Forum Moderators: mack

Spam attacks - php bulletin boards.

         

draggar

12:47 am on Jul 11, 2007 (gmt 0)

10+ Year Member



I have several sites each with their own forum (from phpBB). I have it set up so people need to perform a visual confirmation (picture with letters on it) to be able to register.

Unfortunately, spam bots are now getting around that and, at one point, one of my forums was getting 5-10 spam (mostly inappropriate "adult" related). It was becoming a full time war to keep all of the forums clean.

Recently, I've had to change the registration process to allow only admins to accept new members (and I purged the databases of the spammers). Spam is gone now and I am still getting 2-10 "join" emails a day. I feel, though, that requiring admin activation (and communicating that I would like a private message or email requesting access) will drastically reduce the number of people who post on the forums.

Is there a way to keep the spam bots at bay without doing this? My forums are usually in a /forum, /forums, /phpbb, or /phpbb2 subdirectory.

Would doing something like putting it in some odd or random named subdirectory (say, /gyoxe2sd) help or would /norobots (which would KILL SEO)?

Any suggestions in this war? Maybe even a plugin / addon for phpBB?

Any help would be appreciated and thank you!

jbinbpt

1:14 am on Jul 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



We use rotating challenge questions.

Example..

Which is not a number
A .. Three
B .. Fifteen
C .. Red
D .. Four

No spam since. No additional work for admins.

draggar

2:16 am on Jul 11, 2007 (gmt 0)

10+ Year Member



Thanx, I'll look into those and test some on the sites that have the most attacks.

serengeti

4:48 am on Jul 15, 2007 (gmt 0)

10+ Year Member



I use an old version of phpbb via my host provider's vdeck control panel.

I tried upgrading the forums to newer ones that are available via vdeck, but the database transfer was unsuccessful so I still use the old version.

Drago, how did you purge the database of spammers? Since I use vdeck (and not direct ftp), I am not sure.

Thanks.

draggar

1:36 am on Jul 17, 2007 (gmt 0)

10+ Year Member



I purged it by going into the database itself using phpMyAdmin (through my hosting company) and manually editing out the 50+ spam bots (not many legit people signed up so it was easy to kill most of them in one mass-row delete).

thecoalman

4:22 am on Jul 17, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Members should not be deleted directly from the database as their user information is tied to other aspects of the forum. Either manually delete them one by one in the ACP or for mass deletions there's a tool for this. Search phpbb for toolkit. This is a standalone application that works outside of phpbb, invaluable if your forum becomes fubared.

----------------

@serengeti, I'd suggest learning how to use an FTP program. I couldn't even imagine trying to manage a site through the control panel FTP.

phpbb3 RC3 has just been released and will most certainly go gold within 1 to 2 months. This has many features such as an automatic updater. Following the directions and using an FTP program you can have a test forum up and running in a short amount of time.

draggar

9:13 pm on Jul 17, 2007 (gmt 0)

10+ Year Member



> Members should not be deleted directly from the database as their user information is tied to other aspects of the forum. Either manually delete them one by one in the ACP or for mass deletions there's a tool for this. Search phpbb for toolkit. This is a standalone application that works outside of phpbb, invaluable if your forum becomes fubared.

I deleted all the posts first but the board has been fine.

RobBKK

4:23 am on Jul 18, 2007 (gmt 0)

10+ Year Member



"We use rotating challenge questions.
Example..

Which is not a number
A .. Three
B .. Fifteen
C .. Red
D .. Four

No spam since. No additional work for admins. "

How do you go about setting that up? I don't have that facility in the ACP?

encyclo

4:46 pm on Jul 18, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> I use an old version of phpbb

You absolutely must update your phpBB installation, or spam attacks will be the least of your worries. Older versions of phpBB contained vulnerabilities which could allow an attacker to take over the entire server (access all files, wipe the database, use your server as a spam relay, everything).

You can get the latest 2.0 version directly from phpBB and follow the update instructions.

thecoalman

5:09 pm on Jul 18, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> How do you go about setting that up? I don't have that facility in the ACP?

It's not part of phpbb, you have to add it with a modification.

serengeti

7:03 pm on Jul 24, 2007 (gmt 0)

10+ Year Member



I can't update my phpbb forums because I am using startlogic.com as my host provider and they have a vdeck control panel which I have always used to update my site (rather than ftp). The latest phpbb startlogic now offers in vdeck is also somewhat old, and it didn't work for me anyway. Their support for phpbb is terrible.

I am trying to figure out how to use ftp and update phpbb (from phpbb.com this time instead of from startlogic) instead of using startlogic's vdeck. If anyone knows this, please post here!

ogletree

7:32 pm on Jul 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I had the same problem. I did several things. I did the normal stuff like CAPTCHA and "are you a bot" question. I found a hack that checks the censor list and won't let you register if you use one of the bad words. I also found a good list. Of course this made my forum G rated so not everybody will want to do this. I also made it so that you have to log in to see the member list. I then removed the ability to add a URL to the registration process. I still get 2 or 3 attempts a day. They seem to be done by hand.

Some other things I want to try are:

1. Make it so the register page only loads if you have javascript.
2. Make it so the register page gives a 404 if you try to access it directly.
3. Randomly change the Are you human to are you a bot. You would check the box if you are human and uncheck it if you are not a bot.
4. Use a text based question that randomly changes instead of a CAPTCHA
5. Block usernames with all capitals

Most of this stuff stops bots and smart people that are doing it manually. It does not stop the guy that hires a spam outfit in India. They are just like bots only slower and they can see any visual stuff you try. They don't care or notice that there is no value in doing this. They just have their list and they go through it.

thecoalman

3:27 pm on Jul 25, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> 1. Make it so the register page only loads if you have javascript.

Bad idea IMO since you'll also be blocking regular people with JS disabled. The golden rule that I and, I'll guess, most others follow is that JS shouldn't be used for critical parts of your website, instead only to enhance it. The basics should all still work.

> 2. Make it so the register page gives a 404 if you try to access it directly.

There's a mod that changes the default variable names, a lot of bots will load the registration page directly but if you use custom variables the net effect is the same thing you are suggesting. At the very least they would have to load it once.


> 4. Use a text based question that randomly changes instead of a CAPTCHA

There's a lot of question mods, the one I'm using has just that. You can edit/add them in the ACP. They can also be used in conjunction with images.

> I then removed the ability to add a URL to the registration process

Yet another mod I installed, the website and signature fields don't become available until X amount of posts. Any registration that has the website or signature field included results in instant IP ban. :)

There's lots of stuff you can do but by far the best mod I have added is the question one. I've had no bot registrants since, I've also taken some similar measures like yourself to prevent human spammers. The memberlist and profiles are denied in robots.txt, signatures are only viewable if you're logged in. I make it known in registration form that this is the case. This stops most human spammers, those that continue are easily spotted and few and far between.

callivert

10:13 pm on Aug 1, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



the mod you are looking for is called "the humanizer."
Even a simple question on this will kill the bots. e.g.
humanizer: "The sky is ______"
spambot: "Um.... uh...."
humanizer: zap.
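
The rotating text question and the website/signature field trap described in this thread, sketched as an added example; it is not from any poster and is not code from phpBB or from the mods mentioned. The secret, the question pool, the form field names and the function names are all assumptions.

```php
<?php
// Added example: rotating text question plus a trap on fields the form never offers.
// SECRET, the question pool and all field names are assumptions, not phpBB code.
const SECRET  = 'replace-with-a-long-random-server-side-value';
const MAX_AGE = 900; // seconds a rendered form stays valid

// Constructed sample pool; a real board would let admins edit these.
const QUESTIONS = [
    ['q' => 'Which is not a number: Three, Fifteen, Red, Four?', 'a' => ['red']],
    ['q' => 'The sky is ______',                                  'a' => ['blue']],
    ['q' => 'How many legs does a cat have?',                     'a' => ['4', 'four']],
];

// Pick a random question and bind its index and issue time with an HMAC,
// so a script cannot swap in the index of a question it already knows.
function issue_challenge(?int $now = null): array
{
    $now = $now ?? time();
    $id  = random_int(0, count(QUESTIONS) - 1);
    $mac = hash_hmac('sha256', "$id|$now", SECRET);
    return ['question' => QUESTIONS[$id]['q'], 'token' => "$id|$now|$mac"];
}

// Returns 'ok', or the reason the registration is refused.
function check_registration(array $post, ?int $now = null): string
{
    $now = $now ?? time();
    // Fields the form does not render: only a script posting directly fills them.
    foreach (['website', 'signature'] as $trap) {
        if (isset($post[$trap]) && $post[$trap] !== '') {
            return 'trap_field';
        }
    }
    $parts = explode('|', (string)($post['token'] ?? ''));
    if (count($parts) !== 3) {
        return 'bad_token';
    }
    [$id, $issued, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', "$id|$issued", SECRET), $mac)) {
        return 'bad_token';
    }
    if ($now - (int)$issued > MAX_AGE) {
        return 'expired';
    }
    $answer = strtolower(trim((string)($post['answer'] ?? '')));
    return in_array($answer, QUESTIONS[(int)$id]['a'], true) ? 'ok' : 'wrong_answer';
}
```

A token can be replayed with its known answer until `MAX_AGE` passes, so keep the pool large and record used tokens (or hold the challenge in the session) if replays show up in the logs.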