[Discuss] Preventing Spam in phpBB3

END OF SUPPORT: 1 January 2017 (announcement)
heenan73
Registered User
Posts: 6
Joined: Wed Mar 09, 2011 2:35 pm
Location: Canterbury, UK
Name: Andrew Heenan

Re: [Discuss] Preventing Spam in phpBB3

Post by heenan73 »

pennycsf wrote:if you use standard User Authentication in phpBB then anyone using a fake e-mail address will not get the e-mail they need to validate their registration! Hence the e-mail used must be valid, and a check on e-mail address against StopForumSpam or other blacklist database is the best check possible.
That's absolutely right - and email addresses are unique, whereas an IP may include innocents (false positives), or miss the spammer, who uses a different one each time (false negatives).

In practice, false negatives are a more serious issue - banning an IP when the spammer uses 300 different ones is little help, while banning 'innocent' potential members is a theoretical risk, and unlikely to occur much more often than the lottery Big Win.

And as virtually every forum uses email validation (and EVERY decent forum), then clearly email is a more reliable way of identifying and dealing with spammers.

But (flogging my dead horse), all will fail if the spam defences are too complex (or simply too daunting) for the average forum owner.

Voltrix
Registered User
Posts: 21
Joined: Wed Mar 09, 2011 1:58 am
Location: The Hive

Re: [Discuss] Preventing Spam in phpBB3

Post by Voltrix »

In the Q&A, what are some really clever questions and answers you guys have found that work?

xenofears
Registered User
Posts: 73
Joined: Tue Mar 08, 2011 2:17 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by xenofears »

heenan73 wrote:
pennycsf wrote:if you use standard User Authentication in phpBB then anyone using a fake e-mail address will not get the e-mail they need to validate their registration! Hence the e-mail used must be valid, and a check on e-mail address against StopForumSpam or other blacklist database is the best check possible.
That's absolutely right - and email addresses are unique, whereas an IP may include innocents (false positives), or miss the spammer, who uses a different one each time (false negatives).

In practice, false negatives are a more serious issue - banning an IP when the spammer uses 300 different ones is little help, while banning 'innocent' potential members is a theoretical risk, and unlikely to occur much more often than the lottery Big Win.

And as virtually every forum uses email validation (and EVERY decent forum), then clearly email is a more reliable way of identifying and dealing with spammers.

But (flogging my dead horse), all will fail if the spam defences are too complex (or simply too daunting) for the average forum owner.
Email validation did absolutely nothing to stop spambots. They are constantly making email accounts. A check against spam registries might be of much more value, but I doubt the best check possible.

pennycsf
Registered User
Posts: 152
Joined: Mon Feb 01, 2010 6:29 pm
Location: Pyrenees-Orientales, South of France
Name: Frank Parkinson

Re: [Discuss] Preventing Spam in phpBB3

Post by pennycsf »

xenofears wrote:
Email validation did absolutely nothing to stop spambots. They are constantly making email accounts. A check against spam registries might be of much more value, but I doubt the best check possible.
You must use something as well as User Authentication!

Q&A works wonderfully well, but requires good questions.
It's a poor day when you don't learn something!

heenan73
Registered User
Posts: 6
Joined: Wed Mar 09, 2011 2:35 pm
Location: Canterbury, UK
Name: Andrew Heenan

Re: [Discuss] Preventing Spam in phpBB3

Post by heenan73 »

xenofears wrote:Email validation did absolutely nothing to stop spambots. They are constantly making email accounts. A check against spam registries might be of much more value, but I doubt the best check possible.
I don't think anyone is suggesting that email validation does anything to stop spambots, simply that email validation gives you a genuine, unique identifier that can be reliably compared to registries.

xenofears
Registered User
Posts: 73
Joined: Tue Mar 08, 2011 2:17 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by xenofears »

Like I said.. I'm swearing by it right now: KeyCAPTCHA. Not a SINGLE spambot since (granted, it's not a big site, but plenty came out of the woodwork when the site switched to phpBB3 from ancient Snitz, several a day.) It prevents (for now at least!) farming anything out to real people in sweat shops as well, the biggest flaw in Q&A (as is using questions that have the answer as a word in the question, and solutions getting added to a database on big/high-profile sites.) I'm sure it will be cracked eventually, like all CAPTCHAs inevitably are, but for now it seems a very tough nut to crack.

pennycsf
Registered User
Posts: 152
Joined: Mon Feb 01, 2010 6:29 pm
Location: Pyrenees-Orientales, South of France
Name: Frank Parkinson

Re: [Discuss] Preventing Spam in phpBB3

Post by pennycsf »

xenofears wrote:Like I said.. I'm swearing by it right now: KeyCAPTCHA...

I'm sure it will be cracked eventually, like all CAPTCHAs inevitably are, but for now it seems a very tough nut to crack.

I agree, KEYCaptcha is a very tough nut to crack - too hard, I think, and that is a problem in itself!

It may be a problem with my screen size or clarity, but I failed to get it right one time in three attempts.

I don't think it would be useful for my (not particularly computer literate) target audience.

For this type of visual Captcha I thought PeopleSign looked best and easiest for most people, though I still prefer Q&A.
It's a poor day when you don't learn something!

Erik Frèrejean
Former Team Member
Posts: 9899
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean

Re: [Discuss] Preventing Spam in phpBB3

Post by Erik Frèrejean »

pennycsf wrote:
xenofears wrote:Like I said.. I'm swearing by it right now: KeyCAPTCHA...

I'm sure it will be cracked eventually, like all CAPTCHAs inevitably are, but for now it seems a very tough nut to crack.

I agree, KEYCaptcha is a very tough nut to crack - too hard, I think, and that is a problem in itself!
I personally wouldn't bother a second to register on a site that runs that captcha. IMHO that's even less user friendly than the phpBB GD captcha.
Support Toolkit | Support Request Template | Knowledge Base | phpBB 3.0.x documentation
I don't give support via PM or IM! (all unsolicited pms will be trashed!)

Martin Truckenbrodt
Registered User
Posts: 3045
Joined: Sun Mar 23, 2003 6:22 pm
Location: Franconia
Name: Martin Truckenbrodt

Re: [Discuss] Preventing Spam in phpBB3

Post by Martin Truckenbrodt »

Hello Frank aka pennycsf,
a lot of spambots are activating their accounts automatically if you have set Account Activation to User! These spammers are using real email addresses!
So you have to use Admin Activation. But then real email addresses are not needed to register.
Okay, you can use Double Activation to bring these two techniques together in one good solution. ;)

Another point are guest postings. (BTW: I don't like them!). Here not any email address is needed.

@Erik Frèrejean: There are solutions where not any new user has to fill out any CAPTCHA. ;)

Bye Martin
Free tutorial: Installing MODs in phpBB 3.0
Advanced Block MOD - Prevent spam on your phpBB 3.0 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists!
My MODs
Use the official phpBB Ideas to vote missing core features!!!

Erik Frèrejean
Former Team Member
Posts: 9899
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean

Re: [Discuss] Preventing Spam in phpBB3

Post by Erik Frèrejean »

Martin Truckenbrodt wrote:@Erik Frèrejean: There are solutions where not any new user has to fill out any CAPTCHA. ;)
I know, I've developed a couple myself ;). Although the methods I'm using are pretty easy to beat but they work as they are unique to some sites (hence they aren't released as MODs).
Support Toolkit | Support Request Template | Knowledge Base | phpBB 3.0.x documentation
I don't give support via PM or IM! (all unsolicited pms will be trashed!)

heenan73
Registered User
Posts: 6
Joined: Wed Mar 09, 2011 2:35 pm
Location: Canterbury, UK
Name: Andrew Heenan

Re: [Discuss] Preventing Spam in phpBB3

Post by heenan73 »

Erik Frèrejean wrote:I personally wouldn't bother a second to register on a site that runs that captcha. IMHO that's even less user friendly than the phpBB GD captcha.
I don't see the problem, and I've been able to download it and install it and configure it successfully since reading the last post (about ten minutes), which is about a tenth of the time I've taken in failing to install various other plugins.

I think it's quite elegant, and I really don't see what's difficult about it (age 59, less than 20:20 vision - quite a lot less).

In fact, my only worry is that it's based in Eastern Europe ... but I guess they know a fair bit about spam!

I've installed it on one of two phpbb boards I control ... we'll see.

xenofears
Registered User
Posts: 73
Joined: Tue Mar 08, 2011 2:17 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by xenofears »

heenan73 wrote:
Erik Frèrejean wrote:I personally wouldn't bother a second to register on a site that runs that captcha. IMHO that's even less user friendly than the phpBB GD captcha.
I don't see the problem, and I've been able to download it and install it and configure it successfully since reading the last post (about ten minutes), which is about a tenth of the time I've taken in failing to install various other plugins.

I think it's quite elegant, and I really don't see what's difficult about it (age 59, less than 20:20 vision - quite a lot less).

In fact, my only worry is that it's based in Eastern Europe ... but I guess they know a fair bit about spam!

I've installed it on one of two phpbb boards I control ... we'll see.
I'd be interested to know if anyone has had a rise in complaints about the keyCAPTCHA switching from other ones. I really don't see how it is not user friendly. Then again, some users can't figure out how to post. It's a CAPTCHA, they are usually a pain in the ass, but IMHO I don't see it being any less user friendly or more difficult than anything else out there. But it's not my opinion that matters.

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: [Discuss] Preventing Spam in phpBB3

Post by Pony99CA »

heenan73 wrote:
pennycsf wrote:if you use standard User Authentication in phpBB then anyone using a fake e-mail address will not get the e-mail they need to validate their registration! Hence the e-mail used must be valid, and a check on e-mail address against StopForumSpam or other blacklist database is the best check possible.
That's absolutely right - and email addresses are unique, whereas an IP may include innocents (false positives), or miss the spammer, who uses a different one each time (false negatives).
Actually, E-mail addresses are serially unique. They can be reused. I work at a company where E-mail addresses are basically first_name.last_name and got the E-mail address of somebody else with the same name who left the company.

Also, spammers could use your E-mail address when registering at a board. No, they wouldn't be able to post spam, but, depending on how Stop Forum Spam harvests "spam" E-mails, it might get your E-mail address listed as a spammer even though you aren't one.

If spammers poison the well enough, getting enough non-spammer addresses in there, people might stop using Stop Forum Spam's E-mail address feature.

Think of it like domain names. A domain name is unique until you stop paying for it, at which point some spammer/squatter buys it and puts up a "What you want, when you want it" site.
heenan73 wrote:In practice, false negatives are a more serious issue - banning an IP when the spammer uses 300 different ones is little help, while banning 'innocent' potential members is a theoretical risk, and unlikely to occur much more often than the lottery Big Win.
I think that you're using "false negatives" backwards. Most of us seem to use "false positive" to mean a person who is falsely identified as a spammer.

I agree that's worse than accidentally letting a spammer in, but the previous section illustrates how E-mail addresses aren't necessarily any more reliable than IP addresses.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
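
Added example, not part of any post in this thread: a Python sketch of a registration policy that weighs the email and IP registry evidence debated above, so that a single or stale listing (a reused or poisoned address, a shared IP) sends the account to admin activation instead of an outright ban. The record fields (`appears`, `frequency`, `lastseen`), the thresholds and the sample records are assumptions constructed for illustration, not output from any real registry.

```python
from datetime import datetime, timedelta

# Assumed thresholds (not from the thread); tune them for your board.
MIN_REPORTS = 3                 # reports needed before a listing is trusted
MAX_AGE = timedelta(days=90)    # older listings may be reused or poisoned

def evidence(rec, now):
    """Grade one registry record as 'none', 'weak' or 'strong'."""
    if not rec or not rec.get("appears"):
        return "none"
    last_seen = datetime.strptime(rec["lastseen"], "%Y-%m-%d %H:%M:%S")
    if rec.get("frequency", 0) >= MIN_REPORTS and now - last_seen <= MAX_AGE:
        return "strong"
    return "weak"   # a single report, or one that has gone stale

def decide(email_rec, ip_rec, now):
    """Map email and IP evidence to a registration action."""
    email, ip = evidence(email_rec, now), evidence(ip_rec, now)
    if email == "strong":
        return "reject"
    if email == "weak" and ip != "none":
        return "reject"             # two independent signals agree
    if email == "weak" or ip != "none":
        return "admin_activation"   # a human reviews; nobody is banned outright
    return "user_activation"        # no evidence: normal email validation

# Constructed sample records (hypothetical shape, not real registry output).
NOW = datetime(2011, 3, 10, 12, 0, 0)
CLEAN = {"appears": False}
ACTIVE = {"appears": True, "frequency": 41, "lastseen": "2011-03-08 09:15:00"}
STALE = {"appears": True, "frequency": 1, "lastseen": "2009-01-05 17:40:00"}

if __name__ == "__main__":
    cases = {
        "actively reported email": (ACTIVE, CLEAN),
        "reused or poisoned email": (STALE, CLEAN),
        "shared IP, unknown email": (CLEAN, ACTIVE),
        "stale email plus listed IP": (STALE, ACTIVE),
        "nothing known": (CLEAN, CLEAN),
    }
    for label, (email_rec, ip_rec) in cases.items():
        print(f"{label:28s} -> {decide(email_rec, ip_rec, NOW)}")
```

The last case is the false negative raised in the thread: a spambot with a fresh address and a fresh IP passes the registry check, which is why the check complements Q&A or a CAPTCHA and does not replace them.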

peoplesignDave
Registered User
Posts: 23
Joined: Mon Jan 31, 2011 8:32 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by peoplesignDave »

There are some fine CAPTCHA mods for phpBB3, but you can probably guess I'm a little biased towards Peoplesign :mrgreen:. Peoplesign is a variable difficulty object recognition CAPTCHA: insta-demo at peoplesign.com. In short, you simply click a picture(s) instead of typing in characters.

Peoplesign has been in the works for over 3 years and our bb3 mod is nearly a year old now. We have plugins/mods for 7 platforms, and bb3 is our most popular. We've had close to 1000 bb3 sites sign up so far in 2011. The bb3 community has been very helpful and patient as we've gradually stabilized the mod into its current solid condition. Thank you!

But we're just getting started. I'm on the project for the long haul, and the team is growing. We're hard at work on some amazing new features, coming soon in April/May 2011 to a registration form near you.

KeyCAPTCHA
Registered User
Posts: 66
Joined: Sun Nov 14, 2010 8:32 am

Re: [Discuss] Preventing Spam in phpBB3 (KeyCAPTCHA)

Post by KeyCAPTCHA »

pennycsf wrote:
xenofears wrote:Like I said.. I'm swearing by it right now: KeyCAPTCHA...

I'm sure it will be cracked eventually, like all CAPTCHAs inevitably are, but for now it seems a very tough nut to crack.
I agree, KEYCaptcha is a very tough nut to crack - too hard, I think, and that is a problem in itself!

It may be a problem with my screen size or clarity, but I failed to get it right one time in three attempts

I don't think it would be useful for my (not particularly computer literate) target audience.
You know, my wife could not pass a squiggly-giggly-w(r)iggly-letters captcha 12 times while trying to log-in to her bank out and eventually had to desist.
And she wants to close her bank account because of it.

While KeyCAPTCHA requires neither education (we checked that it is being passed by 4-years-old children) nor knowledge of any languages (to understand a math question, etc.). Though, our geo-cluster on 24*7*365 datacenters over a few countries servers feed KeyCAPTCHAs in a dozen languages and support new ones being added by 3-5 a month.

KeyCAPTCHA is harder on first use but, I promise you, next times one passes it much faster like a breath.

The point in KeyCAPTCHA is not that it is currently not crackable but that it is easier to develop than spam bot (unlike other antispam solutions) and the pool of captchas as well as the type of captcha can be replaced without plugin reinstallation.

Also, KeyCAPTCHA team monitors spam bots development and activity on protected websites and can replace KeyCAPTCHA pool or even type preemptively.
All other existing antispam solutions are lagging a few steps behind advancement of spamming techniques.
I do not know any other solution providing the same abilities, they just follow behind spamming incidents.

KeyCAPTCHA service is free (well, it is free of charge antispam service, not "free of spam Joomla plugin" as malicious spamming webfarms repost it filling all google results) but subscribers of our fee-based "Personal CAPTCHA" service can create their own captchas from their own images with our on-line designer.

Best,
Guennadi --- Gennady --- Геннадий
(KeyCAPTCHA Team)
Tweet us: @KeyCAPTCHA
Protect published Email from bot harvesters: hidemail.at
Last edited by camm15h on Thu Mar 10, 2011 1:12 pm, edited 2 times in total.
Reason: Removed several links, please do not spam.
