Resolved - Implemented Stopping Forum Spammers

Status
Not open for further replies.
I run my own forum (non audio related) and spamming stopped years ago when I disabled auto account activation. When someone registers I get a notification and manually vet username, IP, email, location. Something to think about...
I think it's more associated with the diyaudio member accounts being publicly searchable by webcrawlers and search engines, it becomes an irresistible target.
It won't stop the automated bots, they'll keep creating accounts, but using email confirmation like your example and what I posted at #15 will cause the spammers to find an easier target.
 
The attached image is from what appears to be a bot-generated account (account reported); it seems to use some type of automated process to fill in the account form.

Can you create an account in less than 60 seconds?
 

Attachment: BotGenerated.png (18.1 KB)
I agree, the member details should not be visible to all visitors.
Should be member only, and maybe the members can also set their visibility if needed, like the ignore option.
Or the welcome page should not show any posts at all...log in essential to see the new posts page and onwards.
And also what about references to topics / threads on Google and other searches?
 

You can already set your account visibility: go to Account Settings - Privacy, then set options for who can see your account profile and details.
See attached example. This will prevent your account details being scraped by webcrawlers.
 

Attachment: AccountPrivacySettings.png (5.3 KB)
Another thing, the country location on e-mail, and IP should match the information supplied by the member, which should be visible.
Currently, it seems to be optional that the member fill in the country and location details, or at least they are not visible to all the members.
 
lol.....Nigella is hanging in there; in fact, out of all the accounts I've reported, this one in particular is interesting, as it appears to be unlike any other I've encountered on the forum. All the other spammers that posted only did so once; however, Nigella is the only one posting twice, and rather convincingly, which is rather unusual and gives the account some legitimacy. I hope she gets her subwoofer sorted out.

I'm really undecided.....because in one post she links to the same website as Ellen did, but her other post seems very genuine.....possibly why her account is still up.

If I was having an each-way bet, I would give her the benefit of the doubt and delete her spammy post, keep the other about her subwoofer open and let her keep the account active...........but I'm fairly certain that Ellen and Nigella are one and the same person (in this case an actual human being); they both posted the same day with links to kynix (a semiconductor distribution company).

If you haven't noticed, her friend Ellen won't be joining us in 2022, see post #2.
 
While I've posted about some of the obvious spam, mainly from search engine optimisation (SEO) spammers, there are other types which are more difficult to detect. These accounts resort to using tactics to evade detection so that they appear more human-like.

In one particular case a forum spammer (deleted before I could capture a screenshot) replied to an old 2017 post in the solid state pictures forum; all that was within the post was a copy of a previous post plus a web link to a website unrelated to the post or forum. They were using a post to obfuscate their activities; however, another forum member spotted the spam web link.

Another spammer resorted to similar tactics by posting an innocuous reply to an older forum message; it would have gone unnoticed if it wasn't for the telltale signs in their account name.

These types of spammers probably need to have a human sitting behind the account. So far these are the least common type that have frequented the forum.
 
Now we're left with the difficult, if not impossible, to detect type of spammers, at least from the perspective of a forum member. Site admins will have at their disposal tools integrated into the forum software to provide greater detail and insights about user accounts. However, this can be a time-consuming task, more so if the spam rates are high.

The accounts are a variation of a theme.

I'll generalise here and I thought about posting some edited account examples but I didn't want to tip off any spammers. I can PM site admins with examples if required.

The next type of spammer will create an account, then pretend to look around the forum to generate normal activity, then leave. The problem is it's difficult to tell if it's a spammer or a genuine user; the idea is they'll come back at a later date to include spam in their now ordinary-looking account profiles without generating any suspicions.

The next type is similar to the above but without any account activity, there are telltale signs, more than likely generated by a Bot. I like to call these "Zombie Accounts" as they will come back to life at a later date.

These accounts seem to be test runs, to ascertain forum access difficulty; it's akin to amassing an army in preparation for something more insidious.

Also, these types of accounts seem to make up a larger percentage of all new accounts created, simply by the fact it's an automated process.

It may be the case that site admins will have to nuke a large percentage of all accounts created since the changeover to XenForo; this can be minimised if we can use some of the telltale signs and backend forum software management tools.
 
Email verification is ok, but easy to circumvent. There are many "temporary / disposable" email systems... Even if they aren't disposable, I have seven email addresses and counting. SMS is a little better but I have four textable numbers on my single phone...

The best verification I ever saw on a website was to take a picture of yourself holding a piece of paper with your user name written on it, and then a photo of your government ID.
 

I guess the easiest way would be to ban the disposable/spammy email domains from the verification process.
If it's too hard to create an account the spammers will just move on, particularly if it's a bot.
The forum does have built-in spam databases to automate the detection of known spammers and domains.
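The telltale signs the thread raises (a form filled in faster than a human could manage, a disposable email domain, a stated country that does not match the IP) can be combined into a single registration-screening check that holds the account for manual vetting instead of activating it. The following is an added example, not code from the thread or from the forum software; the disposable-domain blocklist, the geo-IP lookup table and the sample registrations are constructed placeholders.

```python
"""Registration screening against the thread's telltale signs (added example).

Assumptions: DISPOSABLE_DOMAINS stands in for the forum's spam database and
IP_COUNTRY stands in for a real geo-IP service; both are constructed here.
"""
from dataclasses import dataclass

# Constructed placeholder blocklist; a real one comes from the forum's spam database.
DISPOSABLE_DOMAINS = {"throwaway.test", "tempmail.test"}

# Constructed stand-in for a geo-IP lookup keyed on the first octet only.
# A real deployment queries a geo-IP database with the full address.
IP_COUNTRY = {"203": "AU", "198": "US", "91": "IN"}

# "Can you create an account in less than 60 seconds?" -- the thread's threshold.
MIN_HUMAN_SECONDS = 60


@dataclass
class Registration:
    username: str
    email: str
    ip: str
    stated_country: str
    seconds_to_submit: float


def screen_registration(reg: Registration) -> list:
    """Return the telltale signs found; an empty list means nothing suspicious."""
    flags = []
    if reg.seconds_to_submit < MIN_HUMAN_SECONDS:
        flags.append("form submitted faster than a human could fill it in")
    domain = reg.email.rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_DOMAINS:
        flags.append(f"disposable email domain: {domain}")
    ip_country = IP_COUNTRY.get(reg.ip.split(".", 1)[0])
    if ip_country and ip_country != reg.stated_country.upper():
        flags.append(f"stated country {reg.stated_country} does not match IP country {ip_country}")
    return flags


def needs_manual_review(reg: Registration) -> bool:
    """Hold the account for admin vetting (as the first post does) if anything was flagged."""
    return bool(screen_registration(reg))


if __name__ == "__main__":
    # Constructed sample registrations for a stand-alone run.
    bot = Registration("bot_user_01", "x@throwaway.test", "91.0.0.1", "AU", 12.0)
    human = Registration("diyer", "me@mail.example", "203.0.113.5", "au", 240.0)
    print(screen_registration(bot))    # three flags
    print(screen_registration(human))  # []
```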
 
"The best verification I ever saw on a website was to take a picture of yourself holding a piece of paper with your user name written on it, and then a photo of your government ID."
Very dangerous here, many payments are linked to Government schemes, so a leaked ID can have problems.

Here a CFO of a mobile phone company lost his job when it turned out that they had created bank accounts in their sister company (a payments bank), and those accounts had been credited with money by the government, only the account holders did not know. Every new connection was given a bank account, and the government policy was to pay to the newest account. So they got the money, and did not tell the account holders...
It was sorted out later, but the amount was mind boggling.

You need the national ID card, called the Aadhaar card here, to get mobile phone connections, among other things.
If your card is used as ID, a code is sent to your cell phone, and that is used to complete the transaction.
Difficult on an international forum.
 
"The best verification I ever saw on a website was to take a picture of yourself holding a piece of paper with your user name written on it, and then a photo of your government ID."

May work for the citizens of a country for government services, basically impossible to implement for a forum that attracts visitors globally. Not to mention the security implications. I wouldn't send my Govt ID to some random forum or website.
 
Then you replace the ID requirement with a random statement to be written long hand on paper and photographed while you're holding it.

How about a long hand application form to be filled out and mailed in by the user? How many spammers would take the time to mail their application to Australia and wait 4 to 6 weeks? Also you must enclose the application fee of 10 gold pieces... :D

I can verify my identity and log into some websites by logging into my online banking to verify who I am... What are the chances of some kind of auth system? Even being able to sign up/ sign in with Google would remove some spammers...
 