High volume of spam registrations even with multiple spam prevention measures enabled

Peretz

So the good news is that our current setup (Stop Forum Spam, reCAPTCHA v2, DNS Block List, and Project Honey Pot all enabled and configured) prevents spam accounts from making visible posts, but it still results in a high volume of spam registrations (I'd estimate 50-100 per day) on our forums.

I'd prefer not to make our CAPTCHA even more difficult because I don't want to annoy real humans trying to create accounts to join the community, but I admit it's bothersome to have to sift through so many spam registrations.

What tools and resources have you all found to be successful to combat spam registrations?
 
Cloudflare Turnstile?
I signed up for Cloudflare Turnstile after reading that our traffic doesn't route through Cloudflare servers. I'm still reluctant to depend on Cloudflare products after their major services outage a while back, but it seems to be doing a better job than hCAPTCHA or reCAPTCHA v2 so far.

We'll see how it goes! If we encounter issues, I'll likely try the Q&A captcha next.
 
You need to use @Xon's sign-up and abuse add-on and his standard library add-on.
Use Cloudflare Turnstile as well.
If Turnstile and Q&A captchas don't work out, I can ask my community if they would be willing to pay the one-time and annual costs for Xon's add-ons, but $30/year on top of the annual renewal fee would be a hefty price tag for a smaller community that's more active on Discord than forums these days (but there's still a place and purpose for forums! :)).
 
  1. Cloudflare Turnstile
  2. Cloudflare custom WAF rules
  3. @Xon's sign-up abuse addon
  4. Cleantalk on registration
It's not a matter of set and forget. You will need to keep tweaking 2 and 3 until spam is fully gone and revisit when it comes back. Use email white-list in Xon's addon.
 
Unfortunately, Cloudflare Turnstile (in combination with Stop Forum Spam and Project Honeypot) does not seem to be slowing the rate of spam registrations. Our forums had 35 spam registrations in approximately 12 hours and Turnstile shows a visitor solve rate of 39.41%. I didn't find any configuration settings for Turnstile beyond choosing Managed, Non-interactive, or Invisible mode.

The good news is that other spam prevention features are keeping these junk accounts from posting, but I'd rather they not be able to create an account in the first place. Guess it's time to craft a Q&A captcha that humans can solve fairly easily but would stump the bots.
 

Attachment: TurnstileResults.webp
I use Cloudflare Turnstile and the built-in features.
I get no spam sign-ups so far.
I know on the site I help with it is the same, and he gets about 20 new sign-ups a week.
What are your settings for the built-in features?

I just changed our Stop Forum Spam settings from 1 / 2 / 7 / 5 to 1 / 2 / 30 / 2. I'm not confident those changes will help much.
 

Attachment: XFSpamManagement20250301.webp
Modify the built-in keyword moderation for XenForo under the Anti-Spam settings (Options -> Spam Management -> Spam phrases).

If anyone uses one of the keywords, the post gets moderated. That seems to be the best way to catch people that slip through the cracks.

We use this keyword list and it gets pretty much all spam.

Code:
abortion
naked
sex
dating
keto*
health*
enhancement*
https://*
http://*
cbd*
financial
website
bitcoin
phishing
scam
FOREX
CRYPTO
religious
BLOCKCHAIN
email
e-mail
CYBER
temu
silver
supplier
mercury
Africa
worldwide
banking
china
crypto
btc
pills
dhabi
Dhabi
abortion
Whatsapp
 
If Turnstile and Q&A captchas don't work out, I can ask my community if they would be willing to pay the one-time and annual costs for Xon's add-ons, but $30/year on top of the annual renewal fee would be a hefty price tag for a smaller community that's more active on Discord than forums these days (but there's still a place and purpose for forums! :)).
This seems penny wise and pound foolish, considering the value of your time dealing with this.
 
This seems penny wise and pound foolish, considering the value of your time dealing with this.
Fair point, but we're 100% funded by donations and our forums aren't nearly as active as our Discord server these days, so it may make more sense to just purge newly registered accounts with zero posts every month than spend $45 once and $30 annually. (It would be a very different story if our forums were as active today as they were a decade ago.) I can ask if community members are willing to donate to cover the expense.

I also plan to try the Q&A captcha and see how that goes.
 
Analyse the country each registration IP address comes from - consider using something like my addon to block registrations from that country. If the IP addresses are from Data Centres, use Cloudflare level ASN blocking to block those ranges.


Here is my current list of blocked country codes that cannot register on one of my sites:

A1, AE, AF, AL, AM, AR, BA, BD, BG, BO, BS, BY, CG, CM, CZ, DZ, EE, EG, ET, FI, GE, HU, ID, IL, IN, IQ, IR, JO, KH, KW, KZ, LA, LB, LI, LK, LV, MA, MD, ME, MG, MK, MM, MN, MO, MU, MX, MY, NG, NP, PH, PK, PL, PS, RS, RU, RW, SC, SI, SK, SN, SS, SY, TH, TR, UA, VN, XK, ZM
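
The analysis suggested in the post above, as an added example that is not part of the original thread: it tallies reviewed registrations by data-centre ASN and by country, then builds a Cloudflare custom-rule expression limited to the registration path. The prefix table, sample registrations, placeholder country codes (XA/XB/XC), thresholds and the `/register` path are constructed assumptions; call `waf_expression(*block_candidates(REGISTRATIONS))` to get the rule text.

```python
import ipaddress
from collections import Counter

# Constructed lookup table on documentation ranges: network -> (country, ASN, datacentre?).
# XA/XB/XC are placeholder country codes; real data would come from a GeoIP/ASN database.
PREFIXES = [
    ("192.0.2.0/24",      ("XA", 64500, True)),
    ("198.51.100.0/25",   ("XB", 64501, False)),
    ("198.51.100.128/25", ("XC", 64502, False)),
    ("203.0.113.0/24",    ("XC", 64503, True)),
]
# Constructed sample: (registration IP, confirmed spam after manual review?)
REGISTRATIONS = [
    ("192.0.2.10", True), ("192.0.2.11", True), ("192.0.2.77", True),
    ("198.51.100.5", True), ("198.51.100.9", True), ("198.51.100.20", True),
    ("198.51.100.130", True), ("198.51.100.131", False), ("198.51.100.200", False),
    ("203.0.113.8", True), ("203.0.113.9", False),
]

def lookup(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, info in PREFIXES:
        if addr in ipaddress.ip_network(cidr):
            return info
    return ("ZZ", 0, False)  # origin not in the table

def flagged(rows, key, min_spam, min_ratio):
    """Keys with at least min_spam spam sign-ups and a spam share >= min_ratio."""
    total, spam = Counter(), Counter()
    for info, is_spam in rows:
        total[key(info)] += 1
        spam[key(info)] += is_spam
    return sorted(k for k in total if spam[k] >= min_spam and spam[k] / total[k] >= min_ratio)

def block_candidates(regs, min_spam=3, min_ratio=0.9):
    rows = [(lookup(ip), is_spam) for ip, is_spam in regs]
    # Data-centre ASNs first: the narrowest rule, least likely to hit real members.
    asns = flagged([r for r in rows if r[0][2]], lambda i: i[1], min_spam, min_ratio)
    # Countries are judged only on sign-ups the ASN rule would not already stop.
    rest = [r for r in rows if r[0][1] not in asns]
    countries = flagged(rest, lambda i: i[0], min_spam, min_ratio)
    return asns, countries

def waf_expression(asns, countries, path="/register"):
    # Scoped to the registration path (assumed) so existing members can still browse and log in.
    clauses = [("ip.geoip.asnum", " ".join(map(str, asns))),
               ("ip.geoip.country", " ".join('"%s"' % c for c in countries))]
    parts = ["%s in {%s}" % (field, values) for field, values in clauses if values]
    return '(http.request.uri.path contains "%s" and (%s))' % (path, " or ".join(parts)) if parts else ""
```

Country XA is not flagged here because every spam sign-up from it is already covered by the ASN rule, which keeps the country list as short as the data allows.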
 
What are your settings for the built-in features?

I just changed our Stop Forum Spam settings from 1 / 2 / 7 / 5 to 1 / 2 / 30 / 2. I'm not confident those changes will help much.
On the site I am staff on, it is
1/2/90/2
When I asked the admin, he said the 90 was because he used other things that limited it to only 2 of the fields to check.
 