XF Spam Mitigation

Joined
Apr 16, 2011
Messages
868
I've posted this before, and I'll do it again:

What I did was:

- Turned on the StopForumSpam mitigation (with code as pictured above)
- Turned on the HoneyPot mitigation (with code as pictured above)
- Turned on the Akismet mitigation (with code as pictured above)

So, even if the spam or human spam gets through the first 3 walls, I either ban the account or delete the account. But first, I IP ban, and discourage the user so the user does not come back.

Sometimes, I ban the IP range of certain countries, like Pakistan, India, and whatnot. (xxx.*)

I then e-mail ban the e-mail wildcard (*@example.com for example - and yes, there was a user with "@example.com" on it)

I have not seen that much spam in months or years now. Now it's all down to the users whether they really want to post or not. :)

I never blacklist words because some spammers do jewelry, some spammers do drugs, some spammers do website scams, etc. Hard to keep up with, so I just manually take care of things as they come.

All of this works on both XF1 and XF2.
 

we_are_borg

Tazmanian
Joined
Jan 25, 2011
Messages
5,964
Chris D, spam fighting is never one-solution-fits-all. For one, QA works; for others, not so much, but more automation is needed, like I said above. Has XF looked into the system IPS uses? It's very good; I think people would welcome a system like that.
 

eva2000

Habitué
Joined
Jan 11, 2004
Messages
1,830
Our spam cleaner is configured to move spam threads to a special private forum we have, so we can review the contents from time to time, look for patterns, and adjust spam phrases accordingly.
Would love to use the TPU Spam Detect addon features added to native XF 2.0 :) I also use an addon which forces new members to be able to post only in one specific forum first (Intro forum) before they can post elsewhere, and XF 1.5 native spam mitigation works when spammers try to post. In 4+ yrs I've only had 2 or 3 spam posts make it through the TPU Spam Detect + forced 1st post combo where the actual spam posts were visible to members!

https://xenforo.com/community/resources/tpu-detect-and-block-spam-registrations.2973/
 

Mouth

Enthusiast
Joined
Oct 3, 2009
Messages
199
If you have any suggestions for effective questions
As is probably applicable to any site, anything that is publicly available on the site. Eg.
  • How much is a Xenforo License?
  • Is a free demo available?
  • How many days is the free demo available for?
  • What is the minimum version number of PHP supported by Xenforo?
  • What is the name of 1 of the 3 XenForo official add-ons?
  • etc ...
 

Slavik

Participant
Joined
Apr 22, 2011
Messages
92
As is probably applicable to any site, anything that is publicly available on the site. Eg.
  • How much is a Xenforo License?
  • Is a free demo available?
  • How many days is the free demo available for?
  • What is the minimum version number of PHP supported by Xenforo?
  • What is the name of 1 of the 3 XenForo official add-ons?
  • etc ...

Those sorts of questions would get solved in a day, max. Being the provider of the software, we are monitored by the devs of the spambots to see what measures we implement etc.; the moment a bot didn't get past the Q+A on xf.com, the spambot devs would be looking at why and submitting the answer results back to their Q+A database.
 

Mouth

Enthusiast
Joined
Oct 3, 2009
Messages
199
Those sorts of questions would get solved in a day, max. Being the provider of the software, we are monitored by the devs of the spambots to see what measures we implement etc.; the moment a bot didn't get past the Q+A on xf.com, the spambot devs would be looking at why and submitting the answer results back to their Q+A database.
Or, you change it once you're alerted or realise that it's been circumvented (refer), and after a week or so the cat and mouse game is finished because they realise it's not worth it anymore.
 

Russ

Administrator
Joined
Oct 20, 2011
Messages
1,402
I mean this seems like a human spammer so QnA wouldn't do much good.

https://prnt.sc/kd7mip looks like they missed their ctrl-v (paste)?

How about if the account is newer than X days and posts more than X times in a period of X minutes all their posts are sent into mod q?
 

djbaxter

Tazmanian Veteran
Joined
Jun 6, 2006
Messages
10,465
I mean this seems like a human spammer so QnA wouldn't do much good.

https://prnt.sc/kd7mip looks like they missed their ctrl-v (paste)?

How about if the account is newer than X days and posts more than X times in a period of X minutes all their posts are sent into mod q?
That's the point I've tried to make a few times.

There may be many options, some better than others, for dealing with bot spam. But for human spammers, if they're not already listed in anti-spam databases, it really doesn't matter whether you use reCaptcha, noCaptcha, Q&A, or any other method: they will get through and you'll have to catch them after the fact. That's what admins and moderators are for.

It doesn't make sense to me to make registration or posting more of a chore for non-spammers in some heroic effort to try to catch human spammers before they post. The last thing we want to do these days is discourage legitimate members on any forum.
 

Chris D

XenForo Developer
Joined
Aug 23, 2012
Messages
873
Just to give you guys an update, Kier, Mike and I have done quite an in-depth analysis today of the recent increase of spam and we've observed a few things.

The first one to note is that the spam absolutely does appear to be from human spammers, so, unfortunately, changing our captcha method is only going to serve to annoy genuine users more than slowing down any automated spammers.

The second is that we've identified a bug in XF2 which meant that some spam checks were not being performed as we expected. This is now fixed and rolled out at XF.com so expect to see a reduction in visible spam tomorrow.

The third is that we've identified an opportunity to implement an optional, additional flood timer that applies specifically to the creation of new threads. This will mean that instead of the default flood limit timer of 30 seconds, we could have a much higher value for thread creation, therefore slowing their ability to create new threads. This is in development now and will be available to everyone with the release of XF 2.0.10.

Finally, we're going to implement something specific to XF.com (for now). It may progress into a fully fledged feature (perhaps XF 2.1) depending on how effective it is. It's not really anything that has been mentioned here but it might be a way to reduce the amount of "damage" a spammer can do.
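The two rate-based ideas in this thread, Russ's "new account that posts more than X times in X minutes goes to the moderation queue" and Chris D's separate, higher flood timer for thread creation, can be written down as one small policy check. The code below is an added illustration, not XenForo's own implementation or the addition Chris D describes: only the 30-second default flood timer comes from the thread, and every other threshold (7 days, 3 posts, 10 minutes, 300 seconds for threads) is an assumed placeholder for the "X" values. Accounts and timestamps are constructed in the `simulate()` function.

```python
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Policy:
    """Tunable limits. reply_flood_seconds=30 is the XF default mentioned in the
    thread; all other values are assumed placeholders, not XenForo settings."""
    reply_flood_seconds: int = 30     # default flood timer for replies
    thread_flood_seconds: int = 300   # assumed higher timer for new threads
    new_account_days: int = 7         # "newer than X days"
    burst_posts: int = 3              # "more than X times"
    burst_window_minutes: int = 10    # "in a period of X minutes"


@dataclass
class Account:
    name: str
    registered: datetime
    post_times: list = field(default_factory=list)   # accepted/moderated posts
    last_action: dict = field(default_factory=dict)  # "thread"/"reply" -> datetime


def flood_wait(account: Account, action: str, now: datetime, policy: Policy) -> int:
    """Seconds the account must still wait before this action; 0 means allowed.
    Threads and replies keep separate timers, so a higher thread limit does not
    slow down ordinary replies."""
    limit = policy.thread_flood_seconds if action == "thread" else policy.reply_flood_seconds
    last = account.last_action.get(action)
    if last is None:
        return 0
    elapsed = (now - last).total_seconds()
    return max(0, math.ceil(limit - elapsed))


def is_new_account(account: Account, now: datetime, policy: Policy) -> bool:
    return now - account.registered < timedelta(days=policy.new_account_days)


def burst_count(account: Account, now: datetime, policy: Policy) -> int:
    """Number of posts this account made inside the trailing burst window."""
    window_start = now - timedelta(minutes=policy.burst_window_minutes)
    return sum(1 for t in account.post_times if t >= window_start)


def submit(account: Account, action: str, now: datetime, policy: Policy) -> str:
    """Decide what happens to a post attempt: 'flood' (rejected by the flood
    timer), 'moderate' (accepted into the moderation queue) or 'accept'."""
    if flood_wait(account, action, now, policy) > 0:
        return "flood"
    account.last_action[action] = now
    account.post_times.append(now)
    if is_new_account(account, now, policy) and burst_count(account, now, policy) > policy.burst_posts:
        return "moderate"
    return "accept"


def simulate() -> dict:
    """Constructed scenario: a one-day-old account and a long-standing one
    each post in a burst; only the new account ends up in the queue."""
    policy = Policy()
    t0 = datetime(2018, 8, 1, 12, 0, 0)
    fresh = Account("fresh", registered=t0 - timedelta(days=1))
    veteran = Account("veteran", registered=t0 - timedelta(days=400))
    results = {
        "fresh": [
            submit(fresh, "thread", t0, policy),                          # accept
            submit(fresh, "thread", t0 + timedelta(seconds=60), policy),  # flood: 300 s thread timer
            submit(fresh, "reply", t0 + timedelta(seconds=60), policy),   # accept: reply timer is separate
            submit(fresh, "reply", t0 + timedelta(seconds=80), policy),   # flood: 20 s < 30 s
            submit(fresh, "reply", t0 + timedelta(seconds=91), policy),   # accept: 3 posts so far
            submit(fresh, "reply", t0 + timedelta(seconds=122), policy),  # moderate: 4 > 3 in window
        ],
        # same burst from an old account: flood timer applies, burst rule does not
        "veteran": [submit(veteran, "reply", t0 + timedelta(seconds=31 * i), policy) for i in range(4)],
    }
    return results


if __name__ == "__main__":
    for name, decisions in simulate().items():
        print(name, decisions)
```

The flood timer only slows a spammer down; the burst rule is what limits the visible "damage", because the fourth post of a fresh account lands in the queue instead of on the board while an established member posting at the same rate is left alone.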
 

we_are_borg

Tazmanian
Joined
Jan 25, 2011
Messages
5,964
Chris D, it will always be a battle; every measure that XF takes can be defeated. It's good that you are looking into it and addressing the issues head on.
 

zappaDPJ

Moderator
Joined
Aug 26, 2010
Messages
8,450
It doesn't make sense to me to make registration or posting more of a chore for non-spammers in some heroic effort to try to catch human spammers before they post. The last thing we want to do these days is discourage legitimate members on any forum.

I agree. I've encountered many sites that make it really hard to register and post. I've even seen one that had it lock up so tight it was impossible. The owner admitted he had started to wonder why he'd had no new registrations during the last two+ years... o_O
 

Alpha1

Administrator
Joined
May 28, 2007
Messages
4,268
If you have an information oriented site then it can make sense to ask users to fill out their profile fully. The users unwilling to do so are unlikely to put effort in posting quality.

Once you have filled in custom & default profile fields you can do automatic analysis and flag accounts that meet suspect criteria. I have a custom addon that does this for me. I'm pretty happy with the functionality as it has a very high rate of blocking spammers.
 

djbaxter

Tazmanian Veteran
Joined
Jun 6, 2006
Messages
10,465
I do use a couple of custom profile fields that are required on registration.

One is location, which you can match against IP.

One of the things this does is help check for bot registrations or people who don't have the English language level to participate in your forum. If you get nonsense or gibberish or simply inappropriate information in the custom fields, that helps to raise a flag.

But I moderate all new registrations. If you don't do that, it probably wouldn't help a lot until after the fact.
 

Alpha1

Administrator
Joined
May 28, 2007
Messages
4,268
But I moderate all new registrations. If you don't do that, it probably wouldn't help a lot until after the fact.
We used to moderate all new registrations, until we found out that problematic accounts almost always meet certain criteria. These are sent to moderation. So instead of moderating hundreds of accounts a day, we now moderate only a small number.

IMHO what XF needs is advanced criteria for sending new registrations to the moderation queue.
 

Shawn Gossman

Tazmanian Master
Joined
Dec 16, 2005
Messages
8,191
In all honesty, I think manual approval is the way to go. Require that they fill out a textarea explaining why they want to join. I betcya, you will catch most spammers before they can infiltrate the forum. And manual approval may sound scary but it really isn't if you are visiting your forum on a day to day basis. It is easy for one person to manage for a smaller community. If you have a bigger and much more active forum, that is where dedicated staff members come into play to help you with manual membership needs.

Manual membership is even better than security questions ;)
 
Joined
Apr 16, 2011
Messages
868
Ya know, I don't know why people overlook that in xenForo, there are other CAPTCHA options in ACP > User Registration. There's reCAPTCHA, QnA CAPTCHA, textCAPTCHA, Solve Media, and KeyCAPTCHA. I use Solve Media because it has more options than just regular CAPTCHA. It doubles as an ad, so every time you type in, you get a commission for impressions or key-type-ins. In fact, there's a revolving door of CAPTCHAs that not every Spammer or Human Spammer will 'get.'

With Solve Media, the "ads" also take time to show you the answer or ask the question that relates to the CAPTCHA, so therefore, there's that "cooldown" or delay.
 

haqzore

Devotee
Joined
Dec 6, 2012
Messages
2,654
In all honesty, I think manual approval is the way to go. Require that they fill out a textarea explaining why they want to join. I betcya, you will catch most spammers before they can infiltrate the forum. And manual approval may sound scary but it really isn't if you are visiting your forum on a day to day basis. It is easy for one person to manage for a smaller community. If you have a bigger and much more active forum, that is where dedicated staff members come into play to help you with manual membership needs.

Manual membership is even better than security questions ;)
First - glad to see you posting again. Been meaning to say that but never got around to it.

As for manual approval - I think it's a mistake in today's environment. Whether we admins love or hate it - instant gratification (access) is assumed and expected nowadays.

You'd have to wait for applications 24/7 and be ready to approve within moments to meet expectations, and that's impossible. So when the inevitable happens and folks have to wait for hours (day+?) for access, I'm willing to bet you'll lose as many as you keep.

The cost (personal headache + people lost) comes nowhere near outweighing the benefit here, IMO.
 

Shawn Gossman

Tazmanian Master
Joined
Dec 16, 2005
Messages
8,191
I always figure this on manual approval. If you really want to be on a forum, you'll wait. If not, by all means, create your own and 24/7 fight spam until you hate forum admining lol. :D

Many banks (banks that wish to be legit) require a credit check that takes time before they approve a credit card to the requestee. I look at that notion as I look at forums, you want to be a member? Enjoy the wait while we check you out first :D If you don't like it, go with another forum that approves everyone and usually even if by mistake, approves a few 100-poster spam bots as well haha
 

Banxix

Enthusiast
Joined
Jan 13, 2018
Messages
138
Aside from reCaptcha and Q&A, I limit the email domains which they can use, only allowing popular email domains. I create a thread where members can report spammers to staff. Banning and deleting spammers' posts is much faster and easier.
 