[Discuss] Preventing Spam in phpBB3

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Ideas Centre
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
Locked
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by Pony99CA » Thu Dec 06, 2012 10:18 pm

njfail wrote:I saw that most visual captchas are broken. I was searching the phpbb board for captchas and saw this: https://www.phpbb.com/customise/db/mod/keycaptcha/
Does anyone know if keycaptcha is effective? Anyone here use it?
Did you do a search for KeyCAPTCHA? If so, you'll find some information (from somebody who supposedly worked there or represented them) that the organization is not benign. I have no idea whether that's true or not, though.
njfail wrote:I've been using the Q&A with: Type the hidden word: 92Epic3ka25r
Epic being the answer
But I'm still getting spam bots in (maybe one every other day).

Do you think its spam bots that are getting the question right? Or do you think its real people that answer the question and then spam my site?

I figured that if real people are logging the Q&A that I have, then a captcha would be good because it would change everytime.
You misunderstand what a CAPTCHA is. A CAPTCHA is any system designed to be solvable by humans but not computers (at least not today's computers). That can be Q&A, Sortables, ReCAPTCHA, etc.; a CAPTCHA does not have to be image-based. (Technically, some people claim that the CAPTCHA has to change everytime, which Q&A doesn't in most cases, but I have proposed a system where it would.)

Read the above Wikipedia link for more information.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

suebriquet
Registered User
Posts: 2
Joined: Fri Jan 18, 2008 10:45 am

Re: [Discuss] Preventing Spam in phpBB3

Post by suebriquet » Fri Dec 21, 2012 3:15 pm

This may be a stupid question, but I am having trouble on this issue somehow. I have installed phpBB 3.0.11. I heard that it has a built in Captcha so you don't have to install any plugins. The default templates prosilver and subsilver2 both have Captcha pages in their template folder. My question is, how do you activate this Captcha? Somehow it doesn't just appear on default. Many thanks to whoever answers my question.

suebriquet
Registered User
Posts: 2
Joined: Fri Jan 18, 2008 10:45 am

Re: [Discuss] Preventing Spam in phpBB3

Post by suebriquet » Fri Dec 21, 2012 3:21 pm

Never mind. I think I have answered my own question. Instead of an image captcha, it's a question people have to answer. That's brilliant!

User avatar
Eddie11
Registered User
Posts: 17
Joined: Fri Dec 28, 2012 10:17 pm
Location: Louisiana, USA
Name: Eddie
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by Eddie11 » Sun Dec 30, 2012 5:19 pm

I like and use the Q&A for spam control. However, unlike other peoples thoughts on only 1 question, I like to use 5 or 6 questions.
I try and change them up every few days, but normally happens on week ends.
Again, I agree with using questions that are not easily found out by a google or other search engine. I also agree that math questions in general are a bad idea. I like word problems though.
I do allow advertising on my board, but only in one forum. I have that set up to prune messages seven days after posted.
As of now my forums is very small and very new. Some how the spammers found me a couple weeks after starting it.
My methods at the moment work for me but I suspect there will be a time for me to change tactics.

I would love to here other peoples thoughts on this.
Eddie

ugoto6
Registered User
Posts: 9
Joined: Mon Sep 17, 2012 5:32 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by ugoto6 » Sun Dec 30, 2012 6:40 pm

I've been using phpbb for almost 8 years and had the same problem
A few years ago, I created a REQUIRED custom profile field with a drop down menu box
I haven't had a problem with spammers since!!


Custom Profile Fields with a drop down menu
https://www.phpbb.com/kb/article/custom ... mmer-tool/

User avatar
Eddie11
Registered User
Posts: 17
Joined: Fri Dec 28, 2012 10:17 pm
Location: Louisiana, USA
Name: Eddie
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by Eddie11 » Tue Jan 01, 2013 2:18 pm

ugoto6 wrote:I've been using phpbb for almost 8 years and had the same problem
A few years ago, I created a REQUIRED custom profile field with a drop down menu box
I haven't had a problem with spammers since!!


Custom Profile Fields with a drop down menu
https://www.phpbb.com/kb/article/custom ... mmer-tool/
When I followed the link, I read that the method was broken.
Thanks for the input and the idea, but for now I am sticking with my methods.
I will keep an eye out for other peoples ideas that would work for me.
Eddie

User avatar
Martin Truckenbrodt
Registered User
Posts: 3045
Joined: Sun Mar 23, 2003 6:22 pm
Location: Franconia
Name: Martin Truckenbrodt
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by Martin Truckenbrodt » Tue Jan 01, 2013 3:49 pm

Hello Eddie,
the phpBB3 Anti Spam Guide doesn't tell you all features to prevent spam. There are some more very effective features to prevent spam. Have a look to the modification database.
A lot of other web applications are using blacklists to prevent spam. In my experience it's a very good way to prevent spam user registations and spam guest postings in phpBB3.

Bye Martin
Free tutorial: Installing MODs in phpBB 3.0
Advanced Block MOD - Prevent spam on your phpBB 3.0 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists!
My MODs
Use the official phpBB Ideas to vote missing core features!!!

User avatar
Eddie11
Registered User
Posts: 17
Joined: Fri Dec 28, 2012 10:17 pm
Location: Louisiana, USA
Name: Eddie
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by Eddie11 » Tue Jan 01, 2013 4:04 pm

[quote="A lot of other web applications are using blacklists to prevent spam. In my experience it's a very good way to prevent spam user registations and spam guest postings in phpBB3.[/quote]

I don't like the idea of using an outside source for blacklisting.
In my opinion the blacklist source can be given false data and also the data could become outdated.

Thanks for the suggestion though. :)
Eddie

User avatar
Martin Truckenbrodt
Registered User
Posts: 3045
Joined: Sun Mar 23, 2003 6:22 pm
Location: Franconia
Name: Martin Truckenbrodt
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by Martin Truckenbrodt » Tue Jan 01, 2013 10:25 pm

Hello Ediie,
the risc of false positives is more a theoretical risc than a practical risc. Also with good implementations it's possible to reduce the risc to a minimum very near to zero. And e.g. in combination with a contact form you can be informed about false positives very easily.

Bad implementations of blacklists - like the phpBB3 default check - are the reason for their bad reputation, not (most of) the blacklists themselves.

Using a automatically maintained remote blacklist (they are using policies for this job) is always better than filling the not maintained phpBB BAN_TABLE with entries like *@mail.ru or *@gmail.com. For a lot of boards these entries will or would produce false positives.
And legal users whom feel annoyed by CAPTCHAs or whom are not able to fill out the CAPTCHAs are also false positives. I think here the risc is much more higher.

My boards are free of spam and they are free of CAPTCHA for user registration and guest posting. And spammers can not hack the used anti spam features.

But it's your board. And it's your decision. So it's okay.

Bye Martin
Free tutorial: Installing MODs in phpBB 3.0
Advanced Block MOD - Prevent spam on your phpBB 3.0 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists!
My MODs
Use the official phpBB Ideas to vote missing core features!!!

User avatar
shagimuratov
Registered User
Posts: 56
Joined: Thu Mar 10, 2011 5:05 pm
Name: Denis Shagimuratov
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by shagimuratov » Tue Feb 19, 2013 5:45 am

If you use public blacklists you should look at Frequency of record and Last seening time. Those two parameters can reduce false/positive rate.

For example, if Frequency for IP > 12 and Last seeing time < 1 day it very likely it's a spam bot. If Frequency for Email > 3 it's also a spam bot.
Extensions to prevent spam registrations and comments https://cleantalk.org.

User avatar
Martin Truckenbrodt
Registered User
Posts: 3045
Joined: Sun Mar 23, 2003 6:22 pm
Location: Franconia
Name: Martin Truckenbrodt
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by Martin Truckenbrodt » Tue Feb 19, 2013 9:35 pm

Hello Denis,
not all HTTP blacklists are offering these values.
Standard IP-RBL and Domain-RBL DNS Blacklists never are offering these values. Some of them just are categorizing the type of spammer or spam.
An alternative way is to block spammers with HTTP blacklists only if IP and username are listed or if IP and e-mail address are listed. In my experience this is working very well without false positives.
The next step is to weight blacklists. So the spammer will be blocked only if it is successfully listed on at least two blacklists.

Feel free to analyse my code and to read my FAQs. ;) I'm interested in every feedback! But please use the related support forums for posting your feedback.

Bye Martin
Free tutorial: Installing MODs in phpBB 3.0
Advanced Block MOD - Prevent spam on your phpBB 3.0 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists!
My MODs
Use the official phpBB Ideas to vote missing core features!!!

User avatar
shagimuratov
Registered User
Posts: 56
Joined: Thu Mar 10, 2011 5:05 pm
Name: Denis Shagimuratov
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by shagimuratov » Wed Feb 20, 2013 8:43 am

Martin Truckenbrodt wrote:Hello Denis,
not all HTTP blacklists are offering these values.
Thanks, usefull info for me :)
Martin Truckenbrodt wrote: Standard IP-RBL and Domain-RBL DNS Blacklists never are offering these values. Some of them just are categorizing the type of spammer or spam.
An alternative way is to block spammers with HTTP blacklists only if IP and username are listed or if IP and e-mail address are listed. In my experience this is working very well without false positives.
The next step is to weight blacklists. So the spammer will be blocked only if it is successfully listed on at least two blacklists.
Every HTTP blacklists service give us an additional delay to process registration/post, I think it's no good. May be will be better use blacklist test and someone else, for example JavaScript test?
Extensions to prevent spam registrations and comments https://cleantalk.org.

User avatar
Martin Truckenbrodt
Registered User
Posts: 3045
Joined: Sun Mar 23, 2003 6:22 pm
Location: Franconia
Name: Martin Truckenbrodt
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by Martin Truckenbrodt » Fri Feb 22, 2013 12:15 pm

Hello Denis,
IMO it's not recommended to allow guest posting. At least you should use it very rarely.
If you have disabled guest posting then we are just talking about user registration.

My strategy is to use IP-RBL DNS blacklists check first. This is a very fast check. If no spammer have been blocked with this check then I'm using a tiny Domain-RBL DNS blacklist check and a DNS MX record check for the e-mail domain (it's not very effective - there are no really usefull Domain-RBLs) and then a HTTP blacklist check. Yes, HTTP blacklists are not fast really. But together for all tests I have a delay of about two or three seconds for legitimate users. I think for one registration process it's absolutely okay. I'm catching all spammers this way. So I don't need any spam check for postings of registered users. So posting doesn't have a delay.

Bye Martin
Free tutorial: Installing MODs in phpBB 3.0
Advanced Block MOD - Prevent spam on your phpBB 3.0 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists!
My MODs
Use the official phpBB Ideas to vote missing core features!!!

Ashforums
Registered User
Posts: 1
Joined: Sun Mar 17, 2013 9:58 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by Ashforums » Sun Mar 17, 2013 10:09 pm

In case it's of any interest to anyone, i started using the Q&A captcha which proved helpful for a while, but i'm back to hundreds of spam registrations again as they seem to not only have cracked the captcha, but can also somehow 'see' the answers. For instance, as a test one question was 'what number am i thinking of right now?' and they still managed to crack it, even though there's no possible way to guess correctly. They can't post as reg's are admin activated, but it's still a pain.

One thing i wish phpbb would do is have some way of selecting all newly registered or non-posting members and marking those that are obvious (like...ahuyythppj or whatever) and being able to ban by IP and email, all in one go.

This would really help delete all the existing spam accounts that have registered before a decent captcha was put in place. As it is, i have to go through the members list, pick out those iffy looking ones, and spend a couple of minutes banning by IP, banning by email, deleting etc etc. When you have a thousand of the buggers, it can take some time!

Never understood why the idiots bother either. Such a waste of their time, as well as mine and my moderators!

User avatar
HGN
Former Team Member
Posts: 4706
Joined: Wed Dec 03, 2008 1:53 pm
Location: The Netherlands
Name: Alfred
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by HGN » Mon Mar 18, 2013 1:32 am

Ashforums wrote:In case it's of any interest to anyone, i started using the Q&A captcha which proved helpful for a while, but i'm back to hundreds of spam registrations again as they seem to not only have cracked the captcha, but can also somehow 'see' the answers. For instance, as a test one question was 'what number am i thinking of right now?' and they still managed to crack it, even though there's no possible way to guess correctly. They can't post as reg's are admin activated, but it's still a pain.
Most probably there is a logical reason why spammers seem to be able to register. We have seen no prove that the Q&A is really cracked by the spambots. They can resolve easy questions by maintaining a database with common questions. So it is important to have a good question specific for your board and it is best to have one question only.
We also saw these kind of claims on boards that have a bridge with other software providing ways to register or multiple copies of a board sharing the same database.
To resolve the issue you may have, you'd best fill out the Support Request Template Generator and post it in a new support topic to enable us to assist you best.

Locked

Return to “[3.0.x] Support Forum”