[ALPHA] Checkbox Challenge 0.5.0 (2007-05-11)

A place for MOD Authors to post and receive feedback on MODs still in development. No MODs within this forum should be used within a live environment! No new topics are allowed in this forum.
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

IMPORTANT: MOD Development Forum rules

On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.
User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

[ALPHA] Checkbox Challenge 0.5.0 (2007-05-11)

Post by drathbun » Sun Apr 15, 2007 1:25 am

MOD Title: Checkbox Challenge
MOD Description: A new tactic for combatting registration bots (spammers), full description and screen shots below
MOD Version: 0.5.0

MOD Download: Download 0.5.0 ALPHA (Zip)
Last Stable version: N/A

Demo Board: http://www.phpbb2mods.com

This MOD incorporates the EZ Registration MOD which truncates the list of fields visible during registration. If you have already installed that MOD (released here) then the install instructions for this MOD need to be adjusted. I will provide notes for how to do that eventually, but they are not present as of this download. This MOD will probably be incompatible with other MODs that use switches to show / hide fields during the registration process.

Edit History
2007-05-11
  • released ALPHA 0.5.0
  • added download
  • updated screenshots
Original Post Below
There are a lot of different options already out there to combat registration robots (regbots), and this is yet another. I am in the process of testing it now on a board that gets almost 100% spam registrations. I will consider this a success if I can block most (if not all) of the spammers. If it doesn't work, I will not bother to release this MOD. So why start the topic now? Good question. :-)

Mainly because I wanted to post it for feedback at the moment. I have a blog as well as several phpbb boards. My blog was getting hammered by comment spammers, and over time I developed what seems to be an effective way to combat the comment bots. At first I added a simple checkbox that says "Please click the checkbox to confirm your comment" and that worked for quite a few bots, but I still got a lot of spam posted. Then I added four checkboxes, and marked one of them as the "validation" checkbox. I still got a lot of spam. Then I thought to actually check the status of the checkboxes, and learned something very interesting.

The comment bots did one of two things. They either ignored the checkboxes entirely, or they marked them all. :shock: It makes sense, when you think about it. The bot-writer would not know about the confirmation checkbox since it was custom code of my own. So they ignore it. Or the bot-writer could be a little more flexible and look for checkboxes and simply mark them, ensuring that everything on the form is filled out. But only very rarely did a bot have the smarts (or perhaps it was a human) to mark exactly one checkbox out of a set of four. To make life more interesting, the "valid" checkbox position changes randomly from one comment to another.

Long story short: I have converted this into a reg-bot stopper for phpBB. During the registration process a user sees only four fields: username, email address, password, and password confirmation. Under those fields are a number of checkboxes. The exact number of checkboxes is determined by an ACP (Admin Control Panel) entry. Even the names of the checkboxes on the form are controlled by the ACP. The way you mark the "valid" checkbox is settable on the ACP. And finally, I am considered (but have not implemented) a banning step.

ACP for 0.5.0
Image

Registration Screen for 0.5.0
Image

Temporary Ban (new in 0.5.0)
Image

This MOD is fairly simple to install. I have it installed on one board right now, and will be adding it to two others over the weekend. If testing seems to indicate that this is working, I will go through the full release process here. If testing seems to indicate that it's not as bot-proof as I hope, then I probably won't bother.

This will be for phpBB2 only to start with.

Comments, feature requests, or suggestions cheerfully accepted at this time. :-)
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
Dogs and things
Registered User
Posts: 2114
Joined: Fri Sep 01, 2006 9:04 am
Location: Spain
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by Dogs and things » Sun Apr 15, 2007 7:12 am

Smart simplism. :razz:

Sounds very effective.
For phpBB2 support visit phpBB2refugees.

User avatar
akis123321
Registered User
Posts: 62
Joined: Mon Nov 20, 2006 12:10 pm
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by akis123321 » Sun Apr 15, 2007 1:34 pm

So when will that MOD be available
Have a question, feel free to pm me
My fav sites: http://www.npsari.com & http://www.zortin.com & http://www.yavrim.com

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Sun Apr 15, 2007 3:20 pm

I am testing it now on one board, will be installing it on two more today. If the MOD proves to be effective I will complete the development / release process. If the MOD doesn't prove to be effective there's not much point. :-) I expect it will be a minimum of a week before I post any code for downloading.

It's a quite simple MOD, actually. There are changes to the admin/admin_board.php (and associated template), includes/usercp_register.php (and associated template), and some new files to includes along with an edit to includes/functions.php in order to load the language file. Not too bad, I don't think.

Thanks for your interest and comments so far.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Sun Apr 15, 2007 5:31 pm

In the 36 hours since I installed this I've had zero spam registrations. It's hardly conclusive, but it's promising. :-) I added some debug code that will log registration attempts that fail so that I'll know something is actually happening. I will log the date/time, attempted username, attempted email address, and the reason for the rejection.

Stay tuned for details. 8)
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Sun Apr 15, 2007 6:02 pm

In the 20 minutes since I added logging of failed attempts I have logged / blocked two spammer registration bots. :-P One from a .ru email address and one from .ro. The logging process is in place since I have not turned on banning. I haven't turned it on because I haven't written that part yet. :lol:

I won't give hourly updates, that would be a bit much. I will report back in a few days. When I used this on my blog to block comment spam I did not get 100% blockage. But in the last 90 days it blocked 98% of the comment spammers. If you get 100 spammer registrations a month (like I do on one of my boards) that takes the workload from 100 users to delete down to 2.

I'm willing to live with that, especially since this is a very simple MOD.

More details in a few days.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Mon Apr 16, 2007 1:11 pm

In the past 19 hours I have blocked 19 unwanted registrations. Part of what I did was remove the ban entries for every email address / full domain that I've blocked over the past months, so there are probably more registrations that are being processed. For example, "mail.ru" is a fairly typical domain to block, and I have unblocked it. 6 of the 19 blocked registrations are from that domain.

On the other hand, your board is more efficient if you don't have a lot of ban records, so being able to use banning only for users that actually break the rules, and so on, rather than blocking wholesale domains just to avoid registration spammers should be a good thing.

There have been zero successful spammer registrations since I installed this MOD.

As a side note for discussion: the main thing that (I believe) has to be done in order to stop registration by reg-bots is to make the registration page for your site different from anyone else. And it has to be different in such a way that bots can't get around it with some generic coding techniques. That's the primary function of this MOD; if a bot skips the set of checkboxes they can't register. If a bot checks all of the checkboxes they can't register. And since the MOD allows you to rename the checkbox controls, alter the number of checkboxes, and even alter the way the checkbox is "marked" as to which is valid, it is my hope that even if a lot of phpBB boards use this MOD it will still prove to be effective.

So, a question: are there other things that anyone can think of that could be used to provide more variety to this MOD?

I thought about having the user click more than one checkbox, and making that a parameter, but that increases the complexity of the code quite a bit so I skipped it for now. Something like "Click all of the marked checkboxes below:" and then show this:

Code: Select all

 []  *[]*  []  []  *[]*  []  []
The user would have to click both of the marked checkboxes. The number to click could be random, or could be assigned on the admin panel. I might still experiment with that, or perhaps leave it for version 2.

Can anyone think of another way to allow board admins to make this unique that could be coded into the admin panel?

BTW, you might notice that in the screenshot above the "confirm" checkbox has the same name as the "challenge" checkbox. That's fine. The challenge checkboxes get numbered and the confirm checkbox does not. So the checkboxes in the case above would be confirm_01, confirm_02, confirm, and confirm_04. That's assuming that the randomly selected checkbox number was 3. So if you wanted to disguise the checkbox names a bit more you could determine how many checkboxes there are (4 in my example) and then name your confirm checkbox using the same pattern, but a higher number, like confirm_05. That way all of the checkboxes would have the same (similar) name patterns, which would make it even more difficult for a generic bot to figure this out.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
bonelifer
Community Team Member
Community Team Member
Posts: 3479
Joined: Wed Oct 27, 2004 11:35 pm
Name: William
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by bonelifer » Tue Apr 17, 2007 3:40 am

I really can't see anything else. As you've said it is the simpleness of this mod that is its genius. Also tying to many techniques into one mod will make each technique less effective and make it harder for admins to install other complimenting mods to further enhance the effectiveness of their anti-spam approach. For example on one board I admin, we have the Anti-SpamACP mod installed. We currently have the version just before Excreation added his own captcha. The reason we haven't updated is that we already use the Freecap VC and it works. If it stops working we can remove it and add a different one without losing the advantages we had(ie uniqueness). So now we're looking for alternates that don't include a built-in captcha and fulfill our needs and would have future support. By keeping each SPAM & Security mod produced specific to a particular problem(combating a specific spam technique/security aspect) mod authors are allowing for other mods to be installed to deal with other specific problems. This all allows for the UNIQUENESS that mod authors and phpBB staff keeping preaching about.

Nice work so far. :)
Knowledge Base | phpBB Board Rules | Search Customisation Database
Image
Please don't contact me via PM or email for phpBB support .

User avatar
Dogs and things
Registered User
Posts: 2114
Joined: Fri Sep 01, 2006 9:04 am
Location: Spain
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by Dogs and things » Tue Apr 17, 2007 6:20 am

Something I can think of would be to give several options,

One would make a random number of checkboxes mandatory, show four boxes and make from one to three mandatory as one method.

Another option to make only one mandatory, a static option.

And a third option would make one checkbox mandatory, but this box would be randomly picked.

These diferent options can be selected in the ACP.

Get my drift? :razz:

Allthough I wouldn´t be surprised if you had figured all these options allready. (Reading back I see that at least one of those three has been thought about, if I understand you right)
For phpBB2 support visit phpBB2refugees.

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Tue Apr 17, 2007 1:45 pm

Dogs and things wrote: One would make a random number of checkboxes mandatory, show four boxes and make from one to three mandatory as one method.

Yup, that was considered and not implemented as being overly complicated at this time. :-)
Another option to make only one mandatory, a static option.

Making things static is possible, but would (in my opinion) reduce the effectiveness of the MOD.
And a third option would make one checkbox mandatory, but this box would be randomly picked.

That's the standard behavior of the MOD. :-) What I have right now to "randomize" the MOD is the ability for the board moderator to alter the number of checkboxes that are displayed as well as the actual checkbox (form element) name. So far it seems to be effective. I have had zero... nada... zilch... nary a one :-) spam registration on this board since I implemented it. I have had two successful registrations because I asked some folks to try it out and report back on the "user experience". One of the users failed the first time because they hit the "enter" key to go to the next field and they got a message about having to click a checkbox, and they simply clicked the Back button and re-entered their password, clicked the checkbox, and moved on from there.

I have completely emptied my "banlist" table, so anyone and everyone (and everybot ;-)) is able to try to register. I would actually prefer this, as the longer the banlist gets the more time various things take. It would be nice to only have to use the ban table for legitimate purposes instead of as a shotgun approach to taking out entire domains.

This board (as I have mentioned previously in this topic) gets an average of 5 spammers a day. Since noon on Sunday (not quite 48 hours) I have received zero successful spammer registrations and blocked 29 regbots. I am quite certain they are regbots based on the email addresses being used.

The banning option is not complete. Would anyone be interested in trying this MOD out before that's ready? If so, I can post code in a few days.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Tue Apr 17, 2007 1:53 pm

bonelifer wrote: By keeping each SPAM & Security mod produced specific to a particular problem(combating a specific spam technique/security aspect) mod authors are allowing for other mods to be installed to deal with other specific problems. This all allows for the UNIQUENESS that mod authors and phpBB staff keeping preaching about.

Yes, I agree... but in case you missed it, one thing that I have done is to combine this with my EZ Registration MOD. I think there are some conflicts with that MOD and some of the other MODs out there, because what it does is remove every non-essential field from the registration form. This is done, of course, with template switches. There are some other MODs that use the same technique. I am not familiar with the ones that you mentioned.

By doing this, I know for certain that I don't have to worry about a user picking an avatar during the registration process. That makes the code a lot easier, as I don't have to worry about someone going out to the avatar selection screen and back, and losing their checkbox settings. If you look at the standard registration code there is logic to pass every single registration form field value into the avatar selection routine and back again. It's messy, and I don't like it. :-) So to make this MOD easier I simply remove the option to select an avatar during registration... and enter anything else, like a website and so on.

I don't know if that will conflict with the other MODs that you mentioned.

I have turned off the phpBB CAPTCHA on the board I'm using to test. I don't think it has any affect on the results. And frankly I would rather not have to use it.
Nice work so far. :)

Thanks. :-)

So far 100% of the regbots have failed to click any checkboxes. I'm still waiting to find the one that clicks all of the checkboxes. On my Wordpress implementation of this same code I get about 1/3 of my comments blocked because the bot clicks every checkbox but it seems the phpBB regbots are not using the same techniques. Yet. :-D
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Tue Apr 17, 2007 11:08 pm

Code: Select all

+-------------+----------+
| reject_date | count(*) |
+-------------+----------+
| 2007-04-15  |       11 |
| 2007-04-16  |       14 |
| 2007-04-17  |       14 |
+-------------+----------+
Total rejects: 39
Total registrations (valid): 2

MOD Success rate: 100%

I am going to install it on another one of my boards tonight, and start right this time with the log in place when it starts so I have a complete picture of what's going on. This other board does get some actual legitimate registrations, so it will be interesting. It will also be interesting to see how many people get it wrong at the first attempt; I had one of those on the first test board where there was a rejected attempt followed by a successful registration.

More details in a few days. I am encouraged so far.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
Brf
Support Team Member
Support Team Member
Posts: 51870
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by Brf » Tue Apr 17, 2007 11:17 pm

Very nice :D

another way to help it is to use images to mark your checkboxes...

or maybe require a random number of boxes to be checked. Maybe you could randomly generate which
box(es) need checks and store the answer similar to the way the visual confirmation answer is stored.

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Wed Apr 18, 2007 2:33 am

Brf wrote: another way to help it is to use images to mark your checkboxes...

or maybe require a random number of boxes to be checked. Maybe you could randomly generate which
box(es) need checks and store the answer similar to the way the visual confirmation answer is stored.

Both nice ideas, both will probably wait for Version 2. I had thought about the random number of checkboxes, but one is easier to code for and seems to be (for the moment) effective enough. I appreciate the comments.

I am getting ready to install on my second, third, and if I'm really energetic, fourth board for testing purposes tonight.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

User avatar
drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE
Contact:

Re: [DEV] Checkbox Challenge for Registration

Post by drathbun » Thu Apr 19, 2007 12:46 pm

I added to the logging done by this MOD, and I have noticed that some folks are having some difficulty in figuring out what they're supposed to do. :-) In the log there was one poor person that tried five different times to get registered (and I do assume it was a person based on the timing of the events, the username, and the email address) and eventually they gave up.

I have changed the text in the language file to see if that helps.

Also I have never really been excited about the banning piece of this, and I was given an excellent reason to drop it from evil<3 on his board, where he said:
evil<3 wrote: But then there's something you need to see: this gives anybody the power to ban email addresses! Anybody could go to the registration form, enter an email address, hit the wrong checkbox, and already he has banned somebody's email. And that's just not right.

There are some things I could probably do to avoid this, but no matter what you do there is always the option for someone with nefarious intent :-) to do exactly what evil<3 has suggested. I will be removing the banning option from the MOD.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
Image

Post Reply

Return to “[2.0.x] MODs in Development”