[Discuss] Preventing Spam in phpBB3

END OF SUPPORT: 1 January 2017 (announcement)
Lumpy Burgertushie
Registered User
Posts: 63196
Joined: Mon May 02, 2005 3:11 am

Re: [Discuss] Preventing Spam in phpBB3

Post by Lumpy Burgertushie » Sun Feb 07, 2016 2:34 pm

some of those are pretty good questions. however, you only need one good question. if a bot breaks one you will not know which one it was and will have to start over with all new questions etc.

any of the yes/no questions will be broken at least 50% of the time.

any math type question is no good.

any question that you can get the answer from google is no good.

also, there are a few of those that I would not be able to answer without some research etc.

pick one good question and it will work just fine for you.

robert
I am available for custom work on a donation basis. Please send me a PM with your needs.
Premium phpBB 3.2 Styles by PlanetStyles.net

New phpbb 3.0 support site

Po Lu
Registered User
Posts: 4
Joined: Mon Nov 30, 2015 9:38 am

Re: [Discuss] Preventing Spam in phpBB3

Post by Po Lu » Mon Feb 08, 2016 5:50 am


Lumpy Burgertushie wrote:also, there are a few of those that I would not be able to answer without some research etc.

robert
What is the filename of the phpBB index page?

KevC
Support Team Member
Posts: 67100
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: [Discuss] Preventing Spam in phpBB3

Post by KevC » Mon Feb 08, 2016 9:33 am

It depends what your target audience is. If they know computers or know phpBB a lot, they will know the answer to that. If your site was about..... pet hamsters.... they wouldn't have a clue how to answer it.
-:|:- Support Request Template -:|:-
Cheap UK Hosting
"In the land of the blind the little green bloke with no pupils is king - init!"

HiFiKabin
Community Team Member
Posts: 2150
Joined: Wed May 14, 2014 9:10 am
Name: James

Re: [Discuss] Preventing Spam in phpBB3

Post by HiFiKabin » Mon Feb 08, 2016 10:21 am

Don't try to over think things.
An example of a hard question but easy answer:-
  • Q: Hydrogen appears at what position in the periodic table?
    A: 1

An example of an easy question but hard answer for (say) a car marque forum:-
  • Q: What is this forum main content?
    A: Ford Mustang
taken from http://phpbb.hifikabin.me.uk/viewtopic.php?f=8&t=34

pjdm
Registered User
Posts: 33
Joined: Thu Aug 07, 2008 9:27 pm
Location: Calgary eh?
Name: Paul Miller

Re: [Discuss] Preventing Spam in phpBB3

Post by pjdm » Wed Mar 02, 2016 5:20 pm

I have a 3.0.14 board and the Q&A has worked really well for blocking spammer registrations. In the last few days I got hammered with new fake registrations which tells me my questions need to be changed. When I reviewed the last 100 pages of USER LOGs I see that valid registrants and the spammers are hitting the CAPTCHA/Q&A multiple times but there is no lockout or timeout. It looks like they can just hammer away until they break a Q&A. I would have expected that at some point of abuse an ip and/or username should get blocked. Either permanently or temporarily.

Is this the way it is supposed to work or should there be a timeout or username lockout for [5] failed CAPTCHA attempts? Example attached for reference. I will update my Q&A to logo specific questions to help block spammers. I do each registration manually and I have never had a spammer reach my board since inception 3+ years ago. I use a username renaming technique which is an additional roadblock but it is successful as a second line of defense. I also use a first / last name custom field which the spammers always fill in a particular way so I can tell immediately if it is a real user.

[edit]
I changed the Q&A to tougher logo questions and it stopped registrations but not the attempts. This latest today from Ukraine, so I looked up the IP and clearly someone is making attempts all over. If I could, I would try to add this data somewhere to assist blocking that IP. It appears Anti-Spam ACP is a mod that uses this site to help block spammers but I only want to use it for registration attempts.
2016_03_02_15_11_42.png
2016-03-02 15_11_14.png
I had a thought that if I could log the spammer attempts at the Q&A and determine which work and which ones are weak it might help design a tougher Q&A.
Attachments
2016_03_02_08_31_47.png

edgar davids
Registered User
Posts: 370
Joined: Mon Jan 19, 2009 7:15 am

Re: [Discuss] Preventing Spam in phpBB3

Post by edgar davids » Thu Mar 31, 2016 5:16 am

I've just been hit with several hundred spam users on my phpBB board. Albeit I've left the board to its own devices over the last 6 months or so, I had some good Q&As which have worked well for 2 or so years until the last few months. What are others using as Q&As? (PM, not in here)

http://www.bertiestreet.com/forum

AmigoJack
Registered User
Posts: 4888
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: [Discuss] Preventing Spam in phpBB3

Post by AmigoJack » Thu Mar 31, 2016 6:39 am

pjdm wrote:If I could, I would try to add this data somewhere to assist blocking that IP.
...
I had a thought that if I could log the spammer attempts at the Q&A and determine which work and which ones are weak it might help design a tougher Q&A.
I could give instructions on how to modify the code of a 3.0.14 board to log those attempts to a file, along with IP address, useragent and so on. It'd require you to edit PHP files and create a new file on your server that has write access permissions.
The worst thing about censorship is ███████████

pjdm
Registered User
Posts: 33
Joined: Thu Aug 07, 2008 9:27 pm
Location: Calgary eh?
Name: Paul Miller

Re: [Discuss] Preventing Spam in phpBB3

Post by pjdm » Thu Mar 31, 2016 9:38 am

I think I'd like to do that. I can modify the files, I have some mods I've done myself and would appreciate the code to log as suggested. I have a cloned testing board I can make the edits on and test the results.

Since posting my problem, I have changed the CAPTCHA questions and that has really stopped the attempts except the occasional (once per month) attempt. I changed the questions where the answers would require looking at my board logo and finding the colors and text of items in the logo (what is third word in yellow). I also grabbed offending IPs who had been repeating attempts in my log and banned them for a month. If I could get your code I could do that last step automatically. TIA.

AmigoJack
Registered User
Posts: 4888
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: [Discuss] Preventing Spam in phpBB3

Post by AmigoJack » Thu Mar 31, 2016 11:57 am

  1. Open /includes/captcha/plugins/phpbb_captcha_qa_plugin.php and find:

        /**
        *  API function - see what has to be done to validate
        */
        function validate()
    Before, add:

        /*** 2016-03-31 BEGIN AmigoJack
            https://www.phpbb.com/community/viewtopic.php?p=14395951#p14395951 ***/
        var $sAnswer;  // Collect given user input
        var $aSolution= array();  // Collect possible correct choices
        function log_to_file( $sPosition ) {
            // Get all possible IP addresses
            $aIp= array();
            if( isset( $_SERVER['REMOTE_ADDR'] ) ) $aIp[]= $_SERVER['REMOTE_ADDR'];
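            // apache_request_headers() is missing on some non-Apache setups; fall back to no extra headers
            foreach( ( function_exists( 'apache_request_headers' ) ? apache_request_headers() : array() ) as $sName=> $sValue ) {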
                $sValue= trim( $sValue );
                if( preg_match( '#^(http[-_])?(via|for)$|forward[a-z]*([-_]for|$)|origin|[-_](ip|addr)$|proxy#i', $sName ) ) $aIp[]= $sValue;
            }
    
            // Clean IP addresses
            foreach( $aIp as $iIp=> $sIp ) {
                $aIp[$iIp]= trim( preg_replace( '# {2,}#', ' ', str_replace( ',', ' ', $sIp ) ) );
            }
    
            // Prepare log entry
            $sText= "
     Position: $sPosition
     IP addr:  ". implode( '; ', $aIp ). "
     Answer:   $this->sAnswer
     Solution: ". implode( '; ', $this-> aSolution );
            if( isset( $_SERVER['HTTP_USER_AGENT'] ) ) $sText.= "\n Agent:    $_SERVER[HTTP_USER_AGENT]";
            if( isset( $_SERVER['REQUEST_URI'] ) ) $sText.= "\n URI:      $_SERVER[REQUEST_URI]";
            if( isset( $_SERVER['HTTP_HOST'] ) ) $sText.= "\n Host:     $_SERVER[HTTP_HOST]";
            if( isset( $_SERVER['HTTP_REFERER'] ) ) $sText.= "\n Referer:  $_SERVER[HTTP_REFERER]";
            $sUsername= utf8_normalize_nfc( request_var( 'username', '', TRUE ) );
            if( $sUsername ) $sText.= "\n Username: $sUsername";
            $sEmail= request_var( 'email', '' );
            if( $sEmail ) $sText.= "\n Email:    $sEmail";
    
            // Add to log file
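            $hLog= fopen( $_SERVER['DOCUMENT_ROOT']. '/phpBB3014/store/phpbb_captcha_qa_plugin.log', 'ab' );
            if( $hLog ) {  // Skip logging if the file cannot be opened, instead of writing to an invalid handle
                fwrite( $hLog, "\n\n". date( 'Y-m-d H:i:s O' ). $sText );
                fclose( $hLog );
            }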
    
            // Reset
            $this-> sAnswer= '';
            $this-> aSolution= array();
        }
        /*** 2016-03-31 END ***/
    You have to modify '/phpBB3014/store/phpbb_captcha_qa_plugin.log' to your correct server path. Most probably it'll be '/store/phpbb_captcha_qa_plugin.log'.

    Find:

            if (!$this->confirm_id)
            {
                $error = $user->lang['CONFIRM_QUESTION_WRONG'];
    After, add:

                /*** 2016-03-31 BEGIN AmigoJack
                    https://www.phpbb.com/community/viewtopic.php?p=14395951#p14395951 ***/
                $this-> log_to_file( 'no confirm_id' );
                /*** 2016-03-31 END ***/
    Find:

                if ($this->check_answer())
                {
                    // $this->delete_code(); commented out to allow posting.php to repeat the question
                    $this->solved = true;
    After, add:

                    /*** 2016-03-31 BEGIN AmigoJack
                        https://www.phpbb.com/community/viewtopic.php?p=14395951#p14395951 ***/
                    $this-> log_to_file( 'solved' );
                    /*** 2016-03-31 END ***/
    Find:

                }
                else
                {
                    $error = $user->lang['CONFIRM_QUESTION_WRONG'];
    After, add:

                    /*** 2016-03-31 BEGIN AmigoJack
                        https://www.phpbb.com/community/viewtopic.php?p=14395951#p14395951 ***/
                    $this-> log_to_file( 'wrong answer' );
                    /*** 2016-03-31 END ***/
    Find:

            $answer = ($this->question_strict) ? utf8_normalize_nfc(request_var('qa_answer', '', true)) : utf8_clean_string(utf8_normalize_nfc(request_var('qa_answer', '', true)));
    After, add:

            /*** 2016-03-31 BEGIN AmigoJack
                https://www.phpbb.com/community/viewtopic.php?p=14395951#p14395951 ***/
            $this-> sAnswer= $answer;
            /*** 2016-03-31 END ***/
    Find:

            while ($row = $db->sql_fetchrow($result))
            {
                $solution = ($this->question_strict) ? $row['answer_text'] : utf8_clean_string($row['answer_text']);
    After, add:

                /*** 2016-03-31 BEGIN AmigoJack
                    https://www.phpbb.com/community/viewtopic.php?p=14395951#p14395951 ***/
                $this-> aSolution[]= $solution;
                /*** 2016-03-31 END ***/
    (Your file should now look like the attached one.)
  2. Create a file /store/phpbb_captcha_qa_plugin.log with write access.
  3. You have to test it yourself to verify
    1. the server path is the correct one to the file (look in my code for '/phpBB3014/store/phpbb_captcha_qa_plugin.log' which you will have to set to the correct one), and
    2. the log file can really be written to.
    It will also show you what gets logged.
Tested successfully.
Attachments
phpbb_captcha_qa_plugin.php
(25.71 KiB) Downloaded 8 times
The worst thing about censorship is ███████████
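
An added example, not part of the original thread or of phpBB: a Python reader for the log layout that log_to_file() above produces, counting 'wrong answer' entries per address and listing the answers that were accepted afterwards. The function names, the sample log and the limit of 5 (the figure pjdm floated earlier) are assumptions made for illustration.

```python
import re
from collections import Counter

STAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}$")
FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s*(.*)$")

def parse_entries(text):
    """Split the log into dicts; each entry starts at a timestamp line."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line):
            entries.append({"time": line})
        elif entries and (m := FIELD.match(line)):
            # Position and IP addr are written before any client-supplied
            # field, so keeping the first value per name protects them.
            entries[-1].setdefault(m.group(1), m.group(2))
    return entries

def remote_addr(entry):
    # REMOTE_ADDR is written first; the values after it come from request
    # headers, which the client chooses, so they are ignored for counting.
    return entry.get("IP addr", "").split(";")[0].strip()

def repeat_offenders(entries, limit=5):
    """Addresses with at least `limit` 'wrong answer' entries."""
    fails = Counter(remote_addr(e) for e in entries
                    if e.get("Position") == "wrong answer")
    return {ip: n for ip, n in fails.items() if n >= limit}

def solved_by_offenders(entries, offenders):
    """(address, accepted answer) pairs: shows which question was broken."""
    return [(remote_addr(e), e.get("Answer")) for e in entries
            if e.get("Position") == "solved" and remote_addr(e) in offenders]

def _entry(clock, position, ips, answer):  # builds constructed sample data
    return (f"\n\n2016-04-05 13:{clock} -0600\n Position: {position}\n"
            f" IP addr:  {ips}\n Answer:   {answer}\n Solution: yellow; gold\n"
            " Agent:    ExampleAgent/1.0")

# Constructed sample, not real traffic: one address guessing, one real user.
SAMPLE_LOG = "".join(
    [_entry(f"01:0{i}", "wrong answer", "203.0.113.7; 198.51.100.9", guess)
     for i, guess in enumerate(["red", "blue", "green", "1", "white"])]
    + [_entry("01:09", "solved", "203.0.113.7; 198.51.100.9", "yellow"),
       _entry("02:00", "wrong answer", "192.0.2.44", "golden"),
       _entry("02:30", "solved", "192.0.2.44", "gold")])

if __name__ == "__main__":
    flagged = repeat_offenders(parse_entries(SAMPLE_LOG))
    print(flagged, solved_by_offenders(parse_entries(SAMPLE_LOG), flagged))
```

The log holds every accepted answer in its Solution field, so the file should sit where the web server will not serve it.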

stevemaury
Support Team Member
Posts: 47783
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: [Discuss] Preventing Spam in phpBB3

Post by stevemaury » Thu Mar 31, 2016 4:15 pm

It is senseless and unnecessary to have more than one Q&A question. If a question gets cracked, you will not know which one, so you will have to change all of them. One good question is all that is needed.
For REALLY good and VERY inexpensive hosting CLICK HERE

All unsolicited PMs will be ignored.

pjdm
Registered User
Posts: 33
Joined: Thu Aug 07, 2008 9:27 pm
Location: Calgary eh?
Name: Paul Miller

Re: [Discuss] Preventing Spam in phpBB3

Post by pjdm » Tue Apr 05, 2016 1:18 pm

stevemaury wrote:It is senseless and unnecessary to have more than one Q&A question.
That statement is not correct on my site. My question(s) are specific and intended to be answered by users with specific knowledge of parts and airframes. If I get a user who is interested but not yet intimately familiar they may fail one question but pass another. I designed half dozen questions that someone interested in my site probably could answer. I doubt they could get 100% of them correct if they are novice, legitimate registrants.

pjdm
Registered User
Posts: 33
Joined: Thu Aug 07, 2008 9:27 pm
Location: Calgary eh?
Name: Paul Miller

Re: [Discuss] Preventing Spam in phpBB3

Post by pjdm » Tue Apr 05, 2016 1:22 pm

AmigoJack many thanks for that code above. I was just going through my logs and see that I am still getting the same pattern of repetitive attempts and they fail the CAPTCHA question(s) but are permitted to continue hammering away without my knowledge. I will test it out today and I think the idea is a great addition to security.

david63
Jr. Extension Validator
Posts: 12818
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: [Discuss] Preventing Spam in phpBB3

Post by david63 » Tue Apr 05, 2016 2:29 pm

pjdm wrote:That statement is not correct on my site. My question(s) are specific and intended to be answered by users with specific knowledge of parts and airframes. If I get a user who is interested but not yet intimately familiar they may fail one question but pass another. I designed half dozen questions that someone interested in my site probably could answer. I doubt they could get 100% of them correct if they are novice, legitimate registrants.
The problem with multiple questions is that if a "spammer" does get in you will not know which question failed.
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

pjdm
Registered User
Posts: 33
Joined: Thu Aug 07, 2008 9:27 pm
Location: Calgary eh?
Name: Paul Miller

Re: [Discuss] Preventing Spam in phpBB3

Post by pjdm » Tue Apr 05, 2016 2:37 pm

david63 wrote:The problem with multiple questions is that if a "spammer" does get in you will not know which question failed.
Can't we (collectively) code that as an addition to what AmigoJack is suggesting in the code above? I mean:

1) Log repeated attempts that fail.
2) Log attempts that pass.

I spot the registrations that are fake before they get approved. It is obvious. I cannot currently stop them from passing the Captcha by hammering 1000 times. AmigoJack's code above will stop most of them I believe because I can set a small limit now. A nice addition would be to log the successful CAPTCHA attempts. I like the idea.

Thanks to all for the comments.

