Preventing Spam in phpBB 3.0.6 and Above [*Read First Post*]

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Scam Warning

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby aliqot » Thu Dec 30, 2010 10:02 am

Anyone else getting deluged with spam over the last few days? I think we're going to have to persuade our site owner to install captcha.
aliqot
Registered User
 
Posts: 2
Joined: Thu Dec 30, 2010 9:54 am

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby Phil » Fri Dec 31, 2010 6:53 am

If a forum doesn't have any sort of CAPTCHA present, it is going to be deluged with spam regardless of the time of year ;)
Moving on, with the wind. | My Corner of the Web
User avatar
Phil
Former Team Member
 
Posts: 10402
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby Martin Truckenbrodt » Fri Dec 31, 2010 10:05 am

Hello,
CAPTCHA is not the only one successfull way to prevent spam! I have it disabled completely.

Bye Martin
Free tutorial: Installing MODs in phpBB3
Advanced Block MOD - Prevent spam on your phpBB3 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists!
My MODs
Use the official phpBB Ideas to vote missing core features!!!
User avatar
Martin Truckenbrodt
Registered User
 
Posts: 3006
Joined: Sun Mar 23, 2003 6:22 pm
Location: Franconia
Name: Martin Truckenbrodt

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby cebu » Sun Jan 02, 2011 7:12 am

last 4 days i deactivated lots of spammers on my site. i have 2 site and got hit the same time with spammers. i have the recaptcha installed for quite sometime now. its just now that this has happened.
cebu
Registered User
 
Posts: 34
Joined: Tue Feb 23, 2010 6:38 am

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby aliqot » Mon Jan 03, 2011 9:50 am

At the moment we have email activation installed, instead of the system we had before. We now have a list of inactive newly registered users - most of whom are clearly spam, but I guess they can't do a thing unless we activate them. Is the only downside the fact we need to check and activate any who seem genuine? We're not very lively at the mo in any case, so that is reasonably practical as a strategy.
aliqot
Registered User
 
Posts: 2
Joined: Thu Dec 30, 2010 9:54 am

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby dixieboy » Mon Jan 03, 2011 3:48 pm

Even with Captcha enabled you will be hammered with spam. reCaptcha was cracked months ago. What spammers are doing now is registering an account and then flooding the board with spam. Every morning when I wake up I check my board and find 101 spam posts with thousands of outgoing links. You know what's going to happen? Google is going to kill my site my in the rankings because of all the outgoing spam links!

I want visual verification required for every post whether the visitor is a guest or registered user. There is no such capability in PHPBB. What I really want to know is how you PHPBB developers cannot see this coming. Of course spammers are going to exploit the obvious and register an account manually then hammer the board with spam using a bot. The only saving grace is the spam posts all occur using one user name which makes deleting it rather easy--but not until after the posts have been crawled by all the search engines.

PHPBB = spam. You will always be hammered with spam if you use PHPBB. PHPBB has been around for years and the developers haven't figured out how to stop spam and never will. The only solution is a custom Q&A (which I use) and to require the question to be answered for every post whether the user is registered or not (for which PHPBB does not have the capability). Just because a user registers an account does not mean they can be trusted nor that they are not a spambot.
dixieboy
Registered User
 
Posts: 20
Joined: Fri Nov 21, 2008 2:29 pm

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby Pony99CA » Mon Jan 03, 2011 4:42 pm

dixieboy wrote:Even with Captcha enabled you will be hammered with spam. reCaptcha was cracked months ago. What spammers are doing now is registering an account and then flooding the board with spam. Every morning when I wake up I check my board and find 101 spam posts with thousands of outgoing links. You know what's going to happen? Google is going to kill my site my in the rankings because of all the outgoing spam links!

That's why you should enable the Newly registered users group. The spam posts won't be visible to anybody until they're approved, and it's far less onerous than a CAPTCHA on every post.

dixieboy wrote:I want visual verification required for every post whether the visitor is a guest or registered user.

If they break your registration CAPTCHA, why do you think a posting CAPTCHA will be any more effective?

dixieboy wrote:PHPBB = spam. You will always be hammered with spam if you use PHPBB.

Puh-lease. :roll: With phpBB 2, that was true, but I get almost no spam since I switched to phpBB 3.x -- and I do get spam bots at my board. In fact, I actually conducted an experiment to check spam. Since adding a required custom profile field, I've had maybe 6-8 spammers actually sign up and the worst only posted 2-3 times before I deleted him.

dixieboy wrote: PHPBB has been around for years and the developers haven't figured out how to stop spam and never will.

So who has figured out how to stop spam? :roll:

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
User avatar
Pony99CA
Registered User
 
Posts: 4535
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby Ag2000CO » Mon Jan 03, 2011 5:01 pm

dixieboy wrote:PHPBB = spam. You will always be hammered with spam if you use PHPBB. PHPBB has been around for years and the developers haven't figured out how to stop spam and never will.

This sound like the Windows/Mack argument over spam and for the same reasons.

Spammers like Willy Sutton go "where the money is" whither its Windows or phpBB. "Uncle Bill" and all of Redmond WA haven't figured it out either.
Say what you will about Sisyphus. He always has work.
User avatar
Ag2000CO
Registered User
 
Posts: 245
Joined: Thu Oct 14, 2010 5:19 pm
Location: CO, US
Name: Lou

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby Lumpy Burgertushie » Mon Jan 03, 2011 5:31 pm

even phpbb2 became virtually spam bot free once a simple question and answer was added to the registration process.

as far as I know, no bot has broken that method in phpbb2 boards yet much less the phpbb3 boards.

spam is a fact of life and unfortunately is something you have to deal with when you are online.

phpbb is certainly not alone in having to deal with this problems.

every bulletin board software , blog software, etc. etc has the same problems.


robert
User avatar
Lumpy Burgertushie
Registered User
 
Posts: 51596
Joined: Mon May 02, 2005 3:11 am

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby Martin Truckenbrodt » Mon Jan 03, 2011 10:14 pm

Hello,
BTW: Microsoft is the market leader for operating systems, internet browsers and standard office and email server software. phpBB is the leader for free Bulletin Board Software. The market leader position is the most important point for spammers and hackers. The vendor doesn't matter! ;)

Just compare forum spam with email spam:

Both can been sent by programs (spam bots) automatically and by human spammers manually.

Both email sender email addresses and forum user email addresses may be faked.
For email spam you simply can check if the email has been send via the official SMTP server (DNS MX record) for this email domain or not. If it's not been sent via the offical SMTP server then at least you can put the email into quarantine or you can block it (if you are a hard guy). The phpBB3 DNS MX check just looks if there is a MX record for the email domain. I think this is okay. A lot of "good" people whom are not using a SMARTHOST in the right way are sending emails directly via internet. This is not good but it is working. So you can not block this. It's a big problem. But we can not solve it.
For forum spam prevention you can set Account Activation to User or to User+Admin (Double Activation) to force the use of real and working email addresses.

To prevent email spam you can use (DNS) blacklists and content filtering. There are some other technics, too. But these can not been used if you are communicating with private people whom are using freemail accounts, SMTP tools and so on.
The phpBB3 default dnsbl check is done in a too much simple way. And it is using a DNS blacklist (spamhaus.org) which is well known for a lot of false positives. With Advanced Block MOD this feature has been improved and the number of false positives has been decreased to Zero.
You can use a little bit of content filtering in phpBB3 with Phils ATLBL Antispam or with Exreactions Anti Spam ACP. These MODs are using some kind of blacklists (databases) which are not only checking for the IP address.

phpBB users always are been told to use CAPTCHAs and Q&As for user registration and guest posting. Supporters and others always are telling this is the best way and it's the only one way. But they are saying you can not prevent human spammers with this methods. This is a big problem. In the time of phpBB2 there have been only a rare number of human spammers. But this has been changed since phpBB3 has been released. Today there are a lot of human spammers filling out registration forms manually.
You can use DNSBL check very successfully to prevent most of the human spammers. IMO this is the only one successfull way to get human spammers automatically.
What's the official phpBB answer for this problem? Make your board individually and use the Newly Registered Users group. IMO it would have been better to include (or to finish) the Double Activation (User+Admin) into phpBB3 to get nearly the same but a easier to handle result insteat. As you can see it in ./language/en/acp/board.php devs have been thinking about it. But since about four years it has not been done. Only the never ending story CAPTCHA thing has been improved by the devs for the core package. ... Double Activation still needs to install the Advanced Double Activation Pack.

To prevent email spam you can block spam emails automatically e.g. with IP DNS BLs and Domain DNS BLs. But in phpBB3 (without Advanced Block MOD) you can not block user registrations or guest postings automatically. In phpBB3 the registration form and the posting form always are displayed. It doesn't matter if you are a spammer or not. You can use banning. But this feature is only usefull to fight against single annoying people.

phpBB(3) core package needs to have automatically working true blocking features included and it needs to have more anti spam features included by default. The CAPTCHA plugin system is just only one of these possible features and IMO it's more like a workaround and it's not really a fully satisfying solution.

If you are interested you can read more about these things in my MOD FAQs.

Please don't tell me again the fairytales about problems with board performance and false positives!

Bye Martin
Free tutorial: Installing MODs in phpBB3
Advanced Block MOD - Prevent spam on your phpBB3 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists!
My MODs
Use the official phpBB Ideas to vote missing core features!!!
User avatar
Martin Truckenbrodt
Registered User
 
Posts: 3006
Joined: Sun Mar 23, 2003 6:22 pm
Location: Franconia
Name: Martin Truckenbrodt

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby gkmac » Tue Jan 04, 2011 8:32 pm

cebu wrote:last 4 days i deactivated lots of spammers on my site. i have 2 site and got hit the same time with spammers. i have the recaptcha installed for quite sometime now. its just now that this has happened.

My forum has been up (with reCaptcha) for about two and a half years and up until now only had one spam every two months or so, but during the past 48 hours I have had a sudden rise in account registrations on my forum, about one every three hours or so!

I require e-mail confirmation to activate accounts; so far they never seem to be activated by the time I discover and delete them (longest about 8 hours), and I've been getting a lot of "activate your account" e-mail bounced back to me as about half of them are putting in false e-mail addresses.
dixieboy wrote:reCaptcha was cracked months ago.

Well this is news to me. Have the bots found a certain "magic" way to read the words that reCaptcha's own OCR software can't?
gkmac
User avatar
gkmac
Registered User
 
Posts: 10
Joined: Sun Mar 02, 2008 9:16 pm

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby dixieboy » Tue Jan 04, 2011 10:53 pm

Pony99CA wrote:
dixieboy wrote:Even with Captcha enabled you will be hammered with spam. reCaptcha was cracked months ago. What spammers are doing now is registering an account and then flooding the board with spam. Every morning when I wake up I check my board and find 101 spam posts with thousands of outgoing links. You know what's going to happen? Google is going to kill my site my in the rankings because of all the outgoing spam links!

That's why you should enable the Newly registered users group. The spam posts won't be visible to anybody until they're approved, and it's far less onerous than a CAPTCHA on every post.

dixieboy wrote:I want visual verification required for every post whether the visitor is a guest or registered user.

If they break your registration CAPTCHA, why do you think a posting CAPTCHA will be any more effective?


They aren't breaking my custom Q&A Captcha via code. They are entering it once, then making hundreds of spam posts with a bot. Why? Because PHPBB only requires the successful entry of the Catpcha one time--and there are no more anti-spam challenge after that. That is the problem. Spammers get one challenge then free reign.

I do not want to have to manually approve posts. Everything was going fine until last week.

Pony99CA wrote:
dixieboy wrote:PHPBB = spam. You will always be hammered with spam if you use PHPBB.

Puh-lease. :roll: With phpBB 2, that was true, but I get almost no spam since I switched to phpBB 3.x -- and I do get spam bots at my board. In fact, I actually conducted an experiment to check spam. Since adding a required custom profile field, I've had maybe 6-8 spammers actually sign up and the worst only posted 2-3 times before I deleted him.


And you would enjoy having to delete spammers every morning, and for me more than once a day as of yesterday?

Pony99CA wrote:
dixieboy wrote: PHPBB has been around for years and the developers haven't figured out how to stop spam and never will.

So who has figured out how to stop spam? :roll:

Steve


The solution is simple: an anti-spam challenge with EVERY post regardless of whether the visitor is registered, a long-time member with hundreds of posts, or not. To make 101 spam posts, the spammer has to answer my custom Q&A only one time currently. They should be presented with questions with each attempted post. With almost 50 questions unique to my board, no spammer is going to sit and answer all of them.
Last edited by dixieboy on Tue Jan 04, 2011 10:58 pm, edited 1 time in total.
dixieboy
Registered User
 
Posts: 20
Joined: Fri Nov 21, 2008 2:29 pm

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby dixieboy » Tue Jan 04, 2011 10:57 pm

gkmac wrote:
cebu wrote:last 4 days i deactivated lots of spammers on my site. i have 2 site and got hit the same time with spammers. i have the recaptcha installed for quite sometime now. its just now that this has happened.

My forum has been up (with reCaptcha) for about two and a half years and up until now only had one spam every two months or so, but during the past 48 hours I have had a sudden rise in account registrations on my forum, about one every three hours or so!


reCaptcha has been cracked. I use custom question and answers.

gkmac wrote:I require e-mail confirmation to activate accounts; so far they never seem to be activated by the time I discover and delete them (longest about 8 hours), and I've been getting a lot of "activate your account" e-mail bounced back to me as about half of them are putting in false e-mail addresses.

dixieboy wrote:reCaptcha was cracked months ago.

Well this is news to me. Have the bots found a certain "magic" way to read the words that reCaptcha's own OCR software can't?


When I disabled reCaptcha and went to a custom Q&A, my spam from bots dropped to none. Until last week, when spammers were manually registering an account and using that same account to make 101 spam posts.

Finding spam every day makes me dread visiting my own board. :evil:
dixieboy
Registered User
 
Posts: 20
Joined: Fri Nov 21, 2008 2:29 pm

Re: Preventing Spam in phpBB 3.0.6 and Above [*Read First Po

Postby Pony99CA » Wed Jan 05, 2011 12:03 am

dixieboy wrote:
Pony99CA wrote:
dixieboy wrote:I want visual verification required for every post whether the visitor is a guest or registered user.

If they break your registration CAPTCHA, why do you think a posting CAPTCHA will be any more effective?

They aren't breaking my custom Q&A Captcha via code. They are entering it once, then making hundreds of spam posts with a bot. Why? Because PHPBB only requires the successful entry of the Catpcha one time--and there are no more anti-spam challenge after that. That is the problem. Spammers get one challenge then free reign.

I do not want to have to manually approve posts. Everything was going fine until last week.

I know that you don't want to have to approve posts, but that's the only way to do it for now (without a MOD). Remember, if you sent the limit to one post, that's one approved post, so spammer's who posted 100 posts still wouldn't have any of them show up. When you delete their accounts, all of those posts would vanish.

Are you getting so many valid new members that turning post approval on would be that bad? If so, have you tried increasing the flood interval?

Also, don't you think that your users would get very annoyed having to answer a CAPTCHA with every post?

dixieboy wrote:
Pony99CA wrote:
dixieboy wrote:PHPBB = spam. You will always be hammered with spam if you use PHPBB.

Puh-lease. :roll: With phpBB 2, that was true, but I get almost no spam since I switched to phpBB 3.x -- and I do get spam bots at my board. In fact, I actually conducted an experiment to check spam. Since adding a required custom profile field, I've had maybe 6-8 spammers actually sign up and the worst only posted 2-3 times before I deleted him.

And you would enjoy having to delete spammers every morning, and for me more than once a day as of yesterday?

Of course not. Unfortunately, that's the cost of doing business with losers like them on the Internet.

And, of course, even if they can't post, they'll still register and you'll still have to delete them.

dixieboy wrote:
Pony99CA wrote:
dixieboy wrote: PHPBB has been around for years and the developers haven't figured out how to stop spam and never will.

So who has figured out how to stop spam? :roll:

The solution is simple: an anti-spam challenge with EVERY post regardless of whether the visitor is registered, a long-time member with hundreds of posts, or not. To make 101 spam posts, the spammer has to answer my custom Q&A only one time currently. They should be presented with questions with each attempted post. With almost 50 questions unique to my board, no spammer is going to sit and answer all of them.

As I said above, I don't think that's a good solution.

First, it will tick off your real users. You want to make life easy on them even if it costs you a little extra time. I've seen one board that did that and I found it extremely annoying.

Second, if a human can register, a human can spam. It won't be as cost-effective, but they can still post several posts instead of 100.

Maybe you should try looking into one of the spam blocking MODs that uses blacklists.

That said, I don't think it would be a horrible idea for the developers to at least make it an option in the ACP. One way that might be acceptable to you and your users would be to present the CAPTCHA on posts if the user had violated the flood limit. That would give spambots one free post, but they'd then get the CAPTCHA because they tried to post too fast. Your normal users probably wouldn't get it very often.

Finally, if you want this now, I bet I could give you code changes to do that. PM me if you're interested.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
User avatar
Pony99CA
Registered User
 
Posts: 4535
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Custom profile field ends up in profile page, not registrati

Postby AlternativePhoto » Thu Jan 06, 2011 10:26 am

Newbie question - please help...
I've read the article here:
http://www.phpbb.com/kb/article/custom- ... mmer-tool/
And set up 2 Custom profile fields, one yes/no question like described and one textfield with the question "What is the name of this website".
The fields does not end up on the registration page, but in the profile page.
The question is: How do i make the fields appear on the registration page?
Appreciate any help! :-)
AlternativePhoto
Registered User
 
Posts: 18
Joined: Mon Dec 28, 2009 11:28 am

PreviousNext

Return to 3.0.x Support Forum

Who is online

Users browsing this forum: Google Adsense [Bot], Yahoo [Bot] and 81 guests