Spam and PHP-BB

kazooki
Registered User
Posts: 3
Joined: Tue Jul 17, 2012 12:50 pm

Spam and PHP-BB

Post by kazooki »

I am absolutely sick and tired of spam to the point where I am just thinking of closing my forum down.

I have spent a lot of time integrating the forum into my design and getting the whole thing up and running.
It is only a very small forum and has few visitors & posts and I have not advertised it ANYWHERE .. however it has been battered over the last few months with scummy spammers.

I have enabled spambot countermeasures, I have installed Q & A and set up around 10 different questions.
I have also enabled guest posting where I have to verify the posts before they go live.

What else can I do and how are these people finding my forum?
Do phpBB advertise my site to spam merchants in order to finance the work they do?

I have around 20-30 users signing up per day posting about NFL Jerseys, Nike etc Sportswear, Kim Kardashian Sex Tapes etc etc.

Being such a small site I just don't have the time to be constantly deleting and banning posts and users. I ban them by IP address and by email and when they use a domain rather than a gmail account I blanket ban the entire domain *@domain.com but they still persist.

.. and lately, even though I have added the guest posting option where I need to verify new member posts, a lot of new spam members are somehow completely circumventing it somehow and posting directly onto the forum.

What is the best thing to do?
If this is simply what happens and it cannot be stopped with phpBB then I think I'll just close it.

Thanks in advance for any advice.

KevC
Support Team Member
Posts: 69630
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: Spam and PHP-BB

Post by KevC »

kazooki wrote: I have enabled spambot countermeasures, I have installed Q & A and set up around 10 different questions.

What questions are you using?

Having 10 is a bad idea. If one is really easy and nine are difficult, you don't know which is the one they are beating every time. Just have one question. If it's not effective you know what to change.

kazooki wrote: I have also enabled guest posting where I have to verify the posts before they go live.

I assume you mean you've enabled the post moderation queue. That's a sensible step but if you get the right question they shouldn't even get that far.

kazooki wrote: Do phpBB advertise my site to spam merchants in order to finance the work they do?

No, not at all. Your site is on the internet. They have search bots that scour it to find sites, all day every day. It costs them next to nothing to do that.

kazooki wrote: I ban them by IP address and by email and when they use a domain rather than a gmail account I blanket ban the entire domain *@domain.com but they still persist.

Banning them isn't very effective. They rarely use the same information twice and it just fills your banlist table with info that has to be checked every time someone does register. I've got a few boards and I haven't banned anything. I don't have any spam issues either. So it's not an effective solution.

kazooki wrote: and lately, even though I have added the guest posting option where I need to verify new member posts, a lot of new spam members are somehow completely circumventing it somehow and posting directly onto the forum.

That's not possible unless you have some other integrated registration page elsewhere or you have a duplicate installation without any registration protection.

kazooki wrote: What is the best thing to do? If this is simply what happens and it cannot be stopped with phpBB then I think I'll just close it.

A good Q&A question is all you need and it'll stop. Every forum software out there has the same problem with spam. You just have to employ the right methods to stop it.
"In the land of the blind the little green bloke with no pupils is king - init!"
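
KevC's point about running ten questions at once, as an added example (not part of the original thread and not phpBB code): if each registration attempt is recorded with the question it was served, counting outcomes per question shows which one is being beaten. The log format, question ids and rows are constructed assumptions; phpBB is not assumed to write such a log itself.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (assumed format, not a phpBB log): one row per
# registration attempt.
#   passed = 1 if the Q&A answer was accepted
#   spam   = 1 if a moderator later removed the account as spam
#            (only meaningful when passed = 1; a failed attempt creates no account)
SAMPLE_LOG = """\
question_id,passed,spam
q_sky,1,1
q_sky,1,1
q_needle,0,0
q_upper,1,0
q_sky,0,0
q_needle,1,0
q_sky,1,1
q_upper,0,0
q_upper,1,1
q_needle,1,0
q_sky,1,1
q_upper,0,0
q_needle,0,0
"""


def per_question_stats(log_text):
    """Count attempts, accepted answers and later-removed spam accounts per question."""
    stats = defaultdict(lambda: {"served": 0, "passed": 0, "spam_passed": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        s = stats[row["question_id"]]
        s["served"] += 1
        if row["passed"] == "1":
            s["passed"] += 1
            s["spam_passed"] += int(row["spam"])
    return dict(stats)


def weakest_questions(stats, min_served=3):
    """Rank questions by spam accounts let through, then by spam share of passes."""
    ranked = [
        (qid, s["spam_passed"], s["spam_passed"] / s["passed"])
        for qid, s in stats.items()
        if s["served"] >= min_served and s["passed"]  # skip thin or all-fail data
    ]
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for qid, spam_n, share in weakest_questions(per_question_stats(SAMPLE_LOG)):
        print(f"{qid}: {spam_n} spam accounts, {share:.0%} of accepted answers")
```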

randomessence
Registered User
Posts: 135
Joined: Sun May 01, 2011 10:27 pm

Re: Spam and PHP-BB

Post by randomessence »

It did not occur to me at first that these spam bots google answers. So when I was thinking of questions I did not at first think to ask questions that Google could not answer. A simple oversight that should maybe be mentioned when you say use a good question, since I think that is probably the soundest anti-spam advice.

AmigoJack
Registered User
Posts: 5698
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Spam and PHP-BB

Post by AmigoJack »

Bots are doing things in an automated way. Sending a request to Google and evaluating the response can be automated very well - that's quite obvious to me. It's like "it did not occur to me at first that robbers look under your door mat for the key" or "it did not occur to me at first that hackers try my birthday as password".
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Re: Spam and PHP-BB

Post by EXreaction »

There are also some mods you may want to look into, such as Akismet integration: http://lithiumstudios.org/forum/viewtop ... =31&t=1976

That should block out a large portion of the spam from at least being publicly visible.

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: Spam and PHP-BB

Post by Pony99CA »

AmigoJack wrote: Bots are doing things in an automated way. Sending a request to Google and evaluating the response can be automated very well - that's quite obvious to me.

While human spammers may Google for answers, I seriously doubt that spam bots do. If they're sophisticated enough to do that and parse Google's response to find the phrase they need, they'd be more than intelligent enough to solve the questions that people here call "good" questions (like "Type the uppercase letters from the following string: "AbCdXYz"").

Remember that a CAPTCHA is supposed to distinguish bots from humans. For example, if my question was "Who won the 1968 World Series?", if you Google that, the first two results don't even mention the team that won in the response blurb -- the Detroit Tigers. While a human might click one of the links and read the article or might go to the third result and find the answer, how would a bot figure that out if it supposedly can't read the simple uppercase question that I posted above?

Look at the computing system that was required for Watson to beat human players on Jeopardy. While a bot wouldn't have to "beat" a human, it would have to do fairly well, and I doubt that many spammers (even sophisticated organizations) do that.

I think better advice is to avoid questions with common answers (like "blue" which would answer many questions like "What color is the sky?" or "What color is the ocean?").

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

DionDesigns
Registered User
Posts: 515
Joined: Sun Feb 26, 2012 11:22 pm
Location: Uncertain due to momentum.

Re: Spam and PHP-BB

Post by DionDesigns »

The current phpBB product is quite susceptible to automated spamming, and the problem will continue until the registration and post forms are more dynamic.

There's another group of spammers, and I suspect they're the most prevalent these days...humans who use Greasemonkey scripts to fill out forms. These people can click one button on their system, and it will fill out a registration form or post form, and submit it. They don't even need to know the language of the page they're on -- they only need to recognize the page layout.

The way to beat both of these types of spammers is to dynamically change the names/IDs on the post and registration pages to something other than "submit", "postform", "register", whatever. Meaning...these names should be in the _config table, set in templates through variables, and most important, randomly created at the time phpBB is installed. This would make the DOM on the registration and post pages different on every phpBB installation -- thereby making it nearly impossible for any form of automated spamming.

A_Jelly_Doughnut
Former Team Member
Posts: 34457
Joined: Sat Jan 18, 2003 1:26 am
Location: Where the Rivers Run

Re: Spam and PHP-BB

Post by A_Jelly_Doughnut »

DionDesigns wrote: This would make the DOM on the registration and post pages different on every phpBB installation -- thereby making it nearly impossible for any form of automated spamming.

This may be the case now, but such a defense could be broken in an afternoon by the maintainers of the spambots, simply by parsing the HTML.

Pony99CA wrote: While human spammers may Google for answers, I seriously doubt that spam bots do.

It isn't necessarily that Google is being used (although I cannot prove or disprove this), but I do know that spambots have a built-in database of answers to common questions (what color is the sky, what is the capital of England, etc.)
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish

DionDesigns
Registered User
Posts: 515
Joined: Sun Feb 26, 2012 11:22 pm
Location: Uncertain due to momentum.

Re: Spam and PHP-BB

Post by DionDesigns »

A_Jelly_Doughnut wrote:
DionDesigns wrote: This would make the DOM on the registration and post pages different on every phpBB installation -- thereby making it nearly impossible for any form of automated spamming.
This may be the case now, but such a defense could be broken in an afternoon by the maintainers of the spambots, simply by parsing the HTML.

If each phpBB installation has a different DOM on the registration page, I fail to see what parsing the HTML would accomplish...other than the spambot being able to auto-register on the one page where the algorithm would work.

I realize what I'm suggesting flies in the face of standardized coding, but...I hope developers realize that standardized coding is a big reason why spammers have been able to get so far, so fast. It's time to think outside the box if one wants to put a dent in the spammers!

AmigoJack
Registered User
Posts: 5698
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Spam and PHP-BB

Post by AmigoJack »

DionDesigns wrote: If each phpBB installation has a different DOM on the registration page, I fail to see what parsing the HTML would accomplish

Really? One regexp to find all FORMs and then one to find all INPUTs and such - that easily I don't care of element names at all. And don't come up with a JavaScript solution, since that breaks accessibility and on top can be executed by i.e. the MSIE engine (which bots can easily acquire) and then also be explored by enumerating all DOM elements. No. Don't get me started writing bots just to have a proof of concept.

Bots will always be an annoyance just like other people in reality, since they're also software. If you find a solution to "think outside the box" then you also found a way to separate good people from evil people. In other words: I consider a potential solution to this problem to be a revolution.

Gork
Registered User
Posts: 81
Joined: Sun Jul 22, 2007 9:36 pm
Location: Alaska!

Re: Spam and PHP-BB

Post by Gork »

I'm finding misspellings and grammatical errors in QA questions to be working well - for now...

Instead of (I know this is a bad example):
What color is the sky?

I'd do something like:
Teh kuloor uv duh skie iz wut?

People have been able to figure out what I'm asking, but I haven't been hit with a spam bot for a few months now. Granted, I do have a very small site.

Arty
Former Team Member
Posts: 16654
Joined: Wed Mar 06, 2002 2:36 pm
Name: Vjacheslav Trushkin

Re: Spam and PHP-BB

Post by Arty »

If you have a niche forum, set a question specific to that niche.

For example, I'm helping out a client with a sewing forum. Their Q&A question is "needle and ..." with multiple valid answers such as "thread" that are obvious to all visitors of that forum, but not so obvious to spammers.

That question has been there since the creation of the forum over a year ago; there were only 2 spam messages posted. The forum is very active with more than 150k posts and 10k members.
Vjacheslav Trushkin / Arty.
Free phpBB 3.1 styles | New project: Iconify - modern SVG framework

DionDesigns
Registered User
Posts: 515
Joined: Sun Feb 26, 2012 11:22 pm
Location: Uncertain due to momentum.

Re: Spam and PHP-BB

Post by DionDesigns »

AmigoJack wrote: Really? One regexp to find all FORMs and then one to find all INPUTs and such - that easily I don't care of element names at all. And don't come up with a JavaScript solution, since that breaks accessibility and on top can be executed by i.e. the MSIE engine (which bots can easily acquire) and then also be explored by enumerating all DOM elements. No. Don't get me started writing bots just to have a proof of concept. Bots will always be an annoyance just like other people in reality, since they're also software. If you find a solution to "think outside the box" then you also found a way to separate good people from evil people. In other words: I consider a potential solution to this problem to be a revolution.

This is classic structured, black-and-white thinking. And it's why you cannot see a solution, because the solution will be, to you, "poor coding".

When it dawns on developers (not picking on phpBB here, WordPress is much worse in this regard) that the registration page MUST be designed in a way that is against everything they have been taught and believe to be correct, only then will they get the advantage over spambots. Why? Because great, structured code is nirvana to spambots -- it makes their life so simple. "Poorly-written" code will make their life much more difficult.

I'm sure you can design a great bot...but it's going to be structured, as is XRumer. I could, however, design a page that would break your bot (and XRumer), because I would use intentionally-poorly-written JavaScript and HTML. I'm also sure you (and XRumer) could eventually find a way to register. But the goal is NOT to break bots permanently (that's black-and-white thinking), because that is never going to be possible. The goal is to make the solution so complex that the bots will flag the page and move on to the next victim.

Look, I'm not going to post the method here in such a public place. I'm happy to discuss this privately, but as I said above, it breaks all the rules.

In the meantime, here's something to think about that doesn't break any rules. What if the FormData interface and CANVAS-based CAPTCHA images were used on registration forms? FormData and CANVAS require JavaScript and a newer browser, you say? You betcha. If people want to register, they will use a real browser and take off their tinfoil hats. XRumer uses the Trident3 engine for performance reasons, but to support FormData and CANVAS, it will need the (very large) IE10 Trident6 engine to execute the script. Not gonna happen.

AmigoJack
Registered User
Posts: 5698
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Spam and PHP-BB

Post by AmigoJack »

DionDesigns wrote: FormData and CANVAS require javascript and a newer browser
AmigoJack wrote: that breaks accessibility

Think of people who are not able to choose because of their inabilities. I'd rather use strict code to help handicapped people than just to prevent some spam issues.

The current anti-spambot features work quite well in my opinion, because in the end it's a human again who has to come up with a good question. And to be honest: how many bad/unprofessional board admins have you encountered?

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: Spam and PHP-BB

Post by Pony99CA »

A_Jelly_Doughnut wrote:
Pony99CA wrote: While human spammers may Google for answers, I seriously doubt that spam bots do.
It isn't necessarily that Google is being used (although I cannot prove or disprove this), but I do know that spambots have a built in database of answers to common questions (what color is the sky, what is the capital of England, etc)

That I believe. But it may require a hybrid spamming setup, where humans solve CAPTCHAs and populate the database and the bots do all of the nasty posting. Using humans increases the cost of spamming. If we can increase the cost so much that spamming becomes unprofitable, we win. (I'm talking about spamming for sales here; spamming for phishing and identity theft probably has a higher payback than selling replica watches and phony Viagra -- at least I hope it does or there are a LOT of morons buying spammed crap. :cry: )

Steve
