Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+15 votes
in Q2A Core by
@scott, @pupi1985, Yesterday this Q2A site was showing users 32.2k and today it shows 33.3k more than 1000 users registered in a day. Also 33k users dont seems real, I checked few user profile and they posted SPAM link in their profile. Please check newly registered users.

This issue I have seen on other Q2A site also. It happens even if recaptcha is enabled.

It is time to add extra screening/checks before registering new users. please think on this.
More than 100?
@arjunsuresh, it is now 1200 users in less than 30 hrs.
@ProThoughts Please, elaborate more about your approach. What does exactly "it is time to add extra screening/checks" mean? Provide step by step instructions on how to solve this issue, please.

BTW, everyone can "think on this", not only Scott and I :) In fact, the more the rest of the people think the more we can focus on coding.

BTW2, there were 80 new users in the last 24 hs
I have cheked various forums and their different solutions for fighting spam. Actually no-one has properly been able to provide a solid solution for this issue. Some use Stopforumspam database (which I don't trust much), some use recaptcha and some use other methods.

But the best method I came across is to have an option to delete all user profiles which haven't been verified in a span of one week or one month. It's quite natural to assume that if a user hasn't verified his profile in a week or month then he actually isn't joining the website. So having such a half profile makes no sense at all. Thus having a way to delete all such profiles at once can reduce a lot of spam related problems.
@Gurjyot Singh Your comment seems to be quite realistic and elaborated so I will reply accordingly.

I think the first step is to accept the fact that you can't get rid of SPAM. The registration form is a doorbell. It is there for everyone to ring. The more filters you apply on the people who are trying to register, the more cumbersome the process will be and the more chances you'll have users dropping off.

Bots can be avoided by custom solutions (plugins). If your site has a custom barrier, the bot developer will have to create some custom code. The thing is that recaptcha is quite standard so there are services paying people just to input captchas and offer those humanly-validated captcha solutions. So you end up making sure the captcha is input by a human but still the registration is performed by a bot.

So CLEARLY, if you have a good anti-spam solution (distributed with the core or not), it will become popular. If it is popular people will make a business braking it (and it will happen, even at the cost of paying people to input pieces of text).

So the best thing to do is to code the solution yourself or pay someone to do it for you. In any case, make sure the code is not public. Whenever you get hit by spammers again, which means someone has automated a way to bypass your barrier, just update the code (smartly) and see how spam is reduce again. It's the cycle of life, just like virus antivirus.

BTW, I have empiric data for you. Simply adding a new required field to the registration form which does not conform to the Q2A standards turned 100 fake registrations in a 5-day period into 1. You could try with the ToS that comes with Q2A but you would only be stopping bots that have not been developed to pay attention to that field.
@pupi1985, here are my thoughts on how to prevent this SPAM users.

1. Update current reCaptach plugin and along with Google reCaptach add manual questions and answers as a captcha. Admin should be able to enable both options, reCaptach and QA captacha. admin should be able to add any kind of QA for this captcha. When user clicks on registration then ask random question. This will help to eliminate bot users.
2. As Gurjyot Singh suggested, if profiles are not verified within certain time then add option to delete such users.

I know there are some plugins like logical captach for q2a but this feature must be part of Q2A.

Adding new field on registration page will help only for few days but they will crack that also. I have seen SPAM users on such Q2A.

I feel above two options will help a lot to reduce SPAM users.
@ProThoughts Definitely that is an approach that's worth answering :) However, there are a few things to consider here:

1. I guess you're suggesting to upgrade to reCaptcha v3. If you make some research you'll figure out it doesn't really improve bot detection. It just makes life easier for humans and allows to better decide what to do with the bots. In other words, a successful registration in v2 will mean a successful registration in v3 (unless you tweak it up to a value in which you might lose real registrations).

I acknowledge the fact that the docs state that v3 does a better job letting spammers out by analyzing there actions in the site. However, the registration is the first step, so there shouldn't be any history in the site.

Also bare in mind that everything I said about well-known captcha solutions in my previous comment, still applies here.

Regarding adding questions, I think there already is a plugin for that? Maybe from @q2apro? Those plugins are useful to stop fully automated bots. However, they are almost of no use to bots aided by humans. The bot just needs to try to register. Read the question, look for the answer in the database, use the answer if present or send the question to the bot developer so that they can input the answer. Then that question is useless. If you think about it, the site owner had to think the question, write it, answer it and save it. The bot the developer just needed to store the answer in the database. This kind of plugins would only work if you change the question every day (and don't use any previous one, of course) and hope for the bot developer to get tired of answering your question.

Anyway, I think this approach will stop fully and naive automated bots. This is valid as long as you don't publish the code and the solution does not get popular so that it is worth breaking.

2. This will not prevent spam. This will post-process seemingly-spammer users. This is just a cleanup activity rather than a spam prevention approach. In fact, I believe there was a plugin called User Management from @qa-themes. Deleting users that match that criteria is a kind of feature that could definitely be part of it.

> I know there are some plugins like logical captcha for q2a but this feature must be part of Q2A.

I don't agree with this. For either of the approaches a plugin can be (or has already been?) developed. Furthermore, and I'm going to repeat myself again with this, but if this is part of the core, then all bots will break it. So it is even worse to have it in the core. So why do you say it must be part of Q2A?

> Adding new field on registration page will help only for few days but they will crack that also. I have seen SPAM users on such Q2A.

This is similar to item #1. You are adding a new field. Any fully-automated bot can break that. However, if you do it just for your site, the bot developer will have to create the ad-hoc solution for your site. Then it is up to them to decide if it is worth breaking it or not. Also the statistics I've shared in my previous post are still valid after 4 months of adding the custom checkbox.
@pupi1985, I'm not asking to create logical captaca in core, it should be default plugin maintained by q2a developers.

regarding user management plugin, I tested back and found it has some issues. These kind of feature should be in q2a core or part of q2a default plugins.

I still see many SPAM users registering everyday on this q2a. Please enable all required plugin/feature/add extra field to stop this SPAM,  we can then recommend that solution to everybody.
It is not clear to me why it has to be developed by the core developer. Anyone can create a plugin for that and that should take weight from the core developer's shoulders so that he can focus on making a richer core that would make plugins be simpler to develop, which in turn would result in more developers wanting to create more plugins, and this should go on and on.

Regarding the user management plugin, you are saying it is not good because there are issues you found while testing it. I've just checked the issues section of the plugin and I see none: https://github.com/q2a-projects/Q2A-User-Manager/issues . If you don't submit the issues, then the testing is not complete and is literally useless because the issues are not going to get fixed on their own.

Regarding the spam users, indeed, there are a lot. However, I see around 20 to 30 daily spam posts here and not even 1 of them gets actually published. I don't see any harm, although I do agree that having less of them, would definitely be better.
I know it is good if other people develop plugins, thats good for the community. When it comes to mandatory features like SPAM protection or any useful feature to grow community, I feel it must be part of Q2A default plugin or core. Again these are my views, you and scott may think differently.

I thought of posting issues about that user management plugin here and on github then forgot. I will do when I get time.
Maybe if someone develops a *high quality* solution as a plugin and creates a pull request to the Q2A repo, *maybe*, Scott will merge it
in 2.5 month 5.6k users(around 75 users register per day) are added, today user count on this site is 38.9k .....You and scott should look into this spam issue.
That comment brings up to step 1, I guess, and we'll have to talk about SPAM prevention and SPAM cleaning.

In your last comment you said you were going to post some issues of the user management plugin (SPAM cleaning) here. I haven't seen any post about that plugin in the last months. Just to clarify, I'll try to fix the issues (at least those that are relatively easy to fix) but I won't develop new features
edited by
Yes, we can discuss about this SPAM feature in detail. I do see other people also complaining about this. My only one site was infected so much with this so I moved from q2a to other forum platform. I re-installed q2a site at least 5 time from backup to remove spam. You can imagine how much SPAM it was. Interestingly I dont see that much SPAM on other sites.

Please think about this SPAM protection feature seriously.

One option I can think of now is ....
1. allow registration email from certain domain, like gmail.com, yahoo.com or outlook.com only
2. dont allow registration email from certain domain like protonmail.com, mailinator.com etc
3. remove fb login plugin and come up with social login plugin, add fb, google, twitter, instagram, github etc in it. If there is spam then admin can enable registration only from these social sites.

I will think more on this and will post my more idea about SPAM protection.
Items #1 and #2 are the same feature: filtering by domain. If I remember correctly, there already exists a plugin that does that.

Regarding #3, disabling registration by email seems to be too aggressive. I wouldn't join a site that doesn't allow me to use my email address to register. But that's probably my opinion and other people may think differently
#1,#2 There is a plugin but dont know how stable it is. Why not discuss with owner of plugin and fork under official q2a github account. This way people will know that is  stable plugins.

btw, these are some features I feel should be in official q2a plugin or core.

#3 disabling registration using email can help if there is heavy spam. There will be other options like registration using gmail, twitter account still open. User can disable email registration for sometime.
How to block registration from a particular domain?
Bcoz I am getting heavy spam.
I've created a Honeypot plugin and has been blocking 100% of the Spam registration for me:

Please log in or register to answer this question.