Spam prevention help?

Spam? What is this spam you speak of? We're allowing guests to post on Socially Uncensored and we've been spam free. :D
Spam? Bring on the bots.

It's that last item on your list that's probably put the coup de grace on guest spammers. KeyCaptcha did the same for me when I re-introduced it on my 1.1.4 & 1.1.5 sites.

I might have to try XF-QapTcha instead of KeyCaptcha. Personally I find KeyCaptcha easier for a human to solve than ReCaptcha, but newbies encountering it for the first time are sometimes intimidated.

I'm waiting first to see how 1.2 does out of the box (w/ SFS & Akismet keys) before I tack on anything else.
 
Hey guys, I'm using the customIMGcaptcha at the moment but it seems like bots are still getting through it. I'm also using Xenutilities and the RegFormTimer, but it seems like these aren't preventing bots from coming through... unless these are human-registered bots. What's the best way to keep these bots at bay?

If you use FoolBotHoneyPot you will know if the users that are getting past your ImageCaptcha are bots or not, for instance you will have stats on each image ...

This is why they integrate well together.

If the bots are getting through your Q&A then they aren't written very well.
Have a look at my Q&A on Partisan Lines and then look at the status update spam I'm getting, and explain that to me. I just deleted a few hundred spams from the last week, but there's loads more in there.

QA or customImageCaptcha will all be beaten at some time (regardless of how well written they are). Once a bot user fails the CAPTCHA, the bot user will often go back to some of the sites, and manually answer the CAPTCHA, they then store the answer in a local text file (textcapctha.txt)... this is then shared centrally on a database for all bot users to use (so you see, there is no such thing as a well written QA ... all will be beaten eventually, QA alone is like playing a game of Russian Roulette). A QA is a ticking time bomb, but that time bomb has already been lit. QA can work at stopping 100% of bots until the bot user manually stores the answers (as long as you don't use QA that can be easily solved with logic, or QAs that have been used before). They work really well, and then all of a sudden they let almost 100% bots through, knowing when this happens is important!

Knowing when to replace these QAs or images is important, so FoolBotHoneyPot helps you here, it tells you the % of bot users / human users that fail the CAPTCHA:


dontChange.webp


And for another site here:

botsPass.webp

On the second site you'll notice 2 things:

1) A few humans fail the CAPTCHA (this is because it attracts more users from around the world, which do not all understand the CAPTCHA in English). So, if you do not want to block these users, make sure your CAPTCHA is applicable to your target audience.
2) A couple of bots have passed it... this is not abnormal. All this means is that a user has been detected as a bot, gone back and re-attempted it as a human. On re-attempting, their IP had been recently detected as a bot, so although as a human they solve the CAPTCHA, they are detected as a bot (their IP has recently been used for botting), but their bot attempts still fail (it is not uncommon to detect a few bots via human users that have previously been botting... bot users do go back to your site to figure out why they have failed... this is often when the handful of bot users pass the CAPTCHA).

When you get a high number of bots passing a particular CAPTCHA... this is when you need to change that CAPTCHA.
This will happen often with the core QA, XenForo QA has been targeted, so it is easy to store the answers for the CAPTCHA.
However, CustomImgCaptcha has not yet been targeted and it is much harder to store the answer for each image, since there are many thousand versions of an image per question, and the image location is never the same.

So...
1) CustomImgCaptcha still stands strong at stopping bots, but like QA, you may need to change it (unlike QA, if you use FBHP you will know exactly when this happens)
2) FoolBotHoneyPot can back up your data and tell you exactly when you need to change your CAPTCHA (and still stop 100% of bots even if your CustomImgCaptcha is broken)
3) If your CAPTCHA is still strong against bots, yet you still have spammers, it sounds like your spam users are human spammers ... have you tried a) StopCountrySpam (if applicable) b) StopHumanSpam

All of these are available to try as Free addons in the TAC Pack:
Free version: http://xenforo.com/community/resources/tac-tenants-anti-spam-collection-anti-spam-free-version.1474/
Paid version: http://xenforo.com/community/resour...ollection-anti-spam-complete-collection.1469/

FoolBotHoneyPot currently stops 100% of bots, confirms results with CustomImgCaptcha, can be used with AnyApi... try it from the free pack to see what is happening, if these are human spammers, then you might find that your CustomImgCaptcha is still working fine at preventing bots, so you need to concentrate on human spammers (StopHumanSpam and StopCountrySpam are also available in the TAC packs above)

All I can do is create plugins that stop 100% of bots, or prevent human spam.. it is up to you to
1) Try them (for spam, they are all available to try for free)
2) Figure out what the results mean / read the documentation... The documentation does tell you that it is a good idea to use FBHP and CIC together (since they work hand in hand)
 
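An added example (not from the thread and not FoolBotHoneyPot's code) of the rotation check described in the post above: per-CAPTCHA pass/fail counts split by bot and human, tolerating a handful of bot passes but flagging a CAPTCHA once bots pass it in volume. The record layout, thresholds and function names are assumptions, and the sample attempts are constructed.

```python
from collections import defaultdict

# Constructed sample: (captcha_id, flagged_as_bot, solved_captcha).
# "flagged_as_bot" stands for the verdict of an independent signal
# (for example a honeypot), so it does not depend on the CAPTCHA itself.
ATTEMPTS = (
    [("img-cars", True, False)] * 480 + [("img-cars", True, True)] * 2
    + [("img-cars", False, True)] * 95 + [("img-cars", False, False)] * 5
    + [("qa-colour", True, True)] * 310 + [("qa-colour", True, False)] * 12
    + [("qa-colour", False, True)] * 60
    + [("img-maps", True, True)] * 3 + [("img-maps", False, True)] * 9
    + [("img-world", True, False)] * 200
    + [("img-world", False, True)] * 40 + [("img-world", False, False)] * 25
)

def captcha_stats(attempts):
    """Count bot/human pass/fail outcomes per CAPTCHA id."""
    stats = defaultdict(lambda: dict(bot_pass=0, bot_fail=0, human_pass=0, human_fail=0))
    for captcha_id, is_bot, solved in attempts:
        key = ("bot" if is_bot else "human") + ("_pass" if solved else "_fail")
        stats[captcha_id][key] += 1
    return dict(stats)

def review(attempts, bot_pass_limit=0.10, human_fail_limit=0.25, min_samples=50):
    """Classify each CAPTCHA as 'ok', 'rotate', 'too-hard' or 'insufficient-data'."""
    verdicts = {}
    for captcha_id, s in captcha_stats(attempts).items():
        bots = s["bot_pass"] + s["bot_fail"]
        humans = s["human_pass"] + s["human_fail"]
        if bots < min_samples:
            # Too few bot attempts to judge; a couple of passes is normal.
            verdicts[captcha_id] = "insufficient-data"
        elif s["bot_pass"] / bots > bot_pass_limit:
            # Bots now solve it routinely: answers are likely stored and shared.
            verdicts[captcha_id] = "rotate"
        elif humans and s["human_fail"] / humans > human_fail_limit:
            # Bots are stopped, but so are many real visitors.
            verdicts[captcha_id] = "too-hard"
        else:
            verdicts[captcha_id] = "ok"
    return verdicts

if __name__ == "__main__":
    for cid, verdict in review(ATTEMPTS).items():
        print(cid, captcha_stats(ATTEMPTS)[cid], verdict)
```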
I've heard Q&A does wonders.
o_O For XRumer users, I couldn't agree more
... It has been beaten for a while now, if yours hasn't, then it is only a matter of time for a bot user to manually solve it, then store it for all bot users to pass (Russian Roulette, see above)

Personally I find KeyCaptcha easier for a human to solve than ReCaptcha,
With CustomImgCaptcha you can tell exactly how hard humans find it, since the stats are available. (see above).
It's up to you to customise the images and make it as easy for humans as you can

And just using FoolBotHoneyPot alone, this doesn't get in the way of users at all ... it was designed from the ground up to be "undetectable" by humans, but still stop 100% of bots (until the time it is beaten)
There are no APIs slowing down registration, or giving false positives, and there are no annoying CAPTCHAs to fill (but I have written AnyAPI so, you can add any API you want, but the core provides many of these now)
FoolBotHoneyPot uses many graceful mechanisms at detecting bots (such as customising your registration page, and using many hidden fields). Human users will not even notice the change, but bots will find it incredibly hard to automate against

Source:
... I used to work in corporate Automation and Security, so I don't just deal with one automation application (such as XRumer), I understand the principles of them all, and I understand how it's possible to make life hard for automation (read here to see how FoolBotHoneyPot works)
... I've tested many of the Automation tools
... I have written many anti-spam plugins
... I own the StopBotters API which over the last few months has stopped over 3 million bots and had 0 false positives reported
 
Well I was using Q&A but the problem with Q&A is if you ask a question that has a general answer, it doesn't stop the bot from getting through. I'm surprised the customIMGcaptcha was cracked because that's what I use along with Xenutils and I'm still hit with 1 to 4 bots per day unless they are being registered by a human, I might get the stopcountryspam add-on and just start denying full countries access....

CustomImageCaptcha has not been broken, but as above, it will not stop human spammers / paid posters
I agree, it sounds like 1-4 spammers are human spammers... when bots solve something, they hit you in floods (as we have seen in the past, example: ReCaptcha)
Human spam still exists, I use AnyApi with the StopForumSpam API option to stop many of these, but soon (1.2) you will be able to use this from the core
- If you have the option, StopCountrySpam can stop a large % of human spammers (but don't block countries you don't want to block, if your forum is globally applicable, StopCountrySpam is not an option you should think of using)
- StopHumanSpam can help (without blocking countries)... you can try it from the TAC collection too (link in signature)
 
Uh... maybe because that is a fairly easy one to answer, and is probably in xRumers database. You want something like
On a 2012 Chevrolet Corvette, what was the largest optional engine you could purchase?
That would require a little more digging and most bots would not have that in their database.

Hmm, hard for humans and eventually that will be broken and stored (as will all QA questions), did you know with some bots, it's even possible to automate a Google query for questions, and then use the answers as a hit list (XRumer doesn't need to do this, they simply get the bot users to go back and manually answer the QA questions, they then store the questions in a local textcapctha.txt, the answers are then stored on a central database for all bot users to use)

A far better question is :
Answer the question above

(See what I did there), every text QA of CustomImgCaptcha is the same, the real question is stored in the image... the question in the image can just be arrows pointing to things (so even public OCRs / ANNs can't solve object related questions)

For CustomImgCaptcha,
  • For every image you upload, there are many thousand versions of that image (varying in shade and quality combinations), so if the bot user stores an image and an answer together (which they haven't started doing yet), it is very unlikely they will ever see exactly the same image again (so the bot user can not easily associate an answer with a binary)
  • Every Image you upload, the public images always have a unique URL, this URL has a life time, this URL contains a UUID which changes every time the CAPTCHA is refreshed (so the bot user can not associate a URL with an answer)
  • You can make the Custom Images very easy for humans to answer (yet still very hard for bots). I always use Text Hints in the image question, and these text hints always lead to a very large set of data. But I never show the answer directly in the image, since I am on the paranoid side when it comes to automation (since I know what I can do with automation)
  • You can have stats (when you use it with FoolBotHoneyPot) of exactly how many humans pass it vs fail it (so, regardless of what you may think, you can see how easy your CAPTCHA is for humans to solve)
  • More importantly (when you use it with FoolBotHoneyPot), you can have stats of how many bot users pass it compared to human users (when this day finally happens, ... which it hasn't for any of my images yet, you will know by looking at your stats that you need to change your CAPTCHA image)
 
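An added sketch (not from the thread and not CustomImgCaptcha's code) of the URL property listed in the post above: each CAPTCHA image is served from a random URL that expires and is replaced on every refresh, so neither the URL nor a single stored file maps to an answer. The class, method names, paths and TTL are assumptions.

```python
import secrets
import time
import uuid

class CaptchaUrlStore:
    """Maps short-lived random URLs to one stored image variant (hypothetical design)."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._by_token = {}    # token -> (session_id, variant_path, expires_at)
        self._by_session = {}  # session_id -> token currently valid for it

    def issue(self, session_id, variants):
        """Return a fresh image URL; the session's previous URL stops working."""
        old = self._by_session.pop(session_id, None)
        self._by_token.pop(old, None)
        token = uuid.uuid4().hex           # random UUID, new on every refresh
        variant = secrets.choice(variants)  # one of many renderings of the image
        self._by_token[token] = (session_id, variant, self.clock() + self.ttl)
        self._by_session[session_id] = token
        return f"/captcha/img/{token}"

    def resolve(self, session_id, url):
        """Return the variant to serve, or None if the URL is unknown,
        expired, superseded by a refresh, or belongs to another session."""
        token = url.rsplit("/", 1)[-1]
        entry = self._by_token.get(token)
        if entry is None:
            return None
        owner, variant, expires_at = entry
        if owner != session_id or self.clock() >= expires_at:
            return None
        return variant

if __name__ == "__main__":
    store = CaptchaUrlStore()
    files = ["variants/q7_a.png", "variants/q7_b.png", "variants/q7_c.png"]
    first = store.issue("session-1", files)
    second = store.issue("session-1", files)  # user pressed refresh
    print(first, store.resolve("session-1", first))    # None: superseded
    print(second, store.resolve("session-1", second))  # a variant path
```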
I think Q/A is the best choice if you have an English-speaking forum. You can even type the answer in the question field, bots won't catch it.
 