• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

What's The Best Spam Protection Measures?

DRE

Well-known member
#1
What's the best spam protection measures that you have taken for your Xenforo forum? As I mentioned in my Paid Request thread I need bot protection, of which I had been looking at Incapsula's free plan and am wondering if that would be a good idea to use especially since there already is a Xenforo Resource about it. I'm moving my site over to a new host because my site has been getting aggressively indexed by Baidu search engine spiders. This indexing by the Chinese search engine is using up the site's resources and bandwidth of which I do not have much of since I am on shared hosting. I've looked at the various addons and am wondering if I should get either sonnb Stop Spam Here, which is advertised as a total spam protection tool or Tenants Anti Spam Complete Collection. Do you use any kind of cdn service for bot protection and have you used those spam protection addons? How do they compare? They seem to be about the same.
 

Bram

Well-known member
#2
Why not block the baidu spiders via a robots.txt file?

We suffered a lot from bots that registered last year but since having a human verification questions havent seen a single post :) (fingers crossed)
 
Last edited:

DRE

Well-known member
#3
Why not block the baidus spiders via a robots.txt file?

We suffered a lot from bots that registered last year but since having a human verification questions havent seen a single post :) (fingers crossed)
These bots are ignoring my robots.txt file.
 

Bram

Well-known member
#6
Jikes i am with you @DRE. Now i have upgraded my forums and this nice little Spider thingy is visible in the whois online box I see that Baidu seems to love our forums as well. Not sure if that love is mutual as we hardly receive any traffic from China.
 

Alfa1

Well-known member
#9
I always thought Spiders (not those yucky kinds) were a good thing for your website.
Not if they scrape/ download your website, suck up your bandwidth & server resources, scan for security vulnerabilities, automatically register thousands of spam accounts, use your content to copy it to other sites and compete with you over it, etc. etc.
The use of bad behavior anti spam has saved me a lot of headaches and money.
 

dvsDave

Well-known member
#11
I use a well-maintained ip block list, it has cut down the number of spammers knocking on my door by quite a bit. I have a month subscription to a service that keeps an updated list of IP addresses by country and consolidates the IP's into the smallest list possible. If you are interested in this list, please send me a PM. I would be happy to share if you are willing to help me defray my monthly costs on this. I used to get a lot of login attempts on my WHM/cpanel from greece, of all places. I used this service to block the whole of greece (I have no legit users from greece) and most of the login attempts have stopped. I still get some, but the vast majority of attempts have stopped.
 

Anthony Parsons

Well-known member
#13
Which one of these do you use and which one do you think is better?

1. sonnb Stop Spam Here

2. Tenants Anti Spam Complete Collection.
I have used both, and Tenants is the winner by far.

Spam is easy to combat now. You only need three things installed to wipe out 99.99% from your Xenforo site:
  1. KeyCaptcha correctly installed to cover all elements of contact, login and password recovery.
  2. Tenants foolbothoneypot. Turn off all the default XF stuff... just use FBHP and nothing else.
  3. Tenants human spam prevention. It stops all manual spammers in their tracks across your forum elements. You will need to adjust to your board, though it wipes it all out when done right.
Everything else is a waste of time and space now. You can use Jaxels xenutiles spam for an after thought, and run that once a month to see if anything got through by the 0.01% the above would miss.

As for Baidu, there are some inventive htaccess and other solutions to block them. As you don't run your own server, IP blocking via firewall is out, so htaccess it is. You can block them by IP or.... try something along the lines of:

Code:
SetEnvIfNoCase User-agent “Baidu” spammer=yes
SetEnvIfNoCase User-agent “Yandex” spammer=yes
SetEnvIfNoCase User-agent “Sosospider” spammer=yes

<Limit GET PUT POST>

order deny,allow

deny from env=spammer
</Limit>
Within the top of your htaccess...

As spammers often cloak their behaviour as baidu, which is why it gets such a bad rap, you can use something like:

Code:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Baiduspider.* [NC]
RewriteRule .* - [F]
 

DRE

Well-known member
#14
I have used both, and Tenants is the winner by far.

Spam is easy to combat now. You only need three things installed to wipe out 99.99% from your Xenforo site:
  1. KeyCaptcha correctly installed to cover all elements of contact, login and password recovery.
  2. Tenants foolbothoneypot. Turn off all the default XF stuff... just use FBHP and nothing else.
  3. Tenants human spam prevention. It stops all manual spammers in their tracks across your forum elements. You will need to adjust to your board, though it wipes it all out when done right.
Everything else is a waste of time and space now. You can use Jaxels xenutiles spam for an after thought, and run that once a month to see if anything got through by the 0.01% the above would miss.

As for Baidu, there are some inventive htaccess and other solutions to block them. As you don't run your own server, IP blocking via firewall is out, so htaccess it is. You can block them by IP or.... try something along the lines of:

Code:
SetEnvIfNoCase User-agent “Baidu” spammer=yes
SetEnvIfNoCase User-agent “Yandex” spammer=yes
SetEnvIfNoCase User-agent “Sosospider” spammer=yes

<Limit GET PUT POST>

order deny,allow

deny from env=spammer
</Limit>
Within the top of your htaccess...

As spammers often cloak their behaviour as baidu, which is why it gets such a bad rap, you can use something like:

Code:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Baiduspider.* [NC]
RewriteRule .* - [F]
Thank you Anthony Parsons. Your posts reads like a paid consultant wrote it so I'm really honored. I have a managed VPS with root access so I basically run my server now. Thank you for the htaccess rewrites.
 
Last edited:

DRE

Well-known member
#15
Alright I was really unsure about buying @tenants TAC addon but @MattW and @Anthony Parsons gave it rave reviews. Just waiting for my account to be upgraded so that I can install it. I also want to buy StopBotResources due to the following posts.

I use StopBotResource, so the bots that usually get logged with stopProxies don't even make it to the registration page..
Does FoolBotHoneypot do the same thing as your StopBotResources addon?
no,

FoolBotHoneyPot only stops bots from registering, but it stops 100% of bots from registering (both known and unknown bots) using elegant mechanisms, and these mechanism are invisible / unnoticeable to humans. The bots will still visit each page, they just wont be able to register

StopBotResources stops 75-95% of bots from using any resources (these are known bots), it does this using the StopProxies API, it does this on every core page. The bots get returned a 404 (or error of your choice), this requires less queries(1 instead of 11-15), and a lot less bandwidth (bytes instead of hundreds of thousands of bytes).

With FoolBotHoneyPot installed, I haven't had to worry about bots registering on any of my forums (pre an post 1.2) - This plugin is for large and small forums

With StopBotResoutces installed I haven't had to worry about bots taking up too much bandwidth for my small forums on shared hosts - This plugin is for small start up forums, since for large forums bot resources are negligible
 

tenants

Well-known member
#17
Just waiting for my account to be upgraded so that I can install it.
Waiting where?

There should be no waiting on SurreyForum. As soon as you upgrade (this is automated), you have access to download it (and the latest individual updates)
 

John L.

Well-known member
#18
It's really interesting, but we have an unintended security measure. We created a plugin called "Simple Rules" which displays the rules for our forum. What this does is give users who have not agreed to our rules a usergroup we specified which does not have the ability to do anything unless they read the rules and click "I agree". I have it on both of my personal forums and even though we get spammers who sign up, they can't do anything at all since they don't have the ability to.

So every few days I do a mass user update by finding all users who have the usergroup we set up and delete them :).

Hopefully that gives some other people some ideas.
 

RoldanLT

Well-known member
#19
It's really interesting, but we have an unintended security measure. We created a plugin called "Simple Rules" which displays the rules for our forum. What this does is give users who have not agreed to our rules a usergroup we specified which does not have the ability to do anything unless they read the rules and click "I agree". I have it on both of my personal forums and even though we get spammers who sign up, they can't do anything at all since they don't have the ability to.

So every few days I do a mass user update by finding all users who have the usergroup we set up and delete them :).

Hopefully that gives some other people some ideas.
unless they read the rules and click "I agree"
Is there any addon available for this kind of feature?
 

John L.

Well-known member
#20
unless they read the rules and click "I agree"
Is there any addon available for this kind of feature?
None to my knowledge. I'm surprised it hasn't been requested. It was a pretty popular vB plugin called Cyb Advanced Rules which worked similar (but with many more features that I didn't need). We just created a little sloppy plugin to do this. Nothing release quality since our focus is Simple Forms and our new project.