XF 1.1 My Forum's Getting Lots Of Spam

System0

Active member
edit by jake - I just posted a resource that consolidates all of the information from this thread into one guide:
http://xenforo.com/community/resources/dealing-with-forum-spam.980/


I've never had any problems with spam before but when I checked my forum today I saw lots of spam threads. Some were in Russian though many were in English.

I checked some users and they had fully validated their account using Gmail. The spam is undoubtedly automated though.

Some users have signed up using the domain andasio.com.

At the moment I am getting a new thread every few minutes and the IP addresses are all different so there doesn't seem to be any way to stop it

(note: I haven't installed any new add ons or mods in a while so I don't think that's the issue)

I used to have this problem with vBulletin though this is the first time I've ever had a problem with XenForo. It's kind of taken me by surprise to be honest.

Any idea how this is happening and how I can stop it?

Thanks,
Kevin
 

HydraulicJack

Well-known member
I have a field where I require that the registrant or spam-bot provide their order number which at this point lets anybody or anybotty register as long as the field is not empty. At this point the bot is getting into being Registered, Awaiting Confirmation by putting sports teams names in - such as Cleveland Cavaliers, etc. (new spam registrations seem to be pulling from a fairly limited table of these names).

However, my required order number does have a specific format using a combo of numeric, hyphen, and alpha, which they are not real ikely to know or learn, so I'd like to know how I could configure this field to require a specific pattern of numeric, hyphen, and alpha, so the spam bots would more likely get defeated.

I'm not a wizard coder or even in that ballpark, so I'm hoping one of you might have a suggestion that might be easy for me to apply such a pattern match test to this specific field.

Many thanks in advance!
HJ
 

Jake Bunce

Well-known member
I have a field where I require that the registrant or spam-bot provide their order number which at this point lets anybody or anybotty register as long as the field is not empty. At this point the bot is getting into being Registered, Awaiting Confirmation by putting sports teams names in - such as Cleveland Cavaliers, etc. (new spam registrations seem to be pulling from a fairly limited table of these names).

However, my required order number does have a specific format using a combo of numeric, hyphen, and alpha, which they are not real ikely to know or learn, so I'd like to know how I could configure this field to require a specific pattern of numeric, hyphen, and alpha, so the spam bots would more likely get defeated.

I'm not a wizard coder or even in that ballpark, so I'm hoping one of you might have a suggestion that might be easy for me to apply such a pattern match test to this specific field.

Many thanks in advance!
HJ

Callback:

http://xenforo.com/community/resources/custom-user-field-callback-validate-value.379/

Or a regex may be possible, but I need you to give me specific examples of valid entries so I can try to create a regex for it.
 

HydraulicJack

Well-known member
I created a special field that required that new member provide a valid order number (they buy my publication to get access to my forum)... and Jake Bunce provided me with a specific regex that so far has fixed it.

So... even if you're not selling something, you might give some thought to having some way to validate that they are legitimate by sending an email automatically to someone who supposedly registers with a code in it of a specific pattern that could then be checked by regex test. Jake Bunce is really the guy to ask about this kind of stuff, imho.

I didn't disclose my specific test pattern in the public forum even here but did so in a private conversation here with Jake. He provided the regex code and one of my Admins installed it and so far that seems to be working. We were getting over 100 spam registrations per day every day and at least for the past few days, i.e. since we DID apply Jake's regex that field, no more spam reg's as yet.

Also, re: the spam we DID get prior was always the same very low number sports team names so maybe something could be screened for that.

Good luck... and ask Jake!
 

seneca

Member
I have custom user fields that are "required" during sign up, but they are getting through without filling everything out. Ideas? Somehow when I run through the sign up process, it makes me fill everything out.
 

tenants

Well-known member
It sounds stupid, but I don't think these fields are required (via the back end), they just display on the registration form and seem required (and most humans wont know how to bypass this, but some bots will)

I just had a look at actionRegister() and actionValidateField() and if a custom field isn't sent (ie a bot sends the POST request directly to the actionRegister without sending any of the custom fields) it's simply skipped over

I can't see what would make a custom field "required" (from the back end, the form it's self is just cosmetic, bots often wont care about this)

Although, I would expect others to have mentioned this by now... so maybe I'm wrong

PHP:
public function actionValidateField()
    {
        $this->_assertPostOnly();
        $field = $this->_getFieldValidationInputParams();
        if (preg_match('/^custom_field_([a-zA-Z0-9_]+)$/', $field['name'], $match))  {
 
/* But, if custom field param is not even sent... =>  no preg_match
*  no errors for the custom field will get sent back ...
*  so the "required" field could be skipped when sending the POST directly
*/
 
            $writer = XenForo_DataWriter::create('XenForo_DataWriter_User');
            $writer->setCustomFields(array($match[1] => $field['value']));
            if ($errors = $writer->getErrors()) {return $this->responseError($errors);}
            return $this->responseRedirect(XenForo_ControllerResponse_Redirect::SUCCESS,'',
                new XenForo_Phrase('redirect_field_validated', array('name' => $field['name'], 'value' => $field['value']))
            );
        }
        else  {return $this->_validateField('XenForo_DataWriter_User'); }
    }

Smells like it could be a bug, but Jake seems to have fixed the above guys issue with custom fields, I'm a bit mythed (was that a core edit / plugin to extend actionRegister ?)

Jake??? are required fields validated back end if they are not sent (ie a POST request is sent directly to action register without containing any custom fields params or values???)
 

HydraulicJack

Well-known member

Jake Bunce

Well-known member
It sounds stupid, but I don't think these fields are required (via the back end), they just display on the registration form and seem required (and most humans wont know how to bypass this, but some bots will)

I just had a look at actionRegister() and actionValidateField() and if a custom field isn't sent (ie a bot sends the POST request directly to the actionRegister without sending any of the custom fields) it's simply skipped over

I can't see what would make a custom field "required" (from the back end, the form it's self is just cosmetic, bots often wont care about this)

Although, I would expect others to have mentioned this by now... so maybe I'm wrong

PHP:
public function actionValidateField()
    {
        $this->_assertPostOnly();
        $field = $this->_getFieldValidationInputParams();
        if (preg_match('/^custom_field_([a-zA-Z0-9_]+)$/', $field['name'], $match))  {
 
/* But, if custom field param is not even sent... =>  no preg_match
*  no errors for the custom field will get sent back ...
*  so the "required" field could be skipped when sending the POST directly
*/
 
            $writer = XenForo_DataWriter::create('XenForo_DataWriter_User');
            $writer->setCustomFields(array($match[1] => $field['value']));
            if ($errors = $writer->getErrors()) {return $this->responseError($errors);}
            return $this->responseRedirect(XenForo_ControllerResponse_Redirect::SUCCESS,'',
                new XenForo_Phrase('redirect_field_validated', array('name' => $field['name'], 'value' => $field['value']))
            );
        }
        else  {return $this->_validateField('XenForo_DataWriter_User'); }
    }

Smells like it could be a bug, but Jake seems to have fixed the above guys issue with custom fields, I'm a bit mythed (was that a core edit / plugin to extend actionRegister ?)

Jake??? are required fields validated back end if they are not sent (ie a POST request is sent directly to action register without containing any custom fields params or values???)

Bug confirmed. Report and code fix posted:

http://xenforo.com/community/threads/required-custom-fields-can-be-skipped-on-registration.41413/
 

Baby Community

Well-known member
edit by jake - I just posted a resource that consolidates all of the information from this thread into one guide:
http://xenforo.com/community/resources/dealing-with-forum-spam.980/


I've never had any problems with spam before but when I checked my forum today I saw lots of spam threads. Some were in Russian though many were in English.

I checked some users and they had fully validated their account using Gmail. The spam is undoubtedly automated though.

Some users have signed up using the domain andasio.com.

At the moment I am getting a new thread every few minutes and the IP addresses are all different so there doesn't seem to be any way to stop it

(note: I haven't installed any new add ons or mods in a while so I don't think that's the issue)

I used to have this problem with vBulletin though this is the first time I've ever had a problem with XenForo. It's kind of taken me by surprise to be honest.

Any idea how this is happening and how I can stop it?

Thanks,
Kevin
I've had spam problems for years. I got the spaminator plugin. The problem is gone…

As far as I follow, dozens of spambots are trying to become a member of the Bebek community and publish topics. Thanks to Spaminator, none of them succeeded.

Spaminator add on is here:
https://snogssite.com/
 
Last edited:

MikeMpls

Well-known member
Spam hasn't been a significant issue since checks of the StopForumSpam database were integrated in Release 1.2. about 9 years ago. There have been some spam-related improvements since, but if you're running 1.2 or later and are plagued with spam, you need to review how you have configured your forum. Spam has been all but non-existent in releases for past several years.
 

AzzidReign

Well-known member
Get cloudflare, block china, russia, india, and w/e other country that is known for spamming from accessing your registration page. Doing this has resulted in a massive decrease in spam, and that's with have SFS throughout the years where spam was an issue for us.
 

Dragonfruit

Well-known member
Get cloudflare, block china, russia, india, and w/e other country that is known for spamming from accessing your registration page. Doing this has resulted in a massive decrease in spam, and that's with have SFS throughout the years where spam was an issue for us.
Not all users from those countries are spammers. I even had someone from Russia message me privately once and thanking us for not imposing such restrictions on them like many other sites/boards have done. We’ve had legitimate sign ups from those 3 countries you’ve listed. Sure it’s not a lot, but I rather not discriminate just because there’s others ruining it for them.

Using the antispam registration addons here seems to be sufficient for us. There’s no need to block entire countries.
 

AzzidReign

Well-known member
Not all users from those countries are spammers. I even had someone from Russia message me privately once and thanking us for not imposing such restrictions on them like many other sites/boards have done. We’ve had legitimate sign ups from those 3 countries you’ve listed. Sure it’s not a lot, but I rather not discriminate just because there’s others ruining it for them.

Using the antispam registration addons here seems to be sufficient for us. There’s no need to block entire countries.
You say there is no need but we were battling it every single day with 20+ threads, despite having a bunch of anti spam addons, trying different captchas and q&a. When I looked, we got less than a handful of legitimate users from those countries with us being strictly english based site. I've had 3 requests through email or social media asking why they can't sign up...that's in the span of 2 years doing this now. In those cases, we created the accounts for them and had them create a new password upon logging in.

I'd rather take 30 seconds to create an account, 3x in 2 years, rather than deal with multiple spammers every single day, creating sleeper accounts that don't get caught until they start spamming with them at later dates.

But hey, you do you. I've been doing this for 17+ years now. Whatever makes my life easier, I'm going to do.
 
Top