XF 1.1 1.1.4: Anti-Spam Improvements for Registration

1.1.4 includes some additional anti-spam options for the registration form. These are small enough improvements that they can be done for a 1.1.x release. You will see some deeper integration of additional tools (such as the previously-shown StopForumSpam) in 1.2. As always, targeted attacks may potentially be able to mitigate some anti-spam techniques.

Built-in Registration Timer
A registration timer system is now built-in to the registration form. For a valid user, they simply cannot submit the form until the time is up. If a person submits the form without waiting long enough, they will need to wait again to submit the registration.

[Screenshot]


This can be configured in the admin control panel:

[Screenshot]


Unique Registration Key
This ensures that the registration form must be displayed before any registration can take place, making more work for bots. Each key can only be used once. (This is not a particularly strong protection on its own, but every little bit helps.)

Integration with DNSBLs
There are several DNS Blackhole Lists (DNSBLs) that track spam or malicious IPs (Spamhaus and Tornevall, in particular). These can be queried on registration and if the requesting IP address is found on them, an action can be taken.

[Screenshot]


In case you're wondering, we've made it much easier to see if there are users pending admin approval as well:

[Screenshot]


Expect more in the future... :)
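
The timer and the single-use registration key described in the post above can both be enforced on the server side. The following is an added sketch, not XenForo's code and not part of the original post; the signed-token format, the names `issue_key` and `check_submission`, and the 10-second and one-hour settings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-site signing key (assumed)
MIN_WAIT = 10      # seconds the form must stay open (assumed setting)
MAX_AGE = 3600     # keys older than this are refused (assumed setting)
used_keys = set()  # consumed keys; a real site would persist and prune these

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_key(now=None):
    """Called when the registration form is rendered."""
    issued = int(time.time() if now is None else now)
    payload = f"{issued}.{secrets.token_hex(16)}"
    return f"{payload}.{_sign(payload)}"

def check_submission(key, now=None):
    """Return (accepted, reason) for a submitted registration key."""
    now = int(time.time() if now is None else now)
    parts = key.split(".")
    if len(parts) != 3:
        return False, "malformed"
    issued, nonce, sig = parts
    expected = _sign(f"{issued}.{nonce}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad_signature"   # never issued by this site
    if key in used_keys:
        return False, "reused"
    used_keys.add(key)  # single use, even when the attempt is rejected below
    age = now - int(issued)
    if age > MAX_AGE:
        return False, "expired"
    if age < MIN_WAIT:
        return False, "too_fast"        # re-render the form with a fresh key
    return True, "ok"

if __name__ == "__main__":
    key = issue_key(now=1000)                  # constructed timestamps
    print(check_submission(key, now=1003))     # submitted after 3 s
    print(check_submission(issue_key(now=1003), now=1015))
```

Because a rejected key is consumed, an early submission has to start the wait again with a newly rendered form, which matches the behaviour the post describes.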
 
Please add Bad Behavior as well, so that bots are blocked based upon user agent, IP and combinations. I'm pretty sure that Michael would be open to the idea of expanding to XF: http://bad-behavior.ioerror.us/
Contact him.

Will XenForo sites report spammers back to the blacklists? It's very beneficial if there is spammer information feedback, so XenForo spammers are quickly blocked across the board.
 
A registration timer system is now built-in to the registration form. For a valid user, they simply cannot submit the form until the time is up. If a person submits the form without waiting long enough, they will need to wait again to submit the registration.
Do you think the reg timer text needs the JsOnly class? Users who try to register with JS disabled will see "Please wait 10 seconds" forever. The average person would just submit the form anyways, but yeah... Although with the JsOnly class you'd just need to check that registering too quickly also generates an error message for the user? If by chance you have JS disabled and use some sort of browser auto fill, the user might not have any idea why they couldn't register.
 
Built-in Registration Timer
A registration timer system is now built-in to the registration form. For a valid user, they simply cannot submit the form until the time is up. If a person submits the form without waiting long enough, they will need to wait again to submit the registration.

This may stop spammers from trying to register frequently! :) AWESOME!

And I'm lovin' the other features, too!
 
So... how long before all the bots just request the registration page, then wait 90 seconds before submitting the response?

This depends on whether all the other forum software has the same features. If there is some easy picking elsewhere, the writers of the sw are likely to stay lazy for awhile. Plus, the folks that buy that sw may not want to update, etc.

My sense is that most don't care when reg. fails - as long as they harvest some others! So maybe the final solution would be a bunch of easily crackable "chaff" boards out on the net which they can think they have broken into!

Until then, there are probably tens of thousands installing free forums every month...that they can target!
;)

And, when they do step through one hoop, the good guys will come up with something else.

Craig
(winning the war on spam since 1995)
 
My sense is that most don't care when reg. fails - as long as they harvest some others! So maybe the final solution would be a bunch of easily crackable "chaff" boards out on the net which they can think they have broken into!
That's why I'm happy about the timer. I get many registration requests on CODForums on a daily basis, sometimes in a large chunk of quantity.
 
Excellent anti-spam methods, proven to work with existing add-ons here.

Nice to see any update from XF - thanks Mike!
 
No, you misunderstand. He didn't mean that this functionality of xf 1.1.4 works among other spam addons, but simply states that addons already can do what 1.1.4 can do and that well.
Oh. :notworthy:

I was not aware that there are add-ons that have some of these features, so my bad. :oops:
 
@Mike (or someone in the 'know'): Is there a timeout setting for checking the blacklists? You don't want the registration to hang if they're having server issues.

Also wouldn't a neater solution to the timer simply be to reject the registration if completed within X seconds? This way the average user won't notice a timer even exists
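
The DNSBL lookup discussed in this thread, with a bounded wait so a slow or unreachable list cannot hang registration, as an added sketch (not XenForo's code and not part of any post). The zone `dnsbl.example`, the `sample_resolver` data and the 2-second default are constructed for illustration.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as LookupTimeout

def dnsbl_name(ip, zone):
    """DNSBL query name for an IPv4 address: reversed octets, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_dnsbl(ip, zone, resolve=socket.gethostbyname, timeout=2.0):
    """Return 'listed', 'clean' or 'unknown' without blocking past `timeout`."""
    name = dnsbl_name(ip, zone)
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        answer = pool.submit(resolve, name).result(timeout=timeout)
    except socket.gaierror as exc:
        # Name does not exist: the address is not on this list.
        return "clean" if exc.errno == socket.EAI_NONAME else "unknown"
    except (LookupTimeout, OSError):
        return "unknown"   # list unreachable or slow: do not hang the form
    finally:
        pool.shutdown(wait=False)
    if answer.startswith("127.255.255."):
        return "unknown"   # some lists answer in this range for query errors
    return "listed" if answer.startswith("127.") else "unknown"

def sample_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    table = {"55.2.0.192.dnsbl.example": "127.0.0.2",
             "9.2.0.192.dnsbl.example": "127.255.255.254"}
    if name not in table:
        raise socket.gaierror(socket.EAI_NONAME, "name not known")
    return table[name]

if __name__ == "__main__":
    for ip in ("192.0.2.55", "192.0.2.56", "192.0.2.9"):
        print(ip, check_dnsbl(ip, "dnsbl.example", resolve=sample_resolver))
```

What to do with `unknown` is a site policy choice, for example letting the registration through or sending it to manual approval.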
 
Also wouldn't a neater solution to the timer simply be to reject the registration if completed within X seconds? This way the average user won't notice a timer even exists
That would potentially confuse people signing up as they wouldn't understand why the Sign Up button was greyed out.
 