What's The Best Spam Protection Measures?

It's really interesting, but we have an unintended security measure. We created a plugin called "Simple Rules" which displays the rules for our forum. What this does is give users who have not agreed to our rules a usergroup we specified which does not have the ability to do anything unless they read the rules and click "I agree". I have it on both of my personal forums and even though we get spammers who sign up, they can't do anything at all since they don't have the ability to.

So every few days I do a mass user update by finding all users who have the usergroup we set up and deleting them :).

Hopefully that gives some other people some ideas.
I wouldn't even want them to create an account. Your Simple Forms addon could be used by guests right? So Simple Forms could be on the registration page as a guest is signing up right? If they don't fill out a form that has the rules, that could prevent them from registration? Can Simple Forms already be used to do that?
 
All such methods above about double opt in rules and such, are still useless at the end of the day, because a human spammer will accept and then spam. The suggested products above stop every avenue, no work on your part every x days, nothing further to do.

@DRE you don't need to stop bot resources... it doesn't have any real definitive impact overall because bots hitting your registration page get caught in FBHP which isn't really any load for you and merely a little bandwidth. Who cares if a few GB of bandwidth are taken from spambots... no doubt you're allocated way above anything you're actually going to use. Don't complicate your spam prevention.

Those 3 things are all you need... ignore the rest for a 99.99% spam-free time participating upon your site.
 
I wouldn't even want them to create an account. Your Simple Forms addon could be used by guests right? So Simple Forms could be on the registration page as a guest is signing up right? If they don't fill out a form that has the rules, that could prevent them from registration? Can Simple Forms already be used to do that?
I don't want to derail the discussion but yes with the latest version of SF guests can submit forms. However, you can't replace registration with a form or anything like that. Simple Forms cannot block people from registering.
 
I don't want to derail the discussion but yes with the latest version of SF guests can submit forms. However, you can't replace registration with a form or anything like that. Simple Forms cannot block people from registering.
What I mean is, can we make the form a requirement? Kind of like how we can already make custom user fields a requirement on registration.
 
What I mean is, can we make the form a requirement? Kind of like how we can already make custom user fields a requirement on registration.
The best way I can think of doing this is to make your "Registered" usergroup have no permissions to do anything but view Simple Forms. Create a notice for Registered users telling them they have to submit a particular form. Using the latest release you can set up a promotion to run if they have filled out a particular form you've created. Then have that secondary usergroup give them permissions to do everything they normally would :)
 
Unfortunately, the best anti-spam measures are the ones that work, but also that no one else is doing. Spammers aren't going to bother reverse engineering spam mitigation systems to get at 1 or 2 sites... but to get at thousands? Sure...

It's a little annoying that way because we have some pretty neat anti-spam stuff, but once we share it then it starts becoming less useful for us. Boo spammers! :)
 
You will have to find a tool that understands the content the spammers write. I overview posts with links to a not-approved target.

I do have contracts with advertisement agencies where some clients pay hundreds of dollars for a single thread I open up consisting of one or two links linking to the client's page. Imagine you avoid paying hundreds of dollars by just registering yourself and writing that hopefully unnoticed thread yourself.

The more one can gain, the more effort one will undertake to break the rules.
 
Unfortunately, the best anti-spam measures are the ones that work, but also that no one else is doing. Spammers aren't going to bother reverse engineering spam mitigation systems to get at 1 or 2 sites... but to get at thousands? Sure...

It's a little annoying that way because we have some pretty neat anti-spam stuff, but once we share it then it starts becoming less useful for us. Boo spammers! :)

Agree, the developers for applications such as XRumer target larger volumes, but closer to 10's of thousands - millions rather than thousands
So if you do share it, and it's a mechanism that can be targeted, just make sure it doesn't reach a high volume (make it paid ;) )

This is true for "soft" mechanisms, I keep saying this over and over.
Many plugins work well due to the low popularity of the mechanism, as soon as that mechanism reaches a significant number, it becomes a worthwhile target, so if soft mechanisms are put into the core of an application with volume, they will be targeted. We have seen this for simple tick boxes (are you a bot), logical questions (1+1), all text-QAs (solved with textcaptcha.txt), reCAPTCHA (solved with training ANNs) ... and we will soon see this for the registration timer (solved with script pausing)

Once a mechanism reaches a threshold (this commonly occurs when put into the core, but can happen with popular mechanisms), the mechanism will soon be rendered useless

There are some mechanisms that are hard to target due to the challenge for AI. Simple sliders / games / honeypots / timers / image recognition of known public libraries / custom text questions ... are no challenge for AI, so as soon as any of these reach a significant volume, they will be rendered ineffective. The trick is to know what the limitation of AI currently is, and where most automated programs find difficulty

However, there do exist some "harder" anti-spam mechanisms (things that can't easily be targeted). An example of a hard anti-spam mechanism is an API. APIs are not so easy to target, so are ideal for putting into the core of an application (there are ways to target APIs, of which I won't mention). So, APIs in the core is a good idea

But APIs will never stop 100% of spam, soft mechanisms can...
So multiple uncommon mechanisms are useful and these can stop 100% of spam (so I applaud multiple non core mechanisms, or even custom mechanisms)
... It's even better if you can find a non common mechanism which is very hard to target (this is why something as simple as CustomImgCaptcha will outlast many other CAPTCHAs, the idea is customised by the forum admin, and there is no set available to train an ANN against)
 
This is why I love KeyCaptcha... their library is constantly changing and at the end of the day, the AI needs to grab a mouse pointer and correctly put the image together so it can verify, which is only activated on mouseover.

Good image captcha is seriously effective.

Your human spam add-on @tenants is unbelievably effective when set with some decent settings and realistic like:post ratio.
 
Is there a way to change the name of the registration form to make it less easy to guess where it is? So instead of /register how about something else like a string of random characters /cwerc3297y239923hd2

Would that be effective at all?
 
If it's clickable, it's very easy to find via any HTML reader. Unless you do other manipulations, but I see no real benefit to doing this.
 
If it's clickable, it's very easy to find via any HTML reader. Unless you do other manipulations, but I see no real benefit to doing this.

I'm doing this to create a paid members only forum where you must pay first before you can join. The registration page wouldn't be clickable or linked from any other page. It would also be blocked from search engines. Unless you know the crazy random URL, you could never find it. Also, registration links would be removed from drop down login and login overlay popup (so no linkage there either). The only way to get to the registration page would be as a thank you page from a payment processor that redirects you there once payment is made. When you rename it, you eliminate all of the spammers who are familiar with xenforo and know that's where the registration page sits. Would this work?
 
When you rename it, you eliminate all of the spammers who are familiar with xenforo and know that's where the registration page sits. Would this work?
If you're talking about a paid only forum, that is completely different than 99.9% of www forums, thus it has no real bearing. As above, it is a useless spam fighting technique for 99.9% of internet forums, as they're not pay to participate.
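
The paid-registration flow discussed above, sketched as an added example (not code from this thread or from XenForo): rather than depending on an unguessable registration URL, the payment callback issues a signed, expiring, single-use token, and the registration handler checks it before creating the account. The function names, the `PAY-...` ids and the 15-minute lifetime are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side key; load from config in real use
TTL = 900                         # assumed lifetime of a registration link (seconds)
_used = set()                     # redeemed payment ids (a database table in practice)


def _sign(payload: str) -> str:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(payment_id, now=None):
    """Call from the payment processor's verified callback, then redirect
    the buyer to the registration page with this token in the query string."""
    expires = int((time.time() if now is None else now) + TTL)
    payload = f"{payment_id}.{expires}"
    return f"{payload}.{_sign(payload)}"


def redeem_token(token, now=None):
    """Call from the registration handler just before the account is created.
    Returns True once per paid token; False if forged, expired or replayed."""
    now = time.time() if now is None else now
    try:
        payment_id, expires, sig = token.rsplit(".", 2)
        expires_at = int(expires)
    except ValueError:
        return False  # not in payment_id.expires.signature form
    expected = _sign(f"{payment_id}.{expires}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # signature mismatch: token was not issued by this server
    if now > expires_at or payment_id in _used:
        return False  # link too old, or this payment already registered
    _used.add(payment_id)
    return True


if __name__ == "__main__":
    tok = issue_token("PAY-1001")            # constructed sample payment id
    print(redeem_token(tok))                 # first use after payment
    print(redeem_token(tok))                 # same link replayed
    print(redeem_token("/cwerc3297y239923hd2"))  # knowing a URL is not enough
```

With this check in place the registration URL can stay at its default path, because a request without a valid token never reaches account creation.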
 