Xenforo & Duplicate Accounts

[Alfuzzy]

Does Xenforo have a system in place to catch folks registering duplicate accounts (either purposely or accidentally)?

I'm mostly talking about someone new (or existing) registering for an account...and if they choose a username or email address already in the database...they are prompted to use something different.

Reason why I'm asking is...just had an existing member create a 2nd account (using the same email address)...and the XF system didn't reject the 2nd account when the same email address was used a 2nd time.

This has happened before...doing some investigation this time.

Thanks

 

[bzcomputers]

...just had an existing member create a 2nd account (using the same email address)

This should not be possible, Xenforo does check for this and it is not an option. Are you sure the emails aren't just very similar?

 

[Mendalla]

Yeah, I've actually tried it before myself when setting up test accounts and it does not allow it. I have to add an alias to the email I use for testing for each new test account.

 

[Alfuzzy]

This should not be possible, Xenforo does check for this and it is not an option. Are you sure the emails aren't just very similar?

Hi bzcomputers & Mendalla,

Yes that's what I was thinking as well (XF checks for this).

I've investigated. Looks like the XF software did what it's supposed to do (not allow accounts with duplicate usernames or duplicate email addresses). Before the site was migrated to XF it was running vBulletin 4...we had a tool that allowed blocking of new accounts if the IP address was the same. Not sure if this was built into vBulletin, if it was custom code, or an add-on.

Back in the day before the proliferation of VPN's and ways to hide/mask IP addresses...spammers would do their spamming from the same IP address...and this sort of tool was handy. Not as much now.

If I was interested in using this sort of tool with XF...is there a way to do it (block multiple account creation from the same IP address)?

Thanks

 

[Forsaken]

This is the add-on I use for multiple account detection: https://xenforo.com/community/resources/signup-abuse-detection-and-blocking.6812/

 

[bzcomputers]

If I was interested in using this sort of tool with XF...is there a way to do it (block multiple account creation from the same IP address)?

This is not the best way to go about it. Multiple people in the same house, business, etc. could be blocked from creating account - this is not what you typically want to do.

You should look at spam management and that is integrated very well into XenForo. Under Setup - Options - Spam Management. Setup both Stop Forum Spam and DNS Blacklist / Project Honey Pot. This will check against known bad ip addresses.

 

[Alfuzzy]

This is not the best way to go about it. Multiple people in the same house, business, etc. could be blocked from creating account - this is not what you typically want to do.

I think in theory you're right...but I don't think my site has many members from the same household or business. With that said...my wife & I both do have accounts on the site...so in theory if we tried creating two accounts today...one of us would get blocked.

How about this. Instead of blocking multiple accounts being created from the same IP...how about if two or more accounts were being created from the same IP getting flagged...and needing manual approval from a staff member?

Could this be done with a stock XF install...or via add-on?

Thanks

 

[Alfuzzy]

This is the add-on I use for multiple account detection: https://xenforo.com/community/resources/signup-abuse-detection-and-blocking.6812/

Thanks Forsaken. Xon has some some great add-on's...but $45 for this add-on is unfortunately too much for the budget.

 

[bzcomputers]

Could this be done with a stock XF install...or via add-on?

Would require add-on as mentioned above.

In my opinion checking for duplicate IPs is an old school way of going about spam protection. There are better methods already integrated into XenForo. If checking for duplicate IPs was a sound way to protect your site, XenForo would have added it long ago, it's literally a couple lines of code.

I have a site running XenForo with over 175000 members using only the XenForo built in spam protection options and have zero issues that aren't caught by those methods.

 

[Alfuzzy]

In my opinion checking for duplicate IPs is an old school way of going about spam protection. There are better methods already integrated into XenForo. If checking for duplicate IPs was a sound way to protect your site, XenForo would have added it long ago, it's literally a couple lines of code.

I have a site running XenForo with over 175000 members using only the XenForo built in spam protection options and have zero issues that aren't caught by those methods.

I agree...using IP address to help block duplicate accounts probably is old school...but could be an extra layer to prevent duplicate accounts. I think the duplicate accounts activity usually comes from longtime members that have been inactive for a while...they've forgotten their login details...then they register again with a new account.

In the case of this thread...we only found out about the "duplicate account thing"...when a newly registered member contacted us with a request to change their account email address...and turns out that email address was already used in another account (this person from an old account).

But sometimes new members create an account...then don't like the username they created...then create a new account with a different username & different email address (instead of contacting us with a request to change their account username). In this case if the person is not using a VPN...they probably have the same IP address...and if the site was checking for duplicate accounts via IP address...this sort of thing would get flagged/caught.

We probably get about 20-25 new account registrations/day...the numbers can add up quickly.

As far as spam protection...the biggest issue is spam via the "Contact Us" form. We of course have CAPTCHA running...but this doesn't stop them all. Many folks say Q&A CAPTCHA is the best. But even with Q&A Captcha (the Q&A being site topic specific)...spammers still get thru. If the Q&A Captcha is too hard...then it can get too difficult for new folks joining...since they may not even know the answer (without looking it up). Lol

I'm going to guess (at the moment)...Captcha blocks about 80% of the spammers via the Contact Us form. I tried an experiment a while ago for about a week where Captcha was turned off...and spammers via the Contact Us for increased about 5x. After a week & Captcha was turned back on...spammers via Contact Us dropped back to its normal level. Captcha definitely helps...but still wish it was better.

 

[bzcomputers]

If you're worried about duplicate accounts from non-malice members, in my opinion, your really worrying about something you shouldn't. It is causing absolutely no harm. They are getting a new account and can once again post if they choose to.

Busy sites have lots of new user accounts created daily that will never be logged into again because of any number of reasons ...the new user gets what they need and moves, the new user doesn't find what they need and goes elsewhere, the new user was confused and your site was not what they thought it was, etc..

If the user had significant presence on your site before and wanted to continue under that old member id they forgot or lost access to, believe me they will let you know, and typically before they attempt to create a new account. If you ban a user there account is marked and the IP can also be banned.

The Contact Us form is a whole other topic and will always be a weak link. No login required means security will be minimal and spam chances much higher. Captchas are moving towards being obsolete. The harder the captcha the lower percentage a human can solve and bots are quite smart these days.