Page 4 of 9

Posted: Wed Dec 14, 2005 10:37 am
by think_mac_x

I'm having a lot spam posts lately, although not in my forum. I have a guestbook mod installed spammed by bots very often. :(

(Advanced Guestbook:

I'm pretty sure your mod can help avoiding spam in the guestbook, but I don't know how to modify your mod for it, since I don't know php...

In the phpbb support forum I asked for help ( ) but they told me to ask the mod autors...

So here I am... could you please find a few minutes to modify your code for use in the Advanced Guestbook?

Many many thx in advance!!

Posted: Wed Dec 14, 2005 4:39 pm
by magenta
Basically any mod would be modified the same as Quick Reply Hack (as discussed earlier in the thread), assuming it uses posting.php to actually post the comment. It's just a matter of inserting the hidden key values into the form.

Posted: Fri Dec 30, 2005 6:21 pm
by zenofeller
just installed it, looks excellent. will keep an eye on it in the unlikely event something goes awry.

on the same line of adding more mojo into the hash, maybe you should encourage users to modify the 5 seconds in

|| ($HTTP_POST_VARS[$timekey] ^ $timepad) > time() - 5))

to some random value more to their linking ?

Posted: Sat Dec 31, 2005 3:54 am
by magenta
I chose 5 seconds because it's short enough that any reasonable reply written by a human will go through while any bot-based submission would probably fail unless it queues stuff up (and although it's fairly easy to do in principle, I've seen that comment spammers are by and large utter morons).

Posted: Fri Jan 20, 2006 6:08 am
by spacetrace
i think this mod is a bit outdated cause modern bots simulate a real user, including session and waiting a few seconds before posting

a better solution is the captha-validation-image where you have to type some letters from an image in the registration process.
it is included in phpBB since some verions (i think 2.0.11) and can be activated in the administration panel (cause you need gdlib running on your server)

but in fact this captcha-image of phpBB is already hacked by some spambots, so they can read it now and fullfill the registration process :(

i think phpBB should add a better, new captcha image, that would give some rest for a while

Posted: Fri Jan 20, 2006 7:27 am
by magenta
Actually, it's not bots which simulate an actual user - as far as I can tell, THEY ARE ACTUAL USERS. In third-world countries where labor is cheap, spammers are actually paying people to register on forums and post messages. Everything I can tell from spammers on my forum and a few others indicates that it is real people browsing around and finding places to post comments.

Obviously there is no way to technologically distinguish between hand-spammers and legitimate posters without analyzing the content of the message, and really at a certain point you just have to give up and spend more time moderating.

Or, you can do what I did and just exclude your forum via robots.txt. They can't spam what they can't find. (Obviously this only works if the forum is supplemental to the actual content and not if you want people to actually find the forum on its own merits like if it's one of those communities where the posts are what drives traffic etc.)

It's a stupid scorched-earth way of handling things but, meh, my forum is just something I want to do on the side as a supplemental thing to my site which in turn is something I do in my spare time. I don't have the time/patience to babysit it.


Stupid arms race.

So yeah. Registration-only forums excluded from search engines via robots.txt. My forum is primarily just a comment system for my weblog anyway, so all the actual comment posts show up outside of the forum anyway (but without the cues the spammers use to actually find it via Google searches or whatever). And even then I STILL get spam because the stupid porn peddlers, travel agencies in Uruguay, etc. have my site on a list of sites to spam!


Posted: Fri Jan 20, 2006 1:42 pm
by spacetrace
magenta wrote: And even then I STILL get spam because the stupid porn peddlers, travel agencies in Uruguay, etc. have my site on a list of sites to spam!

you could log the useragent and HTTP_ACCEPT_LANGUAGE of the spammers and if the language is something like korean or so , then just show them a white page:

Code: Select all

if ($HTTP_ACCEPT_LANGUAGE=="zn") die(""); ...
anyway, i think just this mod does not suffice anymore to stop the bots (not human) from passing the registerpage .

if this mod is called "disable spambots" you should add to this mod a new captha-image that replaces the original phpBB-captcha (which is simply too easy to hack and many bots can read it already), then it would really protect against the bots.

Posted: Fri Jan 20, 2006 5:03 pm
by magenta
That brings it outside the scope of this hack. If you think this hack is antiquated then don't use it. Simple as that.

Anyway, captchas are extremely easily defeated, and only get in the way of a LOT of legitimate users.

Remember, anything a legitimate human can do, a spammer can figure out how to do too. No anti-spam solution is perfect, especially in a message board context where there's just not very much information to go on. Want to filter URLs? Spammers will start using TinyURL. Want to filter words? Spammers will start putting in misspellings. And on and on it goes. The only real solution in the long term is to hand-moderate, and even THAT can be pretty difficult at times. (I've seen some spam messages which are entirely hand-crafted for the site, but just link to scam/phish/pyramid-scheme/linkfarm/porn sites.)

Posted: Sun Jan 22, 2006 4:32 am
by spacetrace
magenta wrote: captchas are extremely easily defeated
these links show, that you can get humans to read the words on the captcha if you offer them something to win or free pix if they do... this works if you have the possibility to recognize the same word.

but if you use skibberish words on your captcha, and put some
extra lines over the word like here:
and maybe even more, then it will not be easy for the spammers to get a program running, that solves the reading of the picture.

i think this is still the only solution that works.

anyway it will work against most of the bots and that would be a bonus already.

but at the moment, every script-kiddy can program a bot that starts spamming the phpBB forums, so we HAVE to do something

Posted: Sun Jan 22, 2006 6:10 am
by magenta
Yes, what "we have to do" was something like what my mod did, and my mod worked really well for a long time, but it is no longer effective, because of there being way too many ways for spammers to get around it. Anything a human can do a bot can be programmed to do, or alternatively a spammer can pay workers in third-world nations to do, or they can trick normal people into doing it for free by offering something in return, and proxying an image is WAY easier than programming image-recognition code.

If you feel that you can improve on my mod and make it more effective against spammers, be my guest. But ALL of the spam posted to my forum is posted by REAL PEOPLE (or at least, it passes the Turing test based on my comprehensive log analysis as I can't differentiate them as being by bots), and so any technological solution which tries to differentiate between humans and bots has already failed from the get-go.

The only thing you can do is filter by content, on a message-by-message basis, or somehow remove the incentive for them to spam (and none of the spammers seem to care that I make all my links have rel="nofollow" either), or prevent them from finding the forum to begin with (which doesn't work if your forum already has an established, spammed URL, as I've been finding out lately).

Another thing I've done is added *.info to my email banlist, because most of my recent spam has come from people with .info email domains. I have never seen a legitimate .info site, and I've only seen one legitimate .biz site (mine, the domain name being an attempt at cleverness) though I haven't gotten any forum spam from .biz yet anyway.

But, still. My forum is registration-only, not crawled by search engines, has a registration captcha, has a bunch of domains in the email banlist, rel="nofollow" on all untrusted links, and a filter which prevents inactive accounts from showing up in the member list, and I also use a bunch of mod_rewrite tricks to redirect obvious spammers to other websites, and I STILL get more spam than legitimate comments! If you think you have a solution, by all means, implement it, and see if it helps, but I've personally given up at this point.

A passing thought for further enhancement

Posted: Wed Jan 25, 2006 7:02 pm
by dzm
So it's basically a given that most modern browsers have JavaScript on. Everyone's too in love with "Web 2.0" and image rollovers to not have it enabled.

So ... Maybe this Mod could be enhanced to include message signing on the client side? It already generates hidden fields with MD5 sums that have to be sent back (knocking out most spam bots), but it seems that a small amount of extra security could be achieved by having JScript on the client side generate an MD5 sum of some data submitted back (the message body is likely the best candidate) and submit that back as part of the post. Then this mod could check its own fields to verify that they're in tact, but could also check the MD5 sum of the message itself.

"Why?" you're asking.

Well ... This helps verify that the message hasn't been altered in transit (probably almost 100% useless, but still - there it is), but more importantly this verifies that the user-agent is a real browser and that it's actually interracting with the form.

I'm not positive that this adds value, but it seems like it couldn't hurt too badly.

Any thoughts?

Posted: Wed Jan 25, 2006 10:32 pm
by magenta
That still doesn't help with manually-posted spam, which is probably 99% of what I'm seeing these days. And anyway it's really easy to add a JavaScript interpreter to a spambot (it's not that complex a language and there's plenty of free JS interpreters out there). The only measures you can take against bots will only either make the spammers have to be more thorough in emulating a human agent, or cause the spammers to use more human agents (and work is cheap, between third-world nations and college students looking to make some extra cash; forum spamming is the new envelope-stuffing).

The only thing that will prevent all spam is manual review. Short of that, you can make it so that people who don't have a reason to be posting on the forum don't find it to begin with.

Posted: Sun Jan 29, 2006 11:45 am
by spacetrace
i have a solution against manually entered spam:

if a user is registered new and makes his first post in the forum, there could be a check, if in the post he is making, there is an URL included - if so, then this user is deleted immediately, (or better after a timeout of a few minutes, so the user doesent notice, that he fails ;) )

sure, there should be a note in the post-page, that it is forbidden to post external urls here, that are only for advertising purposes.

so this would be the mod:
when a user posts - check the number of posts a user already had - if zero, then this is the first post and we check if there is an URL in the post - if so, then the user is marked for deletion after random(3,10) minutes in the database.
whenever the viewforum.php is called, all users marked for deletion in the database where the deletetime is reached are deleted from all tables.
(somewhere should be locked what is done, just in case)

Posted: Tue Jan 31, 2006 4:35 pm
by caped_crusader
magenta wrote: The user then can resubmit from the preview. Basically, if a legitimate user manages to trigger the spambot protection (it's possible, but unlikely) then it acts as if they pressed "preview" instead.


Just installed, but now no one can edit their posts. What did I do wrong?? Thanks!

Posted: Tue Jan 31, 2006 5:01 pm
by magenta
No idea. Make sure you put the code in the right place, since if it's not in the right place it might apply to posts but not to edits or something. You may want to try reverting to the unmodified code and trying again, or better yet, just disable anonymous posting (via forum permissions) since like the last page or so of this thread has been about, this mod is no longer effective.