Spam bots on my site :( idk how to fix it. Any information would be great :)

Okay, so recently I've had to redo my entire website and I've worked really hard on it. But unfortunately there are these bots signing up on the website and constantly spamming it with stuff like this.

[Image: K6vWX75i.png]


They just completely fill the website with ads, then they leave for a week or so and come back on another account with the same posts. It's stupid. I don't know why this happens and I don't know how to prevent it. Any tips would be great :)


my website: https://hypergaming.co.uk/
 
use recaptcha and email verification, if necessary approve accounts manually
I use both. Recaptcha and Email Verification. But they just come back :( Sometimes it looks like someone is scraping XenForo websites from Bing / Google and just manually goes on there and posts random advertising posts.
 
Try questions instead of recaptcha
 
Stop Forum Spam - get an API and use it.

Custom questions instead of a captcha. Avoid math questions, because the bots can solve them now.

Require 10-15 seconds minimum on the registration page. Bots fill out the form and submit instantly.

Get a country-blocking plugin, and block new registration from India, Pakistan, Bangladesh, Russia, Ukraine, Belarus, Vietnam, Philippines, and China. Don’t worry about blocking legit users from those countries - in my experience, the ratio of legit users to spammers from the Axis of Forum Spam can be 1:100 to 1:10000.

Block disposable email domains.

Take note of the IP addresses from the spam accounts. Find the CIDR block of the biggest offenders using bgp.he.net. Block them, especially if they’re from the countries above, or a Web hosting company. (OVH, Hetzner Online, and server farms in the Netherlands host a lot of spambots and spammer proxies.)
 
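An added example (not from any poster in this thread) of the IP-range and disposable-email checks from the list above. It groups spam-account IPs by /24 as a stand-in for the announced prefix you would look up on bgp.he.net; the IPs are documentation-range addresses, and the domain list and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data: documentation-range IPs standing in for spam-account IPs.
SPAM_IPS = [
    "203.0.113.5", "203.0.113.77", "203.0.113.140", "203.0.113.201",
    "198.51.100.9", "198.51.100.10", "192.0.2.44",
]
# Constructed sample list; a real disposable-domain list is far longer.
DISPOSABLE_DOMAINS = {"mailinator.com", "throwaway.example"}


def offender_blocks(ips, prefix=24, min_hits=3):
    """Group IPv4 addresses by /prefix network; return networks seen >= min_hits times."""
    hits = Counter(
        ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips
    )
    return sorted(net for net, count in hits.items() if count >= min_hits)


def is_disposable(email, domains=DISPOSABLE_DOMAINS):
    """True if the address's domain, or any parent domain, is on the list."""
    domain = email.rsplit("@", 1)[-1].lower().rstrip(".")
    labels = domain.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def registration_verdict(ip, email, blocks):
    """Return (allowed, reason) for a new registration attempt."""
    addr = ipaddress.ip_address(ip)
    for net in blocks:
        if addr in net:
            return False, f"ip in blocked range {net}"
    if is_disposable(email):
        return False, "disposable email domain"
    return True, "ok"


if __name__ == "__main__":
    blocks = offender_blocks(SPAM_IPS)
    print("blocked ranges:", [str(b) for b in blocks])
    print(registration_verdict("203.0.113.9", "new@example.org", blocks))
    print(registration_verdict("192.0.2.1", "bot@sub.mailinator.com", blocks))
```

Only ranges with repeated hits are blocked, so a single spam IP from a shared hosting or VPN range does not take the whole range with it.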
I don't have spammers actually posting, but am rejecting 10-20 registrations-held-for-moderation per day.
  • Enable Email Confirmation
  • Enable Captcha for Guests, I use Google's recaptcha v2
  • Check new registrations against StopForumSpam Database, I have some minimums set, and an API key
  • Check DNSBL upon registration, and a project honeypot key
  • Registration timer to 10 seconds
Today, I maxed the security settings in the google recaptcha admin console to see if it makes a difference. Tested and it was hard for me to get past, but maybe others will be smarter than me.

I also plan on blocking registrations picked up by DNSBL, instead of manually rejecting them. It is insightful to see the moderated registrations, because they show matches against both StopForumSpam and DNSBL.

Custom questions were helpful, but I found myself having to change them occasionally. I'm not complaining about having to reject moderated registrations, it's better than the alternative, but I am tinkering with the settings a bit to see if I can find a better balance.
 
I've actually started using StopForumSpam and the Honeypot APIs and I've already started submitting data. It's mainly from China though. I don't know how to block countries yet and the web server is actually on an OVH server haha. Same with my other servers, they are all on the OVH network, which kinda sucks if I have to block it. I know a few places rely on OVH game servers for VPNs for programs like OpenVPN. I use that myself. So if I block VPNs I'll have to constantly turn mine off, because I have no clue how to allow my own VPN through if the IP constantly changes.

Can you link me to any useful links on how to region / country block registrations? Also how to block those disposable emails.



Thank you all for your responses. The website is slowly getting overloaded with these spam accounts and it's really annoying, I've gotta sit there for hours sometimes removing them all.
 
It's really annoying I've gotta sit there for hours sometimes removing them all.
Try this too, mainly because it can't do any harm at all and it shut the bots' water completely off on my sites.

Edit the phrase: please_leave_this_field_blank

Make the phrase text of it read: Required Field

Reason is, xF 2.1 has random rotating false fields in the registration form. If anything is entered into any of these false fields the registration is rejected and the form just clears. These false fields are hidden - browsers can't load them therefore no humans can see them but the bot programs don't load pages - they copy the code and send it back filled out. So it's nonsensical to have these hidden false fields some people call "HoneyPots," then tell the botnet admins what they are.

So, change the text of the phrase, and watch the bots suddenly stop. Haven't had a single automated registration be successful since I did this.
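An added sketch (not XenForo's code and not from the poster) of the two server-side checks discussed in this thread: a hidden decoy field that must come back empty, and a minimum time on the registration page enforced with an HMAC-signed timestamp so the client cannot forge it. The field name, secret and expiry limit are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-server-side-secret"  # placeholder value
MIN_SECONDS = 10        # minimum time on the form, as suggested in the thread
MAX_SECONDS = 3600      # assumption: a form older than an hour must be reloaded
HONEYPOT_FIELD = "website"  # hypothetical name of the hidden decoy input


def _sign(ts):
    """HMAC-SHA256 over the timestamp string, hex encoded."""
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Called when the form is rendered: '<unix time>.<signature>'."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form, now=None):
    """Return (accepted, reason) for a submitted registration form (a dict)."""
    now = time.time() if now is None else now
    # Humans never see the decoy field, so any value in it marks a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field filled"
    ts, _, sig = form.get("form_token", "").partition(".")
    # Constant-time comparison on bytes; rejects absent or tampered tokens.
    if not ts.isdigit() or not hmac.compare_digest(sig.encode(), _sign(ts).encode()):
        return False, "missing or forged token"
    age = now - int(ts)
    if age < MIN_SECONDS:
        return False, "submitted too fast"
    if age > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    token = issue_form_token(now=1000)  # constructed timestamps for the demo
    print(check_submission({"form_token": token}, now=1003))
    print(check_submission({"form_token": token}, now=1015))
    print(check_submission({"form_token": token, "website": "x"}, now=1015))
```

A token can still be replayed until it expires, so a production version would also record used tokens or bind them to the session.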
 
Is there any documentation on that?
 
You can block entire countries by using GEOIP with .htaccess or .htaccess alone.

To use GEOIP, ask your host if geoip and mod_geoip is installed.

You can then use the following in .htaccess

Code:
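# Countries to block (Apache comments must sit on their own line)
# Block China
SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry
# Block Russia
SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry
# End List
# Refuse requests flagged above (Apache 2.2 syntax; 2.4 needs mod_access_compat)
Deny from env=DenyCountry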

You can use the following purely in .htaccess

IPs/ranges can be got HERE

Tick the country, then select Apache .htaccess DENY

You would then use the ACL list in your .htaccess

Example HERE

That list is China's IP range and is set to deny from them all.

These are not the only two ways of blocking Countries, but will give you a good start.
 