XF 1.4 Anti-spam Improvements

As with many of our previous releases, XenForo 1.4 is adding more options to help prevent spam from being posted on your forum. Our focus here is mostly directed towards preventing automated bot registrations.

Additional CAPTCHA Types
Out of the box, we now support a number of additional CAPTCHA providers:

Text CAPTCHA -- this is a service that provides Q&A style CAPTCHAs like "Which of 47, sixty two, 18 or 59 is the smallest?". Essentially, this isn't really different from the built-in Q&A CAPTCHA system, except this system has a large number of questions built already -- over 180 million. Q&As are potentially easier to solve for humans and have fewer accessibility issues, but the trade off is that they can possibly be machine read and analyzed (if targeted). Nonetheless, this gives another option in the fight against spam.

Solve Media -- Solve Media offers standard image-based CAPTCHAs at varying difficult levels:

ss-2014-07-23_14-19-12.webp
ss-2014-07-23_14-19-29.webp

They also offers revenue generation options through your CAPTCHA if that's something you're interested in. You can have a look at more of their CAPTCHAs on their demo page.

KeyCAPTCHA -- KeyCAPTCHA uses a puzzle-solving approach to implement a CAPTCHA. When I say a puzzle, I mean that literally:
ss-2014-07-23_14-27-57.webp

KeyCAPTCHA has a few different offerings and variations on this theme which you can enable on their site.

All of these new options require you to obtain API keys from the service, so they will need to be explicitly enabled.

IP Checks Against Banned Users
If a user registers with an IP address that was used by a banned user recently, you now have the option to manually approve that registration.
ss-2014-07-23_14-32-06.webp

While this option can catch people re-registering after a ban, it is mostly targeted at spammers. It is not uncommon to see a spammer use the same IP to register multiple times. If they have already registered before you clean their spam, the spam cleaner's IP check can detect the other accounts. This approach can catch those additional accounts right as they register.

Registration Form Modifications
No images for this part as nothing should be visually different! :)

The registration form now includes several approaches to interfere with bot registrations, including:
  • Invisible honeypot fields that legitimate users won't see but that bots will (usually) see and fill in. If a value is entered, we know the user is a bot.
  • The honeypot fields are also inserted randomly in multiple places, which can cause the valid fields to be in different positions (internally; visually they are the same). This can interfere with some bot implementations.
  • Field name randomization. Each time the form is viewed, the name of the fields that are submitted to the server varies and thus cannot be predicted by a bot.
Combined, these features will hopefully help prevent bot registrations.

I should note that the best option can be to make your registration form unique. Spam software gets quite a bit of benefit by targeting XenForo as a software: if they're successful, they have something that works on many sites. As such, bot mitigations that we implement in the core become worth defeating for both authors. However, if you make customizations to your site, bots need to be adapted specifically to meet your site's requirements and this isn't necessarily worthwhile for a bot author.

The exact form of these customizations could vary (possibly a custom field with specific requirements or maybe an anti-spam add-on), but the key is to invalidate the assumptions/validity checks of the bots.



Until next time...

Just a reminder: Please do not post suggestions in this thread (even if you feel they are related). Use the dedicated suggestion forum so they can be tracked.
 
I use customimgcaprcha too. It is indeed effective and I like the reporting it has.

But bear in mind the new solutions are also considered to be just as effective by the people who currently use them so I dont see anything to be disappointed about here.
 
Since previous updates against spam, I don't use the mail validation anymore. I guess that with this improvement, I won't worry about spammers at all :o
 
The forgot password process relies on email, though. That's the confirmation process that it is a valid user requesting the password reset. If their email address is wrong, and they don't remember their password, and they never receive the password reset request then they'll have no way of continuing to use your site.
 
You know, I have seen so many weird things on the internet ... I remember a streaming website in which you have to tweet the CM in order to validate your account, and there is sooo many users on it. I like my board to be accessible without email confirm. I would pay to do so with twitter instead =D
 
I see KeyCAPTCHA must have improved. I tried it when it first came along, and it was so "broken" that my registrations on a couple of my forums dropped substantially.

We use custom questions to weed out some automated spam. We manually approve all new memberships, checking IP and the StopForumSpam flag if needed. And all early posts are held in moderation. Very rare if spam would ever get through. These new features will give us more options for our spam-elimination recipe. :thumbsup:
 
It's nice to see people finally accepting that XenForo is no longer lagging behind and is more "complete
The momentum XenForo has seen since version 1.2 is outstanding. Congratulations XenForo. You're doing it right :)

I am one of those people(and often most critical at that<3) but even i am quite impressed tbh :P

I especially like the IP checks against banned user. Very impressed by this tbh
 
Back
Top Bottom