Forum Moderators: rogerd
I have a moderately popular forum, but I've noticed lately that a whole LOT of porn site owners are joining and even if they don't post (most don't) they join up and have a link to their sites.
Now, my forum is a family friendly place, so it really bugs me that they're doing this. I just use a phpBB forum.
Is there any way to stop this from happening? I don't want to be moderating all day long...And what is the point of them doing this - just for the link to their site?
Thanks!
Christina
I'm not terribly familiar with phpBB as it comes out of the box and I don't know anything about the nature of your community, so I don't know if these would be practical for you to implement, but I've seen other communities implement these types of things with varying degrees of success:
- Membership by invitation only - community growth may slow down but you will likely get higher quality members.
- Open membership only on certain days of the month - people who are truly interested in joining your community will wait around till registration is open, most porn spammers won't.
- Prescreen all new members - ban those with porn sites in their profiles before they have access to the forum at all.
- Recruit a few trusted, dedicated users from your community to take over some moderation tasks such as banning these accounts on sight.
I can't think of any way to reduce the number of porn spammers to your site without either increasing inconvenience to all potential new members or creating more moderation work.
1. Ensure you have Visual Confirmation Enabled. This will stop auto spamming tools from constantly registering at your site
2. Remove the Memberlist function. It's a waste of time and is a key thing which spammers are looking for. Google for memberlist.php and you will see hundreds of sites which openly display the memberlist. Spammers love this because it's a great way to promote their sites in search engines.
3. Remove the option to enter a homepage in the users control panel.
4. Remove the option to post 'signatures'
5. Set the account activation to be performed by Admin only.
The damage may already be done by now. SE's would have cached the pages.
You have to remove the options for listing memberlist.php and / or replace that file with a simple message such as
Memberlist Function Not Available
I don't know why the memberlist function exists anyway. It is such a waste of time!
Thanks you guys - this really helped. I had someone help me with a few changes to the boards and I'm shocked by how it's seemed to do the trick. :)
Also - one of you had mentioned 'the damage has already been done.' I HAVE noticed a big change over the past couple of months in how many hits I'm getting from Search engines, particularly Google. Is this what you mean by damage? If so -- how can I now rectify the situation, or is it already rectified now that I've made changes such as removing the member list, etc?
Thanks again!
Christina
One of you had mentioned 'the damage has already been done.' I HAVE noticed a big change over the past couple of months in how many hits I'm getting from Search engines, particularly Google
Are you getting more or less SE traffic over the past few months? If more, then I think this is the first time I've ever heard anyone wonder if this was a bad thing! ;)
Normally, increased search engine traffic is considered a mark of success. However, the point I think others were making is that there are sometimes certain sections of a site that are best kept private. The members list would be one of those. You can use robots.txt to restrict access for well-behaved bots. More extreme measures are required to stop the "baddies." And of course, you need to be very careful to make a complete and comprehensive list of everything that should be protected.
If some of the sensitive pages have already been indexed (and you should check, not only Google but the other SE's) then you may have a problem getting them removed from both the index and the cache.
You can also set up a list of words that will automatically be replaced with words of your choosing.
So you can thereby have posts that include words on your "banned" list automatically have those words replaced by "nicer" words.
So for example you might have someone post an item using the word "f*ck", and you can have the system replace it with "cor blimey".
Or replace "drugs" or "pharmacy" with "lollypops" or "idiot sticks". And by carefully manipulating your banned words list in this manner you can make complete nonsense of posts advertising porn or drug sites - which puts the posters off somewhat.
Another trick is to disallow the use of HTML or URL's in members posts.
It all takes a bit of effort but you CAN make a phpBB2 forum a safe place for all.
(I did turn on image verification for a bit, but phpBB's image verification is pretty easy to crack, so I turned it off.)
1. Member websites do not show up in the member list, ever.
2. Members do not show up in the memberlist unless they have posted at least once.
3. "The newest registered user" does not show up unless it's an activated user. (Actually, I made this so that it was only people with 1 post for awhile, but I didn't like that as much.)
4. Member websites do not show up in their profile unless they've posted at least once.
5. All member first posts result in a notice emailed to me so I can check 'em out. :-)
These were all pretty simple changes -- the main problem being that it makes it a little more time consuming to upgrade since I have to first upgrade and then put all my little hacks back in. The above seem to work pretty well for me, and anyone who's familiar with PHP should be able to do those tweaks for you.
It may not be worth the trouble with upgrading in the future, though, but maybe one or two of these might be useful.
Admin approval of new registrations would help, but honestly, I don't want to slow down registration by that much...
JK
I have set account activation to user but this doesn't stop them registering to get the link in memberlist.php. I have also removed links to the memberlist file and blocked it in robots.txt but still they come.
So without the memberlist file even being visible these idiots are still registering, any ideas?
It is just a spambot problem. They find your forum (automatically) using search engines, use a real and working e-mail to register, "click" on the confirmation e-mail (automatically, again) and add the spam link to the profile.
You can kill the profile page and use robots.txt, but they will never notice it and will still be registering on your forum many times a day.
I have 4 big phpBB forums and saw the same kind of spambot attack on 3. Also I saw the same pattern on dozens of other phpBB forums.
You have two options, a visual confirmation (the default phpBB visual confirmation worked for me) or personalize the registration scripts.
Just remember that it is not personal, but nasty spambots using search engines.
Welcome to WebmasterWorld, JustMeAgain!
I even deleted the website bit in the registration form:
<tr>
<td class="row1"><span class="gen">{L_WEBSITE}:</span></td>
<td class="row2">
<input type="text" class="post" style="width: 200px" name="website" size="25" maxlength="255" value="{WEBSITE}" />
</td>
</tr>
But they're getting round this too. It seems to come in batches of both bots and humans, it'll be quiet for months then a whole bunch of them every day for weeks ... it's damn annoying.
It didn't work. Even though the spammers' porno links will never display again on my members page, they still are coming. The spammer robots have no idea they're not being displayed, and just keep coming at the same pace as when they did display.
The visual code did nothing to stop them. I even went as far as to make the membership page purposely crash when accessed. They still kept coming. I suspect that their links are credited by search engines, in spite of not showing on the page, which gives them purpose to keep on spamming.
The perfect solution would be a mod that removed the webpage and signature blocks from both the profile page and the corresponding MySql, for people who are not activated. I found one mod that looked hopeful, but it ended up banning access to me.
As far as I know, I have put every security mod possible on phpbb2 that addresses this problem. If anyone comes up with a new solution, sure would appreciate hearing about it!
Bucker
Keep us informed about it if you post.
Also, I stress the point that the spambot owners will never notice that you removed the links from the profile. It is not a personal attack, but a program that spams thousands of forums, using search engines to find the URLs. Probably none of them ever saw your forum.
You should be able to change the filename and the templates which call it, or change the mode to something like ?mode=registerxyz
It's the same with all well-known apps. Exploits are sought out via the filenames. Change the filenames to something only you know and the bots will move on elsewhere.
Thanks for the tip...I'm gonna fix things right now!
I just caught a hacker using google to find spam targets....He typed....
www.google.com/search?q=phpBB2/memberlist.php&hl=en&lr=&start=90&sa=N
You can't believe how many sites are listed! Then he has an easy job of harvesting sites, and inputting links to his website. I'm thinking that you want to change the "memberlist.php" name. What do you think?
Bucker
I completely eliminated the website and the signature block from showing up on the registration page by implementing this mod that is not yet validated by the powers to be...
[phpbb.com...]
If those powers are listening....it works real good! :)
I don't let ANY websites show up in member profiles. All you have to do is edit profile.php and remove the line that prints the member profile. EasyPeasy, that part of the problem solved.
Also institute the other fixes like removing the member list, enable visual confirmation, disable signatures, etc.
I don't let ANY websites show up in member profiles. All you have to do is edit profile.php and remove the line that prints the member profile. EasyPeasy, that part of the problem solved. Also institute the other fixes like removing the member list, enable visual confirmation, disable signatures, etc.
I've considered that, but I (and several of my users) like the memberlist! I tried visual confirmation, but the one used by phpBB is so easily bypassed it's not even funny. All that did was alienate my (very few) sight-impaired users, so I took that down. People also like having their sigs.
For me, it's sort of a weighing between cutting down on spam while at the same time, not alienating the "real" users. So far it's a decent balance, but I imagine I'm going to have to get tougher as time goes along.
Grr. :-)
JK
Another suggestion:
Ban all access, especially sign-ups, from compromised or known-SPAMmer machines.
This is very easy to do in real-time with no manual white/black lists (though you can have some of those as well) using such free DNS BLs as the SPAMHAUS xbl-sbl list and the SORBS open-proxy lists.
That at least makes it harder for bad users to use their own machines or cover their tracks...
You may also, as a nice side-effect and a public service, warn users that their machines are infected and known to be so, if they didn't know already!
Rgds
Damon
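An added example of the real-time DNS blocklist check suggested in the post above (not code from the thread or from phpBB): the client's IPv4 octets are reversed, the blocklist zone is appended, and an A-record answer in 127.0.0.x means the address is listed. The function names and the `zen.spamhaus.org` zone used in the demo are assumptions, and the sample answers come from a constructed stub resolver so the block runs offline.

```php
<?php
// Added example; function names are hypothetical, not phpBB code.
// Build the DNSBL query name: reversed IPv4 octets + zone (RFC 5782).
function dnsbl_query_name(string $ip, string $zone): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // this sketch handles IPv4 only
    }
    return implode('.', array_reverse(explode('.', $ip))) . '.' . $zone;
}

// Return [zone => [return codes]] for every zone that lists $ip.
// $resolve maps a hostname to its A records (empty list = not listed).
function dnsbl_hits(string $ip, array $zones, callable $resolve): array
{
    $hits = [];
    foreach ($zones as $zone) {
        $name = dnsbl_query_name($ip, $zone);
        if ($name === null) {
            continue;
        }
        foreach ($resolve($name) as $answer) {
            // Listings are 127.0.0.x; 127.255.255.x is a Spamhaus error code
            // (bad zone, public resolver, rate limit), not a listing.
            if (strpos($answer, '127.') === 0 && strpos($answer, '127.255.255.') !== 0) {
                $hits[$zone][] = $answer;
            }
        }
    }
    return $hits;
}

// Live resolver: trailing dot stops search-domain expansion; DNS errors fail open.
$live = function (string $name): array {
    $records = gethostbynamel($name . '.');
    return $records === false ? [] : $records;
};

// Constructed stub answers so the demo runs without network access.
$stub = function (string $name): array {
    $zoneData = [
        '2.0.0.127.zen.spamhaus.org'   => ['127.0.0.2', '127.0.0.4'],
        '7.113.0.203.zen.spamhaus.org' => ['127.255.255.254'], // error code
    ];
    return $zoneData[$name] ?? [];
};
foreach (['127.0.0.2', '203.0.113.7', '198.51.100.9'] as $ip) {
    $hits = dnsbl_hits($ip, ['zen.spamhaus.org'], $stub);
    echo $ip, ' => ', $hits ? 'refuse sign-up ' . json_encode($hits) : 'allow', "\n";
}
```

In a registration handler, pass `$live` instead of `$stub` and the visitor's address from `$_SERVER['REMOTE_ADDR']`; check the blocklist operator's usage terms before querying from a busy site.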
They have doubled their efforts, which makes me think they enjoy Webmaster World too!
There is now no listing of web sites except for those who have posted once. That means the boxes for web site submission and signature shouldn't show up...yet the spammers have found a way to have that box show up so they could submit their things.
They still don't show on the membership list without my activation, but in spite of this, the game seems to be getting fun for them.
Banning them is impossible, because they change addresses and names every time.
It's starting to feel like my garden has a couple of problem gophers, and I'd go get my waterhose, but I can't figure out which hole to squirt!
Bucker
Sorry to hear that it's getting worse...
Do try the DNS BLs: it's easy and free. And I reckon it saves me 5%--10% of my bandwidth costs too...
If it makes you feel better, you should know that I have to filter out 10,000+ SPAM mail messages aimed at my mailbox each day, and it took a lot of work to set up the filters, though not much to maintain.
Rgds
Damon
There is now no listing of web sites except for those who have posted once. That means the boxes for web site submission and signature shouldn't show up...yet the spammers have found a way to have that box show up so they could submit their things.
I hate to mention this, and please don't think I'm insulting your intelligence, because I've seen a lot of people do this (including people much smarter than me), but did you just make it so the form fields don't show, or did you also modify the actual code that takes the *input* from those fields?
Because form fields don't have to be visible if the code is still taking input from them. The bots are going to be sending values for those fields regardless of whether or not a human would see them on the form.
Sorry if this was obvious to you: it's really not at all obvious to a lot of people.
JK
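An added example of the point made in the post above (not code from the thread or from phpBB): hiding a form field does nothing unless the server-side handler also refuses its value. The field names match the `website` input quoted earlier in the thread; the function name, the rule table and the sample request are hypothetical and constructed for illustration.

```php
<?php
// Added example; names are hypothetical and this is not phpBB's own code.

// Fields the handler accepts at all, and the post count required for each.
const PROFILE_FIELDS = [
    'username'  => 0,
    'email'     => 0,
    'website'   => 1, // accepted only after the member's first post
    'signature' => 1,
];

// Keep only fields this member may set; report the rest so they can be logged.
function filter_profile_input(array $submitted, int $postCount): array
{
    $kept = [];
    $dropped = [];
    foreach ($submitted as $field => $value) {
        $allowed = array_key_exists($field, PROFILE_FIELDS)
            && $postCount >= PROFILE_FIELDS[$field];
        if ($allowed && is_string($value)) {
            $kept[$field] = trim($value);
        } elseif ($value !== '') {
            // A browser never sends a field the form does not render, so a
            // non-empty value here is a strong sign of an automated client.
            $dropped[] = $field;
        }
    }
    return ['kept' => $kept, 'dropped' => $dropped];
}

// Constructed request body: the form no longer shows "website" or
// "signature", but the bot submits them anyway.
$botPost = [
    'username'  => 'newmember123',
    'email'     => 'someone@example.com',
    'website'   => 'http://spam.example/',
    'signature' => 'visit http://spam.example/',
];
$result = filter_profile_input($botPost, 0);

echo 'stored:  ', json_encode($result['kept']), "\n";
echo 'dropped: ', json_encode($result['dropped']), "\n";
// Only $result['kept'] should reach the database; a non-empty 'dropped'
// list is worth logging and holding the account for review.
```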