1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Security issues and bots

Discussion in 'General XenForo Discussion and Feedback' started by kiwhen, Nov 23, 2013.

  1. kiwhen

    kiwhen Member

    I've been using XenForo for a while now, and granted - it's probably an older version than the one currently available for download. Some of these issues may have been adressed already, but I really can't be bothered with checking that at this point. I've pretty much had it with XenForo, and this is a sort of general feedback, but I'm also including some specific bugs. Hence the choice of forums.

    When I bought XenForo, I figured I could modify it any way I liked, using the powerful addon-system. True, you can pretty much do anything you like with it, but the learning curve is quite steep. There is little to no documentation available, and the even the simplest addons takes days of research, digging through forum discussions, other similar addons' source code and even XenForo itself. And this is coming from someone who speaks about ten different programming languages fluently. I can't imagine how hard it must be for someone with no experience at all.

    Anyway, after a couple of months, I gave up on this, and started working on my own solutions from scratch. That's what I'll be using from now on.

    The thing that really tipped me over, is the serious lack of security. We've had problems with spambots. Shortly after the initial attacks, we set up a series of tough anti-bot-questions, that were supposed to slow them down. By tough, I mean that they can't be calculated or otherwise figured out from the actual question, from a bot's point of view. This didn't help at all. It would seem like the bots somehow managed to avoid these questions.

    A couple of days ago, we really got our butts kicked, by a storm of bots. My response was to turn of user registration. Since you can't post anything on our forum without a user account, this would surely stop the attack, I thought.

    It didn't.

    I then turned on email validation. That kept them at bay. It would seem that turning off registration only serves to remove the button that says "sign up". It won't keep anyone from actually signing up. Brilliant design feature, I must say.

    Another thing; there is supposedly an anti-spam option for users. On our board, we have to wait something like 30 seconds between posts, regardless of what kind it is. Regular posts, status updates and so on. This lock doesn't apply to these bots either. They can post whatever they want, whenever they want, regardless of the rules set by the ACP.

    Again, I'm probably running an older version, but XenForo had been around for quite a while before I joined in, and this is pretty much the most basic security-stuff in the world of internets. It shouldn't be that hard to get it right. I know I'm never gonna get my money back, but on behalf of the folks still using XenForo today - for God's sake, fix this. And get some proper documentation on that API.
  2. Brogan

    Brogan XenForo Moderator Staff Member

    Moved from bugs to feedback.
  3. Mike

    Mike XenForo Developer Staff Member

    There are several things here that are simply incorrect -- notably, the registration comment and the flood check system. They're fairly straightforward to test.

    You are of course entitled to your opinion and there are obviously things we can improve. Best of luck with your new system.
    Adam Howard likes this.
  4. Amaury

    Amaury Well-Known Member

    Always make sure you're running the latest version of any forum software. In this case, XenForo 1.2.3.
    Adam Howard likes this.
  5. Adam Howard

    Adam Howard Well-Known Member

    I completely disagree.


    ^ People can post on our site even as guest and do not need e-mail confirmation to register. Out of the 1,000's of spam bots that try daily, maybe 2 or 3 get through once every 2 or 3 months. I'd hardly call that an issue (in fact I wouldn't).

    XenForo have been around for 3 years. In the full history of the company, there has been zero security issues directly related to XenForo it's self, with the only exception being a 3rd party flash upload module.

    During that time the competition (IPB and vBulletin) has had several security concerns on a regular basis. 7 security updates in 1 year for example or thousands of sites hacked for another example, all among the competition in relation to their code. None has ever occurred with XenForo.

    It is also so easy to use and learn XenForo, that even a complete newbie can easily use it. I have a family member who is so computer illiterate, that it took sometime for me to get them to understand where the desktop was (no lie), but from an end user point of view, they can easily use it.

    And from the back end point of view, one of our partners (co-owners) is completely "point and click" dependent. I would respectfully suggest that she is the reason why people have control panels. And yet she has no issue using the back end from the administrative side of things.

    However, I respect your opinion and your right to have it. I just do not agree with it.
    Last edited: Nov 24, 2013
  6. DarkGizmo

    DarkGizmo Active Member

    Your first mistake was not running the latest version of Xenforo.
    Your second one? Having no anti spam protection...having email validation off by default was quite foolish. Let me put it to you this way. I've had 1 add-on for anti spam used, and to be honest? Haven't had a SINGLE bot get through since i've added it. Keep your forum software and add-ons up to date and you won't have any problems. I find it funny how you won't say which version of xenforo you're even using to begin with....which makes me wonder. Well as others have said, this is all your opinion and you are right to have your own opinion. Good luck with building a system from scratch and I hope it works out for you.
    Adam Howard likes this.
  7. Sheratan

    Sheratan Well-Known Member

    Well, I just had only basic spam protection. Email validation and Q&A. No anti spambot addon. Using Xenforo since 1.1.3 on March 2013 and now using Xenforo 1.2.3 and guess what? There is zero spambot registration.

    Zero. Nothing. :cool:

    If you keep your xenforo update and use properly anti spambot protection, you can say this to all spambot engine:

  8. MikeMpls

    MikeMpls Well-Known Member

    I have a 1.2.2 forum that allows guest posting that has been 100% spam free, with XF QapTcha (I believe Adam Howard, above, uses that as well) and a one-line tweak in the PHP code just to discard automatically posts flagged by Akismet (they're always spam, why bother?) so I don't even have to moderate them.

    With 1.2.1 I get some registration spam but they can't post anything spammy.

    I have a couple more very small forums still on the 1.2.0 release candidates that are spam free, and others still on 1.1.x releases with various effective anti-spam addons.

    XenForo simply would not be what it is today if the developers had focused on stuff like spam for the first two years when it wasn't a problem.
    Adam Howard likes this.
  9. Adam Howard

    Adam Howard Well-Known Member

    You are correct.

    @serene originally released it for XenForo 1.1.x

    I have since updated it with a patch fix for it to work witn XenForo 1.2.x

    Of course I would still recommend using either the default spam options or getting a 3rd party anti-spam odd. Personally speaking, I use @sonnb Stop Spam Here add-on http://xenforo.com/community/resources/sonnb-stop-spam-here.1086/
    Shelley, TsinJu and sonnb like this.

Share This Page