Cloudflare Turnstile for spam?

Jon12345

Jon12345

Well-known member
I am getting a ton of spam registrations from Vietnam recently so I have revisited my spam prevention methods. I've got Spaminator install, and I am using hCaptcha enabled for guests.

Should I use Turnstile instead?

Important to note, I am not using Cloudflare for anything on my site, if that makes any difference. For example, I use BunnyCDN for my CDN.
 
Turnstile is going to be much nicer for your human visitors. Hcaptcha is absolutely painful to deal with imo as a user.

And you can use it without using any other cloudflare product. You would need an account with them though.
 
Just open your site in incognito mode and try to register. Very important to check if it's working otherwise no one would be able to register!
 
It shows visitor solve rate and API solve rate. I get the visitor bit, but what is the API solve rate?
 
stopforumspam integration catches a LOT of bad players, too. I have that country blocked, and several others, with one of Andy's add-ons.
 
I installed turnstile to stop having so many deletions to do that were caught by stopforum spam :-) It was getting to be about 20 a day manual deletions that stopforum spam was flagging. So turnstile has stopped me getting so many - none so far.
 
If you don't get many legitimate users registering from a specific country - you could try blocking anyone from that country from registering - I have an addon which helps there:

Geoblock Registration Sim

Geoblock Registration

Ban or moderate users from specific countries when registering using Maxmind's GeoLite2 Database

Unlike a Cloudflare level block which blocks access to the entire site - this only operates at registration, so people can still view the site from blocked countries.

You can either force new registrations from that country into moderation, or block them entirely.

Either way, I also use Turnstile on all of my sites.
 
I notice the Vietnamese spammer is using IP's from other countries now and not just Vietnam. But, they always have "From Vietnam" in their profile page. Here is an example of one that is using an IP address from India. So, I cannot just block based on country.

1739358671366.webp

In my search, I came across this plugin:

[cXF] Remove Location, Website and About you field BassMan

[cXF] Remove Location, Website and About you field

... from member profile and account details page.

My question is, can I use something like this plugin to remove location and website fields just for new users, letting existing users keep their location and website fields? What would I have to do, have them immediately join another user group which does not allow these fields?
 
If the spammer is dumb enough to fill in those fields, wouldn’t you want them to do that so you can easily identify them and kick them to the curb?
 
Ozzy47 said:
If the spammer is dumb enough to fill in those fields, wouldn’t you want them to do that so you can easily identify them and kick them to the curb?
Click to expand...
Good point. Although I am not sure if the bots can detect if they cannot post urls in a field, and so to save resources they abort these sites.

How can I identify what they put in those fields?
 
Yes, definitely leave the location field there - it's one of the signals I use to filter out likely spammers. If the location field does not match their IP address location, then I'll investigate further before allowing them to register (I have a small pre-approved list of countries where registrations go through automatically - everything else is held for moderation).

I have another addon which makes this a bit easier too:

Approval Queue Plus Sim

Approval Queue Plus

Adds extra information to the Approval Queue

Check the IP address to see if it corresponds to a VPN or a Datacentre. If a datacentre - I'll reject the registration immediately. If a VPN, I'll wait a few days to see whether the user comes back - if there's been no activity since registration, it was likely a bot.

If someone emails me asking to be approved, I'll ask them to clarify their location (remove any IP addresses from the email reply first), which is a good way of catching people out if they are lying, but 99% of the time if they take the trouble to ask for assistance, they are legit.

It's easier for my site PropertyChat which is about 95% Australian - but we do get quite a few expats registering. They will usually put an Australian city in their location even though they are from another country. If they explain that - I'll let them through. The people who never bother to check with me just get rejected after a week of no further activity on the site.
 
I notice that the spammer keeps changing the Vietnam name to things like Viet Nam, Việt Nam etc. i.e. their location keeps changing.

Is there a way to hide the Website field when doing a registration? I have existing members who use it, but I mean for when someone signs up.

Does any of the existing spam checking functionality within Xenforo check the Location field for spam phrases?
 
Sim said:
If you don't get many legitimate users registering from a specific country - you could try blocking anyone from that country from registering - I have an addon which helps there:

Geoblock Registration Sim

Geoblock Registration

Ban or moderate users from specific countries when registering using Maxmind's GeoLite2 Database

Unlike a Cloudflare level block which blocks access to the entire site - this only operates at registration, so people can still view the site from blocked countries.

You can either force new registrations from that country into moderation, or block them entirely.

Either way, I also use Turnstile on all of my sites.
Click to expand...
I've installed your addon and blocked VN, UA and IN. Not ideal, but at least in the short term it will wipe out some of the spam. Thanks for the recommendation.
 
  • Like
Reactions: Sim
Just an update on turnstile for me. No spam in the spam filter for the first few days - now they're back again! Not as many as before but a couple a day. I think I need something else as well as turnstile.
 
Alvin63 said:
Just an update on turnstile for me. No spam in the spam filter for the first few days - now they're back again! Not as many as before but a couple a day. I think I need something else as well as turnstile.
Click to expand...
Meat spammers?
 
You must log in or register to reply here.

Similar threads

E
  • Question Question
Cloudflare Turnstile - Bots spam - is it effective ?
Replies
4
Views
147
Ricsca
Ricsca
A
  • Question Question
XF 2.3 Add Cloudflare Turnstile on XF page
Replies
0
Views
44
Andy.N
A
NealC
Cloudflare Turnstile vs hCaptcha
Replies
8
Views
3K
BassMan
BassMan
C
  • Question Question
XF 2.2 Cloudflare Turnstile, any code to insert ?
Replies
2
Views
591
cjwinternet
C
V
Getting an API-Key for Cloudflare Turnstile
Replies
4
Views
903
digitalpoint
digitalpoint
Back
Top Bottom