How do you deal with your SPAM woes?
I doubt I'm the only person experiencing this, as I've seen the same pattern on several Vanilla-powered forums: an automated-looking spammer coming in and posting about a dozen comments and discussions of crap, usually long lists of links to golf clubs or purses. The volume isn't huge (yet) usually just one spammer every two or three days, but very annoying as the problems are severalfold:
The anti-spam plugins don't work. Or, rather, the blacklist plugin seems to auto-ban a few spammers but the rest get through. And the Askimet plugin will detect the spam but not delete it, even though the "Delete" box is checked. Which is probably a good thing, because it has detected several egregious false positives, strange because I've never seen false positive using Askimet for Wordpress.
The moderator controls aren't honed enough. It's easy enough for me to delete all of the day's spam by purging one user and all of his content, but my moderators have to delete each comment individually, which gets tiring fast. I do trust my moderators, but it seems foolhardy to give out permissions to anyone but myself to delete user records and associated content entirely bypassing edit the edit logs and any opportunity for oversight or recourse. What about a permission that would allow mods to hide all spammer content, but with possibility for reversion?
When I do delete a spammer, the forum is left a mess, with many threads last edited by [Deleted user], and even more problematic, the last updated timestamp isn't reverted to the last real edit. So historical threads are dredged up and float to the top for no reason. It might be worthwhile update to the Vanilla core to revert the "last edited" fields when a user is deleted.
My members are increasingly responding like the ship is sinking every time a wave of spam comes in, even if I reliably remove it within a day. I really wish there was either (a) a more reliable automated solution, or (b) I could safely empower other members to easily bulk-delete spam.
Sorry, I'm not much of a PHP dev, and I hope this plea isn't taken as arrogant with "fix it yourself" sorta replies. I'm just wondering how others may have successfully addressed their spam problems, or whether someone could point out what I'm likely overlooking regarding the problems listed above. Thanks 
Comments
i've only seen a handful of spammers get past the recaptcha and e-mail verification steps.
if you aren't using e-mail verification AND recaptcha, i'd start there.
Vanilla Wiki, Tastes Great! 31,000 viewers can't be wrong. || Plugin Development Explained
I'm using the captcha and the email confirmation (oddly I had to define my own Confirm Email role with the latest install of Vanilla).
It's definitely not a huge number of spammers coming through, but it is annoying, and they all seem to operate similarly...
Does it seem to come from a certain ip octet - you could just block that.
I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.
manual spammer. tend to be malls. you could block post containing their web address name. yes they can change it but it is pain for them.
Also some forums don't allow linking for a x amount of posts. it makes it a real drag for spammers.
Make sure when you delete spammers like this you complete remove all for their post, that is the best way to win.
grep is your friend.
Spam prevention is something that I've been working on a fair amount lately. It seems as though the spam bots have discovered our software and some of the bigger forums we host are getting a lot of spam.
I just uploaded our Akismet plugin to the addons site which is what I use. It can use Akismet or Typad's free anti-spam service.
I'm not sure how this plugin integrates into 2.0.18, but I can help clear up any issues it may have with the current release branch.
Other than that we do the following:
Email verification is very important.
The Stop Forum Spam plugin is always used. We've started lowering its default thresholds to log any registration that has an IP address reported twice.
We wildcard ban blocks of IP addresses if there is a particular problem from a region. This just helps keep spam out of the spam log though.
Manual spam is the issue he is talking about I think. Spam baiting tacks can help.
grep is your friend.
Thanks for all the thoughtful advice, everyone.
@peregrine -- I hadn't thought to log IPs, and I can't look at back-data because entirely purging spammer was the best option... I'll have to start keeping track of that.
@x00 -- Seems that many different domains are linked between different spammers. Not allowing links for a certain number of days might be a good preventative...
@Todd -- Good suggestions, and I'm happy to be trying out your Askimet plugin. How does your plugin automatically delete recognized spam? Does it log deletions? I am concerned about false positives, as several very human and useful posts were marked spam by the other Askimet plugin (Vanilla Anti Spam).
You can install bad-behavior (http://bad-behavior.ioerror.us/) for your client. It helps to block spam and request from bad ip via Project Honey Pot (http://www.projecthoneypot.org/). I am not sure if Vanilla Forum already included this in their forum but they should if they have not.
My forum has been hit previously but it has been easy enough to delete a user and associated posts. However today I was hit for the first time with what appears to be bulk private messages within the forum...which then sends email notification to recipient users. Is it possible to monitor for this or adjust settings so that identical PMs can't be sent more than x number of times? As it stands I'm unaware of this until notified by a user...or in this case many users.
I know this is stating the obvious, but the problem with Open Source and Spam Bots is that there is no barrier between evil Spammer developers (may you all burn) and the common source code running across thousands of sites. Captcha's and Askismet are good services, until the Spammers crack them, then the Spam comes flooding in until those services patch.
To create a Spam Bot, the spammer just has to know the location of the registration page and the form fields. Scripting a "browser" to fill out the form is almost trivial, especially if the get their hands on tools to crack Askismet and Captcha.
One strategy I'm considering (which I've seen done for WordPress), is disabling the standard registration pages and form fields and replacing them with "randomly" named registration page good only for that session and randomized form fields that expire once a registration session is complete.
This trick is the initial link to the registration form: it would have to be "obfuscated" to prevent the bot from just following a registration link like and end user, but the link would have to be readable by humans without any difficulty.
The most effective anti-spam technique I've used for an industry forums is a registration form that includes a question about current industry events with a single-word write-in answer, i.e. QUESTION: "What is the last name of the former head of the FAA who was recently cleared of DWI charges?". This question reduced SPAM to zero percent on my forum.
When the question is cracked, I change it, which I don't mind doing: if a Spammer takes the time to customize his Bot to Spam my forum, it must mean my forum is doing well enough to deserve special attention!
Once the Spammers get in, Vanilla's rate limiting is one of the most effective anti Spam techniques I've seen. Spam may get in, but you can catch it quickly and keep from getting flooded.