1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XF 1.5 Spam Patterns Figured Out

Discussion in 'XenForo Questions and Support' started by Zachary Ball, Aug 31, 2016.

Tags:
  1. Zachary Ball

    Zachary Ball Member

    Okay, so after carefully moderating my spam which is about 2-6 accounts that post links into threads once. I have found a pattern they all follow which allows me to assume they are bots or non-human.

    Here are the things 99% of them have in common:

    1. List location as NY, New York, New York NY, or really anything with that city.
    2. Age is always 21
    3. 99% of time they are female.
    4. (THIS IS THE MOST IMPORTANT) They all use the same name associated with email for their username.

    So, I have tried phrases, but I think I know what will block this certain bot.. I need to somehow not allow users to use the same name that is within their email. Any add-ons or edits I can make to make this happen?
     
    wedgar likes this.
  2. Brogan

    Brogan XenForo Moderator Staff Member

    You can try using the email ban function to target a specific string.
     
  3. Zachary Ball

    Zachary Ball Member

    I have used this.. but this won't solve it as there are very few with their own domain extensions. Most are using gmail and I can't just ban that due to other members using that.

    What the pattern here is that they are using the same exact word within their username that is in the email they register with..

    example: "IMASTUPIDSPAMMER" is a user that registered with the email "IMASTUPIDSPAMMER@Gmail.com"
     
  4. Brogan

    Brogan XenForo Moderator Staff Member

    You wouldn't be able to target that then.

    Presumably you have the other spam options configured?
    Such as SFS, DNSBL, etc.?
     
  5. Zachary Ball

    Zachary Ball Member

    Yes I do. Somehow they are finding a way around that.
     
  6. Snog

    Snog Well-Known Member

    Bad practice to ban this pattern. It's pretty common. For example my email address is my name at my website.
     
  7. Zachary Ball

    Zachary Ball Member

    Not bad practice at all, many places enable something along this line. I would simply have a message saying that you they need to use different words not in email.
     
  8. Snog

    Snog Well-Known Member

    I've never seen anyplace do that. But if I did, I can guarantee I would not register there. ;)
     
    Tracy Perry and ozzy47 like this.
  9. Zachary Ball

    Zachary Ball Member

    That is a very silly reason not to register.
     
  10. Martok

    Martok Well-Known Member

    I'm the same, my username is the same as the first part of my email address. Quite a few users on my forums also have exactly the same thing.

    I too wouldn't sign up to a website that wouldn't allow the same username as the first part of my email address.
     
    Tracy Perry, Snog and ozzy47 like this.
  11. Zachary Ball

    Zachary Ball Member

    Not going to ban them.. I would simply put them in a manual approval sequence to check the 3 other things i listed.

    Instead of telling me you wouldn't use a forum such as this.. how about we make this constructive for other members. As of right now, I still get spam and nothing has been resolved.
     
  12. Martok

    Martok Well-Known Member

    Maybe if you give more details of your spam management options setup (e.g. screenshots showing your settings), then maybe people can then give you some constructive feedback.
     
    Amaury likes this.
  13. Zachary Ball

    Zachary Ball Member

    Well, no one asked..

    I have a way to stop pretty much 99% of this spam with the idea posted above. There is no one else with this exact idea?
     
  14. rainmotorsports

    rainmotorsports Well-Known Member

    No because you are looking at it wrong.

    I had the same thing. Only all of the registrations were coming from 2 Pakistani and 2 Indian ISPs as well as VPN providers. I blocked those and set some moderation behaviour up using TPU detect spam registrations and they disappeared. Also don't have any and probably very little Indian traffic.

    Had a new flair up this time from a ton of Vietnamese ISPs. I'm using scoring to moderate and or reject them I have gone full on blocking due to the number of ISPs involved.

    With TPU and a recent version of XF no need for captchas etc because these are humans spamming not machines.
     
    Snog and Russ like this.
  15. rainmotorsports

    rainmotorsports Well-Known Member

    I will give you a couple of examples. First off I've turned off the built in stop forum spam settings because they aren't flexible.

    Below you will see 2 rejects. Now they would have been moderated but the extra country score threw it over the edge. I only plus 1 for name because generic names are on their ban list but I take email and IPs as more accurate leading to a score of 5. I decided due to the current VN problem that I'd give it some weight.
    Screenshot_20160831-182403~01.png

    Now in a second example I have actually added this hostname to the automatic reject pile. But AS name works too. Very often they don't have a good hostname.

    Screenshot_20160831-182428~01.png

    So I have very similar setups for the Pakistani and Indian spam. I never see it anymore. However the Vietnamese spam I see moderated on a rare occasion. Most other spammers get moderated due to SFS.
     
  16. Zachary Ball

    Zachary Ball Member

    Thank you so much, I will try this out!
     
  17. rainmotorsports

    rainmotorsports Well-Known Member

    It's very flexible and powerful. You will have to learn how it works and look at the properties of registrations for a couple of days to get started.

    Default score for moderation is 3 and reject is 6. You can change this but you can also set a particular thing directly to reject or moderate.

    Just putting +1 on name email and IPs each as well as +1 on problem countries should send the majority into moderation. From there you can observe and decide how harsh to be. If it's all from one ISP then blocking their AS name will do the trick. If it's all over then look for any other patterns that work for you.

    I don't feel bad about blocking VPNs for registration. They can still login. Just cant register.
     
    wedgar likes this.
  18. Zachary Ball

    Zachary Ball Member


    Thanks for taking the time to show me this. I am already tweaking and finding this is going to be much better than what is built within core. I am honestly very disappointed with the advancement of Xenforo with basic built in features. Don't get me wrong, the software is genius but they really lack a lot of basic and necessities. Spam like this can really hurt a forum, but again thanks for helping me out. I try to update in a week or two from now with my tweaks.
     
  19. rainmotorsports

    rainmotorsports Well-Known Member

    I think one of the biggest issues with this going into the core is the fact the lookups to determine things like the AS Name and what not depend on external providers. Should a lookup take too long or the provider not work at all it can stop registrations.

    Also worth noting in attempts to block data centers and vpns I did configure open ports for 80 21 and wtf is SMTP again 25? This can lead to false positives. Be careful with open ports as a diagnosis tool. In fact stay away from it until you have a need to block data centers which may be hosting custom VPN solutions.
     
  20. Hecter

    Hecter Member

    I'm getting this as well, its every day just loaded, they generally stick to the profile part but they land on my forums as well if I don't manage to get on that day. Most of it comes from airtelbroadband.in and every single one comes from NY, have you found a way to actually stop it? Or does anyone know how I can stop registrations from airtelbroadband.in as its doing my head in.
     

Share This Page