One of my two XF forums has been nailed by the spamming attack; I'm making adjustments on the second one now. Interesting though: the attacked forum was using ReCAPTCHA, the second was using Q&A, and has not seen the volume I've witnessed on the first forum. On the first forum, we manually approve memberships, so nothing got to the forum. But now I have to delete quite a few, and it is only increasing.
My first forum is very low volume. Since this morning when I stumbled out of bed, I've had 29 registrations. This started yesterday. We'd get maybe one spam registration per week that we would have to dump.
The IP addresses that I checked last night were predominantly in Russia, with Ukraine coming a strong second, but they were also in western Europe, the U.S. and South America. They appear to be using their own computers at home and also using proxies and hijacked computers elsewhere.
Botnet, perhaps? I've noticed that the IP address locations are scattershot. Can't pinpoint any one country or region.
Surges in spam are normal from time to time. I have been witness to several surges on different forum platforms over the years. In this case it appears that a new spam program called XRUMER may be responsible.
Xrumer has been around for several years. Looks like it has been updated to get all nice and cozy with XF. In fact, I think I may have downloaded it several years ago, or something similar, to see how it worked. I don't remember much, but it was scary to see how many forums were listed in the program, and how fast it could bang away at registrations. Mind boggling stuff!
Funny how people think this is a problem with xenforo. I might have had one beer too many, but to be honest you are responsible for stopping spam on your site. Sure, the tools xF provides by default could be a little bit better, but with a minimum of effort you can prevent it.
Definitely not an XF problem; however, I'm sure work will be done in future versions to lock things down a bit more, or improve our spam-fighting tools.
I will say this, though: banning IP addresses, email addresses, etc. is a total waste of time. I also tried checking for empty profile fields, or profile fields filled in with invalid data--it would only take a week or two for the spammers to adjust, and spamming would return with a vengeance. I chased all those during my days using phpBB2, and all of it was wasted work. My last iteration of phpBB2 had probably three dozen customizations, many of those done to combat spam. Just about all of those became useless only weeks after I'd installed them.
The only thing that worked was a "secret code" type of registration system, and the spammers were too dumb to figure it out. It was a variation based on Q&A. What I did was create a handful of random eight-digit numbers. I hard-coded those into a phpBB2 modification I had installed and partially rewrote, and then put the secret code at the bottom of all of the site's pages...including the forum. The hilarious part is that this "secret" code was right at the bottom of the forum registration page! Only a very small number of human spammers ever leaked through. I still have two forums running phpBB2 unfortunately (no funds for XF on those two), but spam is still not a problem for those, surprisingly!
I believe that I based this on a "VIP Code" modification for phpBB2.
Something similar could be done with XF using the existing Q&A system. "Please enter your VIP Code here." Then, put the VIP code elsewhere on the site. I used to display one of my eight codes so it looked like they were randomly generated, while any of the eight would work. As dumb and simple as it was...it worked. At least this is something that might be a little easier for non-spammers--they can copy/paste a VIP code displayed elsewhere on the site, rather than answer a question that spammers might figure out. Changing the VIP codes every so often will help.
I'm sick of this. I've wasted I don't know how many hours (hundreds at least) over the past 10 or more years battling email spam, forum spam, WordPress comment and trackback spam...I'm SO over this. I'm too polite to say what I'd do with all of those effing spammers.
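A sketch of the "VIP code" gate described in the post above, added here as an example and not the poster's phpBB2 modification or any XenForo code: codes live in a dated schedule, the site footer shows only the newest one, any code that has not been retired for more than a grace period still validates (so rotating codes "every so often" never strands someone who copied yesterday's footer), and the check compares in constant time. The sample codes, dates and function names are constructed.

```python
import hmac
from datetime import date, timedelta

# Constructed sample schedule of eight-digit VIP codes: (code, day it went live).
# A real deployment keeps this in configuration, not in source.
VIP_CODES = [
    ("48213957", date(2024, 1, 1)),
    ("90217364", date(2024, 3, 1)),
    ("31579024", date(2024, 5, 1)),
]
GRACE_DAYS = 60  # a superseded code keeps working this long after its replacement went live


def active_codes(today, schedule=VIP_CODES, grace_days=GRACE_DAYS):
    """Codes a registrant may enter on `today`, oldest first: every code that is
    live and has not been superseded for longer than the grace period."""
    live = sorted((day, code) for code, day in schedule if day <= today)
    result = []
    for i, (_, code) in enumerate(live):
        superseded_on = live[i + 1][0] if i + 1 < len(live) else None
        if superseded_on is None or today - superseded_on <= timedelta(days=grace_days):
            result.append(code)
    return result


def displayed_code(today, schedule=VIP_CODES):
    """The single code to print in the site footer: the newest live one, or None
    if the schedule has nothing live yet."""
    codes = active_codes(today, schedule)
    return codes[-1] if codes else None


def normalize(answer):
    # Humans copy/paste with stray spaces or dashes; keep only the digits.
    return "".join(ch for ch in answer if ch.isdigit())


def vip_code_is_valid(answer, today, schedule=VIP_CODES):
    """Registration-form check: does the submitted answer match any active code?
    Every active code is compared with hmac.compare_digest so response time
    does not reveal how much of a guess matched."""
    candidate = normalize(answer).encode()
    matched = False
    for code in active_codes(today, schedule):
        matched |= hmac.compare_digest(candidate, code.encode())
    return matched
```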