[Discuss] Preventing Spam in phpBB3

[Martin Truckenbrodt]

Hello Steve,
I will look for a island there and I will buy it.

Bye Martin

[Phil]

Martin,

I think you are misunderstanding the intention of the spam prevention sticky. It is not meant to be a be-all-end-all whitepaper on the subject (though I do intend to write something of the sort at some point in the future, this is not the time nor the place); instead, it is meant to be a general overview of common techniques and their effectiveness and offer some simple to implement suggestions for forum owners.

DNSBL check - still the only solution this is catching spambots and human spammers very successfully

My own testing (as well as some testing on phpBB.com) indicated that DNSBL-type solutions (notably, SFS) are not particularly effective in preventing this generation of spam. Please feel free to contact me if you've any empirical data that says otherwise.

• some general words about user registration and user activation
• User Activation - to get the spammers which are not using real email addresses
• Double Activation - to bring the benefits of User Activation and Admin Activation together

Again, you will note that the spam prevention sticky is not an all-inclusive guide--it is not meant to be. That being said, admin activation is noted within the article as being tedious and ineffective compared to other solutions--this is entirely true. User activation is, admittedly, omitted. I will rectify that in a future version.

some words about guest posting

Again, the intent of the sticky is to provide information on spam prevention. Other than "Do not turn it on," I don't see what there is to say.

some words about pruning a spammed user database.

While useful, that is very much outside the scope of a spam prevention sticky.

the StopForumSpam and ATLBL using MODs

This is addressed above.

Although the UTC-12 check could be done in a better way. Maybe there are some very rare people living in the UTC-12 timezone. Sorry, but for me it's quite funny that the phpBB community is remembering to this feature just then most of the Visual CAPTCHAs have been broken last time.

It's not silly--simply put, at this point in time, it works. It won't permanently, of course, but it works now. What more can one ask for from a solution?

I'm waiting for spammers which are using Q&A databases to hack or to crack the Q&A CAPTCHAs.

At which time, new spam prevention strategies will be formulated, and the post will be updated

Sorry, but for me it has a bad taste

As I indicated, it seems to me that any "bad taste" is entirely the result of a misunderstanding with regard to the entire objective of the article. Simply, it is a quick overview of spam prevention methods; nothing more, nothing less. It is not meant to be a fully exhaustive list--to be frank, I'm not sure anyone would want to spend the time reading such a list if they were simply searching for a solution to a rather annoying problem That being said, while I do intend to compile such an exhaustive document in the future, I believe that the spam prevention sticky, in its current iteration, does its job quite well--and quite tastefully.

[justaquickie]

Hi,

Ive just activated the Q&A part. However, when I got to register, the part where I assume the question should be (at the bottom of the registration form) isnt there. Instead I have this:


Confirmation of registration

To prevent automated registrations the board requires you to enter a confirmation code. The code is displayed in the image you should see below. If you are visually impaired or cannot otherwise read this code please contact the %sBoard Administrator%s.

Confirmation code: (the drop down box shows here)
Enter the code exactly as it appears. All letters are case insensitive.

Can anyone help? As a side note, it doesnt show the code image either. I have just upgraded my forum, so could it be something to do wth that?

[Pony99CA]

As a side note, it doesnt show the code image either. I have just upgraded my forum, so could it be something to do wth that?

What version of phpBB did you upgrade from? If you're using a non-default style, are you sure that your style is compatible with the new CAPTCHAs? Switch to ProSilver and check.

Steve

[justaquickie]

Thanks Steve, however I am on ProSilver. Its not the captcha I want, that was just for information. I would like the Q&A to appear.

Thanks
Mark

[jsebean]

DNSBL isn't really a practical method of preventing spam in my opinion. It maybe can be improved upon but i would avoid it as much as possible, simply for the reason of false positives. I don't like the idea of IP bans/block since a lot of spammers are smart enough to use proxies or have dynamic IP addresses. Dynamic IP banning is annoying because, I remember one time an admin of a board came crying that they had members angry with them that said they were banned, and the admin and mods of that board didn't ban them. They thought it was a "bug" in the host they were using. I had a good idea what was going on, and I was right, they had a large number of (dynamic) IP addresses banned. The community was aimed for people who live in a rural area, so a vast majority of them were on the same nation wide Satellite internet provider (obviously dynamic IPs). So by having over 100 dynamic IPs banned, it didn't help any. It becomes extremely annoying, so I never ban IPs and, for the same reason I really do not want to use DNSBL, which is a list of IPs that are "black listed" and will block registration.

The best method I use to block spam is Q&A captcha, it is what I use now and works excellent if you can choose a good set of questions. I have one of Martin's mods installed (can't remember its exact name) and it does DNSBL and Timezone blocking. While I don't use DNSBL, the timezone blocking method works great.

As long as someone doesn't come and write down my question set and program the answers in their bot, I think I'll be fine. I am happy to say my phpBB install is 100% spam bot free (knock on wood!), though it took a lot of experimenting to get it like that, I used to get a fair amount of spam bots a day.

So advice to everyone from experience, look into the Q&A captcha. If you can come up with a good set of questions, easy for humans but bots don't know, then you're in the clear of spammers

[pennycsf]

The best method I use to block spam is Q&A captcha, it is what I use now and works excellent if you can choose a good set of questions.
So advice to everyone from experience, look into the Q&A captcha. If you can come up with a good set of questions, easy for humans but bots don't know, then you're in the clear of spammers

I agree that the Q&A Captcha is the best to beat spambots, but to beat humans (as far as possible) I also require a valid e-mail address (for User Activation) and check this against the StopForumSpam database automatically within the Registration process.

Since doing this I have eliminated spam, albeit on a relatively small forum (though one that was sometimes hit up to 50 times per day).

Since I send myself an e-mail for each failed SFS check I know that it is the Q&A which is doing most to stop spam, but just occasionally a human tries to register and is blocked because their e-mail is known to SFS.

Frank

[jsebean]

Human spam is almost another topic aside from spam bots. I have had a small amount of it, including a few trolls have followed me home, but usually a ban and delete takes care of it, they'll get tired of you. A good set of moderators is always needed in a fairly active board.

I have not tried to make any attempt to prevent human spam. I guess it wouldn't hurt to check stop forum spam website for email addresses in their database, I don't think i would query usernames since, again, you may have false positives. An IP that has got reported a lot and was recent it probably wouldnt hurt to "keep an eye" on that user.

[Martin Truckenbrodt]

Hello jsbean and pennycsf,
you can use DNS blacklists without any false positives. Or in other words: You can reduce the risc of false postives to Zero, Zero means 0,0%. It's only related to the way how you are using the blacklists. The phpBB3 default dnsbl check is done too much simple. So you have to use a MOD to improve it. Just try it. Then you can give a feedback for the MOD. And then you can give a feedback for the use of DNS blacklists for the prevention of spambots and human spammers.
BTW: IMO it makes no sense to use blacklists/databases like SFS to check for email addresses or usernames. I'm quite sure that this causes a lot of false positives. Just check for ip addresses and you will be happy. The combination of ip address, email address and username will show you always the same spammer. So you can look just for the ip address, too. (At the WWW) IP addresses can not been faked like email addresses and usernames can been faked.

I'm not telling you fairytales. I have my own experience taken over two years now and (e.g.) the feedback of other people that shows me that I'm right. It's a good feature. Just try it.

Bye Martin

[pennycsf]

Hello Martin

No thanks, I am perfectly happy with the Q&A, User Verification and an automatic check against StopForum Spam, so I certainly won't be adding any MOD.

By the way, you say that e-mail addresses can be faked. Certainly that can be done, but since User Verification relies upon the registering person receiving an e-mail (therefore, of course, entering a valid e-mail address) to validate the account I would like to know how this is of any use to a spammer!

I see you often promoting your MOD, and it may well be that it works - but there is always more than one way to skin a cat!

Frank

[Martin Truckenbrodt]

... but there is always more than one way to skin a cat!

Hello Frank,
I have absolutely the same opinion!

I don't mean especially you:
But I'm not one of the people whom are telling the community that this feature is a bad one or this MOD is a bad one, without having any own experience with it. These posts are written by other people!
I'm just promoting a feature. My (my? ) problem is, that I'm the MOD author, too.

As you can see it on my "alternative anti-spam whitepaper" I prefer the combination of DNSBL and UTC-12 blocking (ABM), User activation (phpBB3 default) or better Double Activataion (ADAP), User Verify ACP Page (ADAP) and Auto user pruning (ADAP) as the most administrator friendly and user friendly solution. Some people are thinking that Admin Activation or Double Activation is not user friendly. Okay, on the frist look I can understand this point. But IMO CAPTCHAs are decreasing the user friendlyness, too. Although I think that it's much more important to keep the board free of spam. Ithink if a new user don't want to wait for the account activation then the user is not really interested in the board or the board is not good enough (in the meaning of quality of information and/or communication).

Bye Martin

[matt74]

Are the answers to the Q&A case sensitive? So is 6gT5W different to 6gt5w?

If I put quotes around the bit that I want a user to type in the box, does that highlight to the bots what should be typed in?

Does using symbols like £ % etc make it more difficult for bots?

[Leandre]

Hi rubyandi,
When you say it won't let you, what is/isn't happening?

It should just be a case of ACP>>General Tab>>click Spambot Countermeasures (under Board Configuration)>>select Q&A from the dropdown box of Available Plugins>>then click the configure button to set the questions up.

I have gotten to this point, but Q&A is grayed out. How do I got about activating it? I would love a step-by-step response like the one above; it was very helpful.

Many thanks!

[matt74]

Hi Leandre,
Select Q&A anyway even though it's greyed out a Configure button should appear underneath it.

Click that and you then get the page where you enter the Questions and Answers that you want to use.

Once you've saved at least 1 question to it, next time you go back to the drop down list, Q&A shouldn't be greyed out anymore.

It's only greyed out because it's not ready for use yet because it hasn't been given any questions to ask.

[iaind]

I have added two questions with answers and it is still greyed out. Does anyone know the problem?