XF 1.1 My Forum's Getting Lots Of Spam

HydraulicJack

Well-known member
I have a field where I require that the registrant or spam-bot provide their order number which at this point lets anybody or anybotty register as long as the field is not empty. At this point the bot is getting into being Registered, Awaiting Confirmation by putting sports teams names in - such as Cleveland Cavaliers, etc. (new spam registrations seem to be pulling from a fairly limited table of these names).

However, my required order number does have a specific format using a combo of numeric, hyphen, and alpha, which they are not real likely to know or learn, so I'd like to know how I could configure this field to require a specific pattern of numeric, hyphen, and alpha, so the spam bots would more likely get defeated.

I'm not a wizard coder or even in that ballpark, so I'm hoping one of you might have a suggestion that might be easy for me to apply such a pattern match test to this specific field.

Many thanks in advance!
HJ
 

Jake Bunce

XenForo moderator
Staff member
Callback:

http://xenforo.com/community/resources/custom-user-field-callback-validate-value.379/

Or a regex may be possible, but I need you to give me specific examples of valid entries so I can try to create a regex for it.
 

HydraulicJack

Well-known member
I created a special field that required that new member provide a valid order number (they buy my publication to get access to my forum)... and Jake Bunce provided me with a specific regex that so far has fixed it.

So... even if you're not selling something, you might give some thought to having some way to validate that they are legitimate by sending an email automatically to someone who supposedly registers with a code in it of a specific pattern that could then be checked by regex test. Jake Bunce is really the guy to ask about this kind of stuff, imho.

I didn't disclose my specific test pattern in the public forum even here but did so in a private conversation here with Jake. He provided the regex code and one of my Admins installed it and so far that seems to be working. We were getting over 100 spam registrations per day every day and at least for the past few days, i.e. since we DID apply Jake's regex to that field, no more spam reg's as yet.

Also, re: the spam we DID get prior was always the same very low number sports team names so maybe something could be screened for that.

Good luck... and ask Jake!
 
I have custom user fields that are "required" during sign up, but they are getting through without filling everything out. Ideas? Somehow when I run through the sign up process, it makes me fill everything out.
 

tenants

Well-known member
It sounds stupid, but I don't think these fields are required (via the back end), they just display on the registration form and seem required (and most humans won't know how to bypass this, but some bots will)

I just had a look at actionRegister() and actionValidateField() and if a custom field isn't sent (i.e. a bot sends the POST request directly to the actionRegister without sending any of the custom fields) it's simply skipped over

I can't see what would make a custom field "required" (from the back end, the form itself is just cosmetic, bots often won't care about this)

Although, I would expect others to have mentioned this by now... so maybe I'm wrong

PHP:
public function actionValidateField()
{
    $this->_assertPostOnly();
    $field = $this->_getFieldValidationInputParams();
    if (preg_match('/^custom_field_([a-zA-Z0-9_]+)$/', $field['name'], $match)) {

        /* But, if custom field param is not even sent... => no preg_match
         * no errors for the custom field will get sent back ...
         * so the "required" field could be skipped when sending the POST directly
         */

        $writer = XenForo_DataWriter::create('XenForo_DataWriter_User');
        $writer->setCustomFields(array($match[1] => $field['value']));
        if ($errors = $writer->getErrors()) {
            return $this->responseError($errors);
        }
        return $this->responseRedirect(
            XenForo_ControllerResponse_Redirect::SUCCESS,
            '',
            new XenForo_Phrase('redirect_field_validated', array('name' => $field['name'], 'value' => $field['value']))
        );
    } else {
        return $this->_validateField('XenForo_DataWriter_User');
    }
}
Smells like it could be a bug, but Jake seems to have fixed the above guy's issue with custom fields, I'm a bit mythed (was that a core edit / plugin to extend actionRegister ?)

Jake??? are required fields validated back end if they are not sent (i.e. a POST request is sent directly to action register without containing any custom fields params or values???)
 

Jake Bunce

XenForo moderator
Staff member
Bug confirmed. Report and code fix posted:

http://xenforo.com/community/threads/required-custom-fields-can-be-skipped-on-registration.41413/
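
The two checks discussed in this thread, a format pattern on the order-number field and a "required" rule that still applies when the parameter is left out of the POST, shown side by side as an added example. This is not XenForo's code and not the fix posted in the linked report; the field names, function names and the order-number pattern are hypothetical (the real pattern was only shared privately).

```php
<?php
// Added example. Field definitions and the pattern are hypothetical.
$fieldDefs = [
    'order_number' => ['required' => true,  'pattern' => '/^\d{5}-[A-Z]{2}\z/'],
    'location'     => ['required' => false, 'pattern' => null],
];

// Validate one value against its definition; non-strings count as empty.
function checkField(string $name, array $def, $value): array
{
    $value = is_string($value) ? trim($value) : '';
    if ($value === '') {
        return $def['required'] ? [$name => 'required'] : [];
    }
    if ($def['pattern'] !== null && preg_match($def['pattern'], $value) !== 1) {
        return [$name => 'bad format'];
    }
    return [];
}

// Flawed: only looks at fields present in the request, so a POST that
// omits order_number never reaches the "required" rule.
function validateSubmittedOnly(array $defs, array $post): array
{
    $errors = [];
    foreach ($post as $name => $value) {
        if (isset($defs[$name])) {
            $errors += checkField($name, $defs[$name], $value);
        }
    }
    return $errors;
}

// Hardened: walks the server-side definitions and treats an absent
// parameter exactly like an empty one.
function validateAllDefined(array $defs, array $post): array
{
    $errors = [];
    foreach ($defs as $name => $def) {
        $errors += checkField($name, $def, $post[$name] ?? '');
    }
    return $errors;
}

// Constructed sample requests.
$samples = [
    'field omitted' => ['username' => 'a'],
    'team name'     => ['username' => 'b', 'order_number' => 'Cleveland Cavaliers'],
    'valid'         => ['username' => 'c', 'order_number' => '12345-AB'],
];
foreach ($samples as $label => $post) {
    printf("%-14s flawed=%s hardened=%s\n", $label,
        json_encode(validateSubmittedOnly($fieldDefs, $post)),
        json_encode(validateAllDefined($fieldDefs, $post)));
}
```

Only the hardened function reports an error for the request that leaves the field out; both reject the sports-team value once the pattern is in place.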
 