[Discuss] Preventing Spam in phpBB3

END OF SUPPORT: 1 January 2017 (announcement)
KeyCAPTCHA
Registered User
Posts: 66
Joined: Sun Nov 14, 2010 8:32 am

Re: [Discuss] Preventing Spam in phpBB3

Post by KeyCAPTCHA »

heenan73 wrote: That's absolutely right - and email addresses are unique, whereas an IP may include innocents (false positives), or miss the spammer, who uses a different one each time (false negatives).

In practice, false negatives are a more serious issue - banning an IP when the spammer uses 300 different ones is little help, while banning 'innocent' potential members is a theoretical risk, and unlikely to occur much more often than the lottery Big Win
IP ban cuts out only legitimate users, it is not a barrier for any modern spam bot or professional spammer.
newsman2010
Registered User
Posts: 166
Joined: Tue Sep 14, 2010 3:58 am
Location: USA

Re: [Discuss] Preventing Spam in phpBB3

Post by newsman2010 »

peoplesignDave wrote:There are some fine CAPTCHA mods for phpBB3, but you can probably guess I'm a little biased towards Peoplesign :mrgreen:. Peoplesign is a variable difficulty object recognition CAPTCHA: insta-demo at peoplesign.com. In short, you simply click a picture(s) instead of typing in characters.

Peoplesign has been in the works for over 3 years and our bb3 mod is nearly a year old now. We have plugins/mods for 7 platforms, and bb3 is our most popular. We've had close to 1000 bb3 sites sign up so far in 2011. The bb3 community has been very helpful and patient as we've gradually stabilized the mod into its current solid condition. Thank you!

But we're just getting started. I'm on the project for the long haul, and the team is growing. We're hard at work on some amazing new features, coming soon in April/May 2011 to a registration form near you.
I'm going to put your Peoplesign on my site at http://photographyaficionados.com/forums and see how it goes in default config. ;)

I was getting spam registrations, but most did not verify their email, so they never got on the board, but a few did and created spam profiles, though oddly never made a post. Maybe it's because I catch them so fast (new board, so it's slow enough to check registrations right now). :mrgreen:
Thanks for the help! :)
heenan73
Registered User
Posts: 6
Joined: Wed Mar 09, 2011 2:35 pm
Location: Canterbury, UK
Name: Andrew Heenan

Re: [Discuss] Preventing Spam in phpBB3

Post by heenan73 »

Pony99CA wrote:... illustrates how E-mail addresses aren't necessarily any more reliable than IP addresses.
I don't think that's true at all.

The examples of email misuse you describe are all very rare 'special cases' - indeed, in most cases the membership would be blocked by the spammer being unable to verify the email address.

While the futility of recording an IP for a spammer who uses ever-changing IP happens billions of times a day.

I prefer to look at real day-to-day issues than theoretical ones ....

I am not claiming email (or anything else) is perfect, I am saying it is much, much, much more reliable than IP.

That's all.
pennycsf
Registered User
Posts: 174
Joined: Mon Feb 01, 2010 6:29 pm
Location: Pyrenees-Orientales, South of France
Name: Frank Parkinson

Re: [Discuss] Preventing Spam in phpBB3

Post by pennycsf »

Pony99CA wrote: Actually, E-mail addresses are serially unique. They can be reused. I work at a company where E-mail addresses are basically first_name.last_name and got the E-mail address of somebody else with the same name who left the company.

The only way that I can see this being a problem is if a spammer gives up an e-mail address, which is then picked up for re-use by an innocent user. There will of course have to be a considerable period of inactivity by the spammer before the e-mail address (gmail, hotmail, etc) is cancelled and therefore available for re-use.

Such a scenario is so unlikely to result in the banning of an innocent user that I for one wouldn't let this argument stop me from using e-mail addresses as the main way to detect a human spammer.

Frank
It's a poor day when you don't learn something!
Martin Truckenbrodt
Registered User
Posts: 3045
Joined: Sun Mar 23, 2003 6:22 pm
Location: Franconia
Name: Martin Truckenbrodt

Re: [Discuss] Preventing Spam in phpBB3

Post by Martin Truckenbrodt »

Hello,
I think there is some mismatch of words here.

Banning has nothing to do with the use of DNS blacklists or other remote databases. IMO banning is only useful if you want to keep single annoying people off your forum - e.g. personal attacks, stalking, ...
IMO banning is not a (useful) anti-spam feature.

Some other things too are explained in my ABM FAQs: http://www.phpbb.com/customise/db/mod/a ... k_mod/faq/

Don't forget: DNS blacklists looking for spammer ip addresses (IP-RBL) are the worldwide leading feature to prevent email spam.

Although don't forget: Perhaps some phpBB3 using webmasters have the time to check every account registration at their board if it is a spammer or not. I don't want to spend my spare time for this job. So I'm using features which are working automatically, except the last feature in the order which is Double Activation to manually verify successful account registrations with confirmed email addresses.

Bye Martin
Last edited by Martin Truckenbrodt on Fri Mar 11, 2011 10:10 am, edited 2 times in total.
Free tutorial: Installing MODs in phpBB 3.0
Advanced Block MOD - Prevent spam on your phpBB 3.0 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists!
My MODs
Use the official phpBB Ideas to vote missing core features!!!
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: [Discuss] Preventing Spam in phpBB3

Post by Pony99CA »

heenan73 wrote:
Pony99CA wrote:... illustrates how E-mail addresses aren't necessarily any more reliable than IP addresses.
I don't think that's true at all.

The examples of email misuse you describe are all very rare 'special cases' - indeed, in most cases the membership would be blocked by the spammer being unable to verify the email address.

While the futility of recording an IP for a spammer who uses ever-changing IP happens billions of times a day.
Because spammers don't register new E-mail addresses every day? :?
heenan73 wrote:I am not claiming email (or anything else) is perfect, I am saying it is much, much, much more reliable than IP.

That's all.
And I'm claiming they both have issues. It's up to the administrator to pick a strategy that's effective for him. Banning an IP range in Russia and all .ru E-mail addresses may work well for me because I don't care if I get any Russian visitors. A Russian admin may feel completely different.
pennycsf wrote:
Pony99CA wrote: Actually, E-mail addresses are serially unique. They can be reused. I work at a company where E-mail addresses are basically first_name.last_name and got the E-mail address of somebody else with the same name who left the company.
The only way that I can see this being a problem is if a spammer gives up an e-mail address, which is then picked up for re-use by an innocent user. There will of course have to be a considerable period of inactivity by the spammer before the e-mail address (gmail, hotmail, etc) is cancelled and therefore available for re-use.

Such a scenario is so unlikely to result in the banning of an innocent user that I for one wouldn't let this argument stop me from using e-mail addresses as the main way to detect a human spammer.
As I said, it depends how Stop Forum Spam gets their E-mail lists. For example, if they take complaints from board admins ("This user registered but never activated.") and they see the same E-mail address reported a lot, they might add that address to their list. Now if the spammer was using your E-mail address to sign up, you would be blacklisted.

Or maybe you've never heard of Joe Jobbing.... I've had spammers generate spoofed E-mail appearing to come from one of my domains and only found out about it because of the occasional bounced E-mail.

Personally, I wish that I could castrate all spammers, make them eat the remnants and then draw and quarter them. You don't want to know what I want to happen to phishers and other criminals. :D

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
royalambassador
Registered User
Posts: 1
Joined: Tue Mar 01, 2011 3:01 am

Re: [Discuss] Preventing Spam in phpBB3

Post by royalambassador »

I am new to having a forum and just got it set up last week but I have been going crazy deleting spammers. I assume they are joining my site through bots at a rate of about 70 a day. I want to say THANK YOU to the people posting about using the Q&A to prevent them. I set that up about 2 hours ago and have had no new users in that time. You have saved me from going crazy. :D

Thank you, Thank you, Thank you!!!!!
Tonttu
Registered User
Posts: 17
Joined: Sat Aug 08, 2009 7:34 am

Re: [Discuss] Preventing Spam in phpBB3

Post by Tonttu »

Pony99CA wrote: As I said, it depends how Stop Forum Spam gets their E-mail lists. For example, if they take complaints from board admins ("This user registered but never activated.") and they see the same E-mail address reported a lot, they might add that address to their list. Now if the spammer was using your E-mail address to sign up, you would be blacklisted.
SFS accepts submissions and it's the user's business to decide how they trust them. Data is username, email and IP and you can use whatever you want and activate the blacklist only at a certain number of submissions. In case a human is blocked, they will see the reason and can contact the forum admin or request removal from SFS.
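
The thresholding described in the post above, sketched as an added example; it is not code from any poster, from Stop Forum Spam, or from a phpBB MOD. The `Policy` fields, the threshold values, the rule that only an e-mail hit blocks outright, and the sample counts are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Minimum number of submissions before a field counts as listed.
    # None switches that field off. All values here are illustrative.
    thresholds: dict = field(
        default_factory=lambda: {"email": 3, "ip": 10, "username": None})
    # A hit on these fields blocks; a hit on any other field only queues
    # the registration for manual approval (assumed policy choice).
    blocking_fields: frozenset = frozenset({"email"})


@dataclass
class Decision:
    action: str    # "allow", "review" or "block"
    reasons: list  # shown to the applicant so a human can appeal


def evaluate(counts, policy=None):
    """counts maps field name -> number of times it was reported."""
    policy = policy or Policy()
    reasons, block = [], False
    for name, minimum in policy.thresholds.items():
        if minimum is None:
            continue
        seen = int(counts.get(name, 0))
        if seen >= minimum:
            reasons.append(f"{name} reported {seen} times (threshold {minimum})")
            block = block or name in policy.blocking_fields
    if not reasons:
        return Decision("allow", [])
    return Decision("block" if block else "review", reasons)


# Constructed sample lookups, not real blacklist data.
SAMPLES = {
    "shared ISP address, clean e-mail": {"email": 0, "ip": 40, "username": 0},
    "reported e-mail, fresh address": {"email": 5, "ip": 0, "username": 2},
    "a few stray reports": {"email": 1, "ip": 2, "username": 0},
    "common username only": {"email": 0, "ip": 0, "username": 500},
}

if __name__ == "__main__":
    for label, counts in SAMPLES.items():
        d = evaluate(counts)
        print(f"{label}: {d.action} {d.reasons}")
```

With the default policy a heavily reported shared address is held for manual approval instead of being rejected, while a reported e-mail address is blocked with the reason attached.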
wmtipton
Registered User
Posts: 564
Joined: Thu Apr 26, 2007 8:16 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by wmtipton »

royalambassador wrote:I am new to having a forum and just got it set up last week but I have been going crazy deleting spammers. I assume they are joining my site through bots at a rate of about 70 a day. I want to say THANK YOU to the people posting about using the Q&A to prevent them. I set that up about 2 hours ago and have had no new users in that time. You have saved me from going crazy. :D

Thank you, Thank you, Thank you!!!!!
Been using the Q&A feature myself on 3 forums for weeks and weeks now.
We've had one live spammer sign up since I enabled Q&A and not a single spambot has signed up since.
Seems to be fairly effective at stopping the bots.
mysql database backup software - mysql Workbench
image45
Registered User
Posts: 168
Joined: Wed Feb 24, 2010 6:05 pm
Name: Robert

Re: [Discuss] Preventing Spam in phpBB3

Post by image45 »

Martin Truckenbrodt wrote:Don't forget: DNS blacklists looking for spammer ip addresses (IP-RBL) are the worldwide leading feature to prevent email spam.
Yes, your 'Advanced Block Mod' uses this; it's one of the best spam prevention tools I have ever installed.

Excellent indeed.
KeyCAPTCHA
Registered User
Posts: 66
Joined: Sun Nov 14, 2010 8:32 am

Re: [Discuss] Preventing Spam in phpBB3

Post by KeyCAPTCHA »

Martin Truckenbrodt wrote:Banning has nothing to do with the use of DNS blacklists or other remote databases. IMO banning is only useful if you want to keep single annoying people off your forum - e.g. personal attacks, stalking, ...
IMO banning is not a (useful) anti-spam feature.

Some other things too are explained in my ABM FAQs: http://www.phpbb.com/customise/db/mod/a ... k_mod/faq/

Don't forget: DNS blacklists looking for spammer ip addresses (IP-RBL) are the worldwide leading feature to prevent email spam
My home IP is in that worldwide leading feature, and it is the IP through which all clients of my ISP communicate
(that do not pay for a white IP).

Blacklisting is being easily and routinely used by blackhat SEO and criminals to ban their competitors with the help of spam bots.
Blacklisting does not stop spam bots, only legitimate users.
I daresay that use of IP blacklisting is professional incompetence,
I'm pissed off to read advice on its use
when there are 100% botproof antispam methods without making internet unusable by humans.

Free of charge KeyCAPTCHA has never been passed by any bot.
Even if it has, the pool of captchas and even its type are easily and preventively replaceable.

Users who started to use KeyCAPTCHA usually switch off any other antispam measures including moderation.

Besides KeyCAPTCHA.com site ,
the plugin (and feedbacks) for phpBB is available from phpBB.com

Gennady
Tweet me: @KeyCAPTCHA
xenofears
Registered User
Posts: 73
Joined: Tue Mar 08, 2011 2:17 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by xenofears »

KeyCAPTCHA wrote:
Martin Truckenbrodt wrote:Banning has nothing to do with the use of DNS blacklists or other remote databases. IMO banning is only useful if you want to keep single annoying people off your forum - e.g. personal attacks, stalking, ...
IMO banning is not a (useful) anti-spam feature.

Some other things too are explained in my ABM FAQs: http://www.phpbb.com/customise/db/mod/a ... k_mod/faq/

Don't forget: DNS blacklists looking for spammer ip addresses (IP-RBL) are the worldwide leading feature to prevent email spam
My home IP is in that worldwide leading feature, and it is the IP through which all clients of my ISP communicate
(that do not pay for a white IP).

Blacklisting is being easily and routinely used by blackhat SEO and criminals to ban their competitors with the help of spam bots.
Blacklisting does not stop spam bots, only legitimate users.
I daresay that use of IP blacklisting is professional incompetence,
I'm pissed off to read advice on its use
when there are 100% botproof antispam methods without making internet unusable by humans.

Free of charge KeyCAPTCHA has never been passed by any bot.
Even if it has, the pool of captchas and even its type are easily and preventively replaceable.

Users who started to use KeyCAPTCHA usually switch off any other antispam measures including moderation.

Besides KeyCAPTCHA.com site ,
the plugin (and feedbacks) for phpBB is available from phpBB.com

Gennady
Tweet me: @KeyCAPTCHA
Haha I see you thinking my thread. Good for you, I love you guys! It's a 100% end to spambots, no other antispam measures necessary (I still have user validation on, but it didn't do a thing whatsoever to stop spambots and is totally unnecessary and useless as an anti-spambot measure.) So you deserve the plug!

The only other comparable option to Keycaptcha is Q&A. It's really personal choice here, and I'm not going to tell you not to use Q&A. But on large enough sites worth the attention, Q&A can be broken, I mean if *I* can think of ways off the top of my head to break it (try random words in the question as the answer, or if there are words with random letters in caps you can break those apart into their real words too,) or it can be shipped out to sweat shops, it can't be perfect. Nothing slips through Keycaptcha as of this moment. But the upside to Q&A is it is completely locally served and administered, no reliance on external sources.

Using blacklists is like putting out a building burning down with a bucket, and I question where they come from and what the data is used for otherwise (as the Keycaptcha team has put forward). The downside to CAPTCHAs (ANY) is real humans being unable to pass the tests, but I have not had any complaints about Keycaptcha. Some say it is confusing, I don't see it at all. Especially the put-the-picture-together ones, if you can't do that, you need to go back to the 1st grade :P .. and you can choose to use just those.
KeyCAPTCHA
Registered User
Posts: 66
Joined: Sun Nov 14, 2010 8:32 am

Re: [Discuss] Preventing Spam in phpBB3

Post by KeyCAPTCHA »

xenofears wrote:Haha I see you thinking my thread. Good for you, I love you guys! It's a 100% end to spambots, no other antispam measures necessary (I still have user validation on, but it didn't do a thing whatsoever to stop spambots and is totally unnecessary and useless as an anti-spambot measure.) So you deserve the plug!
Why?
I have written as private person pissed off by blacklisting. I hope my colleagues will not see that/what I've written it from KeyCAPTCHA account
Honestly speaking I was thinking (or was pissed off) by blogs using Akismet or other blacklisting features + multi-layer protections (captcha + moderation). Either of this made commenting unpleasant or simply impossible experience.

Just 2 days ago I came across this link on twitter:
http://cgonlinemarketing.com/online_adv ... -bloggers/
which is not available to me even for reading - http://cgonlinemarketing.com blocks my IP.

The same story is with many forums in which I can not only register but I can not even read them - only through anonymizers or google cache.

@xenofears!
Thanks again for positive feedback! Honestly, I did not expect it.
And, again, it is not promotion of KeyCAPTCHA but private irritation on IP-address or email blacklisting over internet

Update:
You are correct. According to my expertise in this area,
any captcha requiring typing-in is passable by spambot
(might be not from 1st attempt).
The common opinion that Q&A (or honeypots, or Akismet-like systems) protects -
well, it protects from lack of interest
from professional spammers (with professional spam bots) only
xenofears
Registered User
Posts: 73
Joined: Tue Mar 08, 2011 2:17 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by xenofears »

KeyCAPTCHA wrote:
xenofears wrote:Haha I see you thinking my thread. Good for you, I love you guys! It's a 100% end to spambots, no other antispam measures necessary (I still have user validation on, but it didn't do a thing whatsoever to stop spambots and is totally unnecessary and useless as an anti-spambot measure.) So you deserve the plug!
Why?
I have written as private person pissed off by blacklisting. I hope my colleagues will not see that/what I've written it from KeyCAPTCHA account
Honestly speaking I was thinking (or was pissed off) by blogs using Akismet or other blacklisting features + multi-layer protections (captcha + moderation). Either of this made commenting unpleasant or simply impossible experience.

Just 2 days ago I came across this link on twitter:
http://cgonlinemarketing.com/online_adv ... -bloggers/
which is not available to me even for reading - http://cgonlinemarketing.com blocks my IP.

The same story is with many forums in which I can not only register but I can not even read them - only through anonymizers or google cache.

@xenofears!
Thanks again for positive feedback! Honestly, I did not expect it.
And, again, it is not promotion of KeyCAPTCHA but private irritation on IP-address or email blacklisting over internet

Update:
You are correct. According to my expertise in this area,
any captcha requiring typing-in is passable by spambot
(might be not from 1st attempt).
The common opinion that Q&A (or honeypots, or Akismet-like systems) protects -
well, it protects from lack of interest
from professional spammers (with professional spam bots) only
That should have said LINKING my thread. Not sure what the "why?" was for?

Would you guys like me to shut up lol? It's ok, I'm done :)
TheJester
Registered User
Posts: 1
Joined: Thu Mar 24, 2011 7:57 pm

Re: [Discuss] Preventing Spam in phpBB3

Post by TheJester »

I have a severe problem with spam bots and maybe you can give me some hints.

After intensive research I added the following security settings / mods to my board:
- Anti Bot Question Mod (with non-standard german question)
- Custom Profile Field based on numbers
- Blocking time zone -12 (based on known tutorial)
- various captcha settings, some of them way too hard for humans :D

Somehow the bots totally pass every security extension of the registration form. The bot users are created with a wrong answer for the Custom Profile Field and also with time zone -12. So this tells me that they totally bypass the registration form. How is this possible and is there a way to stop it?

What I also thought of is an SQL injection, but I could not find any problematic entry field. The guest rights are very limited anyway, without posting and viewing member list and so on. Even with totally hiding all forums from guests I got a bot registration.

Nearly all of the bots are using gmail.com email addresses. Up to now I did not want to block this domain, just because it could be used by human users as well.

My main problem is that I am not that firm with PHP, but with coding in general. So it is very hard for me to identify any security breaches.
