[Discuss] Preventing Spam in phpBB3

[heenan73]

if you use standard User Authentification in phpBB than anyone using a fake e-mail address will not get the e-mail thay need to validate their registration! Hence the e-mail used must be valid, and a check on e-mail address against StopForumSpam or other blacklist database is the best check possible.

That's absolutely right - and email addresses are unique, whereas an IP may include innocents (false positives), or miss the spammer, who uses a different one each time (false negatives).

In practice, false negatives are a more serious issue - banning an IP when the spammer uses 300 different ones is little help, while banning 'innocent' potential members is a theoretical risk, and unlikely to occur much more often than the lottery Big Win.

And as virtually every forum uses email validation (and EVERY decent forum), then clearly email is a more reliable way of identifying and dealing with spammers.

But (flogging my dead horse), all will fail if the spam defences are too complex (or simply too daunting) for the average forum owner.

[Voltrix]

In the Q&A, what are some really clever questions and answers have you guys found that work?

[xenofears]

if you use standard User Authentification in phpBB than anyone using a fake e-mail address will not get the e-mail thay need to validate their registration! Hence the e-mail used must be valid, and a check on e-mail address against StopForumSpam or other blacklist database is the best check possible.

That's absolutely right - and email addresses are unique, whereas an IP may include innocents (false positives), or miss the spammer, who uses a different one each time (false negatives).

In practice, false negatives are a more serious issue - banning an IP when the spammer uses 300 different ones is little help, while banning 'innocent' potential members is a theoretical risk, and unlikely to occur much more often than the lottery Big Win.

And as virtually every forum uses email validation (and EVERY decent forum), then clearly email is a more reliable way of identifying and dealing with spammers.

But (flogging my dead horse), all will fail if the spam defences are too complex (or simply too daunting) for the average forum owner.

Email validation did absolutely nothing to stop spambots. They are constantly making email accounts. A check against spam registries might be of much more value, but I doubt the best check possible.

[pennycsf]

Email validation did absolutely nothing to stop spambots. They are constantly making email accounts. A check against spam registries might be of much more value, but I doubt the best check possible.

You must use something as well as User Authentication!

Q&A works wonderfully well, but requires good questions.

[heenan73]

Email validation did absolutely nothing to stop spambots. They are constantly making email accounts. A check against spam registries might be of much more value, but I doubt the best check possible.

I don't thing anyone is suggesting that email validation does anything to stop spambots, simply that email validation gives you a genuine, unique identifier that can be reliably compared to registries.

[xenofears]

Like I said.. I'm swearing by it right now: KeyCAPTCHA. Not a SINGLE spambot since (granted, it's not a big site, but plenty came out of the woodwork when the site switched to phpBB3 from ancient Snitz, several a day.) It prevents (for now at least!) farming anything out to real people in sweat shops as well, the biggest flaw in Q&A (as is using questions that have the answer as a word in the question, and solutions getting added to a database on big/high-profile sites.) I'm sure it will be cracked eventually, like all CAPTCHA's inevitably are, but for now it seems a very tough nut to crack.

[pennycsf]

Like I said.. I'm swearing by it right now: KeyCAPTCHA...

I'm sure it will be cracked eventually, like all CAPTCHA's inevitably are, but for now it seems a very tough nut to crack.

I agree, KEYCaptcha is a very tough nut to crack - too hard, I think, and that is a problem in itself!

It may be a problem with my screen size or clarity, but I failed to get it right one time in three attempts.

I don't think it would be useful for my (not particularly computer literate) target audience.

For this type of visual Captcha I thought PeopleSign looked best and easiest for most people, though I still prefer Q&A.

[Erik Frèrejean]

Like I said.. I'm swearing by it right now: KeyCAPTCHA...

I'm sure it will be cracked eventually, like all CAPTCHA's inevitably are, but for now it seems a very tough nut to crack.

I agree, KEYCaptcha is a very tough nut to crack - too hard, I think, and that is a problem in itself!

I personally wouldn't bother a second to register on a site that runs that captcha. IMHO thats even less user friendly than the phpBB GD captcha.

[Martin Truckenbrodt]

Hello Frank aka pennycsf,
a lot of spambots are activating their accounts automatically if you have set Account Activation to User! These spammers are using real email addresses!
So you have to use Admin Activation. But then real email addresses or not needed to register.
Okay, you can use Double Activation to bring these two technics together in one good solution.

Another point are guest postings. (BTW: I don't like them!). Here not any email address is needed.

@Erik Frèrejean: There are solutions where not any new user has to fill out any CAPTCHA.

Bye Martin

[Erik Frèrejean]

@Erik Frèrejean: There are solutions where not any new user has to fill out any CAPTCHA.

I know, I've developed a couple myself . Although the methods I'm using are pretty easy to beat but they work as they are unique to some sites (hence they aren't released as MODs).

[heenan73]

I personally wouldn't bother a second to register on a site that runs that captcha. IMHO thats even less user friendly than the phpBB GD captcha.

I don't see the problem, and I've been able to download it and install it and configure it successfully since reading the last post (about ten minutes), which is about a tenth of the time I've taken in failing to install various other plugins.

I think it's quite elegant, and I really don't see what's difficult about it (age 59, less than 20:20 vision - quite a lot less).

In fact, my only worry is that it's based in Eastern Europe ... but I guess they know a fair bit about spam!

I've installed it on one of two phpbb boards I control ... we'll see.

[xenofears]

I personally wouldn't bother a second to register on a site that runs that captcha. IMHO thats even less user friendly than the phpBB GD captcha.

I don't see the problem, and I've been able to download it and install it and configure it successfully since reading the last post (about ten minutes), which is about a tenth of the time I've taken in failing to install various other plugins.

I think it's quite elegant, and I really don't see what's difficult about it (age 59, less than 20:20 vision - quite a lot less).

In fact, my only worry is that it's based in Eastern Europe ... but I guess they know a fair bit about spam!

I've installed it on one of two phpbb boards I control ... we'll see.

I'd be interested to know if anyone has had a rise in complaints about the keyCAPTCHA switching from other ones. I really don't see how it is not user friendly. Then again, some users can't figure out how to post. It's a CAPTCHA, they are usually a pain in the ass, but IMHO I don't see it being any less user friendly or more difficult than anything else out there. But it's not my opinion that matters.

[Pony99CA]

if you use standard User Authentification in phpBB than anyone using a fake e-mail address will not get the e-mail thay need to validate their registration! Hence the e-mail used must be valid, and a check on e-mail address against StopForumSpam or other blacklist database is the best check possible.

That's absolutely right - and email addresses are unique, whereas an IP may include innocents (false positives), or miss the spammer, who uses a different one each time (false negatives).

Actually, E-mail addresses are serially unique. They can be reused. I work at a company where E-mail addresses are basically first_name.last_name and got the E-mail address of somebody else with the same name who left the company.

Also, spammers could use your E-mail address when registering at a board. No, they wouldn't be able to post spam, but, depending on how Stop Forum Spam harvests "spam" E-mails, it might get your E-mail address listed as a spammer even though you aren't one.

If spammers poison the well enough, getting enough non-spammer addresses in there, people might stop using Stop Forum Spam's E-mail address feature.

Think of it like domain names. A domain name is unique until you stop paying for it, at which point some spammer/squatter buys it and puts up a "What you want, when you want it" site.

In practice, false negatives are a more serious issue - banning an IP when the spammer uses 300 different ones is little help, while banning 'innocent' potential members is a theoretical risk, and unlikely to occur much more often than the lottery Big Win.

I think that you're using "false negatives" backwards. Most of us seem to use "false positive" to mean a person who is falsely identified as a spammer.

I agree that's worse than accidentally letting a spammer in, but the previous section illustrates how E-mail addresses aren't necessarily any more reliable than IP addresses.

Steve

[peoplesignDave]

There are some fine CAPTCHA mods for phpBB3, but you can probably guess I'm a little biased towards Peoplesign . Peoplesign is a variable difficulty object recognition CAPTCHA: insta-demo at peoplesign.com. In short, you simply click a picture(s) instead of typing in characters.

Peoplesign has been in the works for over 3 years and our bb3 mod is nearly a year old now. We have plugins/mods for 7 platforms, and bb3 is our most popular. We've had close to 1000 bb3 sites sign up so far in 2011. The bb3 community has been very helpful and patient as we've gradually stabilized the mod into it's current solid condition. Thank you!

But we're just getting started. I'm on the project for the long haul, and the team is growing. We're hard at work on some amazing new features, coming soon in April/May 2011 to a registration form near you.

[KeyCAPTCHA]

Like I said.. I'm swearing by it right now: KeyCAPTCHA...

I'm sure it will be cracked eventually, like all CAPTCHA's inevitably are, but for now it seems a very tough nut to crack.

I agree, KEYCaptcha is a very tough nut to crack - too hard, I think, and that is a problem in itself!

It may be a problem with my screen size or clarity, but I failed to get it right one time in three attempts

I don't think it would be useful for my (not particularly computer literate) target audience.

You know, my wife could not pass a squiggly-giggly-w(r)iggly-letters captcha 12 times while trying to log-in to her bank out and eventually had to desist.
And she wants to close her bank account because of it.

While KeyCAPTCHA doesn't require neither education (we checked that it is being passed by 4-years-old children) nor knowledge of any languages (to understand a math question, etc.). Though, our geo-cluster on 24*7*365 datacenters over a few countries servers feed KeyCAPTCHAs in a dozen of languages and support new ones being added by 3-5 a month.

KeyCAPTCHA is harder on first use but, I promise you, next times one passes it much faster like a breath.

The point in KeyCAPTCHA is not that it is currently not crackable but that it is easier to develop than spam bot (unlike other antispam solutions) and the pool of captchas as well as the type of captcha can be replaced without plugin reinstallation.

Also, KeyCAPTCHA team monitors spam bots development and activity on protected websites and can replace KeyCAPTCHA pool or even type preemptively.
All other existing antispam solutions are lagging a few steps behind advancement of spamming techniques.
I do not know any other solution providing the same abilities, they just follow behind spamming incidents.

KeyCAPTCHA service is free (well, it is free of charge antispam service, not "free of spam Joomla plugin" as malicious spamming webfarms repost it filling all google results) but subsribers of our fee-based "Personal CAPTCHA" service can create their own captchas from their own images with our on-line designer.

Best,
Guennadi --- Gennady --- Геннадий
(KeyCAPTCHA Team)
Tweet us: @KeyCAPTCHA
Protect published Email from bot harvesters: hidemail.at