Preventing Spam in 3.0.5 and Lower [*Read First Post*]

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Ideas Centre

Preventing Spam in 3.0.5 and Lower [*Read First Post*]

Postby Phil » Wed Feb 11, 2009 4:01 am

As phpBB 3.0.6 contains many new spam prevention features, a new spam prevention topic has been created here. Please direct all discussion regarding spam prevent in phpBB 3.0.6 to that topic.

I am going to close this topic as only the latest phpBB release (at the time of this writing is phpBB 3.0.6) is supported. At this time, any spam prevention posts will be met with a suggestion to upgrade to phpBB 3.0.6.

This topic will be preserved for the sake of archiving.

Thank you.

Preventing Spam in phpBB 3.0.6

------------------------------------------

Though phpBB 3.0.5 does include various changes to the CAPTCHA that help deter spambots, it is an unfortunate fact that any fix that is included in the standard software package will quickly be broken. As a result of that, your best bet is to make your board unique (relative to the standard package). The MODs and other tweaks below will aid you with this.

FAQ
  • What is a spam bot?
    Simply put, a spam bot (with relation to phpBB) is a script that is able to register an account and/or post spam on your board.
    Image
  • Is spam a security threat?
    No. While spammers may seem like they are breaking through your defenses, they actually don't do anything that a regular users couldn't do (register, post, etc). Spam is therefore not a vulnerability and should not be considered as such.
  • How do they work?
    Spam bots do what they are programmed to do; nothing more. Not having the ability to adapt on the fly puts bots at a disadvantage when put against informed administrators such as yourself. The trick for dealing with bots is to stay one step ahead of their authors. Nearly all anti-spam MODs focus on changing the registration/posting form in order to prevent bots from being able to fill out the information properly.
  • Do bots fill in the form the same way humans do?
    No, the majority of bots submit their responses directly, without loading the form that you set up. What this means in practical terms is that changing only the HTML form will not do anything; you need to actually change how the passed information is interpreted (that means editing the .php files). If you encounter MODs that only edit HTML, they are pointless.
  • Should I ban bots by IP or email TLD (.ru, .info, etc.)?
    If your goal is to save time, this strategy will not help. IPs are often cycled and there are thousands of available proxies that can be found just by searching. By banning IPs, you will also end up banning legitimate users. As bots use a variety of TLDs for their email accounts (including .com, .org and .net), banning international ones like .ru may help slightly, but you will once again end up banning legitimate users (and won't ban nearly every bot). In short, you should focus on preventing as many bots as possible, while not causing legitimate users too much extra hassle.
  • What about human spammers?
    Fighting human spammers is more difficult than fighting bots. While bots will blindly attempt to register and post on every board possible, human spammers will want to make sure that their spam is actually being seen. The trick to fighting human spammers, therefore, is to remove any incentive they would have of targeting your board.
  • Will following this guide stop all spam?
    As I said above, human spammers are difficult to stop and some bots may be adapted to work on your site. Following this guide will, however, cause a significant decrease in the amount of spam starting from the very first day :)
Stopping Spam - Techniques and Strategies
  1. CAPTCHA - While some bots have been able to break the stock CAPTCHA, it does remain effective at stopping poorly written bots. The changes in 3.0.5 enable some additional settings that make the CAPTCHA slightly more effective. Do keep in mind, however, that these settings make the CAPTCHA more difficult to read, also impacting human users. Therefore, it is recommended that you tweak the CAPTCHA slightly and enable another form of spam protection to stop bots that are not stopped by the CAPTCHA. An effective CAPTCHA setup will have the CAPTCHA background X and Y axis lowered. Additionally, 3D-noise objects should be enabled and an alternate font should be selected.
  2. Custom Profile Fields - There is an article in the Knowledge Base detailing utilising Custom Profile Fields as a spam deterrent. This seems to be effective against most bots.
  3. Admin Activation - This is not practical on most boards, but is an excellent option on smaller, less-trafficed boards. Many spam registrations utilise Gmail addresses or .cn domains, and use a seemingly random combination of letters and numbers for their username.
  4. Post Queueing - phpBB 3.0.3 introduced a new feature which allows admins to queue posts if the users post count is lower than a defined value.
    Administration Control Panel > General > Post Settings > Enable queued posts.
    This means that your users will not see the first X number of posts by spam accounts and you can remove them and deactivate the accounts without disruption to your members, but legitimate users will be free to post once that number of posts has been approved.
  5. MODs - The best option to stop spam is to make your board somewhat unique, by using deterrents like MODs that are not implemented in a stock phpBB3 install. Below are a list of MODs that do just this. If you are a MOD Author and believe your MOD should be listed here, please PM me or another Support Team Member. Please note that many anti-spam MODs will cease functioning following the release of phpBB 3.0.6 due to changes in the CAPTCHA/registration architecture.
    • Advanced Block MOD by Martin Truckenbrodt - "Adds multiple DNS Blacklists, Adds timezone check (UTC -12 trick), adds Block log for block actions"
    • Advanced Visual Anti Bot by lsjames - "Advanced Visual Anti Bot is an effective solution for preventing spambot. It replace the default visual confirmation background with a random picture. So spambot can not check them out by OCR. The background pictures are replaceable. Advanced Visual Anti Bot does not require any database modifications or admin panel configuration."
    • Anti-Bot Question by CoC - "Add an Admin controlled anti-bot question to the registration page and ACP."
    • Anti-Spam ACP by EXreaction - "Anti-Spam ACP adds many powerful anti-spam features to your forum such as an IP Search tool, Spam Word list, control over profile fields, flagging suspicious users (for logging their actions), and an easy one click ban link from their profile which clears out their profile and posts."
    • daroPL_AntiSpam by daroPL - "MOD blocks spambot registrations on board via change name of confirm code field to unique hash. In addition, it changes size of confirm code field to random."
    • Javascript Anti Bot by SyntaxError90 - "Adds a hidden field escaped with JavaScript to prevent non-JavaScript browsers from registering. Also adds an option for legitimate users without JavaScript on to register for your forum."
    • Automatic Spammer Detection by mtotheikle - "This MOD uses Stop Forums Spam and Bot Scout to check username, email and IP for potential spammer. If anything is returned, all the founders receive a PM notify them about the user. Has ACP settings to disable/enable mod and set what sites to check." *This MOD has NOT been validated by the MOD Team*
    • Prime Anti-bot by primehalo - "Implements a text-based human validation system in order to verify that a form submitter is human and not a SPAM robot. It will remember a successful validation so the user won't have to re-validate each time. The validation phrases/questions and responses are fully customizable; you can put as many or as few as you want (one is picked from the list at random each time it's needed). Can be configured to validate on new registrations and guest postings." *This MOD has NOT been validated by the MOD Team*

These steps, used individually or together, should work to slow or stop your spam problem. Please seek support for the MODs listed above in their respective topic, and utilize this topic only to discuss techniques.

Changelog
1234323325 - iWisdom - original version
1234408584 - iWisdom - add AntiSpamBot by Timezone to MODs
1234517666 - Kevin Clark - add 3DCaptcha Olympus to MODs
1234865852 - Kevin Clark - add daroPL_AntiSpam to MODs
1236071812 - Kevin Clark - add post queueing info
1238031183 - iWisdom - remove abandoned MODs
1239761265 - iWisdom - add Advanced Visual Anti Bot to MODs
1242837505 - stevemaury - daroPL AntiSpam now validated
1243094851 - stevemaury - corrected "Exreacion"
1243799509 - iWisdom - add note on CAPTCHA due to 3.0.5 update
1243801592 - iWisdom - add JScript Anti Bot to MODs
1246215400 - iWisdom - move Javascript Anti Bot to validated
1248315477 - iWisdom - add note with regards to CAPTCHA architecture and 3.0.6 breaking existing MODs
1249185906 - iWisdom - move Antispam ACP to validated
1252280498 - iWisdom - add Advanced Block MOD to MODs
1258587752 - iWisdom - retired
Last edited by stevemaury on Wed May 20, 2009 3:39 pm, edited 1 time in total.
Moving on, with the wind. | My Corner of the Web
User avatar
Phil
Former Team Member
 
Posts: 10402
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby hewmac06 » Wed Feb 11, 2009 5:41 am

Thanks Wisdom,

A timely post. The Custom Profile Fields worked brilliantly for me - stopped them dead. 8-)
User avatar
hewmac06
Former Team Member
 
Posts: 751
Joined: Sat Apr 08, 2006 12:04 pm
Location: Bellarine Peninsula, Australia
Name: Hugh

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby modderguy » Wed Feb 11, 2009 3:33 pm

Thanks a lot mate. My forum has been "attacked" by spambots too,
starting this month immediately with like 10-50 new users per day...
modderguy
Registered User
 
Posts: 2
Joined: Wed Feb 11, 2009 3:14 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby howard_hopkinso » Wed Feb 11, 2009 6:33 pm

The recent spate of spam registrations was caused by the built in captcha having been cracked. having only ever had 3 spam registrations in over 12 months, I suddenly found I was getting 6 or more per day.

I installed a new captcha and have had no further spam registrations since. I even temporarily disabled my htaccess file to test the new captcha's effectiveness and saw lots of known bots, some of which had previously registered trying to register again, with no success.

Photo Visual Captcha
howard_hopkinso
Registered User
 
Posts: 35
Joined: Mon Feb 18, 2008 3:03 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby z2z » Wed Feb 11, 2009 6:42 pm

iWisdom wrote:Custom Profile Fields - There is an article in the Knowledge Base detailing utilising Custom Profile Fields as a spam deterrent. This seems to be effective against most bots.


In First method (drop down) is its possible have multiple acceptable or incorrect answer?

Like Last football world cup was won by : ...country list...
z2z
Registered User
 
Posts: 63
Joined: Sat Nov 25, 2006 9:35 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby Double R » Wed Feb 11, 2009 6:57 pm

I have stopped the bots registering via a simple 'custom field' question.

Is there a way to add a custom field question to the post page?
I need to add a question before people can post as I allow guest posts in certain forums.
Double R
Registered User
 
Posts: 30
Joined: Tue Feb 13, 2007 7:58 am
Location: London

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby tffnguy » Wed Feb 11, 2009 7:35 pm

z2z wrote:In First method (drop down) is its possible have multiple acceptable or incorrect answer?

Like Last football world cup was won by : ...country list...

It appears that there are no custom profile fields that you can have more than one wrong answer. You can have multiple answers, but only one will cause an error (which can stop the bots dead in their track) You about have to set some up and check the accounts to see what the bots do and which options they always use and then make sure the wrong answer is the one they always pick. (The text and drop down work for me) If they get updated to handle that then just keep watching and change which answer is the wrong one. If the phpBB3 team would add a couple more custom Fields where you could have more than one right or wrong answer it would probably be impossible for the bots to crack it. Hint Hint Hint! :twisted:
Some people question my sanity because of the way I run my site. I question my sanity because I do run it.
-David T. Smith-

The Ford Falcon News
Living Off Grid in Terlingua Texas
tffnguy
Registered User
 
Posts: 449
Joined: Mon Aug 18, 2003 10:55 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby Red Prince » Wed Feb 11, 2009 7:38 pm

I wonder how a 3D captcha (such as seen here) would stop the bots in their tracks. Generally, OCR technology works on scanning 2D text, even fuzzy and distorted (as faxes and photocopies often are) but not on scanning 3D text.
User avatar
Red Prince
Registered User
 
Posts: 66
Joined: Tue Feb 24, 2004 9:04 pm
Location: Red Prince Castle

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby z2z » Wed Feb 11, 2009 8:12 pm

tffnguy wrote:It appears that there are no custom profile fields that you can have more than one wrong answer. You can have multiple answers, but only one will cause an error (which can stop the bots dead in their track) You about have to set some up and check the accounts to see what the bots do and which options they always use and then make sure the wrong answer is the one they always pick. (The text and drop down work for me) If they get updated to handle that then just keep watching and change which answer is the wrong one. If the phpBB3 team would add a couple more custom Fields where you could have more than one right or wrong answer it would probably be impossible for the bots to crack it. Hint Hint Hint! :twisted:

may be in 3.0.5! ;) :lol:

This method actually has reduce human spammer registration too ..i have very specific questions + i keep changing them antispm_a antispam_b so on ..simply activate/deactivate ;)
z2z
Registered User
 
Posts: 63
Joined: Sat Nov 25, 2006 9:35 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby James N » Wed Feb 11, 2009 8:28 pm

custom profile fields>select 'numbers' call the field 'antispam' >create new field>

Display profile field yes

Display on registration screen yes

Required field yes

Field description 'what is 20x30' (or whatever your question is)>profile type specific options>

set the lowest and the highest number to the answer to your question>save
James N
Registered User
 
Posts: 1737
Joined: Sat May 20, 2006 12:57 pm

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby kevb8ll » Wed Feb 11, 2009 9:24 pm

By a combination of using the custom fields and excluding Baker Island time on sign up - I've stopped them dead. Looking forward to a fix with 3.0.5 though.
kevb8ll
Registered User
 
Posts: 196
Joined: Mon Jan 30, 2006 10:08 am

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby Swanny » Thu Feb 12, 2009 2:27 am

I too have the major spambot problem (multiple phpBB3 installs). I found the custom field at signup has helped tremendously. In fact I've thought of removing the CAPTCHA since they can crack it anyway...

Just a thought. Are you guys able to integrate Akismet somehow to detect spammers? My wordpress blog uses Akismet to identify spam comments and it's VERY effective. If you could tie the akismet in there to the main registration page it would be fantastic! http://akismet.com/
Swanny
Registered User
 
Posts: 121
Joined: Sun Apr 14, 2002 2:11 am
Location: Canada

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby 3Di » Thu Feb 12, 2009 5:23 pm

Red Prince wrote:I wonder how a 3D captcha (such as seen here) would stop the bots in their tracks. Generally, OCR technology works on scanning 2D text, even fuzzy and distorted (as faxes and photocopies often are) but not on scanning 3D text.

I'm actually working on port this 3D captcha to phpbb3 in my 'localhost'. Hopefully I'll be able to put up a package very soon to post for downloads.

I'm going there in the MODs in development forum in order to open a DEV Topic you could subscribe.

Regards.
User avatar
3Di
Registered User
 
Posts: 8557
Joined: Mon Apr 04, 2005 11:09 pm
Location: Italia - Germany
Name: Marco

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby Dogs and things » Thu Feb 12, 2009 7:27 pm

Some time ago we detected an increased number of spambot registrations on a phpBB3 board I administer.

What I did was add a custom profile field to the registration form and de-activate the captcha.
This custom profile field just asks for a word to be introduced. The word that is required appears next to the field where it needs to be entered.

Since then spam registrations dropped to almost zero instantly. :P

The very occasional spammer that registers must be human, meaning that they would have passed through with the captcha just as well.
For phpBB2 support visit phpBB2refugees.
User avatar
Dogs and things
Registered User
 
Posts: 2108
Joined: Fri Sep 01, 2006 9:04 am
Location: Spain

Re: Preventing Spam in 3.0 [*Read First Post*]

Postby tucsondrivers » Fri Feb 13, 2009 12:09 am

In another Preventing Spam thread (which I can't seem to find...it was very lengthy) there was talk of a feature in 3.0.4 that set it so that new members had to get their first X posts approved by a moderator prior to their display on the forum.

I can't seem to find this function :?

Can someone point it out to me in the ACP--should it even exist? :mrgreen: thank you!
http://tucsondrivers.com -- Hyundai Tucson Forum & Community
tucsondrivers
Registered User
 
Posts: 161
Joined: Sat Mar 10, 2007 7:57 pm
Location: toronto, ontario

Next

Return to 3.0.x Support Forum

Who is online

Users browsing this forum: Bing [Bot], gwax23, MSNbot Media, saidbakr, Vikestart and 45 guests