phpBB and spam problem
inundated with registration emails
I know very little about phpBB, so am hoping someone can help me out. I have four questions.
1. I use a captcha and also only activate new users personally as the administrator. But I get up to a hundred system-generated emails per day for me to check. The backlog is so great I have given up, which means real users will never get activated. Basically the forum software is straight 'out of the box' with no mods. What would be the most effective thing I can do to prevent spammers getting this far?
2. The member list now has several thousand entries for unactivated spammers, often with links to medi or porn websites. I'm sure this puts off potential users! But I can't find an option to prevent potential users adding a website to their details.
3. Again re the member list. It's impracticable to delete the spam entries one at a time via the admin panel. Is there anything that can help with this?
4. Or is there a forum software that avoids these issues? Would paying for vBulletin or something similar be worth considering?
I posted the following introduction a couple of years back; it's a bit out of date in places, but the basics are still the same (at least for phpBB 2.x; version 3.x is significantly different): phpBB Security Best Practices [webmasterworld.com]
The two key points are: remove the public memberlist completely, and use the "User List" mod to bulk-delete the spammers and get back control over the list.
Once that's done, you will need to strengthen the sign-up process; there are some very good suggestions in this thread: Two Modifications Virtually Eliminate Spam Posts [webmasterworld.com]
phpBB is often targeted due to its ubiquity, but assuming you have installed the latest update, the security issues have mostly been ironed out. You will need to concentrate on removing the footprints which attract the automated spammers.
Thanks encyclo, very helpful.
My situation is the forum is attached to a family history site. It's very niche and only serves for occasional messages for individuals trying to get information. I installed it so that individuals could talk to each other directly rather than sending me emails which I then had to forward. Unfortunately the spam issue has made it more labour intensive!
I will be shortly moving the web site to a new host, and temporarily have removed the link to the forum (although of course this hasn't stopped bots).
Before reinstalling the forum I need to make a couple of decisions.
If I stay with phpBB it would be best to hide the footprint. Currently the home directory is /forum/. If I changed that to something less obvious, would I be able to restore from a backup from the old forum?
Is there any forum/messageboard software which is really simple (but very secure) which would avoid my getting involved in security mods, etc.? It can be really, really simple. There is no need for sub-forums, email links, member contacts, etc. It's just a message board for occasional use, probably no more than a few threads per month.
Is there anything like that?
There is a phpBB Mod known as the VIP Mod which will completely eradicate all spam registrations.
Here's the link:
It should only take around 10 mins to install.
Thanks. I took a quick look and it seems like a very good idea.
remove the public memberlist completely
What's the reason for doing this?
Max - by making the memberlist public (e.g., visible to guests), you're making all of your members' email addresses visible to guests - making it much easier for spammers to find them.
Thanks for all of the info.
I was getting a ton of porn spam on an educational forum and it was upsetting many users.
I just implemented the mod where you cannot post URLs or images until you have made 10 legit posts or have been an active member for 7 days.
It seems to be working really well so far. If not I might have to adjust the days and number of posts.
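The rule described in the post above, written out as an added PHP example (not the mod's or phpBB's own code). The function names, the user array keys and the sample messages are assumptions made for illustration; the thresholds are the 10 posts and 7 days the poster mentions.

```php
<?php
// Added example: all names are hypothetical, not phpBB or mod APIs.
const MIN_POSTS = 10; // posts required before links/images are allowed
const MIN_DAYS  = 7;  // or: days of membership required

/** True once the account has earned link/image privileges (either condition). */
function may_post_links(int $postCount, int $registeredAt, int $now): bool
{
    $ageDays = intdiv(max(0, $now - $registeredAt), 86400);
    return $postCount >= MIN_POSTS || $ageDays >= MIN_DAYS;
}

/** Detects BBCode link/image tags, scheme URLs, bare www. hosts and raw HTML tags. */
function contains_link_or_image(string $message): bool
{
    $patterns = [
        '~\[(?:url|img)\b[^\]]*\]~i',      // [url], [url=...], [img]
        '~\b(?:https?|ftp)://\S+~i',       // explicit scheme
        '~\bwww\.[a-z0-9-]+\.[a-z]{2,}~i', // bare www.host.tld
        '~<\s*(?:a|img)\b~i',              // raw HTML, if the board allows it
    ];
    foreach ($patterns as $p) {
        if (preg_match($p, $message) === 1) {
            return true;
        }
    }
    return false;
}

/** Returns null if the post is accepted, otherwise the rejection reason. */
function check_post(array $user, string $message, int $now): ?string
{
    if (may_post_links($user['posts'], $user['regdate'], $now)) {
        return null; // established member: no restriction
    }
    return contains_link_or_image($message)
        ? sprintf('Links and images are disabled until you have %d posts or %d days of membership.', MIN_POSTS, MIN_DAYS)
        : null;
}

// Constructed sample data: one brand-new account, one 8-day-old account.
$now   = 1190000000;
$users = ['new'  => ['posts' => 0, 'regdate' => $now - 3600],
          'week' => ['posts' => 2, 'regdate' => $now - 8 * 86400]];
$msgs  = ['Looking for records of my great-grandfather.',
          'Cheap pills [url=http://spam.example]here[/url]',
          'visit www.spam.example now'];
foreach ($users as $name => $u) {
    foreach ($msgs as $m) {
        printf("%-5s %-7s %s\n", $name, check_post($u, $m, $now) === null ? 'ACCEPT' : 'REJECT', $m);
    }
}
```

Keeping the two thresholds as constants makes it easy to adjust the days and number of posts later, as the poster anticipates.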
When moving to the new host, you might want to consider using something simpler. Even a lot of blogging programs would give you what you need. Check out opensourcecms.com for a number of options for blogs and simpler forum set-ups. Not that those aren't capable of being spammed, but as encyclo mentioned, you're now using a program that a lot of spammers have right in their crosshairs.
[edited by: Beagle at 1:50 am (utc) on Sep. 25, 2007]