[Discuss] Preventing Spam in phpBB3

END OF SUPPORT: 1 January 2017 (announcement)
matt74
Registered User
Posts: 59
Joined: Wed Feb 23, 2011 10:31 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by matt74 »

Does the version of the style you're using match the version of the board?
stevemaury
Support Team Member
Posts: 52802
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: [Discuss] Preventing Spam in phpBB3

Post by stevemaury »

matt74 wrote: Are the answers to the Q&A case sensitive? So is 6gT5W different to 6gt5w?

If I put quotes around the bit that I want a user to type in the box, does that highlight to the bots what should be typed in?

Does using symbols like £ % etc make it more difficult for bots?
1. You can configure that

2. No

3. No
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
matt74
Registered User
Posts: 59
Joined: Wed Feb 23, 2011 10:31 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by matt74 »

Thanks Steve
Albert Wiersch
Registered User
Posts: 163
Joined: Sat Dec 11, 2004 6:00 pm
Location: Lantana, TX
Name: Albert Wiersch

Re: [Discuss] Preventing Spam in phpBB3

Post by Albert Wiersch »

It appears as though doing the UTC-12 countermeasure results in the forum saying to the user (when the top-listed UTC-12 timezone is selected) that an email has been sent for account activation, but instead it 'silently' fails to register the user and no email is actually sent. Is that what is supposed to happen? In the description it says an error message is shown, but it doesn't seem to show any for me when I was testing it by trying to register with the UTC-12 timezone.
Albert Wiersch
https://htmlval.com/
Voltrix
Registered User
Posts: 21
Joined: Wed Mar 09, 2011 1:58 am
Location: The Hive

Re: [Discuss] Preventing Spam in phpBB3

Post by Voltrix »

What's everyone's experience with "reCaptcha"? Can bots get past that?
pennycsf
Registered User
Posts: 174
Joined: Mon Feb 01, 2010 6:29 pm
Location: Pyrenees-Orientales, South of France
Name: Frank Parkinson

Effectiveness of Q&A Captcha

Post by pennycsf »

I have recently been using Q&A, with User Authentication and an automatic check with the StopForumSpam database as part of the registration process.

I know if anyone gets past Q&A, because I send an e-mail on each check of SFS; but I didn't know how effective the Q&A was, so I modified the ucp_register.php file to send myself an email on every attempt to register. These e-mails, minus the ones sent on SFS checks therefore represent, almost certainly, spambots who fail the Q&A or don't fill in the normally required registration fields correctly.

I was surprised at the results, especially as my board is small (though the bots won't know or care about that).

In a 16 hour period there were 296 attempts to register that did not get past the registration page - not one of these got as far as the StopForumSpam check. I will keep the SFS check to try to stop human spammers, but to me, the results show conclusively that all you need to stop spambots in phpBB is a good set of Q&A.
It's a poor day when you don't learn something!
pennycsf
Registered User
Posts: 174
Joined: Mon Feb 01, 2010 6:29 pm
Location: Pyrenees-Orientales, South of France
Name: Frank Parkinson

Re: [Discuss] Preventing Spam in phpBB3

Post by pennycsf »

Voltrix wrote: What's everyone's experience with "reCaptcha"? Can bots get past that?
Yes - easily!!

Use Q&A
It's a poor day when you don't learn something!
Tonttu
Registered User
Posts: 17
Joined: Sat Aug 08, 2009 7:34 am

Re: [Discuss] Preventing Spam in phpBB3

Post by Tonttu »

A little data from the Stop Forum Spam discussion forum for anyone curious about the efficiency of SFS:

Image
SFS admin wrote: This is submissions from ONE honeypot. For a period of 6-7 weeks, I installed an IP only check against the SFS api.... See if you can guess where that time window was? There was no reCaptcha or anything other than a normal captcha and email validation, which is what most boards seem to have.
rtfmoz
Registered User
Posts: 4
Joined: Wed Jul 01, 2009 2:30 am

Re: [Discuss] Preventing Spam in phpBB3

Post by rtfmoz »

I am getting posts on my forum from unknown usernames. I have Q&A questions in the registration profile with Admin membership approval but they are still getting in somehow. The username they are using does not appear in the user list at all. Is this a vulnerability perhaps in 3.0.2?

This post is coming up with a date in 2009? Timewarp?
heenan73
Registered User
Posts: 6
Joined: Wed Mar 09, 2011 2:35 pm
Location: Canterbury, UK
Name: Andrew Heenan

Re: [Discuss] Preventing Spam in phpBB3

Post by heenan73 »

Q&A systems can only work if the questions are unique and frequently changed; at least one spamming software has a system that allows human captcha decoders to submit their successful answers, enabling the system to maintain a live database of current answers.

It seems that spammers can learn from SFS, even if some forum members here are yet to be convinced ;)
Albert Wiersch
Registered User
Posts: 163
Joined: Sat Dec 11, 2004 6:00 pm
Location: Lantana, TX
Name: Albert Wiersch

Re: [Discuss] Preventing Spam in phpBB3

Post by Albert Wiersch »

rtfmoz wrote: I am getting posts on my forum from unknown usernames. I have Q&A questions in the registration profile with Admin membership approval but they are still getting in somehow. The username they are using does not appear in the user list at all. Is this a vulnerability perhaps in 3.0.2?

This post is coming up with a date in 2009? Timewarp?
Sounds like you really need to update phpBB. Though I don't know the details, I strongly suspect that 3.0.2 has security vulnerabilities.

And the 2009 date you are looking at is probably your join date, not the post date.
Albert Wiersch
https://htmlval.com/
Martin Truckenbrodt
Registered User
Posts: 3045
Joined: Sun Mar 23, 2003 6:22 pm
Location: Franconia
Name: Martin Truckenbrodt

Re: [Discuss] Preventing Spam in phpBB3

Post by Martin Truckenbrodt »

Hello heenan73,
Spammers cannot learn from SFS. Blacklists or databases like SFS cannot be hacked or cracked. Spammers have learned to crack the Visual CAPTCHAs and they have learned to crack the default Q&A CAPTCHAs.

BTW: The ATLBL blacklist is much more effective and doesn't produce false positives in my experience. With SFS I've got some rare false positives.
Although it makes no sense to use these blacklists or databases to check usernames or email addresses. Just use them only to check the IP addresses. IP addresses are unique (in the WWW) and cannot be faked like usernames or email addresses can be faked.

You can use DNS blacklists like access.atlbl.net (ATLBL) or opm.tornevall.org (SFS) to block spammers. It's very effective and founders and user administrators will have a lazy job. And if you are using it in a better way than it is realized with phpBB3 by default then you will not have any false positives.

Bye Martin
Free tutorial: Installing MODs in phpBB 3.0
Advanced Block MOD - Prevent spam on your phpBB 3.0 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists!
My MODs
Use the official phpBB Ideas to vote missing core features!!!
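The DNS blacklist lookup described in the post above, as an added example that is not part of the original post and is not phpBB or MOD code. The zone names are the two named in the post; the function names, the injectable resolver and the sample table are assumptions made for illustration, and the rule that only answers in 127.0.0.0/8 count as a listing follows RFC 5782.

```php
<?php
// Added example (hypothetical helper names). Checks IPv4 addresses only.

// Build the DNSBL query name: octets reversed, zone appended.
// Returns null for anything that is not a plain IPv4 address.
function dnsbl_query_name(string $ip, string $zone): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return implode('.', array_reverse(explode('.', $ip))) . '.' . $zone;
}

// Interpret the A records returned for a DNSBL query.
// Only answers inside 127.0.0.0/8 mean "listed"; any other address
// (wildcard DNS, a parked or expired zone) is ignored. Treating every
// successful resolution as a hit is a common source of false positives.
function dnsbl_is_listed($answers): bool
{
    if (!is_array($answers)) {
        return false; // NXDOMAIN or lookup failure: not listed (fail open)
    }
    foreach ($answers as $addr) {
        if (strpos($addr, '127.') === 0) {
            return true;
        }
    }
    return false;
}

// Return the zones that list $ip. $resolver defaults to gethostbynamel(),
// which returns an array of IPv4 strings or false.
function dnsbl_check(string $ip, array $zones, ?callable $resolver = null): array
{
    $resolver = $resolver ?? 'gethostbynamel';
    $hits = [];
    foreach ($zones as $zone) {
        $name = dnsbl_query_name($ip, $zone);
        if ($name !== null && dnsbl_is_listed($resolver($name))) {
            $hits[] = $zone;
        }
    }
    return $hits;
}

// Constructed sample data: a fake resolver so the demo runs offline.
$fake = function (string $name) {
    $table = [
        '2.0.0.127.access.atlbl.net'     => ['127.0.0.2'],    // listed
        '10.113.0.203.opm.tornevall.org' => ['198.51.100.7'], // non-127 answer
    ];
    return $table[$name] ?? false;
};
$zones = ['access.atlbl.net', 'opm.tornevall.org'];
var_dump(dnsbl_check('127.0.0.2', $zones, $fake));    // one hit: access.atlbl.net
var_dump(dnsbl_check('203.0.113.10', $zones, $fake)); // no hits
```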
heenan73
Registered User
Posts: 6
Joined: Wed Mar 09, 2011 2:35 pm
Location: Canterbury, UK
Name: Andrew Heenan

Re: [Discuss] Preventing Spam in phpBB3

Post by heenan73 »

Martin Truckenbrodt wrote: Spammers cannot learn from SFS. Blacklists or databases like SFS cannot be hacked or cracked. Spammers have learned to crack the Visual CAPTCHAs and they have learned to crack the default Q&A CAPTCHAs.
Sorry, I didn't make myself clear; I do not believe SFS has been breached, and didn't intend to give that impression; my (poor) joke was only intended to imply that spammers have learned the value of databases, in that, like SFS, they have compiled a live database of info useful to their members.

No anti-spam database is perfect; false positives can arise from over-enthusiastic members, spammer infiltration to devalue the DB, as well as structural issues.

For me, the real weakness is an over-reliance on IP address, which is very much a moving feast and will become more so.

However, even with that weakness, the statistical likelihood of barring potential 'good members' by banning a spammer IP is infinitesimally small, given the number of IP addresses, the number of web users, and the niche nature of most forums. But I'm sure it has happened now and then.

As posts above have shown (as well as my albeit limited personal experience), SFS can be a major tool if used correctly and intelligently, and I'd urge members to support the option of SFS in any future builds of phpBB - as well as making it much easier for the technically challenged (like me) to install and update all antispam tools.
xenofears
Registered User
Posts: 73
Joined: Tue Mar 08, 2011 2:17 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by xenofears »

Keycaptcha put a total end to spambots on my site, I strongly recommend it if you don't feel like making up good Q&A questions (it requires a MOD that doesn't include any file changes IIRC.) Recaptcha (as it stands) is totally cracked, I tried it and it was no better than the GD ones included, which were also useless.

Of course, Q&A also appears to be extremely successful. I never used it because I couldn't think of any decent questions :D
pennycsf
Registered User
Posts: 174
Joined: Mon Feb 01, 2010 6:29 pm
Location: Pyrenees-Orientales, South of France
Name: Frank Parkinson

Re: [Discuss] Preventing Spam in phpBB3

Post by pennycsf »

Martin Truckenbrodt wrote:
IP addresses are unique (in the WWW) and cannot be faked like usernames or email addresses can be faked.
Hello Martin

Once again you claim e-mail addresses can be faked!

Once again I say that if you use standard User Authentication in phpBB then anyone using a fake e-mail address will not get the e-mail they need to validate their registration! Hence the e-mail used must be valid, and a check on e-mail address against StopForumSpam or other blacklist database is the best check possible.

QED

Frank
It's a poor day when you don't learn something!
