Up until a couple of days ago member accounts were visible publicly unless the member changed their privacy settings.
This has now been changed, all member accounts are now hidden from public view unless they have logged onto the site. You can increase your privacy via your account settings.
Yes, very true, also it's the ease of creating an account without a second step verification process or human intervention which seems to be the default configuration for many xenforo forums.
I made a suggestion in post #14 to enable the send a verification email with a link to complete the account creation process, This should stop bots creating accounts.
Some members were concerned about privacy and what spammers were exploiting.
The attached image is from a profile created by the typical SEO (search engine optimiser) spammer. Unil recently all member profiles were viewable without being logged in.
Adding to this the forum in general is been indexed by webcrawlers and search engines so we can find things on the internet. SEO spammers exploit this on forums where the profile is scraped by these indexers, so in their account profile they include keywords, website info and weblinks knowing that the indexers will collect this information to increase views and hits on search engines and thus increasing the visibilty of their website.....on the premise more clicks = more $$$
The attached image is from a profile created by the typical SEO (search engine optimiser) spammer. Unil recently all member profiles were viewable without being logged in.
Adding to this the forum in general is been indexed by webcrawlers and search engines so we can find things on the internet. SEO spammers exploit this on forums where the profile is scraped by these indexers, so in their account profile they include keywords, website info and weblinks knowing that the indexers will collect this information to increase views and hits on search engines and thus increasing the visibilty of their website.....on the premise more clicks = more $$$
Attachments
Here is another spammer (account reported) that created an account 20min ago, its been going around for a few months and has setup accounts at a number of forums. All the Bing search results are forums.
As a twist, this Bot managed to setup an account at Github (deleted) and is only visible via Bing's cache.
🤖 are very efficient.
As a twist, this Bot managed to setup an account at Github (deleted) and is only visible via Bing's cache.
🤖 are very efficient.
Attachments
I already reported that one. Its quite easy to spot whether the newest-joined member is potentially a spammer. On the homepage box to the right mouse over the 'Latest Member' and if it shows they're updating their profile in the pop-up box then that's likely a spammer. Real users prefer to get stuck into the forum or do PMs.
Yeah, it took me about 10mins whilst I was searching around and in the process of reporting it. It made me laugh that it created a Github account.
You would think so.......but you would be surprised on how many really old accounts logon to the forum and never post....watch the current visitors list
If I don't see them on the front page I can catch them on the "view members list" bottom left corner coloured sqaures. The problem is I don't know if its in realtime or a delayed summary, but its been useful.
What really scares me is the number of 🤖 creating
accounts....
You would think so.......but you would be surprised on how many really old accounts logon to the forum and never post....watch the current visitors list
If I don't see them on the front page I can catch them on the "view members list" bottom left corner coloured sqaures. The problem is I don't know if its in realtime or a delayed summary, but its been useful.
What really scares me is the number of 🤖 creating
accounts....This is how persistent 🤖 can be in creating accounts, the above account was deleted sometime yesterday, a couple of hours ago another account was generated with the same first four characters and just changed the last four. All the Bing search results are forum infections. It's difficult to kill a
See attached.
Attachments
Great suggestion. Implemented, members-only now for all those.
We are indeed using that.
We are using reCaptcha V2, StopForumSpam, and thanks to the hard work and tireless dedication of the mods, manual moderation until released.
Thanks, it's been educational if nothing else however it's seems (and not totally unexpected) the SEO spammers are still bypassing these measures, I've reported a couple yesterday and today. In one case the account was deleted only to be recreated the next day with a slight variation to the account name, see post #68.
See the Wikipedia link in post #67 to see the capabilities of spamming software tools.
Not to mention everyday the Spam Bot's are creating numerous zombie accounts in new and inventive ways, also bypassing the updated measures.
Considering the number of accounts that are created everyday (its probably around 10 or so), has there been any considerations to have a human verify the account ?
See the Wikipedia link in post #67 to see the capabilities of spamming software tools.
Not to mention everyday the Spam Bot's are creating numerous zombie accounts in new and inventive ways, also bypassing the updated measures.
Considering the number of accounts that are created everyday (its probably around 10 or so), has there been any considerations to have a human verify the account ?
We do human verify the accounts when they attempt to post. No posts from new accounts get through without the mod team's permission.
And this has been the case for, I think, the last decade.
The mods have manually vetted quite literally hundreds of thousands of posts over the last decade in order to keep the spammers out and the discussions free of spam.
We have a number of automated tools are our disposal to help guide decisions, but in the end nothing beats a DIYer to sniff out someone who isn't a DIYer.
And this has been the case for, I think, the last decade.
The mods have manually vetted quite literally hundreds of thousands of posts over the last decade in order to keep the spammers out and the discussions free of spam.
We have a number of automated tools are our disposal to help guide decisions, but in the end nothing beats a DIYer to sniff out someone who isn't a DIYer.
Also what is done in connection with StopForumSpam.
In any case, I have seen a shift since correcting the settings.
The issue is the spammers never post, they rely on the fact as long as there is no human verification of the account it will disappear into the background never to be seen. The only way you see these type of spammers is when the account appears in the new members list and then go to visually check the account profile.
Here is an example I found today by using a dedicated Bing search, this account is a SEO spammer, because they never posted it just sits there waiting to be scraped by the webcrawlers. This has been the case with all the SEO spammers I have reported, they all have a zero post count.
This SEO spammer account was created on the 14/12, 4 days after the forum update back in December, it has a zero post count and went undetected.
Account - https://www.diyaudio.com/community/members/wireless1online.532485/#about
I have found a few more SEO spammers using this Bing search that I wouldn't been able to do so as a normal user of the forum, the Xenforo management tools allows an admin or mod to perform detailed account searches.
Yes. I think there's been a tapering off, but the
account creation is going gang busters.I'm about to report the final five of the SEO spammers that I found using Bing that were created back in mid december before I was actively looking for them.
Yes, this is our major problem ATM. Spammers know that they can post to their profile page with no approval needed. That's all they need to do to get paid. No newb should be able to post or do anything without moderator approval.
A couple of updates, thanks for all the suggestions @Indiglo.
- We used to ask an audio specific question during registration. After migration we switched to CAPTCHA. We have now gone back to the audio specific question. It's an easy question, but a non-audio person would have to Google the answer, enough to stop spambots picking the low-hanging fruit from 100,000 default XF installations
- New, moderated members, now cannot make profile posts at all until they are out of moderation
Update - we are using a totally custom registration modal (pop up screen), so the CAPTCHA -> Q&A didn't stick. Will be implemented.
Good news, thanks for the updated changes. I appreciate how difficult and time consuming it is stopping the spammers considering the highly developed software tools they have at their disposal.
I'll keep an eye out in an event that they change their tactics. If all goes well I might post an update in week on how successful the changes have been.
I'll keep an eye out in an event that they change their tactics. If all goes well I might post an update in week on how successful the changes have been.
- Status
- Not open for further replies.