SPAM protection: easy way to fix captcha to disallow spammers

Post by moszinet »

Hello. I run 2 phpbb forums at vag-com.ro/forumro and vag-com.hu/forumhu. Unfortunately there is a flaw in phpbb which allows spammers to easily get over the confirmation code that is present on the registration form.

After examining the usercp_confirm.php I realized that there are PREDEFINED images for each letter that appears on the confirmation image, and this is really easy to hack if you know these predefined images.

All of you who have the same issue, just modify the usercp_confirm.php to generate slightly different sized pictures (35 instead of 40 for the height for example) and the spam robot won't be able to decode the image anymore.

All my best,
Moszi
Last edited by moszinet on Sat Oct 13, 2007 9:57 am, edited 1 time in total.
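
Added example (not part of the original post and not phpBB's code): a PHP check, using the GD extension, for the weakness described above. It renders the same confirmation code repeatedly and counts how many distinct images come out, once with every character at a fixed size and position and once with per-request variation. The function names `render_code` and `distinct_renders` and the sample code `K7QX2M` are hypothetical.

```php
<?php
// Added example, not phpBB code. Function names and the sample code are
// hypothetical; only standard GD and hash functions are used.

// Render $code with GD's built-in font 5 (9x15 px). With $vary = false each
// character lands at a fixed place and size, like one predefined image per
// letter. With $vary = true, height, offsets and strokes change per request.
function render_code(string $code, bool $vary): string
{
    $cellW  = 30;
    $height = $vary ? random_int(34, 46) : 40;
    $width  = $cellW * strlen($code);
    $img    = imagecreatetruecolor($width, $height);
    $bg     = imagecolorallocate($img, 255, 255, 255);
    $fg     = imagecolorallocate($img, 0, 0, 0);
    imagefilledrectangle($img, 0, 0, $width - 1, $height - 1, $bg);

    for ($i = 0; $i < strlen($code); $i++) {
        $x = $i * $cellW + ($vary ? random_int(2, 14) : 8);
        $y = $vary ? random_int(2, $height - 18) : 12;
        imagestring($img, 5, $x, $y, $code[$i], $fg);
    }
    if ($vary) {
        // Random strokes so the pixels around each glyph differ as well.
        for ($n = 0; $n < 4; $n++) {
            imageline($img, random_int(0, $width - 1), random_int(0, $height - 1),
                      random_int(0, $width - 1), random_int(0, $height - 1), $fg);
        }
    }
    ob_start();
    imagepng($img);               // capture the PNG bytes instead of sending them
    return ob_get_clean();
}

// Count distinct outputs over $runs renders of the same code.
function distinct_renders(string $code, bool $vary, int $runs = 20): int
{
    $seen = [];
    for ($r = 0; $r < $runs; $r++) {
        $seen[hash('sha256', render_code($code, $vary))] = true;
    }
    return count($seen);
}

$code = 'K7QX2M'; // constructed sample confirmation code
printf("fixed glyphs:  %d distinct image(s)\n", distinct_renders($code, false));
printf("varied glyphs: %d distinct image(s)\n", distinct_renders($code, true));
```

A renderer that returns the same bytes for the same code on every request behaves like the predefined per-letter images described in the post; switching to a different fixed height changes those bytes once but keeps the output deterministic.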

Post by moszinet »

me again :) another solution would be to re-generate those predefined images, and i think a tool for this issue would be greatly used.

Post by Dogs and things »

Amazing Moszi,

This sounds brilliantly easy.

Are you sure bots recognize the letters and numbers because of their being programmed to recognize the predefined size and nothing else?

Did you stop spamming just by modifying image-size?

I guess this will work until the bots get programmed a little bit better?
For phpBB2 support visit phpBB2refugees.

Post by moszinet »

hi d&t :),

yes. i'm pretty sure. i used to get at least 3-4 letters from my forum that a new user was created. now almost 6 hours and no new users.

[ i also shortened the code by 1 digit :)) ... which is illogical, of course, but i just played around to see what & how, and i left it with 5 digits finally... and still no new users ... ]

Post by Dogs and things »

Great thinking,

I hope it will continue working for you. :wink:

Post by moszinet »

heh :) mee too :) ...

Post by safe_reader »

So... I went through hours of work trying to sort out all the spam bots and prevent them from registering.. and just a simple thing like this would have worked?

:evil: :evil: :evil: :evil:

Post by moszinet »

well ... my father (actually he runs those forums) spent hours deleting the stupid spammer users :( :(

but yes... this fix is working. no spam users since.

Post by Wo1f »

Any new registered users since then?

Post by moszinet »

yes :) i got new users :p ... but no new spam users :)

[ but if you wanna say that i messed up completely the registration process, then no :)) i didn't :)) ... i tested it immediately :p ]

Post by drathbun »

This just goes to show that making your board unique is the best way to eliminate spammers.
I blog about phpBB: phpBBDoctor blog

Post by Wo1f »

moszinet wrote: yes :) i got new users :p ... but no new spam users :)

:D ... just checking.



@ drathbun

Yes, and the good news is that there now seems to finally be a consensus on that one, which is great to see happening.

Post by Dogs and things »

It must be possible to turn this invention into a new mod, making the numbers and letters in the visual confirmation varying. Maybe someone...?

Post by kpturner »

Any chance of posting up the changes you have to make - I am fed up with wasting hours deleting the spam users every day. Certainly the current method of avoiding spam registrations doesn't seem to work.

Post by Jim_UK »

Anything that makes your registration unique will stop them.
All these posts on this site on how to stop spam and one simple mod will stop all the bots. An extra field that has to be replied to in registration. I suggest the MyVIP code (not actually mine - that is the mod's name) will stop all bots and it takes just a few minutes to install.

Jim
The truth is out there.
Unfortunately they will not let you anywhere near it!