New customer - thank you so much for existing, XenForo!

[odingalt]

Hi,

I am the proprietor of a very small gaming e-commerce website, we were running PHPBB many moons ago. Some of our members convinced us to upgrade to Vbulletin, telling us about how PHPBB couldn't do this and PHPBB couldn't do that.

Well, after a couple of years on Vbulletin, and about a dozen security breaches of our forums, we'd had enough. Today we purchased XenForo.

Data conversion was a breeze. It actually converted over all of our attachments, files, everything. Amazing. I swear even when I converted FROM VB4 to VB4 (don't ask) it lost data. The XenForo admin panel is much less of a clusterf### than VB4's admin CP (which is impossible to navigate).

XenForo support pages actually give me the correct information when trying to find a setting in the admin panel, as opposed to VB4's outdated documentation.

Only time will tell if XenForo is secure, but VB4 was a piece of swiss cheese (get it? Lots of holes). Got tired of cleaning up the script kiddiez graffiti. As far as I am concerned VB4 was dropped by their maker entirely, left wide open to backdoors, just to try to get VB4 customers to upgrade to VB5.

VB didn't get my money this go around - XenForo did!

Thanks for existing!

 

[odingalt]

Also, XenForo is actually (apparently) conscientious regarding SEO (I don't know enough to know if XenForo's friendly URL's actually help or not). VB4 + SEO = bye bye SERPs! VB4 wants you to upgrade to VB5 to get any improvement for SEO. I'm all for paying for major upgrades but VB4 was such a pile of junk and a waste of money, grrr. And seriously, I like that XenForo locks the install folder. Now, I never ever forgot to delete the install folder on VB - however - every time I got hacked, I was told that I needed to delete my (non-existant) install folder. Just yet another of the many irritations you can expect from VB.

Sorry for making this post a VB rant. I just hope XenForo is as good in the long run as it has been for me for the past two hours! Will try to remember to come back and post after I've had to roll a few security patch updates etc. One nice thing was VB's panel would let you know when you were out of date. Will wait to find out if XenForo has a notification system.

 

[Lisa]

Welcome to XenForo It doesn't have an ACP notification system to tell you if it's out of date but an email is sent out when a new version is available, it's posted on the forums as well and tweeted/FB'd.

 

[Teapot]

Will wait to find out if XenForo has a notification system.

As well as what @Azhria Lilu said, you can also watch the announcements forum for new threads - you'll be e-mailed, and receive an alert here, only a minute or two after the thread is posted. The e-mails (and sometimes social media notifications) tend to go out a day or so after the release.

 

[odingalt]

Allright day 3 and I'm ready to delete XenForo and go back to Vbulletin. I'll take getting hacked any day over getting spammed to death.

On Vbulletin, I was able to insert a custom question in the middle of the registration page that spam scripts wouldn't pick up on. I got 0 (yes literally ZERO) spam signups for months. I did not use captcha, I did not use custom Q&A. What I did was just insert a random but required entry box. Like name.. forum name... password... what's the president's name... spam scripts missed this every time.

Even before that, if a customer was spamming to death, you could easily ban/delete all posts and go about your business.

On XenForo, the lack of a ban+delete all posts button is a sorely overlooked feature in my opinion.

Now if you'll excuse me, I have to go manually click and delete a few hundred posts, and then figure out how to downgrade from XenForo back to vbulletin.

 

[odingalt]

I also read this and it's equally useless: https://xenforo.com/help/spam/

 

[Jeremy P]

If you change the settings in the ACP you'll get a "ban+delete" link called "Spam."

And the "What is the president's name?" is literally a custom Q&A CAPTCHA, which XenForo supports out of the box.

Read what you linked, don't just skim it and jump the gun as soon as you see the word "query." Queries are for if you messed up and removed the account before using the spam button.

 

[odingalt]

(Wasn't a useful nor productive post, edited and deleted)

 

[odingalt]

(Wasn't a useful nor productive post, edited and deleted)

 

[Russ]

The page you linked to:

https://xenforo.com/help/spam/

Specifically states:

To make the Spam Cleaner available at all times, set all three values to 0.

Regarding PREVENTING it, have you thought about some question and answers specific to your site? Maybe what comes before 360?

Regarding the hidden question I think this plugin has something like that along with other options:

http://xenforo.com/community/resources/tac-tenants-anti-spam-collection-anti-spam-free-version.1474/

 

[odingalt]

"To make the Spam Cleaner available at all times, set all three values to 0."

What I was afraid this meant was that it would submit all of my forum users (even the good ones) to potential automatic spam trigger and cleanup, I was afraid to enter three 0's in that XenForo might accidentally go and wipe out my entire forums claming everybody was a spammer and adding them to the trigger list (provided that I put in overly sensitive settings in for the trigger settings). Does entering three 0's put everybody on the potential list for trigger spam, or does it just enable the spam cleanup button for all posts? I'd hate to accidentally trigger good users. I'm not a fan of triggers/thresholds, they sound good but they don't play well in the real world. (A la style of spam assassin, the most worthless spam filtering trigger-based algorithm on the planet.)

 

[odingalt]

(Thanks for posting back will try to be more reasonable in future posts, then if somebody else finds the posts, they may actually find this thread useful too.)

 

[odingalt]

I said:

I did not use captcha, I did not use custom Q&A. What I did was just insert a random but required entry box. Like name.. forum name... password... what's the president's name... spam scripts missed this every time.

Then you said

And the "What is the president's name?" is literally a custom Q&A CAPTCHA, which XenForo supports out of the box.

I am confused. I said I did not use custom Q&A. The Q&A system was defeated a long, long time ago. In some cases the spammers (overseas, working for fractions of a penny per signup) will sit there with a screen full of little windows of Q&A's and they will manually answer each and every Q&A to bypass the Q&A system. The system I described above was not just enabling the stock Q&A system, which is already scraped by signup bot software. The systme I described involves inserting a random field within the standard user registration, and then requiring that the words the user enters in the box be a particular set of words. The reason this is not Q&A is that since it's a randomly inserted box, it won't be picked up by the scraper bots like the official Q&A system. I hope this explanation makes sense. I don't have a live example as I removed that old installation entirely and I'm too lazy to restore from backup to a temporary URL to demonstrate.

 

[Jeremy P]

Oh, I would still classify that as a Q&A, just with a random input ID.. but I do get the distinction. There is an addon for that I do believe, though I don't use it myself.

Have you configured StopForumSpam/Honey Pot and the DNSBL for registrations? And Akismet for posts? I've had maybe 1 spammer get thru while it blocked 213 attempts in the past month.

 

[odingalt]

I'm wary of add-ons. Are they secure? Are they officially supported if something goes wrong, or are they third party "open source"? Or do they come with an understanding that they are third party/non-supported?

 

[Jeremy P]

The options I mentioned are built in, except for the captcha you were talking about.

The Resource Manager has a review system to help you gauge the quality. The questions you asked vary widely by author and add-on. Some of my addons are open source, for example, others are free but not open source, and others still cost money.

They are not officially supported, but unless they change the database structure it's unlikely they'll cause problems that disabling them can't fix. And even then the community is helpful enough to unofficially support them, and if your forums are completely broken I would think XF support would do what they could to help repair them.

 

[rainmotorsports]

@odingalt your method is basically the same (or reverse of) concept as FoolBotHoneyPot. With the exception of the field being visible. FBHP adds a bunch of hidden fields that only a spam bot would ever fill out and they do, all day long.

FBHP probably blocks 60 a day on our site meaning 0 getting through. We have had 3 spam registrations in the last 5 months total.

It looks at alot more than just those fields, if any are its game over for the bot but if they miss them there are several other things. Sample from my log:

Hidden Fields Modifed, Registration Too Fast,
FoolBotHoneyPot: Detected As A Bot - Registration Blocked
8 minutes ago : 31.41.218.134:62412
Username: lldaqcp
Email: lbsnux@ebnevelde.org
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.12785 YaBrowser/13.12.1599.12785 Safari/537.36
Time taken to register: 6 (seconds)
JavaScript Enabled Browser: FALSE
Altered Hidden Field Count: 17
Basic Proxy Detection: Possibly Forged IP Address, ipAddress (31.41.218.134) == ReverseDNS (31.41.218.134)
Browser Plugins Detected: None
Bot Detected On StopBotters: FALSE

I installed it, the only maintainence required was updating the version for 1.3. That update had come out prior to 1.3's release and it was only required due to 1.3 supporting ipv6. Been a beautiful thing for me.

 

[TPerry]

I'm wary of add-ons. Are they secure? Are they officially supported if something goes wrong, or are they third party "open source"? Or do they come with an understanding that they are third party/non-supported?

The ones I use are third party and WELL supported by their author (@tenants).
I run the paid (branding free) version on one site and on the other two the branded version (saving up the scratch to get the branding free of them also).
Branded version: http://xenforo.com/community/resources/tac-tenants-anti-spam-collection-anti-spam-free-version.1474/
Branding free version (paid): http://xenforo.com/community/resour...ollection-anti-spam-complete-collection.1469/

Haven't had a bot one (or spammer) hit ANY of my 3 forums while using these.

 

[odingalt]

Ok guys thanks for weighing in. Sorry again for frustrated tone of the posts early on. [Cavemen don't adapt easily to change. Unga bunga!] Will read up on everything you've posted.

 

[Lisa]

Ok guys thanks for weighing in. Sorry again for frustrated tone of the posts early on. [Cavemen don't adapt easily to change. Unga bunga!] Will read up on everything you've posted.

It's understandable to get frustrated when you're getting to grips with a new software. Bear with it and don't be scared to ask ask ask! There's always someone around here who will be able to steer you in the right direction