[BirdOPrey5]

Well the Q&A seems to be enabled now.

[max.]

spammers are registering users without the Question and Answer option.

They are registering users directly in the database.


This is a issue that vbulletin knows already.


They need to release a fix to stop this issue.


We are using this version: vBulletin 3.8.7 Patch Level 3

[kpmedia]

Hogwash.
Spammers don't have direct access to your database.

[BirdOPrey5]

Originally Posted by max.

spammers are registering users without the Question and Answer option.

They are registering users directly in the database.


This is a issue that vbulletin knows already.


They need to release a fix to stop this issue.


We are using this version: vBulletin 3.8.7 Patch Level 3

Never seen this happen. If someone is directly accessing your database you've been hacked.

[Max Taxable]

Originally Posted by mike2902

I still dont know why the question and answer system doesn't stop spam registrations. Im getting 50 per day and they cant be getting the question right. I have the question as a statement to send me an email via the contact us form at the bottom of the page and tell me how you found the board. I never get any emails and I still get 50 spam registrations per day even though they are not answering the question. Im running 3.8.7.

Install this simple fix and end all autospam registrations altogether:

Bot Blocker

I haven't had a successful spambot register since install, it has stopped over 5,000 and counting.

I heard that the latest version of a popular auto-spamming software gets around the Q&A by something called "averaging" but I don't understand it. I don't use any of the native vBulletin human verification options anymore, the hack I linked you to above makes them all superfluous.

[Zachery]

So, once the people who make bots figure out they need to add a delay, then your defenses are broken. You shouldn't rely on any one single system.

[Max Taxable]

Originally Posted by Zachery

So, once the people who make bots figure out they need to add a delay, then your defenses are broken. You shouldn't rely on any one single system.

Of course you're right about the bolded. As for the other? The whole point of bots is SPEED. It'll never happen. Plus, there's not a "got'cha" message telling them how or why the registration attempt failed.

[CAG CheechDogg]

I guess I am one of the lucky ones that doesn't get spammers on my site. I only use reCaptcha and I have not had any spam on my forums in over 5 months.

I do however have a long list of IP ranges that I have looked at and verified as possible spammer's IPs. I can share that list which is added in your htaccess file to deny anyone from that range of known IP ranges access to your site.

You have to be careful though that you are not deny access to good people who are not spammers by adding a range of IPs instead of just the one IP. In my case I know who will be visiting my site and from what country.

The countries that are know for spammers are places like russia, hungary, poland, austria, czech republic and other small countries in that area. Since I know I will rarely get actual members from those areas/countries I have blocked most of those IP ranges.

I have used reCaptcha for a long time and never have had problems with it. I used it on my wordpress and joomla sites as well and it has worked out great.

Like Zachery said on his post, "You shouldn't rely on any one single system", I use reCaptcha and of course IP bans as well.

[BirdOPrey5]

Here is the advice I give out when people contact support about too much spam-

We have determined the most effective "Human Verification" currently built into vBulletin is "Question and Answer" verification.

To enable this go to your Admin CP -> Settings -> Human Verification Manager. (In VB 3.x it is Admin CP -> vBulletin Options -> Human Verification Manager)

Click on this link.

On the new page choose the option for "Question & Answer Verification."

If this is the first time you are using it you will need to add one or more questions and answers. To add your first question click on the "Add New Question" near the bottom center of the page.

On the next page enter a question. Do not make this a math question (what is 2+2?)- Math questions are absolutely worthless. If your forum is about a specific topic try to make the question something someone interested in your niche would likely know. If not still make a question that requires a human to answer- creativity helps here.

An example question would be: If there are three people in a room how many total toes are likely in the room?

Leave the box for "Regular Expression" blank. Use it only if you understand Regular Expressions.

Hit "Save"

On the next page there will now be a button "Add New Answer" - Press It.

The next page is one simple box marked "Answer." Enter the answer to the question. Questions can have multiple correct answers.

Answers are NOT case sensitive so if you put "thirty" in as an answer both "Thirty" and "THIRTY" will also work.

Enter "thirty" as the answer (without quotes.)

Save.

Now you will be back on the page where you can press the "Add New Answer" again, press it.

This time add the answer: 30
And hit "Save" again.

If your forum is multi-lingual you may want to continue adding answers to cover the word "thirty" in different languages.

When you believe you have set every possible correct answer you can click on the Admin CP Menu to go back to "Human Verification Manager" and repeat the process to add additional questions.

The more questions you have the better you will be- five is a good minimum, 10 or more is better.

We have found forums that implement good Q&A questions stop nearly all "bot" spam. (We have documented drops of a 90% reduction in registrations, all of which were spammers.) There will always be spam created by humans though who cannot be blocked by easy questions. If you feel you still have too much spam to handle please check out various "anti-spam" mods available on vBulletin.org:

VB 4.x Anti-Spam Mods:
http://www.vbulletin.org/forum/forum...c&daysprune=-1

VB 3.8 Anti-Spam Mods:
http://www.vbulletin.org/forum/forum...c&daysprune=-1

Please note like all vBulletin modifications we do not provide official support for 3rd party mods, you will need to ask for help in the threads of the mod in question if you need help installing, configuring, or using the mod.

Overall the best defense against spam is to have an active and vigilant moderator staff able to find and delete spam quickly. Educate forum users on how to use the "Report Post" button to report spam. Do not let the forum run without a moderator or administrator making regular visits to keep an eye on things.

[Max Taxable]

Originally Posted by CAG CheechDogg

I guess I am one of the lucky ones that doesn't get spammers on my site. I only use reCaptcha and I have not had any spam on my forums in over 5 months.

I do however have a long list of IP ranges that I have looked at and verified as possible spammer's IPs. I can share that list which is added in your htaccess file to deny anyone from that range of known IP ranges access to your site.

You have to be careful though that you are not deny access to good people who are not spammers by adding a range of IPs instead of just the one IP. In my case I know who will be visiting my site and from what country.

The countries that are know for spammers are places like russia, hungary, poland, austria, czech republic and other small countries in that area. Since I know I will rarely get actual members from those areas/countries I have blocked most of those IP ranges.

I have used reCaptcha for a long time and never have had problems with it. I used it on my wordpress and joomla sites as well and it has worked out great.

Like Zachery said on his post, "You shouldn't rely on any one single system", I use reCaptcha and of course IP bans as well.

The Captcha and the Q&A annoy humans. Plus, the "designer" spam bot programs are now defeating those. That's why I have tried to get away from using them.

I use the "Ban Spiders by User Agent" to exclude MSIE 0-7, this takes out ALOT of bots. It's one of the handiest Mods ever. In addition, I use the Mod I linked above, because it emails me with details on the bots, so I can send them to Project Honey Pot, thus helping others stop spam.

I have NO Moderator staff, don't need any. Eliminate the bots, eliminate most all spam and also, most all need for moderators.

[CAG CheechDogg]

@ Max Taxable

I could care less if Captcha and Q&A annoys "humans", if they really want to join my forums they have to go through the process.

Even with Captcha on, I am still getting people to register, just this month alone I have 88 new registered members and none of them are spam accounts, last month I had 70+.

You choose not to have moderators and that is fine, everyone's sites and forums are different and serve different purposes.

I happen to know a spammer and from him telling me how they find sites to spam is pretty impressive. They have figured out a way to scan sites for any kind of script that slows down and tries to deny registration to bots and humans. They don't always do it just to spam, they do it to show people that no matter what they can still get through your registration process regardless of what anti-spam system you have.

So in other words, the more "you" try to stop them the more they are going to mess with you, especially if you have a pretty active site or forums.

I don't want to be getting emails with details about bots and besides I have blocked and every day I add new IPs and ranges to block most bots. Getting emails every day about bots is just not something everyone wants to deal with. If you do that is fine, it annoys me.

[Max Taxable]

Originally Posted by CAG CheechDogg

@ Max Taxable

I could care less if Captcha and Q&A annoys "humans", if they really want to join my forums they have to go through the process.

Even with Captcha on, I am still getting people to register, just this month alone I have 88 new registered members and none of them are spam accounts, last month I had 70+.

You choose not to have moderators and that is fine, everyone's sites and forums are different and serve different purposes.

I happen to know a spammer and from him telling me how they find sites to spam is pretty impressive. They have figured out a way to scan sites for any kind of script that slows down and tries to deny registration to bots and humans. They don't always do it just to spam, they do it to show people that no matter what they can still get through your registration process regardless of what anti-spam system you have.

So in other words, the more "you" try to stop them the more they are going to mess with you, especially if you have a pretty active site or forums.

I don't want to be getting emails with details about bots and besides I have blocked and every day I add new IPs and ranges to block most bots. Getting emails every day about bots is just not something everyone wants to deal with. If you do that is fine, it annoys me.

I was merely describing what I do, not recommending it. I have been a active botnet fighter for 11+ years. I am well aware of their techniques and research. I've also been instrumental in shutting down a couple, one admin of which is sitting in US federal prison.

The scripts I use aren't detectable and don't slow down the registration process at all.

Project Honey Pot data is used by quite a few anti-spam plugins, not the least of which is Spam -o- Matic, for blocking known sources of forum spam. I collect data on spammers and enter that data at PHP. It's just a hobby that might have the side benefit of helping others.

I hate spam.

[CAG CheechDogg]

Lol...well good for you on putting that person behind bars. I hate spam too and have done my share, maybe I put something behind bars too but honestly I have never been told if I have or not.

But you did say that "The Captcha and the Q&A annoy humans. Plus, the "designer" spam bot programs are now defeating those. That's why I have tried to get away from using them." which is something I have not had a problem with.

Even your scripts will be defeated at some point and every script is detectable, what makes you think they are not, or the ones you use are not?

[Max Taxable]

Originally Posted by CAG CheechDogg

Lol...well good for you on putting that person behind bars. I hate spam too and have done my share, maybe I put something behind bars too but honestly I have never been told if I have or not.

But you did say that "The Captcha and the Q&A annoy humans. Plus, the "designer" spam bot programs are now defeating those. That's why I have tried to get away from using them." which is something I have not had a problem with.

Even your scripts will be defeated at some point and every script is detectable, what makes you think they are not, or the ones you use are not?

By the same token - that is if your board is crawled by google and such, you WILL have the bigger autospam problems others enjoy. The bigger botnets WILL deploy on you, using the latest bot tech that goes right past captcha, Q&A, and the other native human verification tools.

For a script to be looked for, hunted for detection, there must be some clue first, just how the bots are being defeated. Lots of the anti-spam stuff deliver a "got'cha" type message when bots are blocked. That's self defeating. I've been using the time sensitive mod for over a year, it gives no "got'cha" and thus far, after stopping over 5,000 autospam registrations, there's no evidence the botnet admins are even aware of it.

[CAG CheechDogg]

Oh Google is searching the heck out of my site and forums I know that for a fact lol...

So you mean to tell me that there is nothing in that time sensitive mod that they are not aware of? That is pretty hard to believe.

I have never used the time sensitive mod because I honestly haven't had to use it, but others who have spam problems have. I don't want to ask you here why that mod is not detectable in order to prevent giving out clues, but good to know that the mod is a good one. Sometimes when I set up a site with forums for others they end up with big time spam problems and I could probably use that on their sites.

What works for me might not work for others, know what I mean?