Thanks for posting Buksida.

One simple alternative to Mod #2 is to block indexing of user pages with robots.txt or a NOFOLLOW in the header.

I've been using my own home-made version of Mod #1 for 2 years now, and it works a treat.

TJ

This won't stop attempts totally. You will still get attempts at posting and registering but they will now not get through.

Your site is automatically added to scripts which will fire off spam attempts continually.

Spammers use bots to find phpbb (and other) boards and then create a list of url's to spam.

It makes no difference if you apply a fix to prevent spam registrations - once you are in the loop you are in the loop.

The best advice is to minimise the chance that your board will be targetted in the first place. For new installs I recommend not placing your forum in widgets.com/phpbb/ or widgets.com/forum/ and if you can use a gif for the phpbb.com copyright notices.

There's some great background info to phpBB security from encyclo here:-

[webmasterworld.com...]

I use "better captcha" and "insta ban". These two have totally stopped spambot posting.

Better Captcha is hard to read, so a note on the reg page that says "hit reload if you cannot read the code in the image" Does wonders.

Insta-ban works by removing the "website" field in the reg. It's gone, a human cannot see it. So when a reg. tries to fill it in, it is always a spam-bot, and goes automatically into the ban list.

Also, for better SE placement use phpbb SEO mod. Removed duplicate content, and also irrelevant pages like "memberlist" or "post" from being spidered.

I just added a required extra field for registation "check this box to accept terms and conditions" for a quick registration mod and change the name of it every so often. I also don't have any "finger prints" so spammers won't find my site by searching.

I also use the Ban Open Proxys from Registering mod.

Works great - User who ahve already registered can come in via proxies but you can't sign up via one. It stops a LOT of attempts every day.

I also outright banned Nigerian IPs in my htaccess. Stopped almost all the spam immediately.

>>>New members can only post URLs once they've made x posts and been active for y days.

So does this prevent new users from linking to pics at imageshack?

All you really need is a decent captcha on registration (guests are not allowed to post, of course). I haven't seen a single spam post on our phpbb-based forum since we replaced the default captcha a year ago.

[edited by: John_Carpenter at 6:14 pm (utc) on Dec. 15, 2006]

I've never relied upon phpbb for anything that I couldn't stand to lose. I've had lots of security problems from back in the ol days of phpbb.

If you wanted to you, you could quickly code it to allow links to certain domains that may be trusted. However, if someone is going to be a value to the community, they should be willing to wait 5 posts before posting links to any url, imho.

I used these MODifications to deter spammers. The ones that never post but enter a home page in thier profile

Hide inactive members
[phpbbdoctor.com...]

or

Stop them from entering a home web site
[phpbbdoctor.com...]

Hello, am new to these forums. Got here via a google search for a php spider trap, which is performing very well for my purposes, thank you very much. Have a few questions about forum spamming, if any of you have the patience/time to respond. Am new to forum spam. Not only is it an eyesore, but it can be dangerous to uninformed forum users, as you well know, when spammer links open pages that install malware on the user's computer.

Background: Have a few small-audience forums that have been running for at least 10 years. The groups participating have become good friends by now -- some even visit each other across the US and CA. The audience is "local" in the sense that most participants reside in 5 or 6 countries. Topics discussed are generally about one breed of dogs. The forums are NOT big time and since the beginning, have been open to all. This year, forum spammers found them and started in. I dunno, sort of made me cross that people like that can ruin the original intent of the web -- ease of use and free, open communication.

Tried to find a forum spam remedy. For about a month now, have had success with a solution that would not suffice at all for high traffic, worldwide-user-based forums, but it works for these small, "local" ones, and the forums can remain open without registration or captcha requirements -- convenient for this audience and what they've come to expect over time.

1) Am using a free country locator and also a proxy detector service (very inexpensive). The forum posting script denies posting for anonymous and open proxies as determined by the service. So far, proxy scores delivered by the program are right on. Tested this for quite a while before determining an appropriate cutoff proxy score.

2) Participants have agreed to no live link posting -- the main inconvenience of this system -- but these users prefer an open, captcha-free environment and are willing to make the necessary tradeoff. Regex in the posting script redirects link posters to a "Read Only" announcement page instead of posting when various linking codes are matched.

3) As a final measure, the country locator scripting stops any posting outside the few countries of this local group. So far, steps one and two have stopped spam posting before step 3 has to kick in.

As said, this solution has only a narrow base of usefulness. However, the described forum participants are quite pleased with it, and I am definitely pleased to be basically free of "forum watching."

Questions about forum spammer methods:

1) I notice basically two types of forum spammer traffic -- individual spammers (some paid, some just for devilment) and what I call "programmed" spammers. I think I understand that these small forums got on various spammer lists via the illegal spiders, is that correct?

2) If correct, will these forums be removed from the spammer lists in time because of failed spammer attempts?

3) How do the spammer cycles run? Cannot notice any specific patterns yet.

4) When proxy user ips originate from large ISPs (i.e., comcast.net, verizon.net and so on), does that mean that some unaware internet user has been trojaned?

Have lots more questions about this topic, but will stop here. Would appreciate any useful links about forum spam methods, cycles, etc., and thank you very much for your time.

Sincerely, hhb

My forum had a massive increase in spam (I was using Better Captcha mod - so that must have got hacked or something), so I installed the
<a href='http://www.phpbb.com/phpBB/viewtopic.php?t=383305'>
anti-spam bot mod</a> which got rid of (so far) all the spam.

It asks users a skill-testing question before they register. For instance, "how many red lines are in this picture". The one downside is that it will inconvenience blind users - however they can always email me to be registered manually.

THIS is the only mod that has ever really worked for me [phpbb.com]

Simple yet works the best :)

Simple yet works the best :)

Yes agreed, over the last few weeks I've not had any bots get through. A closer look at the registration page and you'll see you don't have to send prospective members to another page looking for the code. But that's an option if and when required.

Add last N+3 Session IDs & N-3 in the drop down list with the quesion above that "Please selects matching String"

That makes N's options all together. For a human to read and make a disision + fill in all additional data on the form it takes longer than 5 seconds.

that is al to it

BETTER YET

Using select box for quesions & CSS to ask colorful questions about the top left color of the screens image.

Having been down this road about 6 months ago and having completely stopped them at the door I'll offer some advice. My prerogative is that it should be seamless for the user and of course work. The key is layers of preventive measures but by far the last preventive measure I list works the best.

As far as the first mod listed in the original post that is a great mod to stop human spammers but isn't going to stop the bots. As far as the second one goes it's possible for regular users to fall in your trap... Besides there is similar and better one IMO.

The first of three that I've installed is confusabot, it allows you to change the variables in the agreement form so that they are not the standard phpbb ones, (ex: instead of agreed=true agreed=custom variable) This prevents spammers from posting directly to the agreement page, they have to load it first.
[phpbb.com...]

The second one is similar to the one that the OP posted but instead removes the website and signature fields in the registration, these can be filled in after x amount of posts. Here's the best part though, since many bots submit the information directly they include the website or a link in the signature field which results in an instant ban of the IP or returns them to the registration page, however you want to configure it...
[phpbb.com...]

Those two slowed them down but they were still getting through, my guess is that just as I've read the measures so have the spammers so they simply adjust the bot.

The last one I installed asks a human question that is configurable in the ACP, you can add as many questions as you want. It will also work with images such as putting an image of an apple and asking what it is. I've only used one question, I have a definition that is part of the content of the page and it asks for the last word in the definition. This has stopped them dead in their tracks, I've not had a spammer registration in about 5 months... It's also very user friendly. I've even removed the all but useless standard phpbb image captcha.
[phpbb.com...]

There's a whole laundry list of additional mods here:
[phpbb.com...]

I've been using a similar setup. I use the 2nd mod as is. I use one similar to the first mod except they can't leave a link in their signature until they post x times. It worked well until recently when some bots started catching on to the 2nd mod and leaving the profile fields blank. The ones that got through left many many porn posts that all had to be removed one at a time. These bots (or humans) were all in the 8* IP range so I blocked that range from my forum.

What would make it easier is if I could ban a username and doing that would automagically delete all their posts.

There's a mod for removing posts in mass by one user, don't have a link but do search for phpbb post remover. That one I *think* can only be found on phpbbhacks but I'm pretty sure I saw a similar one on the regular phpbb site .

I use a simple system that has stopped spam posts and registrations dead. and it is used in lieu of capta images.

Its simple and even fun and can be used to make a little participation from your members. The system allow for admin created user verification registration questions.

where admin writes questions and exact answers (in lieu of capta image) for the registration process.

(better ask your members to write some..its fun! ;))

The question can be related to forum or general or whatever. You can make as many questions as you like...and randomly shows a questiosn at registarion. just have to make sure there are discreet number of possible answers (usual 1 or 2 max).

Like I said, its even fun makign questions..! and I got members involved in doing it even. I've used stuff like...

- Type this EXACT phrase in the box provided (case sensitive) "I am not a spambot! Please let me in."
- what is the name of this site (www.______.com)?
- Which country in Europe is shaped like a boot?
- what does four (4) plus four (4) equal (4+4=?)?

Writing questions specific to the site is best, as one figures if the person can't answer the question...
they really don't need to be registering anway:

eg: For a gaming site, you could write a question like:

What does online multiplayer game is commonly refered to as "WoW"? Answer (if you don't know): World of Warcraft

etc etc.

but again, its up to you how creative or not you wanna get with your questions.

Not a single bot for months after I installed it. ^_^ and yes, I WAS "in the loop" as I was geting spambot registrations before I started using this.

[edited by: GrendelKhan_TSU at 10:43 am (utc) on Dec. 17, 2006]

Just an update to the original post, usually after the weekend I have to spend a good hour cleaning spam and their accounts off my two forums.

With the two mods I suggested installed not one has been found!

Requiring Registration + Activation, then setting a custom parameter at Registration has stopped all bot signups + postings from initiation. It did leave the forum with a low-level of human spam-postings, however, until a recent discovery.

All the humans doing spam-postings were using either web.de or mail.ru as their email address. Once each was banned on a wild-card, *all* spam postings stopped dead, instantly.

The forums on my site operate at a fairly low level, so my experience may not match others' experience.

Remember, spambots are dumb automated programs.

One forum I was in charge of had the default phpbb captcha, and we were getting overwhelmed with fake registrations.

I realized that spambots could break the captcha because it was the SAME letters every time in the same style.

All I did was manually change the captcha's raw IDAT data, and added stripes through all the letters. Stopped spam 100%.