Spam and PHP-BB

[kazooki]

I am absolutely sick and tired of spam to the point were I am just thinking of closing my forum down.

I have spent a lot of time integrating the forum into my design and getting the whole thing up and running.
It is only a very small forum and has few visitors & posts and I have not advertised it ANYWHERE .. however it has been battered over the last few months with scummy spammers.

I have enabled spambot countermeasures, I have installed Q & A and setup around 10 different questions.
I have also enabled guest posting where I have to verify the posts before they go live.

What else can I do and how are these people finding my forum?
Do phpBB advertise my site to spam merchants in order to finance the work they do?

I have around 20-30 users signing up per day posting about NFL Jerseys, Nike etc Sportswear, Kim Kardashian Sex Tapes etc etc.

Being such a small site I just don't have the time to be constantly deleting and banning posts and users. I ban them by IP address and by email and when they use a domain rather than a gmail account I blanket ban the entire domain *@domain.com but they still persist.

.. and lately, even though I have added the guest posting option where I need to verify new member posts, a lot of new spam members are somehow completely circumventing it somehow and posting directly onto the forum.

What is the best thing to do?
If this is simply what happens and it cannot be stopped with phpBB then I think I'll just close it.

Thanks in advance for any advice.

[KevC]

I have enabled spambot countermeasures, I have installed Q & A and setup around 10 different questions.

What questions are you using?

Having 10 is a bad idea. If one is really easy and nine are difficult, you don't know which is the one they are beating every time. Just have one question. If it's not effective you know what to change.

I have also enabled guest posting where I have to verify the posts before they go live.

I assume you mean you've enabled the post moderation queue. That's a sensible step but if you get the right question they shouldn't even get that far.

Do phpBB advertise my site to spam merchants in order to finance the work they do?

No, not at all. Your site is on the internet. They have search bots that scour it to find sites, all day every day. It costs them next to nothing to do that.

I ban them by IP address and by email and when they use a domain rather than a gmail account I blanket ban the entire domain *@domain.com but they still persist.

Banning them isn't very effective. They rarely use the same information twice and it just fills your banlist table with info that has to be checked every time someone does register. I've got a few boards and I haven't banned anything. I don't have any spam issues either. So it's not an effective solution.

and lately, even though I have added the guest posting option where I need to verify new member posts, a lot of new spam members are somehow completely circumventing it somehow and posting directly onto the forum.

That's not possible unless you have some other integrated registration page elsewhere or you have a duplicate installation without any registration protection.

What is the best thing to do?
If this is simply what happens and it cannot be stopped with phpBB then I think I'll just close it.

A good Q&A question is all you need and it'll stop. Every forum software out there has the same problem with spam. You just have to employ the right methods to stop it.

[randomessence]

It did not occur to me at first that these spam bots google answers. so when i was thinking of questions i did not at first think to ask questions that google could not answer. a simple oversight that should maybe be mentioned when you say use a good question, since i think that is probably the soundest anti spam advice.

[AmigoJack]

Bots are doing things in an automated way. Sending a request to Google and evaluating the response can be automated very well - that's quite obvious to me. It's like "it did not occur to me at first that robbers look under your door mat for the key" or "it did not occur to me at first that hackers try my birthday as password".

[EXreaction]

There are also some mods you may want to look into, such as Akismet integration: http://lithiumstudios.org/forum/viewtop ... =31&t=1976

That should block out a large portion of the spam from at least being publicly visible

[Pony99CA]

Bots are doing things in an automated way. Sending a request to Google and evaluating the response can be automated very well - that's quite obvious to me.

While human spammers may Google for answers, I seriously doubt that spam bots do. If they're sophisticated enough to do that and parse Google's response to find the phrase they need, they'd be more than intelligent enough to solve the questions that people here call "good" questions (like "Type the uppercase letters from the following string: "AbCdXYz"").

Remember that a CAPTCHA is supposed to distinguish bots from humans. For example, if my question was "Who won the 1968 World Series?", if you Google that, the first two results don't even mention the team that won in the response blurb -- the Detroit Tigers. While a human might click one of the links and read the article or might go to the third result and find the answer, how would a bot figure that out if it supposedly can't read the simple uppercase question that I posted above?

Look at the computing system that was required for Watson to beat human players on Jeopardy. While a bot wouldn't have to "beat" a human, it would have to do fairly well, and I doubt that many spammers (even sophisticated organizations) do that.

I think better advice is to avoid questions with common answers (like "blue" which would answer many questions like "What color is the sky?" or "What color is the ocean?").

Steve

[DionDesigns]

The current phpBB product is quite susceptible to automated spamming, and the problem will continue until the registration and post forms are more dynamic.

There's another group of spammers, and I suspect they're the most prevalent these days...humans who use Greasemonkey scripts to fill out forms. These people can click one button on their system, and it will fill out a registration form or post form, and submit it. They don't even need to know the language of the page they're on -- they only need to recognize the page layout.

The way to beat both of these types of spammers is to dynamically change the names/IDs on the post and registration pages to something other than "submit", "postform", "register", whatever. Meaning...these names should be in the _config table, set in templates through variables, and most important, randomly created at the time phpBB is installed. This would make the DOM on the registration and post pages different on every phpBB installation -- thereby making it nearly impossible for any form of automated spamming.

[A_Jelly_Doughnut]

This would make the DOM on the registration and post pages different on every phpBB installation -- thereby making it nearly impossible for any form of automated spamming.

This may be the case now, but such a defense could be broken in an afternoon by the maintainers of the spambots, simply by parsing the HTML.

While human spammers may Google for answers, I seriously doubt that spam bots do.

It isn't necessarily that Google is being used (although I cannot prove or disprove this), but I do know that spambots have a built in database of answers to common questions (what color is the sky, what is the capital of England, etc)

[DionDesigns]

This would make the DOM on the registration and post pages different on every phpBB installation -- thereby making it nearly impossible for any form of automated spamming.

This may be the case now, but such a defense could be broken in an afternoon by the maintainers of the spambots, simply by parsing the HTML.

If each phpBB installation has a different DOM on the registration page, I fail to see what parsing the HTML would accomplish...other than the spambot being able to auto-register on the one page where the algorithm would work.

I realize what I'm suggesting flies in the face of standardized coding, but...I hope developers realize that standardized coding is a big reason why spammers have been able to get so far, so fast. It's time to think outside the box if one wants to put a dent in the spammers!

[AmigoJack]

If each phpBB installation has a different DOM on the registration page, I fail to see what parsing the HTML would accomplish

Really? One regexp to find all FORMs and then one to find all INPUTs and such - that easily I don't care of element names at all. And don't come up with a JavaScript solution, since that breaks accessibility and on top can be executed by i.e. the MSIE engine (which bots can easily acquire) and then also be explored by enumerating all DOM elements. No. Don't get me started writing bots just to have a proof of concept.

Bots will always be an annoyance just like other people in reality, since they're also software. If you find a solution to "think outside the box" then you also found a way to separate good people from evil people. In other words: I consider a potential solution to this problem to be a revolution.

[Gork]

I'm finding misspellings and grammatical errors in QA questions to be working well - for now...

Instead of (I know this is a bad example):
What color is the sky?

I'd do something like:
Teh kuloor uv duh skie iz wut?

People have been able to figure out what I'm asking, but I haven't been hit with a spam bot for a few months now. Granted, I do have a very small site.

[Arty]

If you have a niche forum, set question specific to that niche.

For example, I'm helping out client with sewing forum. Their Q&A question is "needle and ..." with multiple valid answers such as "thread" that are obvious to all visitors of that forum, but not so obvious to spammers.

That question has been there since creation of forum over a year ago, there were only 2 spam messages posted. Forum is very active with more than 150k posts and 10k members.

[DionDesigns]

Really? One regexp to find all FORMs and then one to find all INPUTs and such - that easily I don't care of element names at all. And don't come up with a JavaScript solution, since that breaks accessibility and on top can be executed by i.e. the MSIE engine (which bots can easily acquire) and then also be explored by enumerating all DOM elements. No. Don't get me started writing bots just to have a proof of concept.

Bots will always be an annoyance just like other people in reality, since they're also software. If you find a solution to "think outside the box" then you also found a way to separate good people from evil people. In other words: I consider a potential solution to this problem to be a revolution.

This is classic structured, black-and-white thinking. And it's why you cannot see a solution, because the solution will be, to you, "poor coding".

When it dawns on developers (not picking on phpBB here, Wordpress is much worse in this regard) that the registration page MUST be designed in a way that is against everything they have been taught and believe to be correct, only then will they get the advantage over spambots. Why? Because great, structured code is nirvana to spambots -- it makes their life so simple. "Poorly-written" code will make their life much more difficult.

I'm sure you can design a great bot...but it's going to be structured, as is XRumer. I could, however, design a page that would break your bot (and XRumer), because I would use intentionally-poorly-written javascript and HTML. I'm also sure you (and Xrumer) could eventually find a way to register. But the goal is NOT to break bots permanently (that's black-and-white thinking), because that is never going to be possible. The goal is to make the solution so complex that the bots will flag the page and move on to the next victim.

Look, I'm not going to post the method here in such a public place. I'm happy to discuss this privately, but as I said above, it breaks all the rules.

In the meantime, here's something to think about that doesn't break any rules. What if the FormData interface and CANVAS-based CAPTCHA images were used on registration forms? FormData and CANVAS require javascript and a newer browser, you say? You betcha. If people want to register, they will use a real browser and take off their tinfoil hats. XRumer uses the Trident3 engine for performance reasons, but to support FormData and CANVAS, it will need the (very large) IE10 Trident6 engine to execute the script. Not gonna happen.

[AmigoJack]

FormData and CANVAS require javascript and a newer browser

that breaks accessibility

Think of people who are not able to choose because of their inabilities. I'd rather use strict code to help handicapped people than just to prevent some spam issues.

The current anti spambot features work quite good in my opinion, because in the end it's a human again who has to come up with a good question. And to be honest: how many bad/unprofessional board admins have you encountered?

[Pony99CA]

While human spammers may Google for answers, I seriously doubt that spam bots do.

It isn't necessarily that Google is being used (although I cannot prove or disprove this), but I do know that spambots have a built in database of answers to common questions (what color is the sky, what is the capital of England, etc)

That I believe. But it may require a hybrid spamming setup, where humans solve CAPTCHAs and populate the database and the bots do all of the nasty posting. Using humans increases the cost of spamming. If we can increase the cost so much that spamming becomes unprofitable, we win. (I'm talking about spamming for sales here; spamming for phishing and identity theft probably has a higher payback than selling replica watches and phony Viagra -- at least I hope it does or there are a LOT of morons buying spammed crap. )

Steve