Abuse: Random users with invalid emails and Russian URLs

[Bjørn Lindeijer]

Lately I've had an increasing number of users signing up with invalid email addresses. They also had numbers in their name and their URL set to some commercial Russian website. It's been 15 users now, that I have subsequently removed.

I'm worried that there might be some kind of crawler detecting forums (or at least phpBB) and automatically signing up, adding "@hotmail.com" to the random username to create an email address. I think this because my site is rather low traffic, and wouldn't be interesting enough to go and add these accounts manually.

I think the problem is caused by phpBB showing the new user even if it hasn't properly activated its account. Hence I would suggest only showing members that have clicked their activation link in the next release, to make this kind of abuse pointless.

[Draegonis]

Alterntivley, you can use the amasingly simple Visual Confirmation MOD that's in the /contrib dir of your phpBB download.

[Bjørn Lindeijer]

I don't like adding visual confirmation, and the activation turning out quite useless, I've turned that off too now. It's all the more hassle for people trying to sign up. Good to know there's a resolution close at hand when things get worse though!

I still think unactivated users showing up in the member list and "newest user" area is faulty behaviour. I could fix that locally, but that doesn't stop this kind of abuse. Fixing it in the next release will make this kind of abuse less interesting worldwide.

[Draegonis]

Uh, I didn't say anything about activation. The VC MOD doesn't require any effort on your part, bar to upload a few files from the zip file, and it will prevent these bots from registering at all.

[Bjørn Lindeijer]

I know, it's the effort from the users I was worrying about. I don't like to have to copy a number if it isn't necessary. Until now, we have been fine for 2 years without this. I'm only adding this when the above kind of abuse increases too much.

[Heimidal]

I know, it's the effort from the users I was worrying about. I don't like to have to copy a number if it isn't necessary. Until now, we have been fine for 2 years without this. I'm only adding this when the above kind of abuse increases too much.

And according to your first post, the level of abuse has increased to a sufficient amount to warrant this action, or you wouldn't be complaining in the first place.

Huge sites use this technique and it takes an extra 15 seconds (max) to sign up. What's the problem, exactly?

[Arty]

I had the same problem on my forum. And I also don't like visual confirmation, so I solved problem differently - don't show website url for users who have 0 posts, and don't show memberlist to search engines (makes whole registration spamming thing pointless). Also I added hidden variable to registration form and if form is submitted without that variable then registration fails (keeps registration bots away from forum).

[Bjørn Lindeijer]

Huge sites use this technique and it takes an extra 15 seconds (max) to sign up. What's the problem, exactly?

The problem exactly is that phpBB encourages these kind of bots because it will show username and url even if the accounts are not activated. The problem with copying a random code is that I think it's an ugly and unnecessary counter measure. 15 of these fake users is enough to get me posting here, but not enough to get me to add that kind of thing to the forum.

Thanks CyberAlian for your suggestions, I'll at least think about the doing hidden variable thing and will be looking into adding memberlist to robots.txt file.

[Heimidal]

The problem exactly is that phpBB encourages these kind of bots because it will show username and url even if the accounts are not activated. The problem with copying a random code is that I think it's an ugly and unnecessary counter measure. 15 of these fake users is enough to get me posting here, but not enough to get me to add that kind of thing to the forum.

Thanks CyberAlian for your suggestions, I'll at least think about the doing hidden variable thing and will be looking into adding memberlist to robots.txt file.

We do not encourage bots - we simply operate in a way that makes sense. Some people might get confused if they never get the email they were supposed to get from registration, don't see their username in the memberlist, and can't register again.

And I get it... it's good enough for Ticketmaster, who gets thousands of hits and orders a day, but not good enough for your forum..

Good luck finding a reliable safeguard that isn't user-facing and failproof. The functionality of the forum will not be changed anytime soon.

[Arty]

The problem exactly is that phpBB encourages these kind of bots because

All other forum software have similar features. But phpBB is the most popular forum software and because of that spammers are attracted to phpBB. In phpBB 2.2 list of users is shown only to registered users, so it also makes registration spamming useless. You can wait for phpBB 2.2 that will be released later this year, or you can apply one of solutions posted above (visual confirmation or hidden items in form + hide users list).

[Bjørn Lindeijer]

I don't understand the level of hostility here. I'm just voicing some concern, asking for a change that might reduce the problem, and interested in ways to prevent it without bothering new users.

I'm glad at least part of the problem is taken into account in 2.2. As far as I'm concerned now, I'll just wait and see how many fake users sign up next week and go on from there.

[Techie-Micheal]

I don't understand the level of hostility here. I'm just voicing some concern, asking for a change that might reduce the problem, and interested in ways to prevent it without bothering new users.

I'm glad at least part of the problem is taken into account in 2.2. As far as I'm concerned now, I'll just wait and see how many fake users sign up next week and go on from there.

Hostility begets hostility. You weren't exactly very nice to us when we answered your question.

You have a couple of choices here.

1. Use the visual confirmation, which 2.2 makes use of by the way.
2. Edit the registration template so that registering users will not have the opportunity to input their homepage, ICQ, MSN, etc. until they are approved by the admin, and log in again. Rather simple to do actually. And in fact, 2.2 makes use of this as well.

[Mike Panic]

im in the same boat... tons of new bogus registers all w/ numbers and all pointing to the same url... choppy.com/something-something, they are all differant.

im at the point where im about to call the person who owns the domain name and ream him out... then call their host and put in a formal spam complaint

ive disallowed *.hotmail email addy's from registering, but its still allowing them for some odd reason... so frikkin annoying

btw Techie-Micheal - took a look at your site... your more then welcomed to come join http://www.iphotoforum.com

[globetrotting]

... Edit the registration template so that registering users will not have the opportunity to input their homepage, ICQ, MSN, etc. until they are approved by the admin, and log in again. Rather simple to do actually.

Would it also be "rather simple" to explain how to do it?
I'd appreciate an explanation very much, as my board is infected as well

[Harriers9]

The same here.

I am also getting spam registrations from this Chopoy w**ker and would like it stopped.

Not being a php expert I would like to know how to modify the registration template.

I tried to update my board from 2.0.8 to 2.0.10 last week but failed due to the lack of simple advice from the experts on here. We are not all tech heads that can understand complicated instructions or just told to change some obscure code without being told how to achieve that.

Good example at the end of this:

http://www.phpbb.com/phpBB/viewtopic.ph ... highlight=