XF 1.5 Spam Patterns Figured Out

Z

Zachary Ball

Active member
Okay, so after carefully moderating my spam which is about 2-6 accounts that post links into threads once. I have found a pattern they all follow which allows me to assume they are bots or non-human.

Here are the things 99% of them have in common:

1. List location as NY, New York, New York NY, or really anything with that city.
2. Age is always 21
3. 99% of time they are female.
4. (THIS IS THE MOST IMPORTANT) They all use the same name associated with email for their username.

So, I have tried phrases, but I think I know what will block this certain bot.. I need to somehow not allow users to use the same name that is within their email. Any add-ons or edits I can make to make this happen?
 
Sort by date Sort by votes
I have used this.. but this won't solve it as there are very few with their own domain extensions. Most are using gmail and I can't just ban that due to other members using that.

What the pattern here is that they are using the same exact word within their username that is in the email they register with..

example: "IMASTUPIDSPAMMER" is a user that registered with the email "IMASTUPIDSPAMMER@Gmail.com"
 
Upvote 0 Downvote
Snog said:
Bad practice to ban this pattern. It's pretty common. For example my email address is my name at my website.
Click to expand...
I'm the same, my username is the same as the first part of my email address. Quite a few users on my forums also have exactly the same thing.

I too wouldn't sign up to a website that wouldn't allow the same username as the first part of my email address.
 
Upvote 0 Downvote
Not going to ban them.. I would simply put them in a manual approval sequence to check the 3 other things i listed.

Instead of telling me you wouldn't use a forum such as this.. how about we make this constructive for other members. As of right now, I still get spam and nothing has been resolved.
 
Upvote 0 Downvote
Zachary Ball said:
Instead of telling me you wouldn't use a forum such as this.. how about we make this constructive for other members. As of right now, I still get spam and nothing has been resolved.
Click to expand...
Maybe if you give more details of your spam management options setup (e.g. screenshots showing your settings), then maybe people can then give you some constructive feedback.
 
Upvote 0 Downvote
No because you are looking at it wrong.

I had the same thing. Only all of the registrations were coming from 2 Pakistani and 2 Indian ISPs as well as VPN providers. I blocked those and set some moderation behaviour up using TPU detect spam registrations and they disappeared. Also don't have any and probably very little Indian traffic.

Had a new flair up this time from a ton of Vietnamese ISPs. I'm using scoring to moderate and or reject them I have gone full on blocking due to the number of ISPs involved.

With TPU and a recent version of XF no need for captchas etc because these are humans spamming not machines.
 
Upvote 0 Downvote
I will give you a couple of examples. First off I've turned off the built in stop forum spam settings because they aren't flexible.

Below you will see 2 rejects. Now they would have been moderated but the extra country score threw it over the edge. I only plus 1 for name because generic names are on their ban list but I take email and IPs as more accurate leading to a score of 5. I decided due to the current VN problem that I'd give it some weight.
Screenshot_20160831-182403~01.webp

Now in a second example I have actually added this hostname to the automatic reject pile. But AS name works too. Very often they don't have a good hostname.

Screenshot_20160831-182428~01.webp

So I have very similar setups for the Pakistani and Indian spam. I never see it anymore. However the Vietnamese spam I see moderated on a rare occasion. Most other spammers get moderated due to SFS.
 
Upvote 0 Downvote
Zachary Ball said:
Thank you so much, I will try this out!
Click to expand...

It's very flexible and powerful. You will have to learn how it works and look at the properties of registrations for a couple of days to get started.

Default score for moderation is 3 and reject is 6. You can change this but you can also set a particular thing directly to reject or moderate.

Just putting +1 on name email and IPs each as well as +1 on problem countries should send the majority into moderation. From there you can observe and decide how harsh to be. If it's all from one ISP then blocking their AS name will do the trick. If it's all over then look for any other patterns that work for you.

I don't feel bad about blocking VPNs for registration. They can still login. Just cant register.
 
Upvote 0 Downvote
rainmotorsports said:
It's very flexible and powerful. You will have to learn how it works and look at the properties of registrations for a couple of days to get started.

Default score for moderation is 3 and reject is 6. You can change this but you can also set a particular thing directly to reject or moderate.

Just putting +1 on name email and IPs each as well as +1 on problem countries should send the majority into moderation. From there you can observe and decide how harsh to be. If it's all from one ISP then blocking their AS name will do the trick. If it's all over then look for any other patterns that work for you.

I don't feel bad about blocking VPNs for registration. They can still login. Just cant register.
Click to expand...


Thanks for taking the time to show me this. I am already tweaking and finding this is going to be much better than what is built within core. I am honestly very disappointed with the advancement of Xenforo with basic built in features. Don't get me wrong, the software is genius but they really lack a lot of basic and necessities. Spam like this can really hurt a forum, but again thanks for helping me out. I try to update in a week or two from now with my tweaks.
 
Upvote 0 Downvote
I think one of the biggest issues with this going into the core is the fact the lookups to determine things like the AS Name and what not depend on external providers. Should a lookup take too long or the provider not work at all it can stop registrations.

Also worth noting in attempts to block data centers and vpns I did configure open ports for 80 21 and wtf is SMTP again 25? This can lead to false positives. Be careful with open ports as a diagnosis tool. In fact stay away from it until you have a need to block data centers which may be hosting custom VPN solutions.
 
Upvote 0 Downvote
Zachary Ball said:
Okay, so after carefully moderating my spam which is about 2-6 accounts that post links into threads once. I have found a pattern they all follow which allows me to assume they are bots or non-human.

Here are the things 99% of them have in common:

1. List location as NY, New York, New York NY, or really anything with that city.
2. Age is always 21
3. 99% of time they are female.
4. (THIS IS THE MOST IMPORTANT) They all use the same name associated with email for their username.

So, I have tried phrases, but I think I know what will block this certain bot.. I need to somehow not allow users to use the same name that is within their email. Any add-ons or edits I can make to make this happen?
Click to expand...

I'm getting this as well, its every day just loaded, they generally stick to the profile part but they land on my forums as well if I don't manage to get on that day. Most of it comes from airtelbroadband.in and every single one comes from NY, have you found a way to actually stop it? Or does anyone know how I can stop registrations from airtelbroadband.in as its doing my head in.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

MapleOne
  • Question Question
XF 2.2 I figured out how to remove single line breaks on mobile but leave them on desktop
Replies
2
Views
368
MapleOne
MapleOne
ak38
  • Question Question
XF 1.5 Spam bots eating bandwidth and skewing visitor figures
Replies
3
Views
450
ak38
ak38
DieselMinded
  • Question Question
Figured out how to Replace Specific Node Icons
Replies
5
Views
811
DieselMinded
DieselMinded
Amin Sabet
Other Anyone figured out a way to compress proxied images?
Replies
0
Views
1K
Amin Sabet
Amin Sabet
naia
Crowdsourced Human Spammers
Replies
3
Views
1K
Anthony Parsons
Anthony Parsons
Back
Top Bottom