XF 1.1 1.1.4: Anti-Spam Improvements for Registration

1.1.4 includes some additional anti-spam options for the registration form. These are small enough improvements that they can be done for a 1.1.x release. You will see some deeper integration of additional tools (such as the previously-shown StopForumSpam) in 1.2. As always, targeted attacks may potentially be able to mitigate some anti-spam techniques.

Built-in Registration Timer
A registration timer system is now built into the registration form. For a valid user, they simply cannot submit the form until the time is up. If a person submits the form without waiting long enough, they will need to wait again to submit the registration.

ss-2013-03-11_16-39-03.webp


This can be configured in the admin control panel:

ss-2013-03-11_16-39-57.webp


Unique Registration Key
This ensures that the registration form must be displayed before any registration can take place, making more work for bots. Each key can only be used once. (This is not a particularly strong protection on its own, but every little bit helps.)

Integration with DNSBLs
There are several DNS Blackhole Lists (DNSBLs) that track spam or malicious IPs (Spamhaus and Tornevall, in particular). These can be queried on registration and if the requesting IP address is found on them, an action can be taken.

ss-2013-03-11_16-43-57.webp


In case you're wondering, we've made it much easier to see if there are users pending admin approval as well:

ss-2013-03-11_16-44-51.webp


Expect more in the future... :)
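
The registration timer and single-use registration key described in the announcement can be combined in one signed token. This is an added sketch, not XenForo's code and not part of the original post; the names `issue_key` and `check_key`, the 10-second wait and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-deployment signing key (assumption)
MIN_WAIT = 10                     # seconds the form must stay open (assumed value)
MAX_AGE = 3600                    # keys older than this are rejected (assumed value)
_spent = set()                    # spent nonces; a shared store in a real deployment


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_key(now=None):
    """Called when the registration form is rendered."""
    issued = int(time.time() if now is None else now)
    payload = f"{secrets.token_hex(16)}.{issued}"
    return f"{payload}.{_sign(payload)}"


def check_key(key, now=None):
    """Called on submit. Returns 'ok' or the reason for rejection."""
    now = time.time() if now is None else now
    payload, _, sig = key.rpartition(".")
    if not payload or not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return "invalid"          # forged, or the form was never displayed
    nonce, _, issued = payload.partition(".")
    if nonce in _spent:
        return "reused"           # each key can only be used once
    age = now - int(issued)
    if age > MAX_AGE:
        return "expired"
    _spent.add(nonce)             # spent on success and on an early submit alike
    if age < MIN_WAIT:
        return "too_fast"         # caller re-renders the form: new key, new wait
    return "ok"
```

Because the issue time is inside the signed payload, a client cannot shorten the wait by editing a hidden field, and an early submit costs the client its key.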
 
Now that 1.1.4 has been around for a while, is there anyone (1) who was flooded with spam last Aug. when Xrumer came out with their update to "support" :rolleyes: XenForo, and (2) who now has very little or no spam in the same forums using only the anti-spam measures in the vanilla 1.1.4 release? And if the answer is "very little", can you quantify that?

What finally checked the spammers for me in 1.1.2 & 1.1.3 was replacing ReCaptcha & challenge questions with KeyCaptcha, but I'm getting legitimate complaints (some from folks I already know) who can't get KeyCaptcha to work. KeyCaptcha is effective, but perhaps too effective.

I have three sites on 1.1.4, but they are all sites with low day-to-day activity. I did observe one apparent spammer try to register unsuccessfully on a newly created site over the weekend. So far I've had zero spam & zero spammers on the 1.1.4 sites, but they're not a fair evaluation.

I'm tempted to update everything to 1.1.4 & ditch KeyCaptcha this summer, but at 11 sites & counting I can't deal with any significant quantity of garbagenous registrations.
 
The blacklist that 1.1.4 can query includes Stopforumspam, which is very effective in my experience. The list is big and updated quickly from what I've seen over the years, and since it's blocking by IP in 1.1.4 it stops bots and human spammers. 1.1.4 also adds a registration timer which can be very effective against bots.

A good captcha will add an additional layer of protection against bots, and is needed in case the blacklist becomes temporarily unavailable. Human spammers that can solve your captcha and happen to have a clean IP can still get through, but they are a minority.

Whether you upgrade to 1.1.4 or not, adding a blacklist to your registration page is highly recommended.
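
How a DNSBL lookup at registration works, including the case raised above where the list is temporarily unavailable. This is an added example, not XenForo's code and not part of any post in this thread; the zone `dnsbl.example`, the sample answers and the function names are constructed. It assumes the usual DNSBL convention that listings answer inside 127.0.0.0/8, and that answers in 127.255.255.0/24 signal a query error (as Spamhaus does) rather than a listing.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")      # conventional "listed" range
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # query-error answers


def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A records for name; [] if it does not exist; None if the lookup failed."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        return [] if exc.errno == socket.EAI_NONAME else None
    return sorted({info[4][0] for info in infos})


def check_ip(ip, zone, resolve=system_resolver):
    """Return 'listed', 'clean' or 'unknown' for one address against one zone."""
    try:
        answers = resolve(dnsbl_name(ip, zone))
    except ipaddress.AddressValueError:
        return "unknown"          # IPv6 or malformed input is not handled here
    if answers is None:
        return "unknown"          # list unreachable: rely on captcha and timer
    if not answers:
        return "clean"
    codes = [ipaddress.ip_address(a) for a in answers]
    if any(c in LISTED_NET and c not in ERROR_NET for c in codes):
        return "listed"
    return "unknown"              # error code or rewritten NXDOMAIN, not a listing


# Constructed answers for a made-up zone, so the example runs offline.
SAMPLE = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],        # listed
    "11.2.0.192.dnsbl.example": [],                   # not listed (NXDOMAIN)
    "12.2.0.192.dnsbl.example": ["127.255.255.254"],  # query refused by the list
    "13.2.0.192.dnsbl.example": ["203.0.113.80"],     # resolver rewrote NXDOMAIN
}


def sample_resolver(name):
    return SAMPLE.get(name)       # a missing key stands in for a timeout
```

Treating every non-empty answer as a listing would block all registrations when the list refuses the query or the resolver rewrites NXDOMAIN; returning `unknown` leaves the decision to the remaining checks.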
 
But that wasn't my question. I know what's in 1.1.4 -- I have three copies of it running.

And it does NOT include StopForumSpam. It does check a SpamHaus blocklist which is very similar.

I want to know how 1.1.4 is actually working for people who were previously hit by large amounts of spam who are running a vanilla copy of 1.1.4 with no other anti-spam addons.
 
And the spammers have found the new forum. :( But they are not registering! :)

In forums that discuss social issues, I get a lot of valuable posts from "guests" (non-registered users). On a 1.1.3 board dealing w/ perverted teachers & sexual abuse, I haven't had any spam (registered user or guest post) for ages. That forum is protected by StopForumSpam & others through the XenUtiles & Deny Country addons, plus KeyCaptcha.

On the new 1.1.4 board (Bakersfield beatdown) I'm getting lots of spam from guest users. I'd suggest adding an option for guest posting to check the DNSBL as well as using Captcha.

My hunch (don't have enough usage to say for sure yet) is that either DNSBL or KeyCaptcha would block most guest spam.
 
The spam posts have increased to 20+ a day, which I have to delete twice: Once when I moderate them (soft delete) and again when I read the real posts in the threads (hard delete).

I'm encouraged that no real spammers have actually registered in my 1.1.4 boards, but I won't be updating any more to 1.1.4 that need to allow guest posting. I simply don't like to spend my time on this stuff.
 
Scratch that part about no real spammers registering ...

For those who claim they've had no spam relying on 1.1.4's spam checks, have you been inspecting newly registered users for profile spam?

Since I created my latest forum on May 10, it's had just over 4.3K pageviews according to Google Analytics but I've already deleted two instances of registration spam & reported them to StopForumSpam. That's one instance of registration spam per 2,163 pageviews or per 363 unique visitors. That's on top of the 20+ instances of guest spam daily.

Both registration spams occurred over this weekend, i.e. they finally found me. :eek:

There's no denying that this is a LOT better than what we experienced with unprotected forums last August, but there's still a problem.
 
What CAPTCHA do you use?
 
Standard ReCaptcha + DNSBL + timer

Might have to revert to KeyCaptcha even though it seems to be discouraging legitimate people registering.
 
Please add Bad Behavior as well, so that bots are blocked based upon user agent, IP and combinations. I'm pretty sure that Michael would be open to the idea of expanding to XF: http://bad-behavior.ioerror.us/
Contact him.

Will XenForo sites report spammers back to the blacklists? It's very beneficial if there is spammer information feedback, so XenForo spammers are quickly blocked across the board.

+1 for Bad Behavior - it does wonders for one of my vb sites.
 
Remove the edit profile permission for new members and allow it using a user group promotion after x posts, etc.
 