XF 1.4 Anti-spam Improvements

Tracy Perry

Well-known member
Yes, you can...
Have you successfully gotten this to work on an https site? I was going to go to it from the custom image captcha from tenants and when I did I get this
Screen Shot 2014-08-21 at 6.21.01 PM.png

The URL is correct (they don't allow you to specify anything other than http - saying it will detect for both). Using nginx and doing a forced rewrite of all inbound http to https.


Appears to be a pagespeed/memcached/php-fpm/nginx issue. The Debian server it worked fine on (stopped the centOS VPS and started the Debian one up to test). Once I restarted the centOS VPS up it worked.
Last edited:

Anthony Parsons

Well-known member
would that mean i can remove the TAC anti spam add on i have then?
Not if that is the human spam one that you're talking about. There are still plenty of human spammers who register and then go nuts posting. Having that additional anti-spam for the first x posts stops them registering, plugging in their bot, then sending it loose... or some hired hack replicating it until banned, then starting over with another account they registered prior.

Multi-leveled anti-spam is your best approach... never putting all your eggs in one basket.

I use honeypot, keycaptcha and human anti-spam for those once registered. I view the logs and have spammers daily register manually, then get caught at the human anti-spam, so they give-up and go elsewhere. I also run a DDOS protection which catches a couple per day, both registered and unregistered, trying to load my forum with false page scraping and such. Bans them within 10 pages, gone.


Well-known member
Honestly, for captchas I think plain text, reCAPTCHA and http://areyouahuman.com/ is enough. I'm disappointed that http://areyouahuman.com/ wasn't added, and I hope it is before a stable 1.4.0 release because it's user friendly and pretty hard for bots as well imo.
o...m...g...are you human is easily the most annoying thing I've seen on a website in ages. I just checked them out and if I ever went to a site that used it, I would leave that site and not ever come back. Don't ask me to drag another Bacardi mixer to a bottle while some obnoxious song won't stop playing. It's easily more for advertising than it is for spam battles...two thumbs down for them.

recaptcha wasn't very helpful to me in years past, but seems like they've changed up their display. to anyone using it now, how's it holding up against the bots?

Tracy Perry

Well-known member
It's easily more for advertising than it is for spam battles...two thumbs down for them.
recaptcha wasn't very helpful to me in years past, but seems like they've changed up their display. to anyone using it now, how's it holding up against the bots?
Like the Solve Media one isn't? :p

I'll just stick to @tenants captcha add-on myself.


Well-known member
Time for a new captcha, recaptcha has finally been defeated by robots :cry:

Some browser based bots do already pass googles nocaptcha recaptcha (many have done since it was first introduced). No robotic hand needed.
Xrumer doesn't yet, but they have recently started looking into it

xenforos "more options to help prevent spam" makes these options a greater target. Xenforos best updates for antispam have been the introduction of APIs and custom fields + custom honey pots. These are far less easy to target.

Putting the honeypots in the core, as I said would happen, has now rendered certain types of honeypots ineffective, we may see this over the next few months as people pick up the latest version of xrumer, and the impact it will have on xenforo spam
Last edited:


Well-known member
The best? What does that mean, there are many different types working in different ways, are you asking what's the best captcha for the core maybe?
ReCaptcha NoCaptcha is still pretty good for most non browser based bots (there is only a small handful that bypass this, although xrumer is looking at it), and it provides a better experiance for humans
- bare in mind, if you use a Captcha that many others use, it is a target, and when broken, it will let in floods of spam

Or are you asking about non captcha methods:
From the core? Apis -> make sure they are on, get keys where needed (this will reduce a flood to a trickle, for quite some time)
From your self? Customisation (customised the registration page)
From Mods? Well, I am biased.

CUSTOMISATION is key, do something that can't be targeted, the core will always be targeted, they should only be doing things that can't easily be targeted (such as API's), I have recommended they add customImgCaptcha to the core (once they start noticing the core honeypots are dead).

CustomImgaeCaptach is free, and since it's your own image (please make sure you upload your own image), then it's very customised (if they made a video version of this too, it would hold back the tied that little bit longer)

Customise your hidden field honeypots, although there is not a huge point in this now, you'll have to come up with some very original ideas, hidden fields of any type seem to be getting attacked., zindex, off page, opacity, are all being bypassed.
There are other types of honeypots that are not getting attacked (but these are not your classical hidden fields)