Taipo wrote: Would it be true to say though Marshalrusty that many of the spammer applications, applications used by spammers to post or request data from the webserver are in fact not web browsers, but independant applications, sometimes referred to as 'bots'.
Yes probably, but what does that change?
Taipo wrote: There is most certainly a lot of concern amongst phpBB administrators, enough for modders to make at least 21 hacks to prevent default flooding. But as you know, it doesn't take much effort for a spammer with knowledge of http headers to packet capture a header and rebuild it in their spammer applications/attack tools (lets call it what it is) using any custom changes made to the default scripts by many of these anti-spam mods.
Most of these tools simply alter the way phpBB handles registration, so of course if the spammer alters the script to work with each specific site, many of the MOD will be useless. Since most spammers use premade scripts and have no idea how they actually work, MODs like the VIP code or the humanizer may be somewhat effective.
Taipo wrote: The basic ideas of course need developing. The eventual result I think, needs to be a all encompassing security class file which also handles all sanitising of inputs, timers to pick up flooding attempts etc to be required_once into the head of every php script in the phpBB system with user controls in the ACP. But its main function would be to request cookies, send expired cookies and even make javscript requests in order to determine if a the browser viewing the forums is in fact an established web browser and not some spam bot BEFORE allowing the rest of the php script to load.
This is practically impossible, unfortunately.
Back-porting the various spam prevention tools (including the new CAPTCHA) from phpBB 3.0 certainly isn't a bad idea in my opinion, however this is something that is up to the developers, and they may have very good reasons for not doing it.