[Discuss] Preventing Spam in phpBB3

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Scam Warning
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
matt74
Registered User
Posts: 59
Joined: Wed Feb 23, 2011 10:31 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by matt74 »

Does the version of the style you're using match the version of the board?

User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 51104
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by stevemaury »

matt74 wrote:Are the answers to the Q&A case sensitive? So is 6gT5W different to 6gt5w?

If I put quotes around the bit that I want a user to type in the box, does that highlight to the bots what should be typed in?

Does using symbols like £ % etc make it more difficult for bots?
1. You can configure that

2. No

3. No
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)

matt74
Registered User
Posts: 59
Joined: Wed Feb 23, 2011 10:31 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by matt74 »

Thanks Steve

Albert Wiersch
Registered User
Posts: 145
Joined: Sat Dec 11, 2004 6:00 pm
Location: Dallas, TX
Name: Albert Wiersch
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by Albert Wiersch »

It appears as though doing the UTC-12 countermeasure results in the forum saying to the user (when the top-listed UTC-12 timezone is selected), that an email has been sent for account activation, but instead it 'silently' fails to register the user and no email is actually sent. Is that is what is suppose to happen? In the description it says an error message is shown, but it doesn't seem to show any for me when I was testing it by trying to register with the UTC-12 timezone.

Voltrix
Registered User
Posts: 21
Joined: Wed Mar 09, 2011 1:58 am
Location: The Hive

Re: [Discuss] Preventing Spam in phpBB3

Post by Voltrix »

Whats everyone's experence with "reCaptcha"? Can bots get past that?

pennycsf
Registered User
Posts: 152
Joined: Mon Feb 01, 2010 6:29 pm
Location: Pyrenees-Orientales, South of France
Name: Frank Parkinson
Contact:

Effectiveness of Q&A Captcha

Post by pennycsf »

I have recently been using Q&A, with User Authentication and an automatic check with the StopForumSpam database as part of the registration process.

I know if anyone gets past Q&A, because I send an e-mail on each check of SFS; but I didn't know how effective the Q&A was, so I modified the ucp_register.php file to send myself an email on every attempt to register. These e-mails, minus the ones sent on SFS checks therefore represent, almost certainly, spambots who fail the Q&A or don't fill in the normally required registration fields correctly.

I was surprised at the results, especially as my board is small (though the bots won't know or care about that).

In a 16 hour period there were 296 attempts to register that did not get past the registration page - not one of these got as far as the StopForumSpam check. I will keep the SFS check to try to stop human spammers, but to me, the results show conclusively that all you need to stop spambots in phpBB is a good set of Q&A.
It's a poor day when you don't learn something!

pennycsf
Registered User
Posts: 152
Joined: Mon Feb 01, 2010 6:29 pm
Location: Pyrenees-Orientales, South of France
Name: Frank Parkinson
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by pennycsf »

Voltrix wrote:Whats everyone's experence with "reCaptcha"? Can bots get past that?
Yes - easily!!

Use Q&A
It's a poor day when you don't learn something!

Tonttu
Registered User
Posts: 17
Joined: Sat Aug 08, 2009 7:34 am

Re: [Discuss] Preventing Spam in phpBB3

Post by Tonttu »

A little data from the Stop Forum Spam discussion forum for anyone curious about the efficiency of SFS:

Image
SFS admin wrote:This is submissions from ONE honeypot. For a period of 6-7 weeks, I installed an IP only check against the SFS api.... See if you can guess where that time window was? There was no reCaptcha or anything other than a normal captcha and email validation, which is what most boards seem to have.

rtfmoz
Registered User
Posts: 4
Joined: Wed Jul 01, 2009 2:30 am

Re: [Discuss] Preventing Spam in phpBB3

Post by rtfmoz »

I am getting posts on my forum from unknown usernames. I have Q&A questions in the registration profile with Admin membership approval but they are still getting in somehow. The username they are using does not appear in the user list at all. Is this a vulnerability perhaps in 3.0.2?

This post is coming up with a date in 2009? Timewarp?

User avatar
heenan73
Registered User
Posts: 6
Joined: Wed Mar 09, 2011 2:35 pm
Location: Canterbury, UK
Name: Andrew Heenan
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by heenan73 »

Q&A systems can only work if the questions are unique and frequently changed; at least one spamming software has system that allows human captcha decoders to submit their successful answers, enabling the system to maintain a live database of current answers.

It seems that spammers can learn from SFS, even if some forum members here are yet to be convinced ;)

Albert Wiersch
Registered User
Posts: 145
Joined: Sat Dec 11, 2004 6:00 pm
Location: Dallas, TX
Name: Albert Wiersch
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by Albert Wiersch »

rtfmoz wrote:I am getting posts on my forum from unknown usernames. I have Q&A questions in the registration profile with Admin membership approval but they are still getting in somehow. The username they are using does not appear in the user list at all. Is this a vulnerability perhaps in 3.0.2?

This post is coming up with a date in 2009? Timewarp?
Sounds like you really need to update phpBB. Though I don't know the details, I strongly suspect that 3.0.2 has security vulnerabilities.

And the 2009 date you are looking at is probably your join date, not the post date.

User avatar
Martin Truckenbrodt
Registered User
Posts: 3045
Joined: Sun Mar 23, 2003 6:22 pm
Location: Franconia
Name: Martin Truckenbrodt
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by Martin Truckenbrodt »

Hello heenan73,
spammers can not learn from SFS. Blacklists or databases like SFS can not been hacked or cracked. Spammers have learned to crack the Visual CAPTCHAs and they have learned to crack the default Q&A CAPTCHAs.

BTW: The ATLBL blacklist is much more effective and doesn't produce false positives in my experience. With SFS I've got some rare false positives.
Although it makes no sense to use this blacklists or databases to check usernames or email addresses. Just use them only to check the ip addresses. IP addresses are unique (in the WWW) and can not been faked like usernames or email addresses can been faked.

You can use DNS blacklists like access.atlbl.net (ATLBL) or opm.tornevall.org (SFS) to block spammers. It's very effective and founders and user administrators will have a lazy job. And if you are using it in a better way as it is realized with phpBB3 by default then you will not have any false positives.

Bye Martin
Free tutorial: Installing MODs in phpBB 3.0
Advanced Block MOD - Prevent spam on your phpBB 3.0 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists!
My MODs
Use the official phpBB Ideas to vote missing core features!!!

User avatar
heenan73
Registered User
Posts: 6
Joined: Wed Mar 09, 2011 2:35 pm
Location: Canterbury, UK
Name: Andrew Heenan
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by heenan73 »

Martin Truckenbrodt wrote:spammers can not learn from SFS. Blacklists or databases like SFS can not been hacked or cracked. Spammers have learned to crack the Visual CAPTCHAs and they have learned to crack the default Q&A CAPTCHAs.
Sorry, I didn't make myself clear; I do not believe SFS has been breached, and didn't intend to give that impression; my (poor) joke was only intended to imply that spammers have learned the value of databases, in that, like SFS, they have a compiled a live database of info useful to their members.

No anti-spam database is perfect; false positives can arise from over-enthusiastic members, spammer infiltration to devalue the DB, as well as structural issues.

For me, the real weakness is an over-reliance on IP address, which is a very much a moving feast and will become more so.

However, even with that weakness, the statistical likelihood of barring potential 'good members' by banning a spammer IP is infinitessimally small, given the number of IP addresses, the number of web users, and the niche nature of most forums. But I'm sure it has happened now and then.

As posts above have shown (as well as mu albeit limited personal experience), SFS can be a major tool if used correctly and intelligently, and I'd urge members to support the option of SFS in any future builds of phpBB - as well as making it much easier for the technically challenged (like me) to install and update all antispam tools.

xenofears
Registered User
Posts: 73
Joined: Tue Mar 08, 2011 2:17 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by xenofears »

Keycaptcha put a total end to spambots on my site, I strongly recommend it if you don't feel like making up good Q&A questions (it requires a MOD that doesn't include any file changes IIRC.) Recaptcha (as it stands) is totally cracked, I tried it and it was no better than the GD ones included, which were also useless.

Of course, Q&A also appears to be extremely successful. I never used it because I couldn't think of any decent questions :D

pennycsf
Registered User
Posts: 152
Joined: Mon Feb 01, 2010 6:29 pm
Location: Pyrenees-Orientales, South of France
Name: Frank Parkinson
Contact:

Re: [Discuss] Preventing Spam in phpBB3

Post by pennycsf »

Martin Truckenbrodt wrote:
IP addresses are unique (in the WWW) and can not been faked like usernames or email addresses can been faked.
Hello Martin

Once again you claim e-mail addresses can be faked!

Once again I say that if you use standard User Authentification in phpBB than anyone using a fake e-mail address will not get the e-mail thay need to validate their registration! Hence the e-mail used must be valid, and a check on e-mail address against StopForumSpam or other blacklist database is the best check possible.

QED

Frank
It's a poor day when you don't learn something!

Locked

Return to “[3.0.x] Support Forum”