XF 1.1 1.1.4: Anti-Spam Improvements for Registration

1.1.4 includes some additional anti-spam options for the registration form. These are small enough improvements that they can be done for a 1.1.x release. You will see some deeper integration of additional tools (such as the previously-shown StopForumSpam) in 1.2. As always, targeted attacks may potentially be able to mitigate some anti-spam techniques.

Built-in Registration Timer
A registration timer system is now built into the registration form. A valid user simply cannot submit the form until the time is up. If a person submits the form without waiting long enough, they will need to wait again to submit the registration.

ss-2013-03-11_16-39-03.webp


This can be configured in the admin control panel:

ss-2013-03-11_16-39-57.webp


Unique Registration Key
This ensures that the registration form must be displayed before any registration can take place, making more work for bots. Each key can only be used once. (This is not a particularly strong protection on its own, but every little bit helps.)

Integration with DNSBLs
There are several DNS Blackhole Lists (DNSBLs) that track spam or malicious IPs (Spamhaus and Tornevall, in particular). These can be queried on registration and if the requesting IP address is found on them, an action can be taken.

ss-2013-03-11_16-43-57.webp


In case you're wondering, we've made it much easier to see if there are users pending admin approval as well:

ss-2013-03-11_16-44-51.webp


Expect more in the future... :)
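The DNSBL check described above, as an added Python example that is not part of the original post and is not XenForo's code. The address is reversed, the list's zone is appended, and the name is resolved. The `dnsbl.example.org` zone, the sample answers and the fail-open choice are assumptions made for the illustration.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Reverse the address (IPv4 octets or IPv6 nibbles) and append the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def dnsbl_hits(ip, zones, resolve=socket.gethostbyname):
    """Return {zone: return_code} for every zone that lists the address."""
    hits = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:
            continue  # NXDOMAIN or resolver failure: treat as not listed (fail open)
        # Listings come back as 127.0.0.0/8 codes. Spamhaus reserves 127.255.255.x
        # for errors (e.g. queries sent via a public resolver); those are not listings.
        if answer.startswith("127.") and not answer.startswith("127.255.255."):
            hits[zone] = answer
    return hits

# Constructed answers standing in for real DNS so the example runs offline.
SAMPLE_DNS = {
    "7.113.0.203.zen.spamhaus.org": "127.0.0.4",
    "9.113.0.203.zen.spamhaus.org": "127.255.255.254",
}

def sample_resolve(name):
    if name not in SAMPLE_DNS:
        raise socket.gaierror("NXDOMAIN")
    return SAMPLE_DNS[name]

if __name__ == "__main__":
    zones = ["zen.spamhaus.org", "dnsbl.example.org"]
    for ip in ("203.0.113.7", "203.0.113.9", "203.0.113.10"):
        print(ip, dnsbl_hits(ip, zones, sample_resolve))
```

An error code such as 127.255.255.254 must not be counted as a listing, otherwise a resolver misconfiguration would flag every registration.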
 
Integration with DNSBLs
There are several DNS Blackhole Lists (DNSBLs) that track spam or malicious IPs (Spamhaus and Tornevall, in particular). These can be queried on registration and if the requesting IP address is found on them, an action can be taken.
This is brilliant news and I'm very glad to see spam prevention being integrated into the core code. I know we're not doing feature suggestions but if you guys are looking at this then it might be worth looking at Http:BL as well.

On a side note it's great to see these posts again :D
 
Just received the email today from XF that mentions this thread in the new coming fixes and additions to 1.1.4 XF.

I understand the lawsuit put a hamper on things but it really makes me happy to see progress being made and emails once again being sent out. Really looking forward to the future of XF and hoping in time I'll finally be able to move my 3.8 vBulletin forums to XF.
 
Well... that didn't last long.

Edit: You also must wait 30 seconds between reporting posts as spam. Might help to reduce that number.
 
I use a registration timer that is set to a very low value, so that it does not block legitimate users. IMHO it's not needed to display a registration timer in such a case. It only bothers legitimate users.
It would be nice if displaying the timer would be an option that admins can choose to set.

Agreed - an option to make the timer visible (linked to the submit button) as well as hidden (based on duration between load and submit) would seem a good compromise
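A sketch of the hidden variant discussed here, combined with the one-time registration key from the first post, as an added Python example that is not XenForo's code. The key is issued when the form is rendered, carries its issue time under an HMAC, and is checked on submit. The names, the token layout and the `MIN_WAIT`/`MAX_AGE` values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-site signing key (assumption of this sketch)
MIN_WAIT = 10                     # seconds the form must stay open (hypothetical value)
MAX_AGE = 3600                    # keys older than this are refused (hypothetical value)
_used = set()                     # spent key ids; a real site needs a shared store with expiry

def _mac(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_key(now=None):
    """Called when the form is rendered: returns 'id.issued_at.mac'."""
    now = int(time.time() if now is None else now)
    body = f"{secrets.token_hex(8)}.{now}"
    return f"{body}.{_mac(body)}"

def check_key(key, now=None):
    """Called on submit: returns 'ok' or the reason the registration is refused."""
    now = int(time.time() if now is None else now)
    try:
        key_id, issued, mac = key.split(".")
        issued = int(issued)
    except ValueError:
        return "malformed"
    expected = _mac(f"{key_id}.{issued}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-signature"      # issue time or id was tampered with
    if key_id in _used:
        return "already-used"       # each key can only be used once
    _used.add(key_id)               # spent even when too early: the form must be reloaded
    age = now - issued
    if age > MAX_AGE:
        return "expired"
    if age < MIN_WAIT:
        return "too-fast"           # submitted before the timer ran out
    return "ok"
```

Because the issue time is signed, nothing has to be shown to the user: the server only compares the submit time against the time embedded in the key.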
 
One simple way to avoid bots signing up is to simply use a password protected folder with either Nginx or Apache. It's a rather simplistic approach but effective at times.
 
I have beaten human spam to better levels than < 1 per day. I'm lucky to see one per month. FoolbotHoneyPot type bot protection at registration, proxy detection that spammers use (not affecting corporate networks), KeyCaptcha image captcha protection, removing ability for new members to post url anywhere until x posts and an additional dual terms and conditions notice prior to being able to post anywhere, with an answer contained in the rules itself on how to continue, forcing a spammer to read.

When you read that, you may think... would a member bother! In essence, the member only sees the image captcha and has to go through the dual terms and conditions process. Legitimate members simply can't post links until x posts, otherwise they only have two methods to pass. No links is the spammers deterrent, because that is what they're all about, cut and paste spam linking to some nonsense.

Spammers have given up... it is more the random blogger who is extremely dedicated in wanting to tell members about their blog... who make it through everything and resort to telling members to Google x, only to be caught by moderators and members directly, the last line of defence.

IMHO, forum software everywhere needs to step up its game on core spam protection options available for admin selection and deployment, as deemed required.

Smaller forums can get away with less. The bigger your forum, the more a target you become.
 
Most people nowadays are quite used to some type of captcha... so that is a given.

My only anomaly is a second confirmation to my terms and conditions prior to posting. URL limitation doesn't stop posting... just people trying to post links. It hasn't stopped legitimate users so far.
 
I use Q+A (changed once every few weeks) and the first five posts are pre-moderated.

It doesn't stop all the spammers but even for the ones that do get through, their posts never make it past moderation so the members never see any spam.
 
On most of the sites I run or manage, Q&A has been completely useless. Manual spammers solve all of them in a day or two every time and there are only so many questions you can use that won't be too hard for legitimate users to solve. The more interesting your site is to spammers, the more likely it is they'll quickly solve every Q&A set you put up so that they can proceed with bots.
 
Please add a CUSTOM IMAGE CAPTCHA that we can use.

For example, if the forum is a car forum, the admin can add a picture of a Ferrari, and then the registrant will tell what kind of car it is.
 
I use Q+A (changed once every few weeks) and the first five posts are pre-moderated.

It doesn't stop all the spammers but even for the ones that do get through, their posts never make it past moderation so the members never see any spam.

I gather you set up some type of usergroup promotion thing for it?
 