XF 1.4 Anti-spam Improvements

As with many of our previous releases, XenForo 1.4 is adding more options to help prevent spam from being posted on your forum. Our focus here is mostly directed towards preventing automated bot registrations.

Additional CAPTCHA Types
Out of the box, we now support a number of additional CAPTCHA providers:

Text CAPTCHA -- this is a service that provides Q&A style CAPTCHAs like "Which of 47, sixty two, 18 or 59 is the smallest?". Essentially, this isn't really different from the built-in Q&A CAPTCHA system, except this system has a large number of questions built already -- over 180 million. Q&As are potentially easier to solve for humans and have fewer accessibility issues, but the trade off is that they can possibly be machine read and analyzed (if targeted). Nonetheless, this gives another option in the fight against spam.

Solve Media -- Solve Media offers standard image-based CAPTCHAs at varying difficult levels:

ss-2014-07-23_14-19-12.webp
ss-2014-07-23_14-19-29.webp

They also offers revenue generation options through your CAPTCHA if that's something you're interested in. You can have a look at more of their CAPTCHAs on their demo page.

KeyCAPTCHA -- KeyCAPTCHA uses a puzzle-solving approach to implement a CAPTCHA. When I say a puzzle, I mean that literally:
ss-2014-07-23_14-27-57.webp

KeyCAPTCHA has a few different offerings and variations on this theme which you can enable on their site.

All of these new options require you to obtain API keys from the service, so they will need to be explicitly enabled.

IP Checks Against Banned Users
If a user registers with an IP address that was used by a banned user recently, you now have the option to manually approve that registration.
ss-2014-07-23_14-32-06.webp

While this option can catch people re-registering after a ban, it is mostly targeted at spammers. It is not uncommon to see a spammer use the same IP to register multiple times. If they have already registered before you clean their spam, the spam cleaner's IP check can detect the other accounts. This approach can catch those additional accounts right as they register.

Registration Form Modifications
No images for this part as nothing should be visually different! :)

The registration form now includes several approaches to interfere with bot registrations, including:
  • Invisible honeypot fields that legitimate users won't see but that bots will (usually) see and fill in. If a value is entered, we know the user is a bot.
  • The honeypot fields are also inserted randomly in multiple places, which can cause the valid fields to be in different positions (internally; visually they are the same). This can interfere with some bot implementations.
  • Field name randomization. Each time the form is viewed, the name of the fields that are submitted to the server varies and thus cannot be predicted by a bot.
Combined, these features will hopefully help prevent bot registrations.

I should note that the best option can be to make your registration form unique. Spam software gets quite a bit of benefit by targeting XenForo as a software: if they're successful, they have something that works on many sites. As such, bot mitigations that we implement in the core become worth defeating for both authors. However, if you make customizations to your site, bots need to be adapted specifically to meet your site's requirements and this isn't necessarily worthwhile for a bot author.

The exact form of these customizations could vary (possibly a custom field with specific requirements or maybe an anti-spam add-on), but the key is to invalidate the assumptions/validity checks of the bots.



Until next time...

Just a reminder: Please do not post suggestions in this thread (even if you feel they are related). Use the dedicated suggestion forum so they can be tracked.
 
That's good to know.

I think it's easy to get stuck on perceptions which, no matter how accurate they were at the time, may become outdated quite quickly.

This is not aimed at anyone in particular, but it does seem sometimes that people are still judging XF by what it was; not what it is now.
 
Sorry if I missed this, but are we going to be able to have more than one anti-spam method active at a time? For instance, Key Captcha plus Solve Media or text? Or even one of the default plus an add-on?
 
Why would more than one be necessary? What difference would it make?

All it would do is annoy your visitors. Most people hate ONE captcha, let alone two, or more.
 
Sorry if I missed this, but are we going to be able to have more than one anti-spam method active at a time? For instance, Key Captcha plus Solve Media or text? Or even one of the default plus an add-on?
No, unless someone wants to write an add-on to do it.
 
Really liking this news. I am concerned on the core implementation versus FoolBotHoneyPot. Tenant's plugin has served us so well, literally no other anti spam is needed to keep spam down to a managable few a year versus dozens per hour. Very happy to see this method in the core and hope to see it spread and stay effective against the heavier automated spam coming from... wait is it bad i can't remember what the most popular one is... YAY lol.

Also nice to see a puzzle captcha natively supported. I like not having to use anything at all with FBHP, but having a core method is nice for the day we find we have to turn it back on.
 
Anything to make it harder for the army of Bangladeshi children/spam bots.

The honeypot should take care of most of your automated bots. Based on FBHP's logs most of the ones that get through are your little slaves doing it by hand. For that even a keycaptcha isn't going to help much for example. I am honestly excited for all the sites that don't run FBHP to have this available in the core. Though sites like yours might end up still trying to make it harder even when they "might" not have to.
 
Why would more than one be necessary? What difference would it make?

All it would do is annoy your visitors. Most people hate ONE captcha, let alone two, or more.
Really?
You should not (can't) enable more than one, but you can choose between defferent on your personal choice.
 
You know, I have seen so many weird things on the internet ... I remember a streaming website in which you have to tweet the CM in order to validate your account, and there is sooo many users on it. I like my board to be accessible without email confirm. I would pay to do so with twitter instead =D
Isn't logging into Twitter by XenForo enough?

(getting off-topic... PM?)
 
How does the KeyCAPTCHA work on a mobile device?
Keycapthca works normally allowing you to put the pieces in, HOWEVER; you can actually buy the mobile version which uses a simply touch button that when dragged, it slides two pieces around. Basically, you slide the button until the two pieces line up in their slots, then release. I have the paid version for ease of use for my users... like $24 a year or something like that for touch screen ease of use.

Using my mobile, screenshot examples...

IMG_0415.webp


IMG_0416.webp
 
Back
Top Bottom