• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

XF 1.4 Anti-spam Improvements

Mike

XenForo developer
Staff member
#1
As with many of our previous releases, XenForo 1.4 is adding more options to help prevent spam from being posted on your forum. Our focus here is mostly directed towards preventing automated bot registrations.

Additional CAPTCHA Types
Out of the box, we now support a number of additional CAPTCHA providers:

Text CAPTCHA -- this is a service that provides Q&A style CAPTCHAs like "Which of 47, sixty two, 18 or 59 is the smallest?". Essentially, this isn't really different from the built-in Q&A CAPTCHA system, except this system has a large number of questions built already -- over 180 million. Q&As are potentially easier to solve for humans and have fewer accessibility issues, but the trade off is that they can possibly be machine read and analyzed (if targeted). Nonetheless, this gives another option in the fight against spam.

Solve Media -- Solve Media offers standard image-based CAPTCHAs at varying difficult levels:

ss-2014-07-23_14-19-12.png
ss-2014-07-23_14-19-29.png

They also offers revenue generation options through your CAPTCHA if that's something you're interested in. You can have a look at more of their CAPTCHAs on their demo page.

KeyCAPTCHA -- KeyCAPTCHA uses a puzzle-solving approach to implement a CAPTCHA. When I say a puzzle, I mean that literally:
ss-2014-07-23_14-27-57.png

KeyCAPTCHA has a few different offerings and variations on this theme which you can enable on their site.

All of these new options require you to obtain API keys from the service, so they will need to be explicitly enabled.

IP Checks Against Banned Users
If a user registers with an IP address that was used by a banned user recently, you now have the option to manually approve that registration.
ss-2014-07-23_14-32-06.png

While this option can catch people re-registering after a ban, it is mostly targeted at spammers. It is not uncommon to see a spammer use the same IP to register multiple times. If they have already registered before you clean their spam, the spam cleaner's IP check can detect the other accounts. This approach can catch those additional accounts right as they register.

Registration Form Modifications
No images for this part as nothing should be visually different! :)

The registration form now includes several approaches to interfere with bot registrations, including:
  • Invisible honeypot fields that legitimate users won't see but that bots will (usually) see and fill in. If a value is entered, we know the user is a bot.
  • The honeypot fields are also inserted randomly in multiple places, which can cause the valid fields to be in different positions (internally; visually they are the same). This can interfere with some bot implementations.
  • Field name randomization. Each time the form is viewed, the name of the fields that are submitted to the server varies and thus cannot be predicted by a bot.
Combined, these features will hopefully help prevent bot registrations.

I should note that the best option can be to make your registration form unique. Spam software gets quite a bit of benefit by targeting XenForo as a software: if they're successful, they have something that works on many sites. As such, bot mitigations that we implement in the core become worth defeating for both authors. However, if you make customizations to your site, bots need to be adapted specifically to meet your site's requirements and this isn't necessarily worthwhile for a bot author.

The exact form of these customizations could vary (possibly a custom field with specific requirements or maybe an anti-spam add-on), but the key is to invalidate the assumptions/validity checks of the bots.



Until next time...

Just a reminder: Please do not post suggestions in this thread (even if you feel they are related). Use the dedicated suggestion forum so they can be tracked.
 

mjda

Active member
#4
This is great! While I don't get too many spam bots as it is, it's good to know you guys are constantly looking to improve that part of the software.
 

Chris D

XenForo developer
Staff member
#11
I'm certain it will.

Anywhere the CAPTCHA currently appears should display the CAPTCHA you have configured. Guest posts, lost password, contact form, etc.
 

nodle

Well-known member
#14
1.4 is getting everything I ever wanted in the original Xenforo. It's really gonna be a complete core package now. So excited!:D
 

Chris D

XenForo developer
Staff member
#16
It's nice to see people finally accepting that XenForo is no longer lagging behind and is more "complete".

I think it's fair to say that XenForo 1.0 was a relatively small release compared to some of the existing software available at the time. By which, I mean, I am comparing the forum software like-for-like and not including things like Blogs, Galleries and Content systems.

The momentum XenForo has seen since version 1.2 is outstanding. Congratulations XenForo. You're doing it right :)
 

Pereira

Well-known member
#17
The registration form now includes several approaches to interfere with bot registrations, including:
  • Invisible honeypot fields that legitimate users won't see but that bots will (usually) see and fill in. If a value is entered, we know the user is a bot.
  • The honeypot fields are also inserted randomly in multiple places, which can cause the valid fields to be in different positions (internally; visually they are the same). This can interfere with some bot implementations.
  • Field name randomization. Each time the form is viewed, the name of the fields that are submitted to the server varies and thus cannot be predicted by a bot.
Combined, these features will hopefully help prevent bot registrations.
This seems pretty cool. Over time, won't bots be able to work out a pattern or is it very difficult to do?

Is it possible to enable both the Q&A and one of the other CAPTCHA simultaneously?