XF 1.1 1.1.4: Anti-Spam Improvements for Registration

1.1.4 includes some additional anti-spam options for the registration form. These are small enough improvements that they can be done for a 1.1.x release. You will see some deeper integration of additional tools (such as the previously-shown StopForumSpam) in 1.2. As always, targeted attacks may potentially be able to mitigate some anti-spam techniques.

Built-in Registration Timer
A registration timer system is now built into the registration form. For a valid user, they simply cannot submit the form until the time is up. If a person submits the form without waiting long enough, they will need to wait again to submit the registration.



This can be configured in the admin control panel:



Unique Registration Key
This ensures that the registration form must be displayed before any registration can take place, making more work for bots. Each key can only be used once. (This is not a particularly strong protection on its own, but every little bit helps.)

Integration with DNSBLs
There are several DNS Blackhole Lists (DNSBLs) that track spam or malicious IPs (Spamhaus and Tornevall, in particular). These can be queried on registration and if the requesting IP address is found on them, an action can be taken.



In case you're wondering, we've made it much easier to see if there are users pending admin approval as well:



Expect more in the future... :)
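
The registration timer and the single-use registration key described above can be combined in one signed form token. This is an added example, not XenForo's code or part of the original post; the token layout, `SECRET`, `MIN_WAIT`, `MAX_AGE` and the in-memory `_used` set are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: per-installation signing secret
MIN_WAIT = 10                     # seconds the form must be open before submit
MAX_AGE = 3600                    # keys older than this are rejected
_used = set()                     # spent nonces; a real site needs a shared store

def _sign(nonce, issued):
    return hmac.new(SECRET, f"{nonce}.{issued}".encode(), hashlib.sha256).hexdigest()

def issue_key(now=None):
    """Called when the form is rendered; the key goes into a hidden field."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return f"{nonce}.{issued}.{_sign(nonce, issued)}"

def check_key(key, now=None):
    """Called on submit; returns ok, too_soon, expired, reused or invalid."""
    now = int(time.time() if now is None else now)
    try:
        nonce, issued_s, sig = key.split(".")
        issued = int(issued_s)
    except ValueError:
        return "invalid"
    # The timestamp is covered by the MAC, so a client cannot backdate it.
    if not hmac.compare_digest(sig.encode(), _sign(nonce, issued).encode()):
        return "invalid"
    if nonce in _used:
        return "reused"
    # Spend the key on every verified attempt: an early submit then needs a
    # freshly rendered form, which restarts the wait.
    _used.add(nonce)
    if now - issued > MAX_AGE:
        return "expired"
    if now - issued < MIN_WAIT:
        return "too_soon"
    return "ok"
```

The timing check runs on the server against the signed issue time; any countdown shown in the browser is only a hint to the user.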
 
usergroup promotion is a good idea.
However - given the volume of spam we're all facing - I believe we could safely add as a stock feature that the first X messages have all their links with "rel=nofollow". Just a suggestion. People not interested with that simply put "0" in that setting...
 
usergroup promotion is a good idea.
However - given the volume of spam we're all facing - I believe we could safely add as a stock feature that the first X messages have all their links with "rel=nofollow". Just a suggestion. People not interested with that simply put "0" in that setting...

Why not simply make it a usergroup option - so it could be applied to ANY usergroup; maybe you have someone who's spamming a little bit but is otherwise a useful asset to your site - you could put them in a No Follow group and enable this option. Win - win. (y)

[EDIT: I've made it a proper suggestion - click here and like it.]
 
On my installs, the main problem I've got is not really spam, it's people registering just to create backlinks to their online shop, and more and more, SEO/SEM companies registering just to create a single backlink to their customers.

These are humans so the captchas and all don't help. And it's very frustrating because just an hour of online presence is usually all they're asking for (the time for google bot to see their ****)... From what I can see, having all outgoing links "nofollowed" doesn't help because the people creating those links are just students hired to do just that, they don't "view source" on each and every forum/blog they post just to see if it's nofollowing or not...

I hate those companies because they simply steal visibility with fake posts, pretending to be interested in the rest of your content and posting fake questions/feedback with their linked keywords in the middle of the text... They make me sick :) :)

Moderation of the first X posts, as Brogan suggested, is brilliant...
But a hassle; it means moderating 99% of legit posts for those 1% of SEO companies registering...
 
Why not simply make it a usergroup option - so it could be applied to ANY usergroup; maybe you have someone who's spamming a little bit but is otherwise a useful asset to your site - you could put them in a No Follow group and enable this option. Win - win. (y)

[EDIT: I've made it a proper suggestion - click here and like it.]

I have one cure for spammers, useful or not.

ban-hammer.jpg
 
usergroup promotion is a good idea.
However - given the volume of spam we're all facing - I believe we could safely add as a stock feature that the first X messages have all their links with "rel=nofollow". Just a suggestion. People not interested with that simply put "0" in that setting...

All XenForo links posted by non-admins already have nofollow baked into the A tag.
 
Yes I know but it doesn't stop SEO/SEM agencies from registering because they don't have a clue, and they actually don't care (I'm sure google takes their link into account as an additional link, nofollow simply means it shouldn't be followed)
 
Integration with DNSBLs

I do this manually right now: check the IPs of the registrant to see if they are known spammers or spam bots, so I am able to keep them out. What I would like to see developed along with this is something else I do manually: I verify the registrant's email address against spam databases out there like Stop Forum Spam and plain old Google search results.

On a side note, I also contracted with Waindigo to create an International Captcha Statement Q&A that allows my non-English speaking registrants to read the Captcha Q&A. Using Q&A statements has really cut down on the amount of spam requests we get, but I also want to be registrant-friendly for those who are legit but unable to read English; the Internet is international, after all. (y)
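
The DNSBL lookup discussed in this thread, written out as an added example (not XenForo's code and not part of any post): it builds the reversed query name and separates real listings from resolver or service errors. The zone `dnsbl.example`, the sample answers and the fail-open handling are constructed assumptions; the 127.255.255.0/24 error range follows Spamhaus's convention.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")        # DNSBL answers live here (RFC 5782)
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error replies, not listings

def dnsbl_name(ip, zone):
    """Query name: reversed octets (IPv4) or reversed hex nibbles (IPv6) + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """A-record lookup via the OS resolver. NXDOMAIN and lookup failures
    both come back as [] here, so a DNS outage fails open."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_ip(ip, zone, resolve=system_resolver):
    """Return (verdict, answers); verdict is clean, listed or error."""
    answers = [ipaddress.ip_address(a) for a in resolve(dnsbl_name(ip, zone))]
    if not answers:
        return "clean", []
    codes = [str(a) for a in answers]
    # An answer outside 127/8 means a wildcarding or hijacked resolver; an
    # answer in the error range means the list refused the query.
    if any(a not in LOOPBACK or a in ERROR_NET for a in answers):
        return "error", codes
    return "listed", codes

# Constructed sample data so the example runs offline.
FAKE_ZONE = "dnsbl.example"
FAKE_ANSWERS = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],        # listed
    "11.2.0.192.dnsbl.example": ["127.255.255.254"],  # list refused the query
    "13.2.0.192.dnsbl.example": ["198.51.100.1"],     # wildcarding resolver
}

def fake_resolver(name):
    return FAKE_ANSWERS.get(name, [])
```

Treating an error reply as a listing would push every registrant into moderation or rejection whenever the list rate-limits the forum's resolver, so the "error" verdict is worth logging separately from "listed".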
 
This looks good!

Can't wait.

Personally, since converting to XF I have actually seen a slight increase of spam in the past 24 hours compared to previously with my IPboard installation
 
1.1.4 installed fine (it'll be a while before we configure RM for one of our forums). But, with Safari, your Download button in the customer service area remains on screen even after the file is downloaded. :(
 
Do you think the reg timer text needs the JsOnly class? Users who try to register with JS disabled will see "Please wait 10 seconds" forever. The average person would just submit the form anyways, but yeah... Although with the JsOnly class you'd just need to check that registering too quickly also generates an error message for the user? If by chance you have JS disabled and use some sort of browser auto fill, the user might not have any idea why they couldn't register.
I guess this didn't make it in, well no big deal...

Is it possible to have the countdown continue from a previously failed registration instead of restarting? If someone tries to register with an invalid field they now have to wait the full time again. Usually on their second attempt they would likely just need a few seconds to fix a field or two. I imagine the really impatient might just end up saying never mind, I won't register then.
 
Awesome guys, Thank you :)

I've had my site up: http://expertpixels.com for a few days and 80% of the registrations have been "Known Forum Spammers". I was really worried about how / why my site was a target so quickly considering I am still developing it... I do need to find more "Spam Prevention" tips & guides on XF for this... but was shocked to see my site targeted so quickly.

Keep up the good work guys... now XF is over all the lawsuit crap... I'll be getting stuck into XF and will start contributing / helping our other members around here when I can... XF is awesome and to know you guys are really producing solid updates / new features is great to know, makes us "Customers" that much more at ease to know XF is only going to get better and better.

Regards, Darren
 
Integration with DNSBLs

I do this manually right now: check the IPs of the registrant to see if they are known spammers or spam bots, so I am able to keep them out. What I would like to see developed along with this is something else I do manually: I verify the registrant's email address against spam databases out there like Stop Forum Spam and plain old Google search results.
I'm having a serious problem with this right now.

I made registration manual so new users can no longer post spam. However, I'm now getting 50-100 new users registering every day when I check the "users awaiting approval" list. I'm starting to ban IPs but it's a lot of work to check that many e-mail or IP addresses every day only to find out 99% of them are spam.

I'm wondering if I should just block all of Russia/Ukraine/similar since this is where they are coming from. This is even more frustrating since my board isn't really fully operational and only has a few users while I finish working on it. If I was a large board with lots of traffic I could see them having an interest, but I get hardly any traffic right now.
 