Preventing Spam in 3.0.5 and Lower [*Read First Post*]

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
END OF SUPPORT: 1 January 2017 (announcement)
bbrunnrman
Registered User
Posts: 80
Joined: Sun Dec 24, 2006 9:19 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by bbrunnrman »

Neomorte wrote: I have set phpbb to use the Administrator activation for new user accounts. I have also added 3 different required fields for registrations to answer to help eliminate spambots. I have been getting several spam accounts created that skip the entire registration approval and sometimes don't catch them until they have posted many spam posts on the boards. I don't even get a new user account created email as I do with valid users.
The simplest explanation would be that your email account has been compromised; i.e., someone has stolen your email password. Thus, the spammer is intercepting your email, including the activation emails from phpBB, and therefore activating their own accounts.

Therefore, the first thing you might try is changing your email password (but you might do this from a different computer than you use normally, in case that computer has been otherwise compromised, e.g., with a keystroke logger).

Meanwhile, this illustrates a problem with phpBB3 that I've noticed previously, although it didn't seem serious enough to report as a bug: When a board is configured for Admin activation, the activation links sent to the Admins actually work when clicked by anyone--not just an Admin (so if the email gets intercepted by an unauthorized person, they can activate the account). I seem to recall that in phpBB2, the activation links sent to Admins (when a board uses Admin activation) only worked when used by an Admin who was logged in to the board. That's really how it should work in phpBB3 too.

Also, Neomorte, another thing to do on your board is implement "Post Queueing" -- technique #3 in the opening post of this thread so, even if a spammer can activate their own account, their initial post(s) will require moderator approval.
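An added example (not phpBB's own code) of the activation check bbrunnrman describes: under admin activation, a mailed link should activate an account only when the key matches and the browser presenting it holds a logged-in administrator session. The record layout, field names and key value are constructed for the example.

```php
<?php
// Added example, not phpBB code. Models the admin-activation gate described in the post:
// a mailed activation key is honoured only if it matches AND, on an admin-activation board,
// the session presenting it belongs to an administrator. All data below is constructed.

// Constructed pending account, as it would sit in the users table after a bot registers.
$pendingUser = [
    'user_id'   => 4711,
    'username'  => 'sample_bot_account',
    'actkey'    => 'c3f1a9b2e0d44f7b',   // placeholder for the key that was mailed out
    'activated' => false,
];

// Decide what to do with a presented activation key for $user in the given session.
// $boardMode is 'user' (self-activation) or 'admin' (admin activation), mirroring the ACP setting.
function activation_decision(array $user, string $presentedKey, array $session, string $boardMode): string
{
    if ($user['activated']) {
        return 'already_active';          // a key is single-use; re-clicking the link does nothing
    }
    // Constant-time comparison so the key cannot be recovered byte by byte from timing.
    if ($user['actkey'] === '' || !hash_equals($user['actkey'], $presentedKey)) {
        return 'bad_key';
    }
    // Under admin activation the key only proves that someone read the e-mail;
    // the authority to activate has to come from an administrator session on the board.
    if ($boardMode === 'admin' && empty($session['is_admin'])) {
        return 'admin_session_required';
    }
    return 'activate';
}

// Two constructed sessions: an anonymous visitor who intercepted the mail, and a logged-in admin.
$interceptedMail = ['user_id' => 0, 'is_admin' => false];
$adminSession    = ['user_id' => 2, 'is_admin' => true];

// Intercepted admin-activation link: the key is right but there is no admin session, so it is refused.
echo activation_decision($pendingUser, 'c3f1a9b2e0d44f7b', $interceptedMail, 'admin'), PHP_EOL;
// Same link clicked by a logged-in administrator: the account is activated.
echo activation_decision($pendingUser, 'c3f1a9b2e0d44f7b', $adminSession, 'admin'), PHP_EOL;
// On a self-activation board the mail goes to the registrant, so the key alone is sufficient.
echo activation_decision($pendingUser, 'c3f1a9b2e0d44f7b', $interceptedMail, 'user'), PHP_EOL;
// A wrong key is refused regardless of who presents it.
echo activation_decision($pendingUser, 'wrongkey', $adminSession, 'admin'), PHP_EOL;
```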
Mick
Support Team Member
Posts: 26546
Joined: Fri Aug 29, 2008 9:49 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by Mick »

@Neomorte: I would suggest trying to set registration to 'by user'. That way the spam bots cannot get back to your site to complete registration without first going to the email address they have supplied and clicking the registration link. As we know, all these mail addresses are bogus and only supplied to enable the bot to fill in the required information to try and register; being as they are non-existent, they can do nothing.

This works for me and I don't understand why it doesn't work for other users unless something else has been compromised :?:
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
tffnguy
Registered User
Posts: 473
Joined: Mon Aug 18, 2003 10:55 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by tffnguy »

Mixstar wrote: As we know all these mail addresses are bogus and only supplied to enable the bot to fill in the required information to try and register, being as they are non-existent they can do nothing.
I've found that a lot of the email addresses are for real, or there is something going on that I don't understand. Could be that email sent to those addresses goes into a black hole and doesn't have a chance to bounce. Most bogus addresses will cause the registrations to bounce, but the ones I'm talking about never do. They are clearly spam bot accounts from all of the settings though. I think what they hope for is that registration isn't set to admin or by user so they can just sign up and be activated when they do.
Some people question my sanity because of the way I run my site. I question my sanity because I do run it.
-David T. Smith-

The Ford Falcon News
Living Off Grid in Terlingua Texas
Mick
Support Team Member
Posts: 26546
Joined: Fri Aug 29, 2008 9:49 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by Mick »

tffnguy wrote: Most bogus addresses will cause the registrations to bounce, but the ones I'm talking about never do. They are clearly spam bot accounts from all of the settings though. I think what they hope for is that registration isn't set to admin or by user so they can just sign up and be activated when they do.
I agree with you, I have thought similar myself.

Maybe the mail goes to a catch-all account of some sort or another, but then you'd think they would be clever enough to grab that information and use it against us :?: :shock:

Do you think we'll ever be able to outwit these buggers forever? :? :lol:
tffnguy
Registered User
Posts: 473
Joined: Mon Aug 18, 2003 10:55 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by tffnguy »

Mixstar wrote: Do you think we'll ever be able to outwit these buggers forever? :? :lol:
I don't have any doubts that we will if in the next upgrade the custom fields are upgraded correctly. Say multiple wrong answers and that sort of thing.

Someone is making a few changes to the spambot software and trying different defaults because I had to change mine up some. They were still getting one of the numerous wrong answers, but since only one wrong answer is allowed now then they were able to create the accounts by dodging the wrong answers.
Mick
Support Team Member
Posts: 26546
Joined: Fri Aug 29, 2008 9:49 am

Has anyone tried EasyCAPTCHA?

Post by Mick »

Has anyone tried this EasyCAPTCHA?

Fortunately I have no need for it but it seems OK from the write up. If anyone has can they post the results on here please?
Paul
Infrastructure Team Leader
Posts: 28654
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by Paul »

I haven't used it myself, but from what I see it looks pretty easy to use with OCR, so if enough boards use it, it probably will not work.
I personally still think a custom solution for a board, like adding a custom profile field with a requirement, is the best.
bbrunnrman
Registered User
Posts: 80
Joined: Sun Dec 24, 2006 9:19 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by bbrunnrman »

Mixstar wrote: @Neomorte: I would suggest try setting registration to 'by user'. That way the spam bots cannot get back to your site to complete registration without first going to the email address they have supplied and clicking the registration link. As we know all these mail addresses are bogus and only supplied to enable the bot to fill in the required information to try and register, being as they are non-existent they can do nothing.
This is an interesting question: Do spammers specify only bogus email addresses? I'm convinced that an awful lot of spam registrations include functional email addresses, so the spammers can activate their accounts if the board is set to activation By User.

I'll start with some historical information from my board: We started our board (using phpBB2) in October 2005 and, initially, we didn't use any activation. (At that time, simply limiting posting to registered users seemed to be adequate to avoid spam.) By August 2006, we were finding quite a few spam registrations, but it seemed the email addresses were always fictitious, so we enabled activation by user. At first, this worked well. We'd get spam registrations but they never activated, so I could just delete the inactive spam accounts. By early 2007, however, we were getting registrations from spammers who activated their accounts and posted on the board. Evidently, these spammers had working email addresses. So we switched to Admin activation (and we've continued using Admin activation after upgrading from phpBB2 to phpBB3 last year).

Consider: If spammers were already using live email addresses and activating their accounts in early 2007, do you really think they've gone back to using only bogus email addresses now?

Another point to consider involves supply of email addresses. Note that in addition to cracking the CAPTCHA in phpBB, the authors of spambots have also, at various times, cracked the CAPTCHAs on sites such as Gmail and Hotmail. This enabled them to obtain huge numbers of working email addresses in respectable domains, which they could use for not only sending spam email, but also for registering in message boards.

Meanwhile, on the topic of Admin activation, we've been using it for a long time, in both phpBB2 and phpBB3, and we've never encountered a user who could bypass the admin activation process, which leads me to think Neomorte's email account may have been compromised.
Mick
Support Team Member
Posts: 26546
Joined: Fri Aug 29, 2008 9:49 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by Mick »

bbrunnrman wrote: Consider: If spammers were already using live email addresses and activating their accounts in early 2007, do you really think they've gone back to using only bogus email addresses now?
Your points are all valid but . . .

That being the case, how come everyone who has made the changes suggested at the top of this forum isn't getting spammed to death? If the spam bots were using valid email addresses they would dive straight into every site they have a go at which is set to 'by user', which would be hundreds or thousands of users that come on here and, probably, tens of thousands of others.

I was getting upwards of fifty inactive users a day on each of four sites I was looking after. I also have to say, before I did the mods I had never had a bot manage to register and post; they would only be 'inactive', so I had to manually delete them. After doing the mods I have not had one successful spam bot hit. That says to me that the mods work?
bbrunnrman
Registered User
Posts: 80
Joined: Sun Dec 24, 2006 9:19 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by bbrunnrman »

Mixstar wrote: how come everyone who has made the changes suggested at the top of this forum isn't getting spammed to death? If the spam bots were using valid email addresses they would dive straight in to every site they have a go at which is set to 'by user' which would be hundreds or thousands of users that comes on here and, probably, tens of thousands of others.
The changes suggested at the top of the thread are aimed at stopping spammers (mainly spambots actually) from registering successfully in the first place--i.e., cut them off at an early stage, before the issue of 'activating' their account would come up. (Or in other words, you don't need to worry about account 'activation' if no account was created in the first place.) The changes at the top of this thread are very important and, since the CAPTCHA has been broken currently, all board operators need to choose some of these techniques and implement them.

The point regarding email addresses is just that, because spammers are using functional email addresses, spammers who succeed in creating an account (in spite of all our anti-spam mechanisms) can activate their own accounts if the board is set to activation By User. Their accounts would still remain inactive (need to be activated by an Admin) if the board is set to activation By Admin.

I'm not saying that every board should be using Admin Activation, which is method #2 in the post at the top of this thread. As it says there, "This is not practical on most boards..." It depends on the size of your board and how many people you have to serve as Admins.

On my board, I've implemented enough of the anti-bot techniques that the system is nearly 100% effective at rejecting bots automatically (so they never create accounts in the first place). A few human spammers do succeed in creating accounts, but because we're using Admin Activation, we usually catch them while their accounts are still inactive.

Meanwhile, even if Admin activation isn't practical for your board, I highly recommend Post Queueing, which is technique #3 in the post at the top of this thread. This way, even if a spammer succeeds in registering and activating their account, their first post goes into the Moderation Queue, where you'll catch it before it can appear publicly on your board.
rysham
Registered User
Posts: 29
Joined: Tue May 16, 2006 4:46 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by rysham »

The way I've found to keep spammers at bay is to charge for registration. I've re-worked the "register" link to direct them to a simple webpage that has a paypal button on it. Once the registrant has paid, paypal will then re-direct them to the actual registration page. I implemented this yesterday and have already seen a huge drop-off in spam registrants (I was getting at least 20 per day).

The only problem with this is, if you already know the default URLs of an average board, it's fairly simple to figure out how to get around that.

Is there any way I can move the registration files into a new directory? Does anybody know what that would entail? I have no programming experience, but I have installed plenty of mods in the past, so I ain't scared of digging through php files and changing a few settings, I just don't know which ones to change.
syrlinus
Registered User
Posts: 37
Joined: Mon Jun 16, 2008 11:47 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by syrlinus »

So, I have a question: how much longer before this is addressed and we don't have to sit and tweak and twiddle to prevent spam from entering the forums? Queuing is great and catches 100% but you need a team of mods approving at all hours on larger forums and even the MODs from the top aren't 100% effective.
onehundredandtwo
Registered User
Posts: 1228
Joined: Fri Nov 14, 2008 8:07 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by onehundredandtwo »

There are a lot more techniques available than just Post Review. Have you tried using Custom Profile Fields or any of the MODs listed on the first page?

BTW to use many of the MODs and techniques you will need to upgrade to phpBB 3.0.4. ;)
barryoneoff
Registered User
Posts: 248
Joined: Sat Mar 24, 2007 10:14 pm
Location: East London, England

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by barryoneoff »

I cannot believe this thread has gone on so long! :shock: Are users actually reading the first post? Or can't be bothered?
I was getting 20 or 30 bots a day a couple of months ago. As I have said before in this thread I just have a custom profile field that gives five double-figure numbers, and ask the registrant to type in the middle one. Not a spam bot since.
Why does everyone need to install complicated methods when the simple inbuilt one works fine? :? Read the first post!
krisCrash
Registered User
Posts: 7
Joined: Tue Dec 18, 2007 1:31 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Post by krisCrash »

Because we LOVE discussing spam!

And while previously phpBB3 has been capable of keeping most bots from even activating themselves, they are now getting smarter. Which brings me to a question:

I looked into Knowledge Base - Custom Profile Fields as an Anti-Spammer Tool, and I'm confused why he hasn't checked "Display at registration screen", yet it displays on his registration screen. When duplicating his shown moves, I do not get it to display. I am assuming it is a version difference, and that I should just check it?

The reason I am asking is 1) I'm still trying to wrap my head around it and 2) years ago there was some system with denying signups who actually FILLED certain hidden fields (I can explain if it matters).

Thinking of something clever to ask for the number thing :geek:
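An added example (not phpBB's own code) of the server-side checks behind two techniques in this thread: barryoneoff's required custom profile field ("type in the middle number", here accepting several spellings of the same answer) and the hidden field krisCrash recalls, which real users never see and so must arrive empty. Field names, the accepted answers and the sample submissions are all constructed.

```php
<?php
// Added example, not phpBB code. Validates a registration submission against a board-specific
// challenge field with several accepted answers, plus a hidden "honeypot" field that must stay empty.
// Configuration keys, field names and submissions below are constructed for the example.

$antiBotConfig = [
    'challenge_field'  => 'pf_middle_number',              // required custom profile field
    'accepted_answers' => ['47', 'forty seven', 'forty-seven'], // middle of the five numbers shown
    'honeypot_field'   => 'website_url',                   // hidden with CSS; humans leave it empty
];

// Normalise an answer so harmless variations typed by real people still match.
function normalise_answer(string $raw): string
{
    $s = strtolower(trim($raw));
    return preg_replace('/\s+/', ' ', $s);
}

// Return the list of rejection reasons; an empty list means the submission passes.
function check_registration(array $post, array $cfg): array
{
    $reasons = [];

    // A filled-in hidden field is a strong sign of a form-filling bot.
    $honeypot = (string)($post[$cfg['honeypot_field']] ?? '');
    if ($honeypot !== '') {
        $reasons[] = 'honeypot_filled';
    }

    // The challenge answer must match one of the accepted spellings after normalisation.
    $answer   = normalise_answer((string)($post[$cfg['challenge_field']] ?? ''));
    $accepted = array_map('normalise_answer', $cfg['accepted_answers']);
    if ($answer === '' || !in_array($answer, $accepted, true)) {
        $reasons[] = 'challenge_failed';
    }
    return $reasons;
}

// Constructed submissions: a human, a bot that fills every field, and a bot that skips the challenge.
$human = ['username' => 'alice', 'pf_middle_number' => ' Forty-Seven ', 'website_url' => ''];
$bot1  = ['username' => 'bot01', 'pf_middle_number' => '12', 'website_url' => 'http://spam.example'];
$bot2  = ['username' => 'bot02', 'pf_middle_number' => '', 'website_url' => ''];

foreach ([$human, $bot1, $bot2] as $submission) {
    $reasons = check_registration($submission, $antiBotConfig);
    echo $submission['username'], ': ', ($reasons ? implode(',', $reasons) : 'ok'), PHP_EOL;
}
```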