XF 2.3 Spam Bots are Insane

Fitz67

Member
https://www.underwaterdroneforum.com

So I have Geoblock Registrations 1.2.2 installed, countries CN, IN, PT, RO blocked. For some reason India is still getting through somehow?

Also have Cloudflare Turnstile enabled on registration, still like 20-30% bots are getting through.

Google's Captcha is completely useless... I see a lot of spam Add-ons that were once offered on here like Ozzys, are no longer offered.

Don't feel like transferring my domain over to Cloudflare, what are my other options? Is there an addon to block ASN?

What about Clean Talk? https://cleantalk.org/help/install-xenforo2

Was talking with a Tech guy at work, bots are getting smarter while security is lacking and can't keep up, this is starting to ruin forums which are already down in popularity, as well as good experience on social media, very little good experience there is :unsure:


With more advancements made, loopholes in security may be inevitable with quantum computing
 
I see a lot of spam Add-ons that were once offered on here like Ozzys, are no longer offered.
Still available at his site:

Personally I quite like:

Also have Cloudflare Turnstile enabled on registration, still like 20-30% bots are getting through.
It generally seems to be considered the best of the bunch, but automated solving is cheap and so are people for that matter...

Asking for some extra information at registration can help, drop downs of options where the first is something duff that genuine users will either ignore, raise an eyebrow, etc whilst spambots will just pick the first value in the list.

Obviously stopforumspam, but I assume you are already using them.

We block various IP ranges at the firewall that are currently causing trouble. Either because they have tripped something on one of our other boxes or they are just on one of the various blacklists, for instance there is little point accepting traffic from IPs on https://www.spamhaus.org/drop/ for instance. Take your pick of the various blacklists available, different companies have different policies over what goes on their lists of course.

Alas perhaps you have a particularly tasty forum as far as spam link placement goes ... :(
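
The firewall-blocklist approach from the post above, as an added example that is not part of the original thread: it parses a DROP-style list, merges ranges into fewer firewall rules, and audits registration IPs against it. The one-CIDR-per-line layout with `;` comments is an assumption about the list format, and the sample ranges and references are constructed placeholders.

```python
import ipaddress

# Constructed sample in the assumed DROP text layout ("CIDR ; reference").
# Ranges are RFC 5737 documentation networks, not real list entries.
SAMPLE_DROP = """\
; constructed sample, not real Spamhaus data
192.0.2.0/24 ; SBL-PLACEHOLDER-1
198.51.100.0/25 ; SBL-PLACEHOLDER-2
198.51.100.128/25 ; SBL-PLACEHOLDER-3
not-a-cidr ; malformed line, should be skipped
"""

def parse_drop(text):
    """Return a list of (network, reference) tuples from DROP-style text."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        cidr, _, ref = line.partition(";")
        try:
            net = ipaddress.ip_network(cidr.strip(), strict=False)
        except ValueError:
            continue  # skip a malformed line rather than abort the load
        entries.append((net, ref.strip()))
    return entries

def collapse(entries):
    """Merge adjacent or overlapping ranges so the firewall needs fewer rules."""
    v4 = [n for n, _ in entries if n.version == 4]
    v6 = [n for n, _ in entries if n.version == 6]
    merged = list(ipaddress.collapse_addresses(v4))
    return merged + list(ipaddress.collapse_addresses(v6))

def match(ip, entries):
    """Return the reference of the first listed range containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, ref in entries:
        if addr.version == net.version and addr in net:
            return ref
    return None

def audit_registrations(ips, entries):
    """Map each registration IP to the list reference covering it (or None)."""
    return {ip: match(ip, entries) for ip in ips}

if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    print([str(n) for n in collapse(drop)])
    print(audit_registrations(["192.0.2.77", "203.0.113.9"], drop))
```

Running the audit over the IPs of accounts that already got through shows how much of the spam a given list would have stopped before you commit it to the firewall.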
 
So I have Geoblock Registrations 1.2.2 installed, countries CN, IN, PT, RO blocked. For some reason India is still getting through somehow?
Check the IP address history for the spammers who are getting through - it could be that they registered via another IP that wasn't in the block list?

Geoblock registrations only works at the point of registration - once they are successfully registered, it does nothing.

It could also be that certain IP addresses are not identified as coming from India by Maxmind (which is used by Geoblock Registrations).

I also use Cloudflare to block networks at an ASN level. Any registration from a datacenter has that entire ASN get blocked completely, any registration from a VPN has that entire ASN subject to a managed challenge - but in both cases, only for the registration and contact form pages.

I also record the date I block each one in a spreadsheet so that if I get complaints from members about being blocked, I can see when I added the block and I can make notes about why certain networks should not be blocked etc.
 
Thanks for help everyone! Love using these underwater drones, it's a new type of technology, I own three of them, I love filming fish, as well as catching them, soon as I saw the movie the Abyss and Little Geek, I knew one day I wanted to own one. It's a nonstop hobby I enjoy, it sucks that I have to completely block a country such as China where majority of these underwater drones are made, but I have no other choice. The spam is out of control now, I've owned car forums even during the early days of phpbb and vbulletin, never seen it this bad, I think governments are going to have to eventually do something!!! Even though I have small forums over the years, I enjoy running them and growing these hobbies, helps me even learning things myself about the hobbies. The Facebook groups are alright for underwater drones, but they're lacking certain features a forum offers. It just sucks, because when people see my forum, they see the spam and just figure why bother register or post on an inactive forum.

I may try clean talk or Ozzy's addons next, maybe even resort to Cloudflare, since these bots still put strain on your server, with Cloudflare takes all strain off.
 
If they're spam bots, Ozzie's registration spaminator should stop them all from joining. If they've already joined and are posting, you might need the login spaminator as well.

Cloudflare turnstile also stops them registering but I still used to get a few a week in the manual approval queue. Ozzie's spaminator will stop all of them joining I think.
 
Datacenters from China, Germany, and France have been hammering my site. I don't want to use Cloudflare and am trying to find alternatives besides blocking hundreds of ip ranges.
Realistically there is no other way if you want to lock out not only spammers but also scrapers including AI bots. The only question is how to do that in the most comfortable way for yourself, w/o harm for legitimate users, with the least amount of effort and w/o negative impact on the site performance and wanted bots like search engines.

Also, your possibilities for how you can achieve it depend a lot on your environment and the size and characteristics of your forum. As you have ruled out Cloudflare (like I did) you may be interested in the thread I started recently about diving into that rabbit hole:


In the meantime I've spent countless hours on the topic and am, based on the learnings from that, currently working on the next step in terms of experimenting - some promising ideas and first results, however, not yet ready to report publicly.
 
It's very simple, you need to use Cloudflare for the domain and Turnstile from CF when registering. It is also necessary to make entering the date of birth mandatory. There will be no more spam.

Additionally, you can set up a white list of mail providers to get rid of spam from mailboxes like Jimmy@topmegaprovider69.com
 
Glancing at the forum just now I suspect you could catch a decent number just with some choice words in the "spam phrases" box in (options - spam management). All the ones I've just seen seem very weight loss related.

One forum I help with makes any gmail addresses hop through another layer by not granting them posting rights until they tick a "I won't spam" preference in their account. Fully automated bots of course don't do this so at least don't post rubbish on the board. The downside is we're less likely to spot them as bots except by manually seeing who registered but didn't go and do the tickbox - which seems unlikely since there is also a notification displayed. So you'd expect a human to respond.

Which of the XF steps are you currently doing?
 
Glancing at the forum just now I suspect you could catch a decent number just with some choice words in the "spam phrases" box in (options - spam management). All the ones I've just seen seem very weight loss related.

One forum I help with makes any gmail addresses hop through another layer by not granting them posting rights until they tick a "I won't spam" preference in their account. Fully automated bots of course don't do this so at least don't post rubbish on the board. The downside is we're less likely to spot them as bots except by manually seeing who registered but didn't go and do the tickbox - which seems unlikely since there is also a notification displayed. So you'd expect a human to respond.

Which of the XF steps are you currently doing?
That's a good idea. I just had a long religious post slip through (must have been a human spammer as the bots are all blocked). And noticed it had the words d.rugs and g.ambling in it. The dot clearly trying to evade auto moderation and get the long religious message seen.

So I added d.rugs and g.ambling to the spam list :)

This would send posts to manual approval though (although I think some get blocked completely if it seems spam-like). So if there are a lot then a combination of blocking them from registering, as well as filtering them out when they post, might be good, so you don't get inundated with manual approvals.

I think Xon's sign up abuse and detection addon covers things from various angles as well and has a lot of options.

Did you decide to go for anything yet?

I've been quite happy with Cloudflare Turnstile. If you already use Cloudflare, it's quick and easy to implement and really reduced things to virtually nothing. I wanted a second layer to keep it to nothing. However human spammers can sometimes still get through.

There is also the option to set permissions so first posts go for manual moderation for new members. I've been trying to avoid that as it can affect genuine members who want a quick answer. But am considering that as well.
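
The dotted-word evasion described in the post above (d.rugs, g.ambling), as an added example that is not part of the original thread and not XenForo's own matching code: a filter that catches separator-obfuscated forms of a word list without listing every variant. The word list, function names and the "moderate"/"allow" outcome are hypothetical.

```python
import re
import unicodedata

# Hypothetical phrase list; these are the two words mentioned in the post.
SPAM_WORDS = ["drugs", "gambling"]

def build_pattern(word, max_gap=2):
    """Regex for word with up to max_gap punctuation characters between letters."""
    # Whitespace is deliberately not a gap: "Vitamin D rugs" must not match.
    gap = r"(?:[^\w\s]|_){0,%d}" % max_gap
    body = gap.join(re.escape(ch) for ch in word)
    # Lookarounds pin the match to word edges so "drugstore" is not flagged.
    return re.compile(r"(?<![^\W_])" + body + r"(?![^\W_])", re.IGNORECASE)

PATTERNS = {w: build_pattern(w) for w in SPAM_WORDS}

def find_hits(text):
    """Return the listed words found in text, including obfuscated forms."""
    # NFKC folds full-width and other compatibility letters to plain ones.
    norm = unicodedata.normalize("NFKC", text)
    return [w for w, pat in PATTERNS.items() if pat.search(norm)]

def triage(text):
    """Send a post with any hit to manual approval, otherwise let it through."""
    return "moderate" if find_hits(text) else "allow"

if __name__ == "__main__":
    # Constructed sample posts.
    for post in ["Stay away from d.rugs and g.ambling, friends.",
                 "The drugstore near the dive shop is open.",
                 "Great footage of the reef today."]:
        print(triage(post), "<-", post)
```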
 