XF 1.4 Anti-spam Improvements

As with many of our previous releases, XenForo 1.4 is adding more options to help prevent spam from being posted on your forum. Our focus here is mostly directed towards preventing automated bot registrations.

Additional CAPTCHA Types
Out of the box, we now support a number of additional CAPTCHA providers:

Text CAPTCHA -- this is a service that provides Q&A style CAPTCHAs like "Which of 47, sixty two, 18 or 59 is the smallest?". Essentially, this isn't really different from the built-in Q&A CAPTCHA system, except this system has a large number of questions built already -- over 180 million. Q&As are potentially easier to solve for humans and have fewer accessibility issues, but the trade off is that they can possibly be machine read and analyzed (if targeted). Nonetheless, this gives another option in the fight against spam.

Solve Media -- Solve Media offers standard image-based CAPTCHAs at varying difficult levels:

ss-2014-07-23_14-19-12.webp
ss-2014-07-23_14-19-29.webp

They also offers revenue generation options through your CAPTCHA if that's something you're interested in. You can have a look at more of their CAPTCHAs on their demo page.

KeyCAPTCHA -- KeyCAPTCHA uses a puzzle-solving approach to implement a CAPTCHA. When I say a puzzle, I mean that literally:
ss-2014-07-23_14-27-57.webp

KeyCAPTCHA has a few different offerings and variations on this theme which you can enable on their site.

All of these new options require you to obtain API keys from the service, so they will need to be explicitly enabled.

IP Checks Against Banned Users
If a user registers with an IP address that was used by a banned user recently, you now have the option to manually approve that registration.
ss-2014-07-23_14-32-06.webp

While this option can catch people re-registering after a ban, it is mostly targeted at spammers. It is not uncommon to see a spammer use the same IP to register multiple times. If they have already registered before you clean their spam, the spam cleaner's IP check can detect the other accounts. This approach can catch those additional accounts right as they register.

Registration Form Modifications
No images for this part as nothing should be visually different! :)

The registration form now includes several approaches to interfere with bot registrations, including:
  • Invisible honeypot fields that legitimate users won't see but that bots will (usually) see and fill in. If a value is entered, we know the user is a bot.
  • The honeypot fields are also inserted randomly in multiple places, which can cause the valid fields to be in different positions (internally; visually they are the same). This can interfere with some bot implementations.
  • Field name randomization. Each time the form is viewed, the name of the fields that are submitted to the server varies and thus cannot be predicted by a bot.
Combined, these features will hopefully help prevent bot registrations.

I should note that the best option can be to make your registration form unique. Spam software gets quite a bit of benefit by targeting XenForo as a software: if they're successful, they have something that works on many sites. As such, bot mitigations that we implement in the core become worth defeating for both authors. However, if you make customizations to your site, bots need to be adapted specifically to meet your site's requirements and this isn't necessarily worthwhile for a bot author.

The exact form of these customizations could vary (possibly a custom field with specific requirements or maybe an anti-spam add-on), but the key is to invalidate the assumptions/validity checks of the bots.



Until next time...

Just a reminder: Please do not post suggestions in this thread (even if you feel they are related). Use the dedicated suggestion forum so they can be tracked.
 
Yes, you can...
Have you successfully gotten this to work on an https site? I was going to go to it from the custom image captcha from tenants and when I did I get this
Screen Shot 2014-08-21 at 6.21.01 PM.webp


The URL is correct (they don't allow you to specify anything other than http - saying it will detect for both). Using nginx and doing a forced rewrite of all inbound http to https.

EDIT:

Appears to be a pagespeed/memcached/php-fpm/nginx issue. The Debian server it worked fine on (stopped the centOS VPS and started the Debian one up to test). Once I restarted the centOS VPS up it worked.
 
Last edited:
would that mean i can remove the TAC anti spam add on i have then?
Not if that is the human spam one that you're talking about. There are still plenty of human spammers who register and then go nuts posting. Having that additional anti-spam for the first x posts stops them registering, plugging in their bot, then sending it loose... or some hired hack replicating it until banned, then starting over with another account they registered prior.

Multi-leveled anti-spam is your best approach... never putting all your eggs in one basket.

I use honeypot, keycaptcha and human anti-spam for those once registered. I view the logs and have spammers daily register manually, then get caught at the human anti-spam, so they give-up and go elsewhere. I also run a DDOS protection which catches a couple per day, both registered and unregistered, trying to load my forum with false page scraping and such. Bans them within 10 pages, gone.
 
Honestly, for captchas I think plain text, reCAPTCHA and http://areyouahuman.com/ is enough. I'm disappointed that http://areyouahuman.com/ wasn't added, and I hope it is before a stable 1.4.0 release because it's user friendly and pretty hard for bots as well imo.

o...m...g...are you human is easily the most annoying thing I've seen on a website in ages. I just checked them out and if I ever went to a site that used it, I would leave that site and not ever come back. Don't ask me to drag another Bacardi mixer to a bottle while some obnoxious song won't stop playing. It's easily more for advertising than it is for spam battles...two thumbs down for them.

recaptcha wasn't very helpful to me in years past, but seems like they've changed up their display. to anyone using it now, how's it holding up against the bots?
 
It's easily more for advertising than it is for spam battles...two thumbs down for them.
recaptcha wasn't very helpful to me in years past, but seems like they've changed up their display. to anyone using it now, how's it holding up against the bots?
Like the Solve Media one isn't? :p

I'll just stick to @tenants captcha add-on myself.
 
Time for a new captcha, recaptcha has finally been defeated by robots :cry:

To view this content we will need your consent to set third party cookies.
For more detailed information, see our cookies page.

Some browser based bots do already pass googles nocaptcha recaptcha (many have done since it was first introduced). No robotic hand needed.
Xrumer doesn't yet, but they have recently started looking into it

xenforos "more options to help prevent spam" makes these options a greater target. Xenforos best updates for antispam have been the introduction of APIs and custom fields + custom honey pots. These are far less easy to target.

Putting the honeypots in the core, as I said would happen, has now rendered certain types of honeypots ineffective, we may see this over the next few months as people pick up the latest version of xrumer, and the impact it will have on xenforo spam
 
Last edited:
The best? What does that mean, there are many different types working in different ways, are you asking what's the best captcha for the core maybe?
ReCaptcha NoCaptcha is still pretty good for most non browser based bots (there is only a small handful that bypass this, although xrumer is looking at it), and it provides a better experiance for humans
- bare in mind, if you use a Captcha that many others use, it is a target, and when broken, it will let in floods of spam

Or are you asking about non captcha methods:
From the core? Apis -> make sure they are on, get keys where needed (this will reduce a flood to a trickle, for quite some time)
From your self? Customisation (customised the registration page)
From Mods? Well, I am biased.


CUSTOMISATION is key, do something that can't be targeted, the core will always be targeted, they should only be doing things that can't easily be targeted (such as API's), I have recommended they add customImgCaptcha to the core (once they start noticing the core honeypots are dead).

CustomImgaeCaptach is free, and since it's your own image (please make sure you upload your own image), then it's very customised (if they made a video version of this too, it would hold back the tied that little bit longer)

Customise your hidden field honeypots, although there is not a huge point in this now, you'll have to come up with some very original ideas, hidden fields of any type seem to be getting attacked., zindex, off page, opacity, are all being bypassed.
There are other types of honeypots that are not getting attacked (but these are not your classical hidden fields)
 
Back
Top Bottom