your site has been the target of profile spammers is to use Google (or the search engine of your choice) to do a site-specific search on your own site for the likely words (i.e. t e e n, v 1 agr a, etc.). I ended up changing the size of one of the profile fields to 1 character so they could poke in whatever they wanted but it got silently thrown away. It gave me a certain bizarre pleasure in the idea of these folks putting up their lurid links, clicking save and the system silently just discarding it.