XF 1.2 Advice on dealing with spammers


Well-known member
Hello everyone,

I need some advice from some of more experienced users who deal on a regular basis with spammers.
Personally, I think XF 1.2 has amazing improvements. So far, I did the following things:
1) Stop Forum Spam: Reject registrations when 1 warning flag is detected
2) Enabled DNSBL honeypot API key and blocked the registration
3) Enabled Akismet

Thank you for letting me know what other steps I should take and if you think is appropriate the 1 warning flag for SFS. I would also like to know if there is a way to automatically mark a properly registered user as spammer and report it. You can spot easy those users, they have weird nicknames and email addresses (i.e. GiuseppeMqrf etherealtroupe493z20@outlook.com).
Last edited:


Well-known member
What I do is use captcha phrases. A simple one. They will eventually guess it, you clean up spam and update your captcha phrase to something different. That should keep them out for a week or two.


Well-known member
Hi Mike,

I'm pretty sure you got a fair amount of common phrases. Could you post few examples, especially regular expressions? Thanks.


Well-known member
What happens if the addon is not developed anymore or simply abandoned?
I prefer to stick with supported solutions only.
It's already been abounded as you can see. However, members of the software are fixing it since they use it themselves. As long as it works for me, I would fix it for future releases if anybody else wouldn't do it before me.

I've just found that all the "supported" solutions are either an hassle for users or just don't work. I was really skeptical about xf-qaptcha, but this add-on is just brilliant by any means in regards to spammers.


Well-known member
Add mandatory custom profile fields that require new users to fill in why they want to join your website and ask various tidbits relating to the forum topic. For example if you have a forum about cars, ask what their favorite cars are.
This will allow you to easily identify real users. Especially if you manually approve accounts.

There is a lot of benefit to manually approve accounts, because it stops almost everything at the door instead of creating a lot of work from spammers having running wild.

Ban all temporary / fake email domains.

I swear by Bad Behavior, but currently this is not supported yet.


Well-known member
I have some good news. So far, rejecting registrations when 1 warning flag is detected combined with DNSBL honeypot and Akismet produced 100% spam free results. I did not have a single spam registration for last 2 days. I used to get on a daily basis at least 50 spam accounts.

After upgrading to 1.2, I deleted over 7,000 spam accounts awaiting validation.


Well-known member
Quick question: If I batch update users, select the Ban option and click on Delete at the bottom, will this actually report the users? My goal is to automate the reporting of spammers, while deleting their accounts at the same time.


Well-known member
I'm going to rephrase the question, as is probably not clear.
If I batch update users, first by banning them permanently then delete them, will they be reported?


Well-known member
No. They will only be reported via the spam cleaner.
But what if they don't create any spam posts? How do I spam clean them? I still get daily registrations like:
AdelineCa tastefulfinancetjd2@outlook.com

I want to report and delete those users. What is the proper way to do it?
The reporting method has to be made easy as is the only way we can report spammers.
Last edited: