
Security Questions

Shawn Gossman

So, inspired by @JoelR's post here, I wanted to create a new topic on the issue of Security Questions.

Do you use a security questions feature on your forum to mitigate spam accounts? This is where people registering must answer a question that you defined with an answer that you have assigned to it.

Mine is "Spell mapson backwards" and you can get an idea of what to do. I keep it simple so that I don't scare anyone off having to google it.

But how about you all? What are your questions and do you keep it simple?
 
I used to use security questions, but now I use Cloudflare’s Turnstile feature instead. The security question feature worked for a while for me, but I find Cloudflare’s Turnstile feature to be more effective in my niche.
 
What does the turnstile feature do?
 
What does the turnstile feature do?
It’s a verification captcha replacement tool and it blocks a majority of bots from joining your forum.


“Cloudflare Turnstile confirms web visitors are real and blocks unwanted bots without slowing down web experiences for real users.”

“Turnstile can generate multiple types of non-intrusive challenges to verify users are human, all without showing visitors a puzzle”

It works pretty well.
 
So, inspired by @JoelR's post here, I wanted to create a new topic on the issue of Security Questions.

Do you use a security questions feature on your forum to mitigate spam accounts? This is where people registering must answer a question that you defined with an answer that you have assigned to it.

Mine is "Spell mapson backwards" and you can get an idea of what to do. I keep it simple so that I don't scare anyone off having to google it.

But how about you all? What are your questions and do you keep it simple?
Spelling words backwards is what I do also, but that's not denying other methods could be just as good. However, obviously questions like "What is 2+2?" are laughable and also very weak images to decipher.
 
I also have the "what's the second word in the title of this forum?"

Should be easy enough for hoooomins but hopefully not bots :D
 
XRumer is bound to integrate some kind of AI feature and make security questions the worst form of CAPTCHA.

On AAF:
Spell "mapson" backwards without the quotes. Don't space anything.

Even the more "difficult" ones that I used to use like this are easy to crack:
Put the word that appears in parenthesis in this security (green) check without parenthesis into the CAPTCHA below.

 
XRumer is bound to integrate some kind of AI feature and make security questions the worst form of CAPTCHA.
Captcha and timers on register forms have pretty much made XRumer and other software like it obsolete for creating accounts. I have not seen them try to register for a while.

I also haven't seen any type of bot post spam for a while. All the spam these days comes from actual humans that get pennies to register and post.
 
Captcha and timers on register forms have pretty much made XRumer and other software like it obsolete for creating accounts. I have not seen them try to register for a while.
I'm not in that area anymore (black/grey hat), so I'm not entirely sure if XRumer is still a thing. No matter who I spoke to, on the shady side of (SEO forum) town, I could never get in contact with someone to buy it, even with the cash that it required (the real XRumer, which I believe was over $1000).

I could've done so much with that...
 
I have used simple questions related to the domain name itself. But with AI, any logical question can be answered automatically.
What stops spam bots right away is a pay-wall :) But it also stops users from joining :)
StopForumSpam has done a great job too. It blocks a large percentage of bots.
 
What stops spam bots right away is a pay-wall :) But it also stops users from joining :)
I would prefer a $1 paywall registration system where it charges the card and automatically gives it a refund for a legitimate member to join. I wouldn't mind the 2.5% (like 3 cent fee) to run that charge, either.

I'm just unsure how many would be open to verifying identity (that I would not have stored on XF, rather just with the merchant processing system... though it could be "tied back" manually; I wouldn't want to carry over the PII and store it with XF) with a credit card, even for $1 that they would immediately get back.

I could develop something as proof of concept, but it would be costly if I went from members joining to 0.
 
I like that idea @frm but I just worry some people would be put off by it and not join.

I worry they might see it as a possible scam.

If it was more frequent, it could work better I think.
 
I would prefer a $1 paywall registration system where it charges the card and automatically gives it a refund for a legitimate member to join. I wouldn't mind the 2.5% (like 3 cent fee) to run that charge, either.

I'm just unsure how many would be open to verifying identity (that I would not have stored on XF, rather just with the merchant processing system... though it could be "tied back" manually; I wouldn't want to carry over the PII and store it with XF) with a credit card, even for $1 that they would immediately get back.

I could develop something as proof of concept, but it would be costly if I went from members joining to 0.
I like to charge at least $5/year for most websites I run. I don't get as many users, but I don't have problems with bots either.
If they see value on your website, they pay for it. It's not really a problem. But it takes more advertising and promoting what you got to offer.


I would say it should cost something to the signing party, otherwise bots will run knowing they will get refunded.

I am a big fan of StopForumSpam with their API. But it takes only a few parameters to identify bots (username, email, IP). It does help, but it can be bypassed.

Another consideration is that not everyone online has credit cards. And others are not willing to put their card on every forum. That's an issue.
It should be something accessible to most users, but at the same time difficult for a bot to replicate or do 1000 times per minute.
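
An added example, not code from anyone in this thread: one way a registration handler could combine the form timer mentioned earlier with a StopForumSpam-style lookup on username, email and IP. The function name, the thresholds and the reply fields (`success`, `appears`, `confidence`) are assumptions about the JSON reply shape, and the sample reply is constructed.

```python
import json

# Assumed thresholds for illustration; tune against your own sign-up logs.
MIN_FILL_SECONDS = 5.0    # a person rarely completes a sign-up form faster
REJECT_CONFIDENCE = 90.0  # blocklist confidence (percent) that rejects outright
REVIEW_CONFIDENCE = 20.0  # confidence that sends the account to moderation

# Constructed reply in the assumed JSON shape of a lookup on all three fields.
SAMPLE_REPLY = json.dumps({
    "success": 1,
    "username": {"appears": 1, "frequency": 40, "confidence": 95.0},
    "email": {"appears": 1, "frequency": 12, "confidence": 91.4},
    "ip": {"appears": 1, "frequency": 3, "confidence": 22.0},
})


def screen_registration(reply_text, fill_seconds):
    """Return (decision, reasons); decision is allow, review or reject."""
    if fill_seconds < MIN_FILL_SECONDS:
        return "reject", ["form completed in %.1fs" % fill_seconds]
    try:
        reply = json.loads(reply_text)
    except ValueError:
        reply = {}
    if not isinstance(reply, dict) or reply.get("success") != 1:
        # Lookup unavailable: queue for a moderator instead of failing open.
        return "review", ["blocklist lookup failed"]

    decision, reasons = "allow", []
    for field in ("username", "email", "ip"):
        entry = reply.get(field) or {}
        if not entry.get("appears"):
            continue
        confidence = float(entry.get("confidence", 0.0))
        if confidence < REVIEW_CONFIDENCE:
            continue
        reasons.append("%s listed (%.1f%%)" % (field, confidence))
        # Usernames collide between unrelated people, so a username hit
        # alone never rejects; only email or IP evidence can.
        if field != "username" and confidence >= REJECT_CONFIDENCE:
            decision = "reject"
        elif decision == "allow":
            decision = "review"
    return decision, reasons


if __name__ == "__main__":
    print(screen_registration(SAMPLE_REPLY, fill_seconds=42.0))
```

Because only three parameters are checked, a clean result is weak evidence; the "review" outcome keeps a moderator in the loop for partial matches and lookup failures.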
 
I would say it should cost something to the signing party, otherwise bots will run knowing they will get refunded.
They wouldn't have the cards to run it though -- gift cards wouldn't work, and no real spammer (someone that does 1000s) would put out their real name to verify.
Another consideration is that not everyone online has credit cards. And others are not willing to put their card on every forum
It wouldn't be entered on the forum or even go to the forum, just the validation would. It would be on something everyone is familiar with like PayPal, Stripe, 2Checkout, Western Union, etc.
 
I have one security question, and Google Captcha enabled on my forum. It helps filter out most/all spam accounts.
That should be pretty sufficient. I have Stop Forum Spam enabled on my forums, too, but mainly emails.
 
I only have hCaptcha on RealShit and have only had 1 or 2 members join in the months it's been up in an attempt to spam (perhaps to post at a later date). However, my other forums get bombarded with sign-ups and sign-ups/posts daily.

I've concluded that it's the footer. Spam bots are finding forums by searching "forum"+"Community platform by XenForo" (the footer copyright link). This is because RS is brand-free, while my others aren't. That's not to say that there is also a slight possibility that RS is "mature content" so to find it, they would need to disable "safe search" to grab the link. Though, with as many times as it's been backlinked, you'd figure it would be found by a bot and added to a list by now.

However, I think this is a double-edged sword after having 2 brand-free forums. I think some users want to find XenForo forums to join, and without the footer, they can't. I've found with my forums that have the copyright footer, legitimate members grow quicker, whether active or not. On the other hand, without the footer, it's a slow crawl.

Does anybody else have experience with brand-free and can make an A/B test assumption like this too?
 