Preventing Spam in phpBB3

NOTE: phpBB 3.1.x is at its End of Life stage and support will NOT be provided after July 1st, 2018.
Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm


Post by Phil »

Recent updates to common spamming software have led to severe shortcomings in the stock, image-based CAPTCHAs. The information below has been updated in light of this. Do note that any and all specifics are written for phpBB 3.0.6 and above; they will not work with older versions. Techniques for phpBB 3.0.5 and older are available here; however, they are no longer supported. An archive of the previous anti-spam topic is available here.

This topic discusses common methods for spam prevention. For a brief overview of what spam is, see our spam FAQ.

Stopping Spam - Techniques and Strategies
  1. Effective Solutions
    At this time, the below solutions seem to be most effective when fighting spambots.
    • Q&A CAPTCHA
      At this time, the Q&A CAPTCHA plugin seems to be the most effective single solution against spambots (and some human spammers). For this technique to be effective, you must use simple but non-obvious question and answer combinations. For instance, "Who do you see in the mirror?" is an effective question, while "What colour is the sky?" or "2+2 = ?" are not. These questions are particularly effective on niche forums where one can ask a question that is not immediately obvious to the general populace.

      One type of question that appears effective is of the type:

      What are the first three letters in the name (or URL) of this Board?

      Also very effective are questions of the type:

      Q: What are the first three and last three characters of this board's URL?
      A: phpity

      Q: Grass is to lawn as __________ is to forest.
      A: tree

      Or:

      Q: Forest is to lawn as grass is to ______________.
      A: trees

      To enable the Q&A CAPTCHA, browse to Spambot countermeasures on the General tab of the Administration Control Panel (ACP), then select "Q&A" under "Installed Plugins". Select "Configure", set up your question and answer pairs, then submit the form. Note that you may need separate Q&As for each language you use.
    • Blocking UTC-12 Registrations NOTE: Although reasonably effective when this was first written, it is no longer particularly effective.

      Though we are generally hesitant to suggest specific MODs or changes, this particular change has proven to be mostly effective against the current generation of spambots. The change below simply shows an error message to bots that attempt to register using the UTC-12 timezone (many bots select it because it is index 0 in the list; it is an uninhabited timezone, so there is no harm in blocking it).

      The change is quite simple:

      Code:

      #
      #-----[ OPEN ]------------------------------------------
      #
      includes/ucp/ucp_register.php

      #
      #-----[ FIND ]------------------------------------------
      #

             $data = array(
               'username'         => utf8_normalize_nfc(request_var('username', '', true)),
               'new_password'     => request_var('new_password', '', true),
               'password_confirm' => request_var('password_confirm', '', true),
               'email'            => strtolower(request_var('email', '')),
               'email_confirm'    => strtolower(request_var('email_confirm', '')),
               'lang'             => basename(request_var('lang', $user->lang_name)),
               'tz'               => request_var('tz', (float) $timezone),
            );

      #
      #-----[ AFTER, ADD ]------------------------------------------
      #

            // Reject registrations that selected the UTC-12 timezone (list index 0),
            // which real users in inhabited timezones never pick.
            if ($data['tz'] == -12)
            {
               $message = $user->lang['ACCOUNT_INACTIVE'];
               $message = $message . '<br /><br />' . sprintf($user->lang['RETURN_INDEX'], '<a href="' . append_sid("{$phpbb_root_path}index.$phpEx") . '">', '</a>');
               trigger_error($message);
            }

      #
      #-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
      #
      # EoM
    • Downloadable CAPTCHA Plugins
      The key to effective spam prevention is making your forum unique. An effective way to do this is to utilize a third-party CAPTCHA plugin, made possible by phpBB 3.0.6's CAPTCHA architecture change. A list of validated CAPTCHA plugins (and other antispam MODs) is available here. Do note that not all antispam MODs are equally effective; you should review feedback in each item's Support area in the Customisation Database before deciding on the solution that is right for you.
    • Sortables CAPTCHA https://www.phpbb.com/customise/db/mod/ ... ha_plugin/
    • Newly Registered Users Group - phpBB 3.0.6 also sees the introduction of the "Newly Registered Users" group. This feature, which may be enabled via the User Registration Settings page of the Administration Control Panel (ACP), allows the administrator to define a minimum post count; if a user is below this limit they will be a member of the Newly Registered Users group. Permissions may be set on this group much like any other group -- an example use is to place the Newly Registered Users group on the moderation queue for all forums. The user is automatically removed from the group when they reach the defined post amount. Be aware that this feature is not retroactive -- users who registered prior to a board's upgrade to phpBB 3.0.6 will not be placed in the Newly Registered Users group, regardless of their post count.
  2. Other Solutions
    • Custom Profile Fields - There is an article in the Knowledge Base detailing utilising Custom Profile Fields as a spam deterrent. This seems to be effective against most bots.
    • Admin Activation - This is not practical on most boards, but is an excellent option on smaller, less-trafficked boards. Many spam registrations utilise Gmail addresses or .cn domains, and use a seemingly random combination of letters and numbers for their username.
    • The McGirr Method - NOTE that this method is not available in the 3.1.x line, as it has no email confirmation field. This will remove the "confirm your email address" field from the registration form; if a bot tries to automagically fill in the email confirmation, an error will trigger and deny registration. So here we go:

      OPEN

      includes/ucp/ucp_register.php

      FIND

      Code:

                  'email_confirm'      => array('string', false, 6, 60),
      REPLACE WITH

      Code:

                  'email_confirm'      => array('string', true, 6, 60),
      FIND

      Code:

                  if ($data['email'] != $data['email_confirm'])
                  {
                     $error[] = $user->lang['NEW_EMAIL_ERROR'];
                  }
      REPLACE WITH

      Code:

                  if (!empty($data['email_confirm']))
                  {
                     $error[] = 'You are a spam bot...go away!';
                  }
                  /*if ($data['email'] != $data['email_confirm'])
                  {
                     $error[] = $user->lang['NEW_EMAIL_ERROR'];
                  }
                  */
      OPEN

      styles/prosilver/template/ucp_register.html

      FIND

      Code:

         <dl>
            <dt><label for="email_confirm">{L_CONFIRM_EMAIL}:</label></dt>
      
      REPLACE WITH

      Code:

         <dl style="display:none;">
            <dt><label for="email_confirm">{L_CONFIRM_EMAIL}:</label></dt>
      
      You can apply the same change to any style; just take note of the style="display:none;" part in the code above.
    • Broken Visual CAPTCHA Plugins
      These CAPTCHAs are included in the stock install but have been broken by spambots. They are ineffective and should not be used.
      • CAPTCHA Without GD
      • GD 3D CAPTCHA
      • reCAPTCHA
      • GD CAPTCHA
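As an added example (not phpBB's own code), the following Python models the three registration checks this topic describes: the Q&A CAPTCHA answer comparison, the UTC-12 timezone rejection, and the hidden email_confirm honeypot of the McGirr method. The question text, form keys and error strings are assumptions; phpBB itself performs the equivalent checks in PHP inside includes/ucp/ucp_register.php.

```python
"""Stand-alone model of the registration checks from this topic.
Assumed example; it is not phpBB code and does not touch phpBB's tables."""
import unicodedata

# Constructed Q&A pairs. Answers are compared case-insensitively after NFC
# normalisation, mirroring phpBB's utf8_normalize_nfc() on submitted input.
QA_PAIRS = {
    "What are the first three letters in the name of this board?": {"php"},
    "Grass is to lawn as __________ is to forest.": {"tree", "trees"},
}


def normalise(value: str) -> str:
    """NFC-normalise, trim and casefold a submitted answer."""
    return unicodedata.normalize("NFC", value).strip().casefold()


def validate_registration(form: dict) -> list:
    """Return a list of error strings; an empty list means the form passed."""
    errors = []

    # 1. Honeypot (McGirr method): the template hides email_confirm with
    #    display:none, so a human leaves it empty and a bot that auto-fills
    #    every field trips the check.
    if form.get("email_confirm", ""):
        errors.append("honeypot field filled")

    # 2. Timezone: UTC-12 is the first list entry and uninhabited, so a
    #    registration that selects it is treated as a bot. Unparseable
    #    values fall back to 0, as request_var() would cast them.
    try:
        tz = float(form.get("tz", 0))
    except ValueError:
        tz = 0.0
    if tz == -12:
        errors.append("UTC-12 timezone selected")

    # 3. Q&A CAPTCHA: the question shown at registration is echoed back and
    #    the answer must match one of the configured answers.
    answers = QA_PAIRS.get(form.get("qa_question", ""))
    if answers is None or normalise(form.get("qa_answer", "")) not in answers:
        errors.append("Q&A CAPTCHA answer incorrect")

    return errors
```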
These steps, used individually or together, should work to slow or stop your spam problem. Please seek support for the MODs listed above in their respective topics.

Please use this topic to discuss this information.

Changelog
1298750321 - Rewritten - Phil
1354381122 - Added note re UTC -12 and added question examples - stevemaury
1369438616 - Added the McGirr Method and changed the "1st 3, last 3" example - stevemaury
1385134392 - Changed "What programming language is phpBB written in?" - stevemaury
1385134793 - Added Sortables CAPTCHA - stevemaury
1406545860 - Expanded ACP acronym - Oyabun1
1458815040 - Edited to note McGirr method not available in 3.1.x - stevemaury
1460846074 - Edited to add the "What are the first letters in the board's name" type of question - stevemaury
Last edited by stevemaury on Mon Sep 22, 2014 3:13 am, edited 15 times in total.