Forum Moderators: rogerd
New members can only post URLs once they've made x posts and been active for y days. Configurable in the admin panel.
Mod details and download here:
Prevents bot registration if anything is filled in the profile fields, has a notice to warn human registrants. Can also send a notification email to admin.
Mod details and download here:
Pretty simple to install, and by using both together it clears up the spam problem from manual and automated submissions instantly, together with completely removing the www field from the registration form. Thought I'd share this since I've had so much help from these forums. I'll post back in a week with a progress report; no doubt one or two will slip through.
Your site is automatically added to scripts which will fire off spam attempts continually.
Spammers use bots to find phpBB (and other) boards and then create a list of URLs to spam.
It makes no difference if you apply a fix to prevent spam registrations - once you are in the loop you are in the loop.
The best advice is to minimise the chance that your board will be targeted in the first place. For new installs I recommend not placing your forum in widgets.com/phpbb/ or widgets.com/forum/ and, if you can, use a gif for the phpbb.com copyright notices.
Better Captcha is hard to read, so a note on the reg page that says "hit reload if you cannot read the code in the image" does wonders.
Insta-ban works by removing the "website" field in the reg. It's gone, a human cannot see it. So when a reg. tries to fill it in, it is always a spam-bot, and goes automatically into the ban list.
Also, for better SE placement use phpbb SEO mod. Removed duplicate content, and also irrelevant pages like "memberlist" or "post" from being spidered.
Works great - Users who have already registered can come in via proxies but you can't sign up via one. It stops a LOT of attempts every day.
I also outright banned Nigerian IPs in my htaccess. Stopped almost all the spam immediately.
[edited by: John_Carpenter at 6:14 pm (utc) on Dec. 15, 2006]
Background: Have a few small-audience forums that have been running for at least 10 years. The groups participating have become good friends by now -- some even visit each other across the US and CA. The audience is "local" in the sense that most participants reside in 5 or 6 countries. Topics discussed are generally about one breed of dogs. The forums are NOT big time and since the beginning, have been open to all. This year, forum spammers found them and started in. I dunno, sort of made me cross that people like that can ruin the original intent of the web -- ease of use and free, open communication.
Tried to find a forum spam remedy. For about a month now, have had success with a solution that would not suffice at all for high traffic, worldwide-user-based forums, but it works for these small, "local" ones, and the forums can remain open without registration or captcha requirements -- convenient for this audience and what they've come to expect over time.
1) Am using a free country locator and also a proxy detector service (very inexpensive). The forum posting script denies posting for anonymous and open proxies as determined by the service. So far, proxy scores delivered by the program are right on. Tested this for quite a while before determining an appropriate cutoff proxy score.
2) Participants have agreed to no live link posting -- the main inconvenience of this system -- but these users prefer an open, captcha-free environment and are willing to make the necessary tradeoff. Regex in the posting script redirects link posters to a "Read Only" announcement page instead of posting when various linking codes are matched.
3) As a final measure, the country locator scripting stops any posting outside the few countries of this local group. So far, steps one and two have stopped spam posting before step 3 has to kick in.
As said, this solution has only a narrow base of usefulness. However, the described forum participants are quite pleased with it, and I am definitely pleased to be basically free of "forum watching."
Questions about forum spammer methods:
1) I notice basically two types of forum spammer traffic -- individual spammers (some paid, some just for devilment) and what I call "programmed" spammers. I think I understand that these small forums got on various spammer lists via the illegal spiders, is that correct?
2) If correct, will these forums be removed from the spammer lists in time because of failed spammer attempts?
3) How do the spammer cycles run? Cannot notice any specific patterns yet.
4) When proxy user IPs originate from large ISPs (i.e., comcast.net, verizon.net and so on), does that mean that some unaware internet user has been trojaned?
Have lots more questions about this topic, but will stop here. Would appreciate any useful links about forum spam methods, cycles, etc., and thank you very much for your time.
It asks users a skill-testing question before they register. For instance, "how many red lines are in this picture". The one downside is that it will inconvenience blind users - however they can always email me to be registered manually.
Simple yet works the best :)
Yes agreed, over the last few weeks I've not had any bots get through. A closer look at the registration page and you'll see you don't have to send prospective members to another page looking for the code. But that's an option if and when required.
That makes N's options all together. For a human to read and make a decision + fill in all additional data on the form it takes longer than 5 seconds.
That is all there is to it.
As far as the first mod listed in the original post that is a great mod to stop human spammers but isn't going to stop the bots. As far as the second one goes it's possible for regular users to fall in your trap... Besides there is similar and better one IMO.
The first of three that I've installed is confusabot, it allows you to change the variables in the agreement form so that they are not the standard phpbb ones, (ex: instead of agreed=true agreed=custom variable) This prevents spammers from posting directly to the agreement page, they have to load it first.
The second one is similar to the one that the OP posted but instead removes the website and signature fields in the registration, these can be filled in after x amount of posts. Here's the best part though, since many bots submit the information directly they include the website or a link in the signature field which results in an instant ban of the IP or returns them to the registration page, however you want to configure it...
Those two slowed them down but they were still getting through, my guess is that just as I've read the measures so have the spammers so they simply adjust the bot.
The last one I installed asks a human question that is configurable in the ACP, you can add as many questions as you want. It will also work with images such as putting an image of an apple and asking what it is. I've only used one question, I have a definition that is part of the content of the page and it asks for the last word in the definition. This has stopped them dead in their tracks, I've not had a spammer registration in about 5 months... It's also very user friendly. I've even removed the all but useless standard phpbb image captcha.
There's a whole laundry list of additional mods here:
What would make it easier is if I could ban a username and doing that would automagically delete all their posts.
It's simple and even fun and can be used to get a little participation from your members. The system allows for admin-created user verification registration questions, where admin writes questions and exact answers (in lieu of captcha image) for the registration process.
(better ask your members to write some... it's fun! ;))
The question can be related to forum or general or whatever. You can make as many questions as you like... and it randomly shows a question at registration. Just have to make sure there are a discrete number of possible answers (usually 1 or 2 max).
Like I said, it's even fun making questions..! and I even got members involved in doing it. I've used stuff like...
- Type this EXACT phrase in the box provided (case sensitive) "I am not a spambot! Please let me in."
- what is the name of this site (www.______.com)?
- Which country in Europe is shaped like a boot?
- what does four (4) plus four (4) equal (4+4=?)?
Writing questions specific to the site is best, as one figures if the person can't answer the question...
they really don't need to be registering anyway:
eg: For a gaming site, you could write a question like:
What online multiplayer game is commonly referred to as "WoW"? Answer (if you don't know): World of Warcraft
but again, it's up to you how creative or not you wanna get with your questions.
Not a single bot for months after I installed it. ^_^ and yes, I WAS "in the loop" as I was getting spambot registrations before I started using this.
[edited by: GrendelKhan_TSU at 10:43 am (utc) on Dec. 17, 2006]
All the humans doing spam-postings were using either web.de or mail.ru as their email address. Once each was banned on a wild-card, *all* spam postings stopped dead, instantly.
The forums on my site operate at a fairly low level, so my experience may not match others' experience.
One forum I was in charge of had the default phpbb captcha, and we were getting overwhelmed with fake registrations.
I realized that spambots could break the captcha because it was the SAME letters every time in the same style.
All I did was manually change the captcha's raw IDAT data, and added stripes through all the letters. Stopped spam 100%.
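
The registration checks described across the posts above (a hidden "website" field, a form that must be loaded before it can be submitted, a 5-second minimum fill time, and an admin-written question), combined in one server-side check. This is an added example, not code from any of the mods mentioned; the field names, the secret, the one-hour token lifetime and the question table are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # assumption: per-site random secret
MIN_FILL_SECONDS = 5                  # humans need longer than this to fill the form
MAX_TOKEN_AGE = 3600                  # assumption: a loaded form is valid for one hour
# Admin-written questions with a small, discrete set of accepted answers.
QUESTIONS = {"q1": ("What does four (4) plus four (4) equal?", {"8", "eight"})}

def _sign(question_id, issued):
    msg = f"{question_id}:{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_form_token(question_id, now=None):
    """Embed this in the form when it is rendered; it proves the page was loaded."""
    issued = int(time.time() if now is None else now)
    return f"{question_id}:{issued}:{_sign(question_id, issued)}"

def check_registration(form, now=None):
    """Return (accepted, reason) for a submitted registration form (a dict)."""
    now = time.time() if now is None else now
    # Honeypot: the "website" field is not shown to humans, so any value is a bot.
    if form.get("website", "").strip():
        return False, "honeypot"
    parts = form.get("token", "").split(":")
    if len(parts) != 3 or parts[0] not in QUESTIONS:
        return False, "bad-token"
    qid, issued, sig = parts
    # A direct POST without loading the form cannot produce a valid signature.
    if not hmac.compare_digest(sig.encode(), _sign(qid, issued).encode()):
        return False, "bad-token"
    age = now - int(issued)           # safe: issued is covered by the signature
    if age < MIN_FILL_SECONDS:
        return False, "too-fast"
    if age > MAX_TOKEN_AGE:
        return False, "expired"
    if form.get("answer", "").strip().lower() not in QUESTIONS[qid][1]:
        return False, "wrong-answer"
    return True, "ok"

if __name__ == "__main__":
    token = issue_form_token("q1", now=1000)          # constructed sample input
    bot = {"token": token, "answer": "8", "website": "http://spam.example"}
    print(check_registration(bot, now=1010))
    print(check_registration({"token": token, "answer": "Eight"}, now=1010))
```

The caller decides what each rejection reason leads to, for example an IP ban for "honeypot" and a plain return to the registration page for "wrong-answer".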