Join Another Admin Forum Today for Free!

Join a Forum of Forum and Blog Admins from Around the World. Learn how to create the Best Forum or Blog from Seasoned Experts. Find out how to Promote Your Forum or Blog and Earn Money. Become a Better Admin by joining in on the discussions on Another Admin Forum. Join Today, it’s Free!

Join Now Log in

Security Questions

Shawn Gossman

Shawn Gossman

Administrator
AAF Administrator
AAF Moderator
Joined
Sep 7, 2023
Messages
5,169
Reaction score
544
So, inspired by @JoelR post here, I wanted to create a new topic on the issue of Security Questions.

Do you use a security questions feature on your forum to mitigate spam accounts? This is where people registering must answer a question that you defined with an answer that you have assigned to it.

Mine is "Spell mapson backwards" and you can get an idea of what to do. I keep it simple so that I don't scare anyone off having to google it.

But how about you all? What are your questions and do you keep it simple?
 
I used to use security questions, but now I use cloudflare’s turnstile feature instead. The security question feature worked for a while for me, but I find cloudflare’s turnstile feature to be more effective in my niche.
 
What does the turnstile feature do?
 
Shawn Gossman said:
What does the turnstile feature do?
Click to expand...
It’s a verification captcha replacement tool and it blocks a majority a bots from joining your forum.

www.cloudflare.com

Cloudflare Turnstile, a free CAPTCHA replacement

Cloudflare Turnstile is a simple, free CAPTCHA replacement so web visitors have great, CAPTCHA-free experiences.
www.cloudflare.com www.cloudflare.com

“Cloudflare Turnstile confirms web visitors are real and blocks unwanted bots without slowing down web experiences for real users.”

“Turnstile can generate multiple types of non-intrusive challenges to verify users are human, all without showing visitors a puzzle”

It works pretty well.
 
Shawn Gossman said:
So, inspired by @JoelR post here, I wanted to create a new topic on the issue of Security Questions.

Do you use a security questions feature on your forum to mitigate spam accounts? This is where people registering must answer a question that you defined with an answer that you have assigned to it.

Mine is "Spell mapson backwards" and you can get an idea of what to do. I keep it simple so that I don't scare anyone off having to google it.

But how about you all? What are your questions and do you keep it simple?
Click to expand...
Spelling words backwards is what I do also, but that's not denying other methods could be just as good. However, obviously questions like "What is 2+2?" is laughable and also very weak images to decipher.
 
I also have the "what's the second word in the title of this forum?"

Should be easy enough for hoooomins but hopefully not bots :D
 
XRumer is bound to integrate some kind of AI feature and make security questions the worst form of CAPTCHA.

On AAF:
Spell "mapson" backwards without the quotes. Don't space anything.
Click to expand...
1728705975678.png

Even the more "difficult" ones that I used to use like this are easy to crack:
Put the word that appears in parenthesis in this security (green) check without parenthesis into the CAPTCHA below.
Click to expand...

1728706095114.png
 
frm said:
XRumer is bound to integrate some kind of AI feature and make security questions the worst form of CAPTCHA.
Click to expand...
Captcha and timers on register forms has pretty much made xrumer and other software like it obsolete for creating accounts. I have not seen them try to register for a while.

I also haven't see any type of bot post spam for a while. All the spam these days comes from actual humans that get pennies to register and post.
 
AWS said:
Captcha and timers on register forms has pretty much made xrumer and other software like it obsolete for creating accounts. I have not seen them try to register for a while.
Click to expand...
I'm not in that area anymore (black/grey hat), so I'm not entirely sure if Xrumer is still a thing. No matter who I spoke to, on the shady side of (SEO forum) town, I could never get in contact with someone to buy it, even with the cash that it required (the real Xrumer, which I believe was over $1000).

I could've done so much with that...
 
I have used simple questions related to the domain name itself. But with AI, any logical question can be answered automatically.
What stops spam bots right away is a pay-wall :) But it also stop users from joining :)
StopForumSpam has done a great job too. It blocks a large percentage of bots.
 
Mike30 said:
What stops spam bots right away is a pay-wall :) But it also stop users from joining :)
Click to expand...
I would prefer a $1 paywall registration system where it charges the card and automatically gives it a refund for a legitimate member to join. I wouldn't mind the 2.5% (like 3 cent fee) to run that charge, either.

I'm just unsure how many would be open to verifying identity (that I would not have stored on XF, rather just with the merchant processing system... though it could be "tied back" manually; I wouldn't want to carry over the PII and store it with XF) with a credit card, even for $1 that they would immediately get back.

I could develop something as proof of concept, but it would be costly if I went from members joining to 0.
 
I like that idea @frm but I just worry some people would be put off by it and not join.

I worry they might see it as a possible scam.

If it was more frequent, it could work better I think.
 
frm said:
I would prefer a $1 paywall registration system where it charges the card and automatically gives it a refund for a legitimate member to join. I wouldn't mind the 2.5% (like 3 cent fee) to run that charge, either.

I'm just unsure how many would be open to verifying identity (that I would not have stored on XF, rather just with the merchant processing system... though it could be "tied back" manually; I wouldn't want to carry over the PII and store it with XF) with a credit card, even for $1 that they would immediately get back.

I could develop something as proof of concept, but it would be costly if I went from members joining to 0.
Click to expand...
I like to charge at least $5/year for most websites I run. I don't get as many users, but I don't have problems with bots either.
If they see value on your website, they pay for it. It's not really a problem. But it takes more advertising and promoting what you got to offer.


I would say it should cost something to the signing party, otherwise bots will run knowing they will get refunded.

I am a big fan of StopForumSpam with their API. But it takes only a few parameters to identify bots. (username, email, IP) It does help, but it can bypassed

Another consideration is that not everyone online have credit cards. And others are not willing to put their card on every forum. That it's an issue.
It should be something accessible to most users But at the same time difficult for a bot to replicate or do 1000 times per minute.
 
Last edited:
Mike30 said:
I would say it should cost something to the signing party, otherwise bots will run knowing they will get refunded.
Click to expand...
They wouldn't have the cards to run it though -- gift cards wouldn't work, and no real spammer (someone that does 1000s) would put out their real name to verify.
Mike30 said:
Another consideration is that not everyone online have credit cards. And others are not willing to put their card on every forum
Click to expand...
It wouldn't be entered on the forum or even go to the forum, just the validation would. It would be on something everyone is familiar with like PayPal, Stripe, 2Checkout, Western Union, etc.
 
Bawse said:
I have one security question, and Google Captcha enabled on my forum. It helps filter out most/all spam accounts.
Click to expand...
That should be pretty sufficient. I have Stop Forum Spam enabled on my forums, too, but mainly emails.
 
I only have hCaptcha on RealShit and have only had 1 or 2 members join in the months its been up in an attempt to spam (perhaps to post at a later date). However, my other forums get bombarded with sign-ups and sing-ups/posts daily.

I've concluded that it's the footer. Spam bots are finding forums by searching "forum"+"Community platform by XenForo" (the footer copyright link). This is because RS is brand-free, while my others aren't. That's not to say that there is also a slight possibility that RS is "mature content" so to find it, they would need to disable "safe search" to grab the link. Though, with as many times as it's been backlinked, you'd figure it would be found by a bot and added to a list by now.

However, I think this is a double-edged sword after having 2 brand-free forums. I think some users want to find XenForo forums to join, and without the footer, they can't. I've found with my forums that have the copyright footer, legitimate members grow quicker, whether active or not. On the other hand, without the footer, it's a slow crawl.

Does anybody else have experience with brand-free and can make an A/B test assumption like this too?
 
You must log in or register to reply here.
Back
Top Bottom