Preventing Spam in 3.0.5 and Lower [*Read First Post*]

END OF SUPPORT: 1 January 2017 (announcement)
XtremeD63
Registered User
Posts: 208
Joined: Tue Oct 04, 2005 3:52 pm

Re: Preventing Spam in 3.0

Post by XtremeD63 »

XtremeD63 wrote:I made a custom code (I think) which tells the registrant to enter three numbers in order:

Image
Is there currently a way for spambots to break into this security measure? I thought I was being clever, but I just got 2 new registrations that I'm a little suspicious of. I'm still waiting for replies from a couple of Private Messages of authentication.

When I chose the "View Source" option, I found no giveaway for the "358" that's required for registration, but I don't really know just how the bots work. Can they break this "code" I'm using?

onehundredandtwo
Registered User
Posts: 1228
Joined: Fri Nov 14, 2008 8:07 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by onehundredandtwo »

There is probably a setting you haven't enabled so it isn't compulsory for anyone to get in. Make sure you re-read this article - Knowledge Base - Custom Profile Fields as an Anti-Spammer Tool.

I believe you would have to be running phpBB 3.0.4 to use some of these techniques, so if you aren't already at the latest version I would recommend upgrading.
Need help preventing spam? Read Preventing spam in phpBB 3.0.6 and above

XtremeD63
Registered User
Posts: 208
Joined: Tue Oct 04, 2005 3:52 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by XtremeD63 »

onehundredandtwo wrote:There is probably a setting you haven't enabled so it isn't compulsory for anyone to get in. Make sure you re-read this article - Knowledge Base - Custom Profile Fields as an Anti-Spammer Tool.

I believe you would have to be running phpBB 3.0.4 to use some of these techniques, so if you aren't already at the latest version I would recommend upgrading.
I am running 3.0.4. All settings are enabled. Those last 2 registrations were valid. So the Custom Field seems to be working! Maybe I am clever after all... :roll:

serola
Registered User
Posts: 10
Joined: Thu May 07, 2009 10:48 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by serola »

Successfully used custom field (one simple math task) for two weeks and only one new spammer being able to go through (spambot or human, no idea?). Although the forum I administrate is relatively small (currently approximately 1500 members).

I was also told it's a good idea to prune all "old" inactive accounts (something like older than one month).

Moreover, I have also used this site http://www.stopforumspam.com/ to track down active accounts created by spambots. 99% of accounts registered using .ru mail addresses are created by spambots! But certainly this is a tedious task to do! I wish there could be a way to search accounts according to IP addresses :(

bbrunnrman
Registered User
Posts: 80
Joined: Sun Dec 24, 2006 9:19 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by bbrunnrman »

onehundredandtwo wrote:There is probably a setting you haven't enabled so it isn't compulsory for anyone to get in. Make sure you re-read this article - Knowledge Base - Custom Profile Fields as an Anti-Spammer Tool.
I ought to remind people again, when citing this Knowledge Base article, that it still includes some out-of-date screenshots (really needs to be updated!). Correct screenshots for phpBB 3.0.4 are shown in my post at http://www.phpbb.com/community/viewtopi ... 5#p9260725 Note that the "Visibility options" are checkboxes now, meaning they can be selected individually, and you need to select both "Display on registration screen" and "Required field".
XtremeD63 wrote:Is there currently a way for spambots to break into this security measure? I thought I was being clever, but I just got 2 new registrations that I'm a little suspicious of. I'm still waiting for replies from a couple of Private Messages of authentication.

When I chose the "View Source" option, I found no giveaway for the "358" that's required for registration, but I don't really know just how the bots work. Can they break this "code" I'm using?
It's quite possible that your two 'suspicious' registrations were from human spammers rather than spambots. But if you're using the "Numbers" type custom field, then in addition to setting it up in the ACP, you really need to make the code change (editing of language file) illustrated near the end of the Knowledge Base article. Without that change, the error message (when somebody enters the wrong number) gives away the correct answer. I don't know whether spambots have been programmed yet to make use of this, but in principle, it would be straightforward for them to do so.

XtremeD63
Registered User
Posts: 208
Joined: Tue Oct 04, 2005 3:52 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by XtremeD63 »

I did edit the language file. Those two new registrations were legitimate. I haven't had any bots or spammers since I started using that custom field. I recommend it. Thanks guys for all the help!

JohnnyComeLately
Registered User
Posts: 4
Joined: Tue Aug 07, 2007 6:24 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by JohnnyComeLately »

Maybe I'm misunderstanding, but in the 10-15 pages I've read, it seems like we're limited in our custom fields capability. For example, I can't say, "Type in the color of white rice" and then have it check to make sure they typed in "white". It appears we can only set a default, and what it CAN'T be when entered. Is this correct? So from the screen shots, you tell them to pick the middle number, but as long as they DON'T pick the default it works.

Both of these seem extremely easy to script around for the spammers at a later date. Modifying the error is a great idea and can negate the scripting quite a bit.

XtremeD63
Registered User
Posts: 208
Joined: Tue Oct 04, 2005 3:52 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by XtremeD63 »

I didn't use the drop-down menu for this. I used the numbers field. I typed "Enter the numbers - three, five and eight - in that order". The registrant has to type "358" in the box, or he/she cannot register.

kq76
Registered User
Posts: 32
Joined: Sun Jun 20, 2004 2:49 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by kq76 »

bbrunnrman wrote:
Bdonj wrote:I just yesterday upgraded from 3.0.0 to 3.0.4. The upgrade went fine without a hitch. However, I am now getting more spammers than ever. I added a custom question to my registration about 10 days ago (before the upgrade) and that stopped all attempts at robot spammers log ins.

As soon as I did the upgrade, I got 6 attempts within the first hour. Now I am getting 10 per hour. I added a second question with the numbers response as indicated in this thread and it is still going on.
If you had a custom profile field that was working well, it's possible that upgrading to 3.0.4 has "broken" your custom field, although it should be easy to fix. As indicated in some of the previous posts, some of the settings for custom profile fields changed in recent phpBB upgrades. In fact, in the announcement for the 3.0.4 upgrade at http://www.phpbb.com/community/viewtopi ... &t=1352565 note the item:
  • [Change] Better handling and finer control for custom profile fields visibility options.
For correct settings after the 3.0.4 upgrade for a custom field intended to deter spambots, see screen captures below:
custom_profile_settings_1.png
custom_profile_settings_2.png
where the first image shows main settings for the particular custom field, and the second shows load related settings under ACP > General > Load settings.

Remember to make up your own custom fields; i.e., don't copy any of the examples you find on this board. These custom fields are effective only if every board has different ones.
I wanted to say thank you for this post and note that I don't think it's necessary for the load setting to be set to no. I was using the numbers part of the anti-spammer tool and it was working perfectly. I then added some other custom profile fields and edited the memberlist page and the load settings to all yes and soon after found that we were getting some spambot signups again. I don't know if that extra customization did it or if something else did, but I checked our registration page and the antispammer was no longer there. After fiddling with the settings I couldn't get it to come back until I saw your post and made my settings the same as your top graphic. My load settings are all left at yes though.

bbrunnrman
Registered User
Posts: 80
Joined: Sun Dec 24, 2006 9:19 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by bbrunnrman »

Setting those load settings to No is basically for cosmetic reasons and has no effect on operation of the custom fields to reject spambots. I originally wrote about those load settings in my post at http://www.phpbb.com/community/viewtopi ... 5#p8814015 in response to tffnguy's claim that his custom fields were getting viewed by other users in places where it didn't seem appropriate.

Actually, I've just done some experimenting, and found that it didn't seem to make any difference whether those load settings were set to Yes or No. But note that the description of the first of those load settings says, "Allow styles to display..." Thus, it probably depends on what styles you're using (I was just using the standard prosilver style in these tests).

Anyway, if you have several custom fields, some intended for antispam and some for other purposes, you may need to set those load settings to Yes for the sake of your "other" custom fields. In that case, to prevent your antispam custom fields from displaying inappropriately, you might try selecting "Hide profile field" for your antispam fields, as in the following screenshot:
custom_profile_field_hide.png
I've done some experimenting indicating that this seems to work (at least, it doesn't stop the field from showing up and working on the registration screen), so this can probably be considered another valid configuration for an antispam custom field.

Meanwhile, the first setting in the above screenshot ("Display profile field") appears to refer directly to the items in the load settings, so you'd think setting this to No would be the simplest way of countering the "Yes" load settings for this profile field. Unfortunately, in the current version of phpBB, setting this to No also inhibits display on the registration screen. This is a bug which will, I believe, be fixed in phpBB 3.0.5.

bbrunnrman
Registered User
Posts: 80
Joined: Sun Dec 24, 2006 9:19 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by bbrunnrman »

JohnnyComeLately wrote:Maybe I'm misunderstanding, but in the 10-15 pages I've read, it seems like we're limited in our custom fields capability. For example, I can't say, "Type in the color of white rice" and then have it check to make sure they typed in "white". It appears we can only set a default, and what it CAN'T be when entered. Is this correct?
Currently, the "Numbers" type custom field is probably the best one for antispam purposes because it's the only one where you can set a specific required answer (but for best results, you should also edit the language file as indicated previously so the error message doesn't give away the answer).

You're right that with the "Dropdown box" field, all you can do is specify one possibility (usually the default) as the WRONG answer, and any other answer will be accepted. I pointed out in my earlier post at http://www.phpbb.com/community/viewtopi ... 5#p8935075 that this is probably too easy for spambots to defeat.

You cannot, in the current version of phpBB, create a custom TEXT field with specific required answer (such as the word "white"). You could, however, do it with a simple code change, as follows:

Code:

In file includes/functions_profile_fields.php
Find the lines:

			case FIELD_STRING:
			case FIELD_TEXT:
				if (empty($field_value) && !$field_data['field_required'])
				{
					return false;
				}
				else if (empty($field_value) && $field_data['field_required'])

Then change the last of the above lines to:

				else if ($field_data['field_required'] && strtolower($field_value) !== 'white')
Here, the intended answer (white) would be hard-wired into the code. Use of the strtolower function allows the user's answer to be case-independent (e.g., answers of "WHITE" and "White" will also be accepted). With this change, you'd be limited to only one text-type required custom field on your board, although you could still have other non-required custom text fields.

If you want a great deal more flexibility for custom antispam questions, install the Anti-Bot Question MOD referenced at the beginning of this thread.
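
An added example (not part of bbrunnrman's post and not phpBB code): a stand-alone PHP sketch of the required-answer check discussed above, with accepted answers keyed per field so more than one text question can be used, and a single generic error so a wrong guess does not give away the answer. The function, constant and field names are hypothetical, the sample answers are constructed, and it assumes PHP 7.1 or later.

```php
<?php
// Added example: stand-alone sketch, not phpBB code. All names are hypothetical.

// Accepted answers keyed by field identifier, stored lower-case.
// Constructed sample values; make up your own, as the thread advises.
const ANTISPAM_ANSWERS = [
    'rice_colour'  => ['white'],
    'number_words' => ['358'],
];

// One generic message for every failure, so the error never reveals the answer.
const ANTISPAM_ERROR = 'The answer to the registration question is incorrect.';

// Returns false when the answer is accepted (the same "false means no error"
// convention as the snippet above), or an error string otherwise.
function check_antispam_answer(string $field_ident, $field_value)
{
    if (!isset(ANTISPAM_ANSWERS[$field_ident])) {
        return false; // not an anti-spam field; nothing to check here
    }
    // A form can submit an array (name="field[]"); reject it instead of
    // passing it to strtolower().
    if (!is_string($field_value)) {
        return ANTISPAM_ERROR;
    }
    // Case-independent and tolerant of stray whitespace, like the strtolower() change.
    $answer = strtolower(trim($field_value));
    // Strict comparison: no type juggling between strings and numbers.
    return in_array($answer, ANTISPAM_ANSWERS[$field_ident], true) ? false : ANTISPAM_ERROR;
}

// Constructed sample submissions: field identifier, submitted value.
$samples = [
    ['rice_colour', ' White '],   // accepted
    ['rice_colour', ''],          // rejected: empty
    ['rice_colour', 'brown'],     // rejected: wrong answer
    ['number_words', '358'],      // accepted
    ['number_words', ['358']],    // rejected: array input
    ['location', 'anything'],     // accepted: not an anti-spam field
];
foreach ($samples as [$ident, $value]) {
    $result = check_antispam_answer($ident, $value);
    printf("%-13s %-10s => %s\n", $ident, json_encode($value),
        $result === false ? 'accepted' : $result);
}
```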

some blind fool
Registered User
Posts: 409
Joined: Sat Aug 19, 2006 5:28 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by some blind fool »

bbrunnrman wrote:You're right that with the "Dropdown box" field, all you can do is specify one possibility (usually the default) as the WRONG answer, and any other answer will be accepted. I pointed out in my earlier post at http://www.phpbb.com/community/viewtopi ... 5#p8935075 that this is probably too easy for spambots to defeat.
speaking of the drop downs,

Code:

			case FIELD_DROPDOWN:
				if ($field_value == $field_data['field_novalue'] && $field_data['field_required'])
if we change the == to !=, will it instead work for selecting one correct answer?

bbrunnrman
Registered User
Posts: 80
Joined: Sun Dec 24, 2006 9:19 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by bbrunnrman »

some blind fool wrote:speaking of the drop downs,

Code:

			case FIELD_DROPDOWN:
				if ($field_value == $field_data['field_novalue'] && $field_data['field_required'])
if we change the == to !=, will it instead work for selecting one correct answer?
Yes, that would reverse the meaning of "Option equal to non entered value" so it becomes the one correct answer instead of the value for a non-entry.

Even with this change, the dropdown box might not be as effective as some of the other types because a dropdown box has only a finite number of options, and a bot might systematically try all of them. Even so, we might try to overwhelm the bots by using a dropdown box modified this way, together with another custom field (Numbers type or Text type modified to require definite answer), and also continue using the CAPTCHA.

Mick
Support Team Member
Posts: 22345
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by Mick »

bbrunnrman wrote:Meanwhile, the first setting in the above screenshot ("Display profile field") appears to refer directly to the items in the load settings, so you'd think setting this to No would be the simplest way of countering the "Yes" load settings for this profile field. Unfortunately, in the current version of phpBB, setting this to No also inhibits display on the registration screen. This is a bug which will, I believe, be fixed in phpBB 3.0.5.

If you read about ten posts back you will see the settings that work correctly: http://www.phpbb.com/community/viewtopi ... 5#p9620705
"The more connected we get the more alone we become" - Kyle Broflovski

Please read: “Am I In The Right Place?” before posting.

bbrunnrman
Registered User
Posts: 80
Joined: Sun Dec 24, 2006 9:19 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by bbrunnrman »

Mixstar wrote:
bbrunnrman wrote:Meanwhile, the first setting in the above screenshot ("Display profile field") appears to refer directly to the items in the load settings, so you'd think setting this to No would be the simplest way of countering the "Yes" load settings for this profile field. Unfortunately, in the current version of phpBB, setting this to No also inhibits display on the registration screen. This is a bug which will, I believe, be fixed in phpBB 3.0.5.
If you read about ten posts back you will see the settings that work correctly: http://www.phpbb.com/community/viewtopi ... 5#p9620705
My comment about the "Display profile field" setting was actually a reference to bug reports http://www.phpbb.com/bugs/phpbb3/41385 and http://www.phpbb.com/bugs/phpbb3/44625 That bug has been fixed in SVN, so it ought to be corrected in phpBB 3.0.5. Currently, custom profile fields don't work unless you set "Display profile field" to Yes. But in 3.0.5, they should also work if you set it to No.

As for "settings that work," those in your post at http://www.phpbb.com/community/viewtopi ... 5#p9620705 are the same as the first screenshot in my post at http://www.phpbb.com/community/viewtopi ... 5#p9260725 My more recent post at http://www.phpbb.com/community/viewtopi ... 0#p9659425 shows other settings (with "Hide profile field" checked) that also appear to work.
