XF 2.0 Functionality loophole renders anti-spam measures ineffective

[Stuart Wright]

This applies to Xenforo 1 also and it's an issue on AVForums.
We have our anti-spam settings like this:

So the first 5 messages are checked for spam and if they match a spam phrase, go into the moderation queue. We don't want to reject them outright because they may not be spam. (Note that we block bit.ly and amzn.to because all URL shorteners are against our rules since that would be a stealth method of posting spam links).
Presumably increasing the number of messages to check for spam from 5 to, say, 999999 would put extra processing load on all new messages for the sake of a tiny amount of spam.

So the problem is that recently we've had chinese spammers using fake IPs (so Stopforumspam fails to get them) who manually post a ton of spam. They know when their posts go into the moderation queue, so they post 5 non-spam messages and then post 60 spam messages in a very short time.

We added a common Chinese character to the spam phrase list (you can see it at the bottom in the screen capture above) but Xenforo's anti-spam system fails to stop them because they post non-spam for the first 5 messages.
When I upped the number of messages to check from 5 to 9 (more of an unpredictable number), they posted 5 non-spam messages, three spam messages which they saw get moderated, then 6 non spam messages and then 60 spam messages, all of which got through, of course.

What we need is an extra measure on top of what we have now.
For example, if any message from a member gets put into the moderation queue then all subsequent messages are checked. I.e. when a member posts a new message, if they have any messages in the moderation queue, then check the new message.
When all the messages in the queue have been checked and approved so no messages from that member are in the queue, then the Maximum Messages to Check for Spam number is obeyed.
Would that put too much extra load on the process of posting a message? I guess a new query to check the moderation queue for messages by that member?

Alternatively, if a member's message is put into the moderation queue, we could change their user state to Awaiting Approval so they can't post anything else until their message has been looked at and their account manually approved or banned. The system would need to inform them of that situation adequately.

Would either of those suggestions be a good idea/hard to implement?

 

[Stuart Wright]

Anyone?

 

[Chris D]

One tactic here is to make use of the “Bypass spam check” permission.

So you could increase the number of messages to check, but then use user group promotions to promote users into a group which has the bypass permission based on other criteria.

So say the spam users generally get their 5 messages out of the way over the course of a week, you could promote any user who has been registered for over a week into a group that bypasses the spam check.

Or maybe the content they create isn’t particularly good quality so it doesn’t get any likes, you could promote any user who has received X likes to a group that bypasses spam checks.

Obviously you can use any combination of criteria there that you feel will work better for you. Basically the idea is that most of your users would end up getting promoted to a group that doesn’t do the spam check, even if they haven’t yet made enough messages to take them out of that minimum messages criteria.

Hopefully that makes sense.

 

[Stuart Wright]

One tactic here is to make use of the “Bypass spam check” permission.

So you could increase the number of messages to check, but then use user group promotions to promote users into a group which has the bypass permission based on other criteria.

So say the spam users generally get their 5 messages out of the way over the course of a week, you could promote any user who has been registered for over a week into a group that bypasses the spam check.

Or maybe the content they create isn’t particularly good quality so it doesn’t get any likes, you could promote any user who has received X likes to a group that bypasses spam checks.

Obviously you can use any combination of criteria there that you feel will work better for you. Basically the idea is that most of your users would end up getting promoted to a group that doesn’t do the spam check, even if they haven’t yet made enough messages to take them out of that minimum messages criteria.

Hopefully that makes sense.

Thanks Chris. Our novice members (default member group) have to have a combination of 1 day since registration, so many posts, so many likes before they get promoted to standard member. We've just implemented bypass on standard members. Thanks

 

[alex2k5]

I know this is an older thread, and I understand the suggestions on addressing. I want to clarify I am having the same exact issue.

I would like to suggest an option to run the spam rules against new members for 24 hours from their first post. So a user registers, we run the rules against them for 10 posts or whatever is chosen, as it is now. It also runs them against all posts made by members for 24 hours starting with post #1. If post 1 is at 12:00 AM, 2 weeks after registering, then it will stop checking at 11:59 PM, 2 weeks and 1 day after registering.

So no matter what, you get 24 hours of checking. And then, if you don't reach 10 in that time frame, it continues on as normal.

This will stop day one, register and spam bomb type situations. It will also give us a window to review and nuke obvious spammers based on username and profile field choices, since many are nonsensical, if they don't immediately post.

Even if they know this, they have to make at least 1 post that bypasses spam to trigger that 24 hour clock. If their goal is to do that, then wait 24 hours, then make 10 bypass posts, then start the spam bombing, it gives us time to catch the first generic clock trigger post.

 

[Chris D]

My post above suggests the recommended solution.

 

[alex2k5]

I hear you, I'm just giving feedback that what is suggested doesn't work in this case. Our spammers are coming on, dropping x posts of

Title: ASDF
Content: FHGTY2

(etc) to hit our Maximum Messages to Check for Spam limit.

Nothing to trigger spam rules. Once they hit our number to bypass spam checking, they drop 100+ posts. All instantly and usually over night when staff is inactive.

If I create a promotion that moves from newbie to regular user 24 hours after registering, then they will just wait one day and do the above. Same if I set it to 24 hours + 10 posts.

If we had option to trigger spam check for 24 hours from first post, regardless of registration time, it would give us a significantly better chance at nuking them. IMO.

 

[Sim]

Sounds like a spambot problem - Try looking for other identifiable patterns amongst the spambots and block/moderate new users based on that.

Are they coming from a specific country? Are they using proxy/VPN servers? Try geo-blocking/geo-moderating users based on various criteria (will require extra development work - or take a look at various addons which can do this for you - eg GeoIP, although this one can't identify proxy/VPN servers yet)

 

[alex2k5]

Hi Sim,

Thanks for the feedback. It is a spambot, I don't think it's a human doing each post. The spam is in Chinese. Blocked those characters, but spam check only works for first x posts. They've gotten around this by posting short english based posts with no real words or links at first, then they go into the real spam. Very difficult or impossible to pull a pattern from those initial posts, or usernames.

The IPs are non linear and worldwide, never used twice.

Moderating new users or increasing spam check length to x days from reg and/or more posts is the last resort. I find that harms our long term growth tho, every time I've done that our new user retention has gone down. They come in, get frustrated because they can't post links or images (90% of why they are there), have random non-url based posts blocked due to keywords flags they don't know or understand, and then leave. Or, due to staff availability, have to wait to post at all and then never come back. People need to be able to jump in and go when they feel it.

 

[Sim]

I wonder if they are targeting you specifically or if it's a general spambot that's been written to get through XenForo anti-spambot measures?

If they are targeting you, you're going to have a difficult time no matter what.

If it's a general thing (in which case we all need to take note), then you may be able to minimise issues by implementing a simple Q&A based captcha for registration - if they're not targeting you, they won't have a database of answers that match your questions.

Is your audience global or primarily from a specific geographic area? If from a specific area you could look at what we do and have an approved list of countries for registration and everyone else get blocked or put in moderation - that creates more work for you, and it won't stop the spambots from registering using an IP in an approved country, but it might slow them down.

Either way - the worst kind of bots are those which use a combination of meat-spammers to defeat signup checks (strangely enough, captcha doesn't defeat human spammers! ) along with automated bots to do the mass-posting once the account is in the clear.

 

[alex2k5]

I can't say if it's me personally or not, but it seems similar to what the OP above is going through. I also believe, though not confirmed, that there is probably a human somewhere down the chain seeing failure reports, researching why, changing methods, and redeploying.

I've done QnA, they get the answers after a bit and continue on. Another reason to believe there is a human eventually reviewing things, but not immediately. Currently using slide Captcha.

Audience, global tho mostly English speaking countries. And spam IPs come from multiple countries, none Chinese that I can see.

 

[Sim]

There was an off-the-shelf spambot tool operating a few years back targeting vBulletin based forums. Can't recall what it was called.

There was a network of users and they would share Q&A data into a pooled database which was then made available to people who purchased the software.

It comes to mind because the behaviour was exactly like you described - changing your Q&A would stop them for a while, but then the spam would start up again.

Social media for spammers

It was actually the reason I implemented my Geoblocking solution - because my sites were being flooded with spambots.

It might be worth looking into what Cloudflare can do to identify and block spambots? Not sure it would help, but it's a start.

That being said - I kind of get what the OP is getting at. Having a way to check all posts for certain users (eg users not in some kind of "premium" usergroup) against a spam list and moderating posts which match - would be a useful tool. It would need to be a bit more subtle than any registration level checks to minimise the chance of annoying valid users with false-positives.

My own meat spam experience recently has started me thinking that I need a way of vetting all outbound links from my sites - these people were very careful about staying under the radar and the links themselves were actually on topic to the point where some other sites may well not consider them to be spam (we're pretty strict on this stuff though).

 

[Paul B]

That software is still going and is way more powerful and widely used than back then.

 

[Mouth]

off-the-shelf spambot tool

For the purposes of know thy enemy ... https://en.wikipedia.org/wiki/XRumer