[TAC] Total XF1 Anti-Spam Collection Complete

[TAC] Total XF1 Anti-Spam Collection Complete [Paid] 1.2.92

There is something very strange going on... after going through fbhp/anyapi... it either fails and stops them, or passes them back to the core (if it fails, it doesn't pass it back to the core, but there is no way for fbhp/anyapi to register them, I simply do not save users, I let the core do that)

... So the only way it would let them through is if it passed them back to the core... and at that point, the core SFS would have caught them anyway (since you had it switched on, which isn't necessary).

So, something is not right here. The only way they could/should have got through is via the Twitter/Google/Facebook registration, unless there is another way on your system. Do you mind sending me your URL via PM?
 
It might be worth investigating these users by looking at the server access logs, it might tell you where / how they registered (bear in mind, we know they at least attempted via register.php)

When you click on those logs, are there registration errors displayed?
 
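One way to do the access-log check suggested above, as an added example that is not part of the original post or of the add-on: it counts, per client IP, which registration routes received a POST that the server did not reject. The URL patterns and the sample log lines are assumptions and must be adapted to the board's real routes.

```php
<?php
// Added example, not TAC or XenForo code. The URL patterns below are
// assumptions: replace them with the registration routes your board exposes.
const REG_ROUTES = [
    'facebook' => '#^/(index\.php\?)?register/facebook#',
    'twitter'  => '#^/(index\.php\?)?register/twitter#',
    'google'   => '#^/(index\.php\?)?register/google#',
    'form'     => '#^/(register\.php|(index\.php\?)?register/)#', // checked last
];

function classifyRoute(string $path): ?string
{
    foreach (REG_ROUTES as $name => $pattern) {
        if (preg_match($pattern, $path)) {
            return $name;
        }
    }
    return null; // not a registration request
}

// Returns [ip => [route => count]] for registration POSTs the server did not
// reject (status < 400). A 200 can still be a re-rendered form with errors,
// so match the timestamps against the account's join date before concluding.
function registrationPosts(array $lines): array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) /';
    $seen = [];
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not combined log format
        }
        [, $ip, $method, $path, $status] = $m;
        $route = classifyRoute($path);
        if ($route === null || $method !== 'POST' || (int) $status >= 400) {
            continue;
        }
        $seen[$ip][$route] = ($seen[$ip][$route] ?? 0) + 1;
    }
    return $seen;
}

// Constructed sample lines using documentation IP ranges, not real traffic.
$sample = [
    '192.0.2.10 - - [16/Mar/2017:14:01:02 +0000] "GET /register/ HTTP/1.1" 200 5120 "-" "ua"',
    '192.0.2.10 - - [16/Mar/2017:14:01:09 +0000] "POST /register/register HTTP/1.1" 200 6200 "-" "ua"',
    '198.51.100.7 - - [16/Mar/2017:14:05:40 +0000] "POST /register/facebook/register HTTP/1.1" 303 0 "-" "ua"',
    '198.51.100.7 - - [16/Mar/2017:14:06:11 +0000] "POST /register/register HTTP/1.1" 403 900 "-" "ua"',
];
print_r(registrationPosts($sample));
```

An IP that appears only under a social-login route, and never under `form`, points to a registration path that the form-level checks did not see.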
I just started a little vacation today but I will reach out as soon as I'm back next week so we can dig into this! In the meantime we will be collecting plenty of good data. Thanks so much for the proactive support!
 
Hang on, is this the same as "I am not a robot tick box - recaptcha"?
... isn't it just a re-branding of the same thing?

You can already add that as part of the core, although I don't use it in xenforo, since I know it will be targeted.

It's called "no-captcha recaptcha", some browser based bots pass it already (google fix, bots modify, it gets broke, google update ... it's just the same old battle with a different name), xrumer are also looking at this (I suspect next version, but they have been saying they are looking at it for a while!)

http://www.botmasterlabs.net/event/2016-08-10/1/


 
Most of the time I would agree with you. Bad for humans, good for bots, at least the no-captcha isn't too bad for humans.

Captchas aren't great, especially if you are using captchas that are global (ones provided by companies that lots of people use).
These are the biggest targets and when they break, floods of bots get through. There has been an ongoing battle with recaptcha and bots, it always gets broken, fixed, broken, fixed
- people trust it due to the brand, and wonder why they get floods of bots all in one go. It is because you trust it, it is such a security issue... never rely on one mechanism alone, all mechanisms will eventually be bypassed.

... it's just such a big target, it's worth the effort to solve. There is nothing that AI cannot solve, this is one battle that Google will always lose.
This goes for any problem, be it games, word recognition, no-captcha recaptcha

If only there were a way that you could create your own custom image captcha, that wasn't targeted due to the lack of training sets, that was easy for humans... sounds like something so simple :) (cough ... CustomImgCaptcha)
There are limits on image recognition when data sets are not readily available to train against. Most of the captcha solvers use neural networks and train them against the vast data set readily available by global companies (Gee, great idea Google, thanks for making it so easy).

If vast data sets are available, this becomes an ideal situation for neural networks. ANNs work well if there is a large defined data set, particularly supervised neural networks.

... when there are no data sets to train against (your own images that no one else uses), this becomes a lot tougher
... AI then needs to raise its level to be a "general solver"

Resonance Art Theory Neural Networks are a type of unsupervised / clustering network, but even they require a level of good data sets.

So if you customised your image, and have a few completely different types of image-based questions, AI is a bit stuffed for now

... however, in this situation, botters just send out the captcha to be solved by cheap labour (and they do).... splat goes any captcha in this scenario

(8.51, solving manually... this can be farmed off to cheap labour... btw this is a v.old xrumer, it now solves many more)
 
@alpha1

Yeah, invisible captcha is nothing new, it's just a re-branding of no-captcha-recaptcha

... it's just hidden... whoop whoop (and already bypassed by some bots... and about to be bypassed by some of the more prevalent bots)

recaptcha no-captcha bypassing: https://xenforo.com/community/threads/notes-to-self.126176/#post-1133289

By the time the core adds this to xenforo, it will probably have hit one of its useless phases before they fix it, then it becomes useless again, then they fix it.... yada yada

Learn from all the other captchas, even you yourself have said that:
All the captchas in XenForo have been broken.

Do not use global captchas (if your aim is to prevent spam), they will always be broken, regardless of how big or how well funded the company is, eventually AI wins every time and will always win
 
tenants updated TAC(Tenants Anti-Spam Collection) - Anti-Spam Complete Collection with a new update entry:

updates to the latest versions

  1. TAC AnyApi 1.0.7
  2. TAC AuthCaptha 1.0.1
  3. TAC CustomImgCaptcha - Customise your images for CAPTCHA 2.4.1
  4. TAC De-Dos - Reduce the effect DOS attacks usually caused by spam bots 2.0.08
  5. TAC FoolBotHoneyPot - Stop spam bots registering 3.0.23 .... IMPORTANT FIX
  6. TAC StopCountrySpam - black/white list country IPs from registering 3.0.04
  7. TAC StopHumanSpam -...

 
@Gene
I think I know what that issue might have been now, somebody mentioned the same in PM, it's fixed although I didn't know it was an issue, something looked a bit strange in fbhp version 3.0.17

It wasn't an intentional fix for this issue, just something that looked out of place, so it shouldn't be reproducible in the latest fbhp version (or version 3.0.20 up I think)

If you click on that log... (just one click) does it show registration errors, like this:

View attachment 149974

if "anyapi_sorry_youve_been_detected_against_the_x_database" is present, or any errors are present, I know it wasn't this log that it bypassed, since if there are errors the data never goes back to the parent action register (so the user can't be created)

Code:
        if($errors)
        {
            $fields = $data;
            $fields['tos'] = $this->_input->filterSingle('agree', XenForo_Input::UINT);
            $fields['custom_fields'] = $customFields;
            return $this->_getRegisterFormResponse($fields, $errors);
        }

        // only gets here if no errors
        return parent::actionRegister(); // it is only here that a user can be created

If this is the case, then what other routes can the users get in (google/twitter/fb?)



I did do something different in version 20, I moved

Code:
        $writer->bulkSet($data);
        $writer->setPassword($passwords['password'], $passwords['password_confirm'], null, true);
        $errors = array_merge($errors, $writer->getErrors());

outside of the stopbotter check, it looked like I was only merging certain errors if found in stopbotters... that could have been this bug


so if there were no errors in the above log, it's quite possibly fixed in version 3.0.20 up. Let me know if there were errors, and if this happens with the latest version

... there weren't any reg errors in this case, so it was the issue that was fixed with v20 (well, at least I assumed it's fixed)
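The placement change described in the post above, as an added illustration that is not the add-on's code: when the writer's errors are merged only inside the bot-check branch, a submission that does not trip the bot check carries an empty error list to the gate in front of the parent action. `FakeWriter`, the function names and the sample input are hypothetical stand-ins.

```php
<?php
// Added illustration, not the add-on's code. FakeWriter stands in for the
// XenForo user DataWriter; every name and the sample input are hypothetical.
final class FakeWriter
{
    private array $errors = [];
    public function bulkSet(array $data): void
    {
        if (!filter_var($data['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
            $this->errors['email'] = 'invalid_email';
        }
    }

    public function getErrors(): array
    {
        return $this->errors;
    }
}

// Before: writer errors are merged only when the bot check fired.
function errorsMergedInsideCheck(array $data, bool $botDetected): array
{
    $errors = [];
    if ($botDetected) {
        $errors['bot'] = 'detected';
        $writer = new FakeWriter();
        $writer->bulkSet($data);
        $errors = array_merge($errors, $writer->getErrors());
    }
    return $errors;
}

// After: the merge runs for every submission, bot check or not.
function errorsMergedOutsideCheck(array $data, bool $botDetected): array
{
    $errors = $botDetected ? ['bot' => 'detected'] : [];
    $writer = new FakeWriter();
    $writer->bulkSet($data);
    return array_merge($errors, $writer->getErrors());
}

// Same gate as the post's snippet: only an empty list reaches the parent action.
function nextStep(array $errors): string
{
    return $errors ? 're-show form with errors' : 'parent::actionRegister()';
}
$input = ['username' => 'sample', 'email' => 'not-an-email']; // constructed
echo 'inside:  ', nextStep(errorsMergedInsideCheck($input, false)), PHP_EOL;
echo 'outside: ', nextStep(errorsMergedOutsideCheck($input, false)), PHP_EOL;
```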
 
Awesome, thanks for the follow-up! I got stuck away longer than expected due to the snowstorm in the northeast US this week, and (good news) I didn't get to collect much more data as the Korean spammers have finally given up on targeting us due to the more stringent filtering and security we have in place now thanks to TAC. No regrets at all about buying this add-on.
 
That's crazy! Who is going to scan the QR code? I wonder if it's worth the effort for the spammer. They don't give up hey.
 
Can't see anything it does that dedos doesn't already do, what is it that you particularly like about it? Their version is free, you can probably add it yourself, it's not something I can or need to include in tac antispam
 
Two functions that would be extremely useful would be:
  1. If a member has triggered any of the TAC addons, then display a tab on profile (visible to staff) and list the entry in there.
    This function would allow us to spot repeat offenders. We frequently encounter users who post something suspicious but not clearly spam. Different staff members will handle the reports so such members can fly under the radar for a long time.
  2. Then introduce a Spam Trigger Count. Display this count on member card and on any log entry. This way we can quickly see if the same member has been repeatedly trying to post suspect content.
 