*Disclaimer* wrote: You are reading the 2nd version of "Preventing SPAM - Bots and Humans". The guide below will explain the various strategies available for fighting spam. Before replying with a question, please read this entire post. Comments regarding your experiences are of course welcome. Please note that questions that are already answered in the first post will be split off and locked to keep this topic brief.
If you have a question regarding a specific MOD, please ask it in that MOD's topic, not here.
Section 1: Introduction/FAQ
- What is a spam bot?
Simply put, a spam bot (with relation to phpBB) is a script that is able to register an account and/or post spam on your board.
- Is spam a security threat?
No. While spammers may seem like they are breaking through your defenses, they actually don't do anything that a regular user couldn't do (register, post, etc). Spam is therefore not a vulnerability and should not be considered as such.
- How do they work?
Spam bots do what they are programmed to do; nothing more. Not having the ability to adapt on the fly puts bots at a disadvantage when put against informed administrators such as yourself. The trick for dealing with bots is to stay one step ahead of their authors. Nearly all anti-spam MODs focus on changing the registration/posting form in order to prevent bots from being able to fill out the information properly.
- Do bots fill in the form the same way humans do?
No, the majority of bots submit their responses directly, without loading the form that you set up. What this means in practical terms is that changing only the HTML form will not do anything; you need to actually change how the passed information is interpreted (that means editing the .php files). If you encounter MODs that only edit HTML, they are pointless.
- Should I ban bots by IP or email TLD (.ru, .info, etc.)?
If your goal is to save time, this strategy will not help. IPs are often cycled and there are thousands of available proxies that can be found just by searching. By banning IPs, you will also end up banning legitimate users. As bots use a variety of TLDs for their email accounts (including .com, .org and .net), banning international ones like .ru may help slightly, but you will once again end up banning legitimate users (and won't ban nearly every bot). In short, you should focus on preventing as many bots as possible, while not causing legitimate users too much extra hassle.
- What about human spammers?
Fighting human spammers is more difficult than fighting bots. While bots will blindly attempt to register and post on every board possible, human spammers will want to make sure that their spam is actually being seen. The trick to fighting human spammers, therefore, is to remove any incentive they would have of targeting your board.
- Will following this guide stop all spam?
As I said above, human spammers are difficult to stop and some bots may be adapted to work on your site. Following this guide will, however, cause a significant decrease in the amount of spam starting from the very first day.
- Below are various methods for preventing both bot and human spammers. The descriptions are written in simple terms so that you can make an educated decision of which strategies to implement.
- Updating to the latest version of phpBB
Explanation: If you are not using the latest version of phpBB, then you need to update. Apart from increased security and bug fixes, phpBB 2.0.23 requires that the SID be passed in submitted forms. This means that older versions of spam bots will be blocked.
Bottom line: You should always use the latest version of phpBB. If you're not, then the first thing you should do is update.
- Guest posting
Explanation: Enabling guest posting will render the majority of anti-spam MODs useless. If you absolutely must allow guests to post, then you should install something like the Visual Confirmation for Guests MOD by Kanuck which will require guests to pass a CAPTCHA before posting.
- User activation
What is it? The activation option in the administration panel => configuration allows you to determine how user activation should be handled.
If set to 'none', users will be activated (and allowed to post) right after registering. If set to 'user', new members will be required to click a link sent via email to activate their accounts. If set to 'admin', administrators will be required to click a link sent via email each time a user registers.
Target: Bots and humans
Pros: It is already built into phpBB
Cons: If set to 'admin', you will need to take the time to activate each new user.
Bottom line: Unless you want to activate users manually, I suggest setting this option to 'user'. Setting it to 'none' will make it extra easy for both humans and bots to post spam on your board.
- Visual Confirmation
What is it? The Visual confirmation (or CAPTCHA) is a computer generated image with alphanumeric characters that the user is asked to enter into a text box. Here are two example images generated by the phpBB CAPTCHA:
Target: Bots
Pros: It is already built into phpBB
Cons: Because phpBB is a popular piece of software, spammers have taken the time to break the standard CAPTCHA via OCR. More advanced spam bots are able to read the phpBB CAPTCHA.
Bottom line: There are still plenty of bots that are unable to read the standard CAPTCHA. Unless you plan on installing a MOD that will change the standard CAPTCHA to a more complex version, you should leave the standard one enabled.
You should note that, as this feature was added in phpBB 2.0.11, templates made for earlier versions require 2 changes to support it. More on that here: Knowledge Base - Visual Confirmation and A full list of template changes since 2.0.11 and How to add Visual Confirmation to outdated templates.
- Registration Auth Code (RAC) MOD
What is it? This very simple MOD will require users to enter a code into a textbox during registration. The code is chosen by the administrator and can be placed just about anywhere for users to find (right on the registration page, in the description of the first forum, a separate topic, or just about anywhere else). The MOD can also be easily modified to ask a simple question, if you prefer that approach. Here are two examples:
Target: Bots
Pros: The MOD is extremely simple and takes less than 3 minutes to install. If spam bots are adapted to enter the correct code, all you need to do is change the code and/or the location where it is displayed to throw them off again.
Cons: The MOD only targets bots; human spammers will be able to locate the code and register.
Bottom line: As the majority of spam comes from bots, I strongly recommend this MOD. Assuming that you have taken the steps mentioned above, this should be the only anti-bot MOD you will need to install.
Download: http://www.phpbb.com/community/viewtopi ... 6&t=552845
- Hide user profiles, the memberlist and the groupcp from guests
What is it? Self explanatory. There is no reason for guests to be able to view user profiles, the memberlist and the groupcp.
Target: Mostly humans, but some bots as well
Pros: By blocking guests from those pages, you also block search engine bots. If search engines cannot index the links spammers put in their profiles, they will be less likely to target your site. This is particularly true for human spammers who usually investigate sites before spamming. The MOD is simple and easy to install
Cons: If you specifically want user profiles and the memberlist indexed by search engine bots, this may not be for you.
Bottom line: If you don't have any specific reason to leave these sections of the board open to the public, I recommend making them available only to registered users.
Download: http://www.phpbb.com/community/viewtopic.php?t=213812
- Below are other anti-spam MODs that are available for phpBB 2.0.x. If what I have suggested above does not work, or you would like to try something else, you should consider looking at the MODs below. If you have never installed a MOD, you should check out the MOD installation tutorial. Always remember to make backups of any files you plan on editing (or just be like me and backup the whole directory).
If you have a question regarding a specific MOD, please ask it in that MOD's topic, not here.
- Active members Only by defender-uk
Extremely simple MOD that prevents inactive users from showing up in the memberlist.
- Anti-bot Guest Post Mod by otseng
If you allow guests to post on your board, this MOD will help prevent SPAM by adding a drop down to the guest posting screen.
- AntiSpam Mod by deMone
Prevents instant registrations by checking the amount of time it took to fill in the form.
- Block Open Proxy Registrants by TerraFrost
Blocks those attempting to register from open proxies.
- Configure Member Profile Required Fields by ycl6
Allows the admin to set which fields are required during registration.
- ConfusaBOT lite & ConfusaBOT ACP by espicom
This simple MOD changes the registration form URL from "...profile.php?mode=register&agreed=true" to "...profile.php?mode=register&XXX=true", allowing you to define the XXX. This will stop bots that skip the agreement and go straight to the form. The ACP version allows you to change the agreed variable in the configuration section of the administration panel, while the lite version defines the variables in the constants.php file. Which you choose to use is completely up to you.
- Deter Comment Spam by TerraFrost
Provides a deterrence to so-called comment spammers by adding rel="nofollow" tags on a conditional basis. For a further explanation, see the "Author comments" in the install.txt file.
- disable spambots by magenta
Checks the amount of time it took to submit the registration form. If it is less than 5 seconds, the form cannot be submitted.
- Easy BotStopper by battye
Removes the website field from the registration form (still available in user profiles). If a bot supplies this information anyway (via a separate script), the registration will be denied.
- Hide Zero Posters by TerraFrost
This MOD will prevent users with 0 posts from showing up in the memberlist. This is a great tool for preventing human spammers.
- Note to Admin on Admin Activation by TerraFrost
How do you know, when admin activation is enabled, whether or not the person who's just signed up for your board signed up just to spam it? Letting people justify their activation can help you decide exactly who should be activated and who shouldn't be.
- Textual Confirmation by olpa
Textual Confirmation (TC) asks a newly registering user a question. If the answer is wrong, TC rejects the registration. Also, TC notifies the forum admin and the community spam database. The administrator can edit the questions and answers in the Administration Panel.
- The humanizer by Underhill
Adds the question 'Are you human?' to the registration form which must be answered for the registration to be processed. Since this isn't a standard phpBB question, most bots will not answer it.
- Redirect anonymous users to login by StefanKausL
Will prevent guests from getting your members' contact information by disallowing guests to view the memberlist, groups, profiles, etc.
- Registration disable website signature by EXreaction
Removes the signature and website fields from the registration form (still available in user profiles). If a bot supplies this information anyway (via a separate script), the registration will be denied. Also has an autoban feature.
- security_question by James N
The mod asks a question that requires human thought to be put into the answer. Both question and answer are configurable from the ACP. In addition the 'public profile' fields are hidden during registration to stop human spammers who never intend to confirm their membership leaving spam URLs.
- Spam Words by Joe Belmaati
Allows you to specify words in the administration panel that are not allowed to be used in posts. When a user tries to use a forbidden word, an error will be displayed.
- User Shield by Wo1f
Hides usernames and corresponding profile data from all except the Administrator until activated. Manage (activate or delete) non-activated members from the memberlist.
- Visual Confirmation (CAPTCHA) by Ptirhiik
This mod changes the CAPTCHA to a more solid one, even if GD is not available. It comes with random fonts, random colors, random sizes, random angles, noisy background with lines without GD, with lines and circles with GD, random chars in background, random pics in background with GD, etc.
- Visual Confirmation for Guests by Kanuck
Adds the visual confirmation to the posting page for guests. If you enable guest posting, you can use this MOD to prevent spammers from having a field day.
- Anti Bot Question by MagMo
This MOD replaces the standard visual confirmation with a question selected at random from a pool. You may add custom questions to the pool, which makes this MOD very dynamic.
** This MOD has not been validated by the phpBB MOD team.
- Antispam for all fields by Ramon Fincken
This MOD uses the word replacement list to check all profile fields (website, interests, etc.) as well as the posting field. An extensive bad word list is provided. Also checks remote websites for bad words. Admin panel settings.
** This MOD has not been validated by the phpBB MOD team.
- Anti-spam bots registration by RevJim & Anti-Spam ACP by EXreaction
Both of these MODs disable the signature and website fields for users with less than X posts. The ACP version by EXreaction adds configurable options to the administration panel.
** This MOD has not been validated by the phpBB MOD team.
- Raven's Antispam by romans1423
Raven's Antispam is a lean but effective solution for preventing spam registrations and posts, ported to phpBB from a Wordpress plugin of the same name. By requiring an installation-unique variable to be filled out (automatically, if JavaScript is enabled), bots are simply blocked. Raven's Antispam does not require any database modifications or admin panel configuration.
** This MOD has not been validated by the phpBB MOD team.
- Registration Auth Code (RAC) by Marshalrusty
This MOD will require users to enter an auth code during registration, which can be defined by the administrator.
** This MOD has not been validated by the phpBB MOD team.
- Unique Registration Hash by pentapenguin
This MOD changes the "agreed=true" part of the registration form to a unique identifier to help stop spam bots from registering.
** This MOD has not been validated by the phpBB MOD team.
- SPAM removal tools
Admin Toolkit (mirror) - Allows you to mass delete users. Users should never be deleted straight from the database using tools such as phpMyAdmin.
Translations
Dutch: http://www.phpbb.nl/viewtopic.php?t=31511
Dutch: http://www.phpbbservice.nl/viewtopic.php?t=2
Español: http://www.tomatoma.ws/foros/viewtopic.php?t=10201
Other anti-SPAM topics
- Fight the spam registration bots! by espicom
- Anti-Spam Thread! by EXreaction
- PM me if you:
- are the author of one of the MODs above and are not happy with my description (I will be happy to use yours as long as it isn't too long).
- know of a SPAM prevention MOD that belongs on the list above (I purposely didn't include some MODs).
- found a mistake in the article above.
- have something else that would best be said in private.
Please make all other comments directly in this thread. Feedback is always appreciated.
1184853810 - Updated various things; added some MODs
1182314028 - Updated article to version 2
8 entries from 1155596825 to 1170909699 excluded to reduce length
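
The FAQ's point that most bots post straight to the handler, so only checks made while processing the submission count, shown as an added example (not part of the original post and not code from phpBB or any MOD listed). It combines three of the checks described above: an auth code, a minimum fill time and a field the form never offers; the signed timestamp token and every name and constant are assumptions.

```php
<?php
// Added illustration; not code from phpBB or any MOD named in the post.
// Every name and constant here is hypothetical.
const FORM_SECRET  = 'replace-with-long-random-per-board-secret';
const AUTH_CODE    = 'blue-kettle-42'; // constructed sample code set by the admin
const MIN_FILL_SEC = 5;                // threshold from the timing MOD description
const MAX_FORM_AGE = 3600;             // assumption: tokens expire after one hour

// Form rendering: value for a hidden field, "timestamp:hmac".
function issue_form_token(int $now): string
{
    return $now . ':' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Form processing: returns rejection reasons; an empty array means accept.
function check_registration(array $post, int $now): array
{
    $errors = [];
    // Treat missing or non-string inputs (e.g. arrays) as empty.
    $field = fn(string $k): string => is_string($post[$k] ?? null) ? trim($post[$k]) : '';

    // 1. A valid token proves the form was loaded from this board.
    $parts  = explode(':', $field('form_token'), 2);
    $issued = ctype_digit($parts[0]) ? (int) $parts[0] : 0;
    $valid  = hash_equals(hash_hmac('sha256', $parts[0], FORM_SECRET), $parts[1] ?? '');
    if ($issued === 0 || !$valid) {
        $errors[] = 'missing or forged form token';
    } elseif ($now - $issued < MIN_FILL_SEC) {
        $errors[] = 'form submitted too quickly';
    } elseif ($now - $issued > MAX_FORM_AGE) {
        $errors[] = 'form token expired';
    }
    // 2. The auth code is compared here, not in the HTML.
    if (!hash_equals(AUTH_CODE, $field('auth_code'))) {
        $errors[] = 'wrong registration auth code';
    }
    // 3. The form offers no website field, so any value came from a direct POST.
    if ($field('website') !== '') {
        $errors[] = 'website field supplied but not offered';
    }
    return $errors;
}

// Constructed sample submissions: a normal user, a too-fast submit, a direct POST.
$t0   = 1700000000;
$user = ['form_token' => issue_form_token($t0), 'auth_code' => 'blue-kettle-42'];
$bot  = ['auth_code' => 'guess', 'website' => 'http://spam.example/'];
print_r(check_registration($user, $t0 + 30));
print_r(check_registration($user, $t0 + 1));
print_r(check_registration($bot, $t0 + 30));
```

A token signed this way can be replayed until it expires; binding it to the session ID would limit one loaded form to one session.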