Preventing Spam in phpBB 3.0.6 and Above [*Read First Post*]

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Scam Warning
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
Locked
User avatar
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Preventing Spam in phpBB 3.0.6 and Above [*Read First Post*]

Post by Phil »

This topic has been updated--please see this post for up-to-date information.


The methods listed below apply primarily to phpBB 3.0.6 and above. Many of them will not work with older versions. Techniques for phpBB 3.0.5 and older are available here; however, they are no longer supported. Please use this topic to discuss techniques for phpBB 3.0.6 and above only.

phpBB 3.0.6 ships with many new features that make it easier than ever to prevent spam on your board. The key to prevention is making your forum unique -- the information below will help you understand the issue and provide you with solutions to eliminate spam.

FAQ
  • What is a spam bot?
    Simply put, a spam bot (with relation to phpBB) is a script that is able to register an account and/or post spam on your board.
    Image
  • Is spam a security threat?
    No. While spammers may seem like they are breaking through your defenses, they actually don't do anything that a regular users couldn't do (register, post, etc). Spam is therefore not a vulnerability and should not be considered as such.
  • How do they work?
    Spam bots do what they are programmed to do; nothing more. Not having the ability to adapt on the fly puts bots at a disadvantage when put against informed administrators such as yourself. The trick for dealing with bots is to stay one step ahead of their authors. Nearly all anti-spam MODs focus on changing the registration/posting form in order to prevent bots from being able to fill out the information properly.
  • Do bots fill in the form the same way humans do?
    No, the majority of bots submit their responses directly, without loading the form that you set up. What this means in practical terms is that changing only the HTML form will not do anything; you need to actually change how the passed information is interpreted (that means editing the .php files). If you encounter MODs that only edit HTML, they are pointless.
  • Should I ban bots by IP or email TLD (.ru, .info, etc.)?
    If your goal is to save time, this strategy will not help. IPs are often cycled and there are thousands of available proxies that can be found just by searching. By banning IPs, you will also end up banning legitimate users. As bots use a variety of TLDs for their email accounts (including .com, .org and .net), banning international ones like .ru may help slightly, but you will once again end up banning legitimate users (and won't ban nearly every bot). In short, you should focus on preventing as many bots as possible, while not causing legitimate users too much extra hassle.
  • What about human spammers?
    Fighting human spammers is more difficult than fighting bots. While bots will blindly attempt to register and post on every board possible, human spammers will want to make sure that their spam is actually being seen. The trick to fighting human spammers, therefore, is to remove any incentive they would have of targeting your board.
  • Will following this guide stop all spam?
    As I said above, human spammers are difficult to stop and some bots may be adapted to work on your site. Following this guide will, however, cause a significant decrease in the amount of spam starting from the very first day :)
Stopping Spam - Techniques and Strategies
  1. Custom Profile Fields - There is an article in the Knowledge Base detailing utilising Custom Profile Fields as a spam deterrent. This seems to be effective against most bots.
  2. Admin Activation - This is not practical on most boards, but is an excellent option on smaller, less-trafficed boards. Many spam registrations utilise Gmail addresses or .cn domains, and use a seemingly random combination of letters and numbers for their username.
  3. MODs - The best option to stop spam is to make your board somewhat unique, by using deterrents like MODs that are not implemented in a stock phpBB3 install. You may view the list of validated anti-spam MODs here. Please note that many anti-spam MODs not listed as compatible with 3.0.6+ will not work with 3.0.6+!
  4. CAPTCHA Plugins - phpBB 3.0.6 introduces a new CAPTCHA plugin architecture. To enable a CAPTCHA plugin, install it if necessary, then browse to ACP -> CAPTCHA module settings. Below is a list of CAPTCHA the standard plugins, followed by validated plugins, sorted alphabetically; if yours is not included please PM myself or another Support Team member and it will be added.

    Included CAPTCHA Plugins
    • CAPTCHA Without GD - This CAPTCHA is best known as the original phpBB2 CAPTCHA. It has long since been broken by bots, and should not be used unless no other alternatives are available.
      Image
    • GD 3D CAPTCHA - A 3D CAPTCHA that relies on a change in perspective as well as various other obfuscation methods to be effective. Generally effective against spambots, however some users with depth perception issues may have difficulty reading this CAPTCHA.
      Image
    • reCAPTCHA - Relies on the third-party reCAPTCHA service and requires an API key from the reCAPCHA website (available free with registration). Generally effective against spambots.
      Image
    • GD CAPTCHA - The changes made to this CAPTCHA in phpBB 3.0.5 made it slightly more effective against spambots. For maximum effectiveness, one should Configure this plugin to be more difficult. Do keep in mind, however, that these settings make the CAPTCHA more difficult to read, also impacting human users. Therefore, it is recommended that you tweak the CAPTCHA slightly and enable another form of spam protection to stop bots that are not stopped by the CAPTCHA. An effective CAPTCHA setup will have the CAPTCHA background X and Y axis lowered. Additionally, 3D-noise objects should be enabled and an alternate font should be selected.
      Image
    • Q&A CAPTCHA - Allows you to define a "Question" and a possible "Answer" in order to determine if a user is a bot. Questions should be easily recognizable and not ambiguous, and preferably not easily found using a search engine (like arithmetic). This CAPTCHA plugin is generally more suitable to niche forums. While it is possible to use a more common question ("What colour is the sky?" "What is 2+2"), there are other CAPTCHA plugins that are preferable to this if such questions are necessary.
    Downloadable CAPTCHA Plugins
    • Crazy Maths Plugin by igorw - A CAPTCHA that shows a complex math question to the user / bot in question. The administrator can define these questions and typeset them with LaTeX-style notation.
    • Fancy jQuery CAPTCHA by mtotheikle - Adds a fancy jQuery plugin CAPTCHA for phpBB 3.0.6
    • Rotate Image CAPTCHA Plugin by ckwalsh - A captcha plugin that rotates supplied images and asks humans/bots to identify the upright image.
    • SimpleMath CAPTCHA Plugin by nickvergessen - Displays a little arithmetic problem to the user, which needs to be solved.
    • Sortables CAPTCHA Plugin by Derky - This CAPTCHA plugin adds two columns, you can add options to each column. All the options will be displayed into one column, then the user has to sort the options from one to the other column, by dragging them with the mouse. If the options are dragged to the correct columns the CAPTCHA is solved.
  5. Newly Registered Users Group - phpBB 3.0.6 also sees the introduction of the "Newly Registered Users" group. This feature, which may be enabled via the User Registration Settings page of the ACP, allows the administrator to define a minimum post count; if a user is below this limit they will be a member of the Newly Registered Users group. Permissions may be set on this group much like any other group -- an example use is to place the Newly Registered Users group on the moderation queue for all forums. The user is automatically removed from the group when they reach the defined post amount. Be aware that this feature is not retroactive -- users who registered prior to a board's upgrade to phpBB 3.0.5 will not be placed in the Newly Registered Users group, regardless of their post count.
These steps, used individually or together, should work to slow or stop your spam problem. Please seek support for the MODs listed above in their respective topic, and utilize this topic only to discuss techniques.

Changelog
1257208576 - initial 3.0.6 version - Phil
1257630682 - fix a few typos and add Newly Registered Users group section - Phil
1257666819 - remove post queue section as it is no longer a feature - Phil
1258319097 - add notice about support for versions ≤ 3.0.6 - Phil
1283318911 - correct a broken link to the MODDB and change my username in the changelog - Phil
1287263691 - switch to Titania style links - Noxwizard
Last edited by Noxwizard on Sat Oct 16, 2010 8:15 pm, edited 9 times in total.
Moving on, with the wind. | My Corner of the Web
User avatar
Greyhart
Registered User
Posts: 8
Joined: Mon Nov 23, 2009 12:03 am
Contact:

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by Greyhart »

iWisdom wrote:
[*]Newly Registered Users Group - phpBB 3.0.6 also sees the introduction of the "Newly Registered Users" group. This feature, which may be enabled via the User Registration Settings page of the ACP, allows the administrator to define a minimum post count; if a user is below this limit they will be a member of the Newly Registered Users group.
How?
I'm new to phpBB but I've been running things like this since the BBS days. I've looked all over the ACP for a way to set the minimum number of posts, and I don't find it.

My forum was just registered in the last few weeks and I'm getting pounded by spam (you do realize the spammers are using your own list of registered forums to find us, right?) so I'd really like to know how to set this up.

All I need is to moderate them for maybe 5 posts. I'll know by that time if they're just there to spam or not.

Greyhart
CyberWitchcraft
Wisdom is knowing how much you really don't know.
User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 52767
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by stevemaury »

ACP, User Registration settings, New member post limit - set to whatever number you want

ACP, User Registration settings, Set Newly Registered Users group to default, Yes.

Done.

What "list of registered forums" do you refer to? I am aware of none.
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
User avatar
Greyhart
Registered User
Posts: 8
Joined: Mon Nov 23, 2009 12:03 am
Contact:

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by Greyhart »

stevemaury wrote:ACP, User Registration settings, New member post limit - set to whatever number you want

ACP, User Registration settings, Set Newly Registered Users group to default, Yes.

Done.
Yes, I finally found it under the General tab last night, after I posted this. Unfortunately, as a New User, my posts are moderated, so I couldn't edit or delete it.
stevemaury wrote:What "list of registered forums" do you refer to? I am aware of none.
Sorry, I was thinking of some other software that I had just registered, unrelated to the forums. It seemed like as soon as I clicked the registration link, I started getting spam in the forums.

This new capability should cut that down to zero. I'll see the spam, but no one else will.

That reminds me, do I have to go into each forum and look for moderated posts, or is there a global area I can catch all posts from all New Users in all forums?

Greyhart
CyberWitchcraft
Wisdom is knowing how much you really don't know.
User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 52767
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by stevemaury »

The Moderator control panel will show you posts waiting approval in all forums you can moderate.
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
megahoboriffic
Registered User
Posts: 6
Joined: Fri Feb 27, 2009 3:10 pm

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by megahoboriffic »

Over a year ago i found a mod that allowed me to set a miminum number of posts that a user must make before they can post images/attachments. i see that with this latest update 3.0.6 that that feature is now built-in. will this feature overwrite the old changes i made, or will they interfere with each other? i just wanted to be sure before i update.
User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 52767
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by stevemaury »

We have no way of knowing that. Do you have any other MODs?
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
midwestbonsai
Registered User
Posts: 177
Joined: Sat May 28, 2005 12:48 am
Location: Wisconsin USA
Contact:

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by midwestbonsai »

Does anyone know if there is a reCAPTCHA plugin for 3.0.6?
User avatar
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by Phil »

There is one included in the package.
Moving on, with the wind. | My Corner of the Web
thered
Registered User
Posts: 71
Joined: Wed Sep 28, 2005 8:05 pm

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by thered »

I'm running 3.0.5 at present with the excellent Anti-bot Question Mod by CoC. I've never had a bot problem since I installed it. Everything else is running perfectly too, so I'm reluctant to upgrade.

I have a couple of questions, first, I'm told the the above mod doesn't work in 3.0.6 - so, if I do upgrade, do I need to 'unmod' my files first, and what about the change it has made to my database schema?

Secondly, has anyone had, or seen reported, any spambot issues with standard 3.0.6 installation?
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26455
Joined: Fri Aug 29, 2008 9:49 am

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by Mick »

thered wrote:Secondly, has anyone had, or seen reported, any spambot issues with standard 3.0.6 installation?
I have a 3.0.6 vanilla-ish (only cosmetic changes) live board that has been running for two weeks without problems. I'm using the standard CAPTCHA with the fairly standard dropdown box and numbers custom profile fields and there has been no bot attacks as yet. My other boards, two still 3.0.5, have similar setups and they have been clear since January.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
bbrunnrman
Registered User
Posts: 80
Joined: Sun Dec 24, 2006 9:19 pm

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by bbrunnrman »

Regarding the Newly Registered Users Group:
iWisdom wrote:Be aware that this feature is not retroactive -- users who registered prior to a board's upgrade to phpBB3 will not be placed in the Newly Registered Users group, regardless of their post count.
As a minor correction, "phpBB3" should be replaced by "phpBB 3.0.6" in the above statement. I've just upgraded my board from 3.0.5 to 3.0.6. Previously, while running 3.0.5, we had it configured using the option so each new user's first post went into the Moderation queue. That option from 3.0.5 has been replaced by the new option to place new users into the Newly Registered Users usergroup. At this time, our board still includes 242 "new" users who registered before our upgrade to 3.0.6 (mostly while we were running 3.0.5) and haven't posted anything yet. Prior to our latest upgrade, those users' initial posts would have gone into the Moderation queue so we could review them. As it turned out, none of those users were placed into the Newly Registered Users group during the upgrade process, so we will no longer get to review their posts when those 242 people post for the first time.

We could, I suppose, place them manually into the Newly Registered Users group. However, I've already done some experimenting and determined that if you add somebody into that usergroup manually, you'll also need to remove them manually; the software won't remove them automatically when they reach the designated number of approved posts.

Over time, this problem will fade away. But for now, we still have these 242 "new" users who registered before the 3.0.5 to 3.0.6 upgrade, and for this particular group of people, we've lost a capability that we had in 3.0.5.
User avatar
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm
Contact:

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by Phil »

Quite right, it has been correct. Again, this is legitimate concern, hence why it was specifically mentioned in the post -- although a bit ambigiously I'm afraid. I've been considering looking into it and creating a tool that will add users to this group who meet the requirement for the groups -- perhaps I will create it as an STK module or somesuch.
Moving on, with the wind. | My Corner of the Web
Joshuaxiong1
Registered User
Posts: 87
Joined: Sun Nov 22, 2009 2:01 am
Location: Fresno, California

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by Joshuaxiong1 »

lol I was surprise to see one of those Spam food today at the store. I thought they were 1950's.
User avatar
Mick
Support Team Member
Support Team Member
Posts: 26455
Joined: Fri Aug 29, 2008 9:49 am

Re: Preventing Spam in phpBB 3.0.6 [*Read First Post*]

Post by Mick »

Joshuaxiong1 wrote:I was surprise to see one of those Spam food today at the store. I thought they were 1950's.
LOL, no, in fact since the word 'spam' has been coined to mean the abuse of electronic messaging sales of Spam the product (since 1937) have rocketed.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
Locked

Return to “[3.0.x] Support Forum”