I do think it would be appropriate to limit the number of posts any user can submit in a short period of time, both across threads and in any single thread. Looking at the many spam messages that have been hitting the system lately, they seem to come in batches, with many messages posted a little more than a minute apart before a lull and then seeing the pattern again. While adding logic to combat the spammers may inconvenience, at times, legitimate users of the site, I believe most would give up a little convenience for the sake of getting rid of the spam schlock.

The following ideas are presented as a launching point for a discussion/consideration of options. They are not a be all/end all list. However, the first one may really be the best.

Ideas:

• Prevent any new user from posting unless they have a valid, populated Inventory. It could be as simple as one card, or could require that a set number of cards be listed.
• Limit the number of posts any user can submit in a set timeframe (e.g., not more than one every two minute, not more than three in five minutes).
• Impose CAPTCHA verification on multiple posts in a set amount of time.
• Impose CAPTCHA verification on all posts.
• Start requiring more interactive steps before accounts are considered active and eligible for posting messages.
• Send an email message requiring user action if a threshold number of posts is made in a set period of time.
• Develop a user flagging system for spam posts. If a threshold number of spam flags are submitted against a single user account in a defined window of time, the system automatically blocks the account and flags existing posts for review. Alternatively, if enough spam reports are recorded, the system could delete all content under that user's account.

The second and last options seem like the best in my opinion. The first option just seems like it would be more of an annoyance than anything to spammers. All they have to do is correct the issue and add a seemingly legitimate inventory, before continuing their mayhem.

Most spammers use automated tools to register for accounts and to send messages. Throw in any sort of manual process, and it stops the lion's share.

Which is why I suggested before to adding a CAPTCHA in the registration form.

I've seen option 2 work elsewhere, but 2 minutes is too long. 1 minute seems to be the standard from what I've seen. Option 1 is also a great idea. Using both will probably get rid of the majority of the spam issues...spambots won't make it past the second option, and any human spammers will just move on if they have to wait a minute between posts.

I really like option 1. For now, we've banned some user patterns, and it seems under control. If it flares again, we'll look into this idea.

Captchas are very annoying and don't always work. We've added them on the "Email user" page after someone made a script that emailed users with spam messages, and it worked exactly 1 day :). Granted, it was a simple captcha plugin, not powered by reCaptcha or the other bigger ones, but still... I have the feeling that it just annoys users with little non-guaranteed benefit.