How do you handle spam registrations?

FTL

Well-known member
This is a conversational thread about how we handle spam registrations. I don't need help with it, but I'm sure we could all pick up a few tips from each other.

I just let XF put all registrations in an approval queue where they show up as spam, getting something like the screenshot below. I mean, just look at it, weird username and no one has an email address like that. This account is clearly utter garbage and I've since spam cleaned it of course. Sometimes the system auto-bans them without any human intervention. I like that the best! 😁

[Screenshot: spam registration]

BTW, I noticed that if I delete the banned spam accounts from the ACP, the spammers just try to register them again, with the exact same usernames and email addresses. I guess these must be bots that don't know better. I therefore have to leave them in there to prevent this, but I'd really rather not have them there as they just clutter up my members list with useless accounts.

If registrations look legit and don't get flagged by the system, they then end up in a 5-post premoderation queue as I went with the example in the XF manual for forum promotions. I can see from the first one or two posts if the user is ok and hence manually take them out of it, usually after a short background check on the username and email address / domain, or immediately if it's someone I know or have invited.

Finally, my forum only has a few active users, but clearly it's "arrived", since the spammers have finally noticed NerdZone after many months online and register several accounts daily, sigh. :rolleyes: A dubious honour indeed.

If anyone here would like to register a nice, genuine account and take part, you'd be most welcome. 🙂 We're UK based (London timezone) welcoming people around the world and are always on the lookout for quality members to join our friendly community.
 
The idea that @z3r010 had about using Cloudflare's challenge system on the registration page has worked surprisingly well for me.

I ended up making it a simple one-click config in my Cloudflare add-on and the results of using it have been great. Since I've started using it on my site, I've gotten zero spam registrations. Cloudflare shows the CSR (Challenge Solve Rate) at only 5.71%... which means 94.29% of the requests for the registration URL are blocked because it's a bot of some sort. 4 out of the 70 requests to register in the last 24 hours were from legit users.


Did I mention that I've received exactly zero spam registrations? :)
 
Looks good. If I ever use Cloudflare I'll be sure to try this out. 🙂

Oh ya... should have mentioned that it would only work on a site using Cloudflare. Although not sure why any site wouldn't use the free Cloudflare plan these days (I forgot some people still don't.. haha).
 
> Oh ya... should have mentioned that it would only work on a site using Cloudflare. Although not sure why any site wouldn't use the free Cloudflare plan these days (I forgot some people still don't.. haha).
Free you say? I must check it out!
 
> Free you say? I must check it out!
Yep... unless you have some very unique needs, the free plan will have everything you need. And if you aren't using them already, you most likely don't have those unique needs. :)

Of my 27 sites, I have 25 on their free plan and 2 on their lowest cost paid plan. And to be honest, I don't need those 2 on their paid plan either, I just like to give them something so they stay in business. So they get $25/month total from me at least.

They are also the least expensive (and least spamming) domain registrar that I know of. $8.57 for .com domains (with free privacy included).


> The idea that @z3r010 had about using Cloudflare's challenge system on the registration page has worked surprisingly well for me.
I've been doing this since 2017-2018 or so back on XF1.x, and it works remarkably well at defeating automated signups. Some additional work is required to avoid human spam signups, largely around VPNs and known-bad actor ISPs.

In addition to the registration page being forced to be non-AJAX, I've also done that with the login page. This helps prevent some credential stuffing attacks and other login abuse.
 
For years and until recently I was able to defeat most bots with a couple of custom questions, one of them being:
"Take the square root of 25, do not subtract 2, instead add 3, what do you get?"
That worked a lot better than Google's reCAPTCHA v2.

However, bots got clever apparently and I was getting around 25 spam registrations a day. Now I have crafted a question that's very specific to the web site, should be easy to answer for humans in the context but gives little away for bots. It seems to work so far.
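Two of the defensive ideas in this thread (keeping banned spam identities on file so identical re-registrations are refused, and gating sign-up behind a site-specific custom question checked against normalised answers) can be sketched as a small registration gate. The following is an added example written for this page, not XenForo code or any add-on mentioned above; the class and function names are made up, and the banned account and question are constructed sample data.

```python
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field


def normalise_username(name: str) -> str:
    """Unicode-fold and casefold so 'Bot', 'BOT ' and a full-width 'Ｂot' compare equal."""
    return unicodedata.normalize("NFKC", name).strip().casefold()


def normalise_email(addr: str) -> str:
    """Lower-case the address and drop surrounding whitespace."""
    return addr.strip().casefold()


def normalise_answer(text: str) -> str:
    """Keep only ASCII letters and digits so ' Eight. ' and 'eight' both match."""
    return re.sub(r"[^a-z0-9]", "", text.casefold())


@dataclass
class RegistrationGate:
    """Hypothetical gate: denylist of spam-cleaned identities plus custom questions."""

    banned_usernames: set[str] = field(default_factory=set)
    banned_emails: set[str] = field(default_factory=set)
    # question text -> set of acceptable normalised answers
    questions: dict[str, set[str]] = field(default_factory=dict)

    def spam_clean(self, username: str, email: str) -> None:
        """Record a banned account's identity instead of deleting it, so a bot
        retrying the exact same username/email is refused outright."""
        self.banned_usernames.add(normalise_username(username))
        self.banned_emails.add(normalise_email(email))

    def add_question(self, question: str, *answers: str) -> None:
        """Register a custom question with every wording of the answer you accept."""
        self.questions[question] = {normalise_answer(a) for a in answers}

    def evaluate(self, username: str, email: str, question: str, answer: str) -> str:
        """Return the outcome for a registration attempt.

        Denylist hits are checked first (cheapest, and no point asking a
        question of an identity already known to be spam); a wrong or unknown
        question answer is rejected; anything else goes to the approval queue
        for a human look, matching the thread's manual-approval workflow.
        """
        if (normalise_username(username) in self.banned_usernames
                or normalise_email(email) in self.banned_emails):
            return "rejected:previously-banned"
        accepted = self.questions.get(question)
        if accepted is None or normalise_answer(answer) not in accepted:
            return "rejected:question"
        return "queued-for-approval"


# Constructed sample data for the demo; not real accounts or addresses.
DEMO_QUESTION = ("Take the square root of 25, do not subtract 2, "
                 "instead add 3, what do you get?")


def build_demo_gate() -> RegistrationGate:
    gate = RegistrationGate()
    gate.spam_clean("xq8Bot_4412", "rand0m@mailbox.invalid")
    gate.add_question(DEMO_QUESTION, "8", "eight")
    return gate


if __name__ == "__main__":
    gate = build_demo_gate()
    # Same bot retrying with different casing: refused by the retained denylist.
    print(gate.evaluate("XQ8bot_4412", "RAND0M@mailbox.invalid", DEMO_QUESTION, "8"))
    # Plausible human who answers the question loosely: goes to the approval queue.
    print(gate.evaluate("alice", "alice@example.com", DEMO_QUESTION, " Eight. "))
```

The normalisation step is what makes the "leave the banned accounts in there" approach hold up: a retry that only changes letter case or adds whitespace still hits the denylist. Accepting several answer spellings keeps the question friendly to humans without widening it for bots, which is the balance the posts above describe.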
 