• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Spam - what is Xenforo.com doing itself ? [Hallowe'en 2012]

Status
Not open for further replies.

Digital Doctor

Well-known member
#1
Seems that Xenforo.com is the only site still getting bombarded by spam.
Sure the mods are getting tired of it.
Seems like something else needs to be done.

What is Xenforo.com currently using ? Seems like Xenforo.com needs some Spam Addons installed :)

xenforo.com.spam.jpg

I think a large amount of precious moderator time is being wasted cleaning up all the spam.
 

Russ

Well-known member
#2
We have 868 pages of registrations that have been blocked since August 21st :),

That's 17,360 and we're not even a busy site yet.
 

RobParker

Well-known member
#4
This is getting a bit ridiculous. It hardly gives a good impression of the forums to find it full of spam every morning.

Wouldn't setting a few good Q&A captchas make a big difference as they seem to have done elsewhere. At the minute it looks like no one really cares.
 

RobParker

Well-known member
#5
Does this mean that XenForo is weak against spam? If I do purchase XenForo what can I do to prevent spam on my community (does XenForo provide tools to fight spam? If yes then why is this board getting spammed..?)

Please don't get me wrong, I just wish to know more about the software I am going to purchase :)
By setting a few Q&A questions we've never had any problems with spammers. There are also multiple spam protection addons which work really well. While understandably they don't want to use 3rd party addons on here, I don't know why they refuse to setup some better captchas.
 

tenants

Well-known member
#6
This is the core functionality, I think it should be left as core, with no plug-ins to show new users that are interested in buying the software what the core has to offer

Simple QAs will not stop bots registering here (the PR is too high for it not to "look" valuable for gaining links, and QAs are easy to extract the question list, since it is unlikely someone will sit down and type 1 Million unique questions that are not easy to solve with simple logic or extract the answers easily from Google... bots can do both)

Having said that, they have installed their own plug-ins to show case them: Resource Manager.
If you start adding plug-ins, new users will complain that they thought they were getting X/Y/Z, but now realise they have to pay for it

There are many anti-spam plug-ins available, see the list here: http://xenforo.com/community/resources/dealing-with-forum-spam.980/

I use my own CAPTCHA and anti-spam techniques which I have found to be 100% effective so far (I really love my Custom Img Captcha, but then I am blowing my own... so to speak):

CustomImgCaptcha (free): http://xenforo.com/community/resources/customimgcaptcha.1161/
FoolBotHoneyPot (paid): http://xenforo.com/community/resources/foolbothoneypot.1085/
StopCountrySpam (paid): http://xenforo.com/community/resources/stopcountryspam.1016/

You can also use alternative CAPTCHA mechanisms:

KeyCaptcha: http://xenforo.com/community/resources/keycaptcha-interactive-captcha.987/

The core for 1.3 will include the use of the StopForumSpam database (to look up a username/ip/email list of already known spammers), see here: 1.2 to include spam prevention
A plug-in named StopSpamHere already implements this (paid): http://xenforo.com/community/resources/sonnb-stop-spam-here.1086/
As does XenUtiles: http://xenforo.com/community/resources/8wayrun-com-xenutiles-tools.104/
 

RobParker

Well-known member
#10
Simple QAs will not stop bots registering here (the PR is too high for it not to "look" valuable for gaining links, and QAs are easy to extract the question list, since it is unlikely someone will sit down and type 1 Million unique questions that are not easy to solve with simple logic or extract the answers easily from Google... bots can do both)
We have around 5 questions and that's prevented any bots from registering. I appreciate we're obviously not as high profile but I'd suggest Q&As would still help a lot.
 

tenants

Well-known member
#11
If you make sure you don't use simple logic questions and questions that cant easily be queried with a search engine, I'm not saying it wont help (for a while)

The software is also able to gather and decipher artificial intelligence such as security questions (i.e. what is 2+2?) often used by forums upon registration. Since the latest version of XRumer, the software is capable of collecting such security questions from multiple sources and is much more effective in defeating them.
Helper program Hrefer is also included. This software is used to automatically parse results from search engines including Google, Yahoo, Bing and Yandex for forums and blogs that can then be used as a target list for the main XRumer application.[citation needed]
According to The Register, as of October 2008, XRumer can defeat CAPTCHAs of Hotmail and Gmail.
http://en.wikipedia.org/wiki/XRumer

One of Xrumers "show-offs" is that it contains a list of high PR XenForo sites, this being one of them

If those sites started to no longer work for Xrumer, it wouldn't take much to learn the QA answers (Xrumer already learns many QAs)
a quick link to the latest version of XRumer: http://ixrumer.com/xrumer/

You'll notice they talk about
Those who read topic "How to teach Xrumer to new text captcha" – know that our software is able to pass such protection like “What is current year?”, “2+2=?” etc.

Who didn’t read this topic we recommend to read it:
In that topic is described how to train XRumer to new protections by editing textcapctha.txt. With release of version 7.07 this process becomes easiest. Also is created mechanism of collective teaching of text CAPTCHA. That means all results of training are stored on our server and after are distributed to all our customers. Due to this system success rate is increased.

QAs are not the way forward, neither are common CAPTCHAs... they will learn from these / train against them

Custom CAPTCHA (your own CAPTHCA method or the free resource CustomImgCaptcha ), the stop forum spam method (coming in 1.3) to prevent known bots, hidden honey pot fields (such as FoolBotHoneyPot) and customisations of your registration pages that you can do your self (or also available with FoolBotHoneyPot), and validating the first few posts will all help and last a lot longer as methods

With QAs, you might find you will need to update them every few months to keep beating back the bots

There is another very big problem with QA's, but unfortunately I can't really talk about it until a fix is made
 

CTXMedia

Formerly CyclingTribe
#12
Presumably then, a person visits your site and grabs your questions (and answers) and adds then to the list within this software tool, then users of the software download the latest update (including your now-beaten Q&As) and get their spam through the front door?

So would it be good practice to rotate your Q&A's weekly/monthly to defeat such attempts?
 

tenants

Well-known member
#13
Not just the individual, the Xrumer application contains an extensive list of QAs, the Xrumer application can query common QAs using search engines, the Xrumer application can beat simple logic.. on top of that, the individual can edit their own textcapctha.txt (edit: oh, yes... I'm not sure if this text file then gets sent on, presumably it would make sense to do that)

Yes, it is a good idea to keep changing QAs (especially once you know they have failed), this is also true for image CAPTCHA .... prune out your weak CAPTCHA methods regularly

... text QAs is a fail for many reasons (not just for the reason I can not talk about), bots will make this more obvious in the months to come, right now, since text QAs are becoming widely used, we are entering the learning phase for Xrumer

It will always be an arms race if you use common methods to stop bots, even Google with extensive funds, continuously updating ReCAPTCHA are battling hard (as you can see by the amount of spam from ReCAPTCHA being beaten recently)

ReCAPTCHA will work again soon, but it will then be broken again too.. this will come and go in waves as the battle continues
 

steven s

Well-known member
#14
This is getting a bit ridiculous. It hardly gives a good impression of the forums to find it full of spam every morning.

Wouldn't setting a few good Q&A captchas make a big difference as they seem to have done elsewhere. At the minute it looks like no one really cares.
Certainly looks that way. If I visited a forum for the first time and saw several spams I'd think the admin abandoned the site.
Does this mean that XenForo is weak against spam? If I do purchase XenForo what can I do to prevent spam on my community (does XenForo provide tools to fight spam? If yes then why is this board getting spammed..?)

Please don't get me wrong, I just wish to know more about the software I am going to purchase :)
Out of the box it is very weak. I don't know how anyone could deny that at this point.
 

HWS

Well-known member
#15
tenants, just want to thank you for your work at those addons. Each of them more than recommendable. It is heartwarming to eperience the expertise and the dedication of some XenForo forum members here.

Whereas the real owners and developers of XenForo sadly do not care any more since a long time.
 

Pereira

Well-known member
#16
We had spam at the same time most XenForo forums were being spammed at the very start. We used reCaptcha at the time (which is useless nowadays).

We started using the Q&A system which has worked brilliantly. We ask basic questions that only people visiting our site would know if they were going to sign up and we've never had any spam accounts register since. Plus we don't have any third party addon installed.
 

dutchbb

Well-known member
#17
I've recently installed the Solve Media plugin and don't think I've seen much if any spam since. But just an intelligent question/answer filters out most of the spam too.
 

HWS

Well-known member
#19
I asume that this forum is used as a presentation tool for XenForo to show it's core product in action. It would be simply not acceptable to install any foreign addon.

Since no one develops XenForo currently, there is also no future version with a better anti-spam feature to be installed.
 

Edrondol

Well-known member
#20
Using XenUtils my small site has blocked 24,928 since putting it in place August 23 after the Great Spam Migration of 2012. 243 since midnight.

You just can't buy any better piece of mind than that. It's a fracking great product.
 
Status
Not open for further replies.