XF 1.5 Spam Patterns Figured Out

Zachary Ball

Active member
Okay, so after carefully moderating my spam which is about 2-6 accounts that post links into threads once. I have found a pattern they all follow which allows me to assume they are bots or non-human.

Here are the things 99% of them have in common:

1. List location as NY, New York, New York NY, or really anything with that city.
2. Age is always 21
3. 99% of time they are female.
4. (THIS IS THE MOST IMPORTANT) They all use the same name associated with email for their username.

So, I have tried phrases, but I think I know what will block this certain bot.. I need to somehow not allow users to use the same name that is within their email. Any add-ons or edits I can make to make this happen?
 
I have used this.. but this won't solve it as there are very few with their own domain extensions. Most are using gmail and I can't just ban that due to other members using that.

What the pattern here is that they are using the same exact word within their username that is in the email they register with..

example: "IMASTUPIDSPAMMER" is a user that registered with the email "IMASTUPIDSPAMMER@Gmail.com"
 
Bad practice to ban this pattern. It's pretty common. For example my email address is my name at my website.
I'm the same, my username is the same as the first part of my email address. Quite a few users on my forums also have exactly the same thing.

I too wouldn't sign up to a website that wouldn't allow the same username as the first part of my email address.
 
Not going to ban them.. I would simply put them in a manual approval sequence to check the 3 other things i listed.

Instead of telling me you wouldn't use a forum such as this.. how about we make this constructive for other members. As of right now, I still get spam and nothing has been resolved.
 
Instead of telling me you wouldn't use a forum such as this.. how about we make this constructive for other members. As of right now, I still get spam and nothing has been resolved.
Maybe if you give more details of your spam management options setup (e.g. screenshots showing your settings), then maybe people can then give you some constructive feedback.
 
No because you are looking at it wrong.

I had the same thing. Only all of the registrations were coming from 2 Pakistani and 2 Indian ISPs as well as VPN providers. I blocked those and set some moderation behaviour up using TPU detect spam registrations and they disappeared. Also don't have any and probably very little Indian traffic.

Had a new flair up this time from a ton of Vietnamese ISPs. I'm using scoring to moderate and or reject them I have gone full on blocking due to the number of ISPs involved.

With TPU and a recent version of XF no need for captchas etc because these are humans spamming not machines.
 
I will give you a couple of examples. First off I've turned off the built in stop forum spam settings because they aren't flexible.

Below you will see 2 rejects. Now they would have been moderated but the extra country score threw it over the edge. I only plus 1 for name because generic names are on their ban list but I take email and IPs as more accurate leading to a score of 5. I decided due to the current VN problem that I'd give it some weight.
Screenshot_20160831-182403~01.webp

Now in a second example I have actually added this hostname to the automatic reject pile. But AS name works too. Very often they don't have a good hostname.

Screenshot_20160831-182428~01.webp

So I have very similar setups for the Pakistani and Indian spam. I never see it anymore. However the Vietnamese spam I see moderated on a rare occasion. Most other spammers get moderated due to SFS.
 
Thank you so much, I will try this out!

It's very flexible and powerful. You will have to learn how it works and look at the properties of registrations for a couple of days to get started.

Default score for moderation is 3 and reject is 6. You can change this but you can also set a particular thing directly to reject or moderate.

Just putting +1 on name email and IPs each as well as +1 on problem countries should send the majority into moderation. From there you can observe and decide how harsh to be. If it's all from one ISP then blocking their AS name will do the trick. If it's all over then look for any other patterns that work for you.

I don't feel bad about blocking VPNs for registration. They can still login. Just cant register.
 
It's very flexible and powerful. You will have to learn how it works and look at the properties of registrations for a couple of days to get started.

Default score for moderation is 3 and reject is 6. You can change this but you can also set a particular thing directly to reject or moderate.

Just putting +1 on name email and IPs each as well as +1 on problem countries should send the majority into moderation. From there you can observe and decide how harsh to be. If it's all from one ISP then blocking their AS name will do the trick. If it's all over then look for any other patterns that work for you.

I don't feel bad about blocking VPNs for registration. They can still login. Just cant register.


Thanks for taking the time to show me this. I am already tweaking and finding this is going to be much better than what is built within core. I am honestly very disappointed with the advancement of Xenforo with basic built in features. Don't get me wrong, the software is genius but they really lack a lot of basic and necessities. Spam like this can really hurt a forum, but again thanks for helping me out. I try to update in a week or two from now with my tweaks.
 
I think one of the biggest issues with this going into the core is the fact the lookups to determine things like the AS Name and what not depend on external providers. Should a lookup take too long or the provider not work at all it can stop registrations.

Also worth noting in attempts to block data centers and vpns I did configure open ports for 80 21 and wtf is SMTP again 25? This can lead to false positives. Be careful with open ports as a diagnosis tool. In fact stay away from it until you have a need to block data centers which may be hosting custom VPN solutions.
 
Okay, so after carefully moderating my spam which is about 2-6 accounts that post links into threads once. I have found a pattern they all follow which allows me to assume they are bots or non-human.

Here are the things 99% of them have in common:

1. List location as NY, New York, New York NY, or really anything with that city.
2. Age is always 21
3. 99% of time they are female.
4. (THIS IS THE MOST IMPORTANT) They all use the same name associated with email for their username.

So, I have tried phrases, but I think I know what will block this certain bot.. I need to somehow not allow users to use the same name that is within their email. Any add-ons or edits I can make to make this happen?

I'm getting this as well, its every day just loaded, they generally stick to the profile part but they land on my forums as well if I don't manage to get on that day. Most of it comes from airtelbroadband.in and every single one comes from NY, have you found a way to actually stop it? Or does anyone know how I can stop registrations from airtelbroadband.in as its doing my head in.
 
Top Bottom