XF 1.1 1.1.4: Anti-Spam Improvements for Registration

1.1.4 includes some additional anti-spam options for the registration form. These are small enough improvements that they can be done for a 1.1.x release. You will see some deeper integration of additional tools (such as the previously-shown StopForumSpam) in 1.2. As always, targeted attacks may potentially be able to mitigate some anti-spam techniques.

Built-in Registration Timer
A registration timer system is now built in to the registration form. A valid user simply cannot submit the form until the time is up. If a person submits the form without waiting long enough, they will need to wait again before submitting the registration.

This can be configured in the admin control panel:

Unique Registration Key
This ensures that the registration form must be displayed before any registration can take place, making more work for bots. Each key can only be used once. (This is not a particularly strong protection on its own, but every little bit helps.)

Integration with DNSBLs
There are several DNS Blackhole Lists (DNSBLs) that track spam or malicious IPs (Spamhaus and Tornevall, in particular). These can be queried on registration and if the requesting IP address is found on them, an action can be taken.

In case you're wondering, we've made it much easier to see if there are users pending admin approval as well:

Expect more in the future... :)
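As an added illustration (not XenForo's own code), here is how the three server-side pieces described above fit together: a single-use key minted when the form is rendered, a minimum-age check on that key acting as the registration timer, and the reversed-octet name construction used to query a DNSBL. The timer length, key lifetime and DNSBL zone names are assumed values, and the DNS resolver is injected so the check can be exercised offline.

```python
import ipaddress
import secrets
import time

# Assumed configuration values; XenForo's real option names are not on the page.
MIN_FORM_SECONDS = 10                                      # registration timer length
KEY_TTL_SECONDS = 3600                                     # unused key lifetime
DNSBL_ZONES = ("zen.spamhaus.org", "dnsbl.tornevall.org")  # assumed zone names

# key -> time the form was rendered. A key is removed on first use (single use);
# a real deployment would keep this in the database with an expiry sweep.
_issued_keys: dict[str, float] = {}


def render_form(now=None) -> str:
    """Called when the registration form is displayed: mint a one-time key."""
    key = secrets.token_urlsafe(24)
    _issued_keys[key] = time.time() if now is None else now
    return key


def check_submission(key: str, now=None) -> str:
    """Return 'ok', 'bad_key' or 'too_fast'.

    Every submission consumes the key, so a too-early submit forces the user
    back to a freshly rendered form and a full timer wait, as the post describes.
    """
    now = time.time() if now is None else now
    issued = _issued_keys.pop(key, None)
    if issued is None or now - issued > KEY_TTL_SECONDS:
        return "bad_key"          # never issued, already used, or expired
    if now - issued < MIN_FORM_SECONDS:
        return "too_fast"         # form submitted before the timer ran out
    return "ok"


def dnsbl_query_names(ip: str) -> list[str]:
    """DNSBL convention: reverse the IPv4 octets and prefix them to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    reversed_ip = ".".join(reversed(octets))
    return [f"{reversed_ip}.{zone}" for zone in DNSBL_ZONES]


def is_listed(ip: str, resolve) -> bool:
    """resolve(name) -> True when the name has an A record, i.e. the IP is listed.

    In production wrap a real lookup (e.g. socket.gethostbyname, treating a
    resolution failure as 'not listed'); a fake resolver is used for testing.
    """
    return any(resolve(name) for name in dnsbl_query_names(ip))
```

Listing does not by itself decide what happens next; the action (reject, moderate, or flag for approval) is policy, as the admin option in the announcement makes clear.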
 
So... how long before all the bots just request the registration page, then wait 90 seconds before submitting the response?
 
Awesome stuff Mike! Looking forward to the bright future of XenForo becoming the king of forum software and taking over the world one forum at a time! mwahahaha! :D
 
Cool! The timer stops (edited) slows down both bots and human spammers.
Love the "Users awaiting approval" in the admin bar. It was a pain having to go into the admin panel to check, especially with all the bots.
You should have used a tough Q/A, :D (e.g. the answer is a color from your logo or something, and the person has to spell the color backwards).
 
Cool! The timer stops both bots and human spammers.

You should have used a tough Q/A, :D (e.g. the answer is a color from your logo or something, and the person has to spell the color backwards).

I had that plus admin approval because they were still getting through. :)
 
Cool! The timer stops both bots and human spammers.

How? A human spammer just waits until the expiration is set, then clicks submit. Same as anyone that's legitimately trying to register.

I'm not opposed to the idea of a timer -- I use one already, and it clearly works. But it's also blocked legitimate users (usually on the long end, they wander off, then come back a few minutes later to finish the registration). I'm also unsure how widespread use of timers will work long-term. The scripts should be able to work around them.

Seems like a multi-layer approach would be better. Get good Q/A questions. If the spammer is able to bypass the Q/A, put the other tools into play (check form time, check against StopForumSpam, etc), and if they fail at the second tier, log which Q/A question they solved so that you as an admin know which one to replace with a stronger question.
 
Seems like a multi-layer approach would be better. Get good Q/A questions. If the spammer is able to bypass the Q/A, put the other tools into play (check form time, check against StopForumSpam, etc), and if they fail at the second tier, log which Q/A question they solved so that you as an admin know which one to replace with a stronger question.


I like that idea.
 
How? A human spammer just waits until the expiration is set, then clicks submit. Same as anyone that's legitimately trying to register.

I'm not opposed to the idea of a timer -- I use one already, and it clearly works. But it's also blocked legitimate users (usually on the long end, they wander off, then come back a few minutes later to finish the registration). I'm also unsure how widespread use of timers will work long-term. The scripts should be able to work around them.

Seems like a multi-layer approach would be better. Get good Q/A questions. If the spammer is able to bypass the Q/A, put the other tools into play (check form time, check against StopForumSpam, etc), and if they fail at the second tier, log which Q/A question they solved so that you as an admin know which one to replace with a stronger question.

You'll be replacing them on a regular basis then. The latest bot software contains a file of answers to Q&A login requirements. Once you change it, the new answer will eventually end up in the bot software.
 
I like that idea.

I'm using XenUtiles with the template edit Jaxel posted so that his add-on works this way.

His script caught thousands and thousands of spam registrations. Some hit the form timer, some were posted on one of the blacklist sites, etc. But I did the template change and noticed that some were still getting through to the XenUtiles checks (and failing there).

Without any real way of knowing which questions were the problematic ones, I had to do some guessing as to which ones I thought were machine-solvable. I replaced those and haven't had a spammer get past Q/A since then. That was on Feb 18.
 
You'll be replacing them on a regular basis then. The latest bot software contains a file of answers to Q&A login requirements. Once you change it, the new answer will eventually end up in the bot software.

And that's fine -- because the power dynamic remains firmly on the side of the admins. If you come up with 20 decent Q/A questions, they've got to cycle through your list, solve them, and then add them to the database. If your logs show they've solved a question, it's trivial to reword it and change the answer.

Not only that, but they're likely still failing at the second tier, where you're checking against the spam databases, form timers, etc, etc.
 
Is there a feature for users who delay their account confirmation? Sometimes a user will just register, wait for a month, and then finalize their registration. An option to automatically delete an account if the user fails to confirm it within X day(s) would be good; XenUtiles has an option for that...
 
Is there a feature for users who delay their account confirmation? Sometimes a user will just register, wait for a month, and then finalize their registration. An option to automatically delete an account if the user fails to confirm it within X day(s) would be good; XenUtiles has an option for that...

I would LOVE this, especially since there's no easy way to mass manage users in the ACP.
 
Good to see more measures against spam. If possible, XF could come with http://www.solvemedia.com (make a deal?). It seems to block most of the bots at our forums, and the admin can make some money with it as well (the CAPTCHAs are advertisements).
 