Three things

- Did you hear phpbb 3 just came out? Not sure if upgrading will help at all.

- Try the Textual Confirmation mod. It's more rare than the standard captcha and may be more effective for you: [bbantispam.com...]

- You will always get some because humans will register to spam it. You need to be on top of things. There is a way to set it up so you are emailed every time someone posts... not manageable for a large board but can help a lot when you have a new forum.

Bonus, check out: [bbpress.org...]

Many thanks for quick response.

Noted on phpBB3 and have read the info before on a phpBB newsletter. I have not implemented BB3 yet as as I was having problems with phpBB2 I thought that BB3 would do nothing extra for me.

Noted on the other phpBB URLs you posted. I will follow them up soonest.

Also noted on the e-mail postings options. I don't mind this as I am on the PC all day and it would only be a pleasure if I was inundated(?) with postings for steam railway enthusiasts :):)

What forum system to people use to "authorise" registrants, the type that e-mails you with a link to confirm regsitration? Would that help?

Graham
Durban

I thought that BB3 would do nothing extra for me.

It will, the image captcha system is much improved. The one on phpbb2 is all but uesless. For stopping it on phpbb2 you need to istall spam mod, there's long thread on phpbb2 here:

[phpbb.com...]

Installing any of the mods that require the registrant answer a text question will stop them dead.

What forum system to people use to "authorise" registrants, the type that e-mails you with a link to confirm regsitration? Would that help?

Both phpbb2 and phhbb3 have this option, Nor sure how much it helps as they have numerous email addresses they can utilize.

Email confirmation isn't a barrier for major forum spammers, although it will put some off. Neither is captcha a total solution, including text captcha (although that's much better) because this is the sort of thing that can be farmed out to cheap foreign workers.

In other words, you're always going to have to keep an element of manual oversight. What you can do is disallow your members list from guest view, so that people will get no benefit from signing up in order to get a backlink from their profile. Secondly, you should set your signature threshold at a reasonable number of posts, I'd say at least 50.

Nothing is going to stop people manually spamming forums. You can filter out bots and the creation of large numbers of posts in a short time but there will be a hard core of optimistic characters (not to mention a few nutters) who can only be caught by moderation.

My forums used to have a ton of spammers signing on and posting their spam. Some as many as 20-30 sign ups a day and 5-10 posts a day.

I found a captcha hack for phpBB that shows pictures and you have to put a chekc next to each one that is the picture of an animal (it comes with pictures of kittens and cars). It will resze and crop the pictures to "fool" computers looking for specific images setups (ot whatever).

Spam is now nonexistant on all of my forums and I've only had one or two spammers able to register (total) in the two months I've been doing it. I think the only ones that got though are spam-firms, people paid to go onto forums and spam, I don't think any spam bots have gotten in.

The instructions are easy and you just need about 30-45 minutes to copy and paste code (it tells you exactly where to put the code) the first time you do it, now I can upgrade a forum in less than 10 minutes with it.

Rosalind, pikatow and dragger

Thanks for all of your inputs. Much appreciated.

Dragger - have you the URL of the picture CAPTCHA that you were referring to?

I had spammers signing up daily in 100s until I put a phpbb mod that forces people to answer a simple question (like how much is 2 plus 2). Spambots are gone for good now though I still have to manually delete those SEO types who sign up just to post a link.

I changed some of the input fields in my PHPBB Forum registration and randomized the field names since the captchas didn't work anymore. Since then the forum is Spam free and I do not need captchas anymore.

So instead of

<input type="text" name="email">

its now:

<input type="text" name="fdf3524757jgtcgs5uj68658cxgf">

and the name changes everytime the page loads. The field names are stored in the Session.

$_SESSION['email'] = sha1(uniqid (rand()));

echo '<input type="text" name="'.$_SESSION['email'].'">';

and retrieved like this:

$email= $_POST[$_SESSION['email']];

I also changed the contact forms of all my websites and all other forms and have not had any SPAM problems since then.

I don't like captchas. Most of the captchas around are simply to good nowadays - they cannot even be recognized by the human eye anymore. The little math questions are better but too easily overlocked.

I don't like captchas. Most of the captchas around are simply to good nowadays - they cannot even be recognized by the human eye anymore. The little math questions are better but too easily overlocked.

Captcha!= scrambled image captcha. The maths questions are also forms of captcha, and personally I think their days are numbered because maths is too easy for a bot to solve.

I like the session solution, because it's not one I've come across before. The less prevalent a solution is, the longer it will be useful.

We use an e-mail confirmation system with an auto-generated password that gets sent in the e-mail.

Seems to work well for us. We only get real human spammers now... which is a whole other ball game.

Email confirmation seems to take care of most of the spam bots as far as I can tell on the couple boards I run. The human ones I catch by just keeping an eye on the most recent users to join - if they have a suspicious name/email/profile info - or post spam then I ban them.

I do not have the direct link to the captcha I downloaded, I got it off of a free php script.

But I did throw it on one of my sites, when I get home I'll see if I can get the link and I'll send it to you in a sticky.

That session solution is brilliant.

We used to have the same problems on our SMF forum. I did try to play around with captchas but the spam continued in floods, then we started requiring e-mail confirmation and it reduced the SPAM but didn't quite get rid of it.

I guess the SPAM will never quite go away..

The captchas that are effective against bots are too difficult to read. Email confirmation reduces legitimate registrations.

Asking a simple question works for us. Obviously, that won't stop human spam registrants.

An option that can be used in conjunction with the "registration spam question" is to monitor new members' posts for certain keywords, and assign them spam-scores accordingly. So, for example, "iphone" in the title of a new post would garner 8 points. A link in the body of a post: 1 point. 10 points and it's considered a spam post, at which point the post is not placed on the forum until it's manually approved by a moderator. The vBulletin version of this is called "Spambuster".

So instead of

<input type="text" name="email">

its now:

<input type="text" name="fdf3524757jgtcgs5uj68658cxgf">

and the name changes everytime the page loads. The field names are stored in the Session.

Extremely clever.

I have had GREAT success with the animal/car image captcha (can't find the URL right now)

It installs VERY easily into phpbb2... and shows a table of 9 images. you are asked to either check boxes next to cars, or the animals. If answered correctly, you can register (or post, depending on how you install it).

The images can VERY easily be changed to anything you want, and you can easily change the categories "trucks" and "computers" for example. I highly recommend it.. we went from 40+ spam registrations a day, to zero occurrences since I installed it 4 months ago.

Nothing you can do about humans. There are thousands of people that spend all day going to forums and spamming them. We have a guy that goes to forums to talk up some of our sites. Some people get quite upset. Even if you try to act like a real member. They may have several sites and see the same username from same ip on the same day. I have phpbb on my forum with all kinds of anti spam stuff and I still have to delete about 10 a day. If I did not have what I do I would have hundreds. We have another site that is in asp.net and we don't get any spam. Using phpbb is a spam magnet.

This one has worked wonders for us:

[phpbb.com...]

If the link gets deleted, search for "phpbb mod vip code".

It requires a "VIP" code to register. You can put the code wherever you want on your forum, then post instructions on where to find it (we put it on the disclaimer/liability page).

Lots of manual spammers don't seem to speak English too well, and rather than taking the time to figure out where your code is, they move on to the next forum.

And since you can make the code whatever you want, and put it wherever you want, it's almost impossible to crack with bots.

I was having 10-15 spambot / spam everyday. I start to use this mod and only had 2 spam at last 3 months, i believe they were human spammers.

[phpbb.com...]

I get basically none now - I have the updated phpbb2 captcha (its a mod), as well as one that bans open proxy registrations. That alone cut spam to almost zero. I still get the odd person that will manually go through the process and make a spam post, but its very rare.

I also nofollow each link, and do not allow new users to post links until they've been registered for at least a week and have at least 10 posts.

I forget where I first saw this idea, but it's simply brilliant. I haven't had a single spambot comment in 6 weeks. It's not fool-proof, but it's close.

Step 1: Add a normal field to your form with the name "firstname" or something common, that's not already being used. For the caption write "Ignore me".
Step 2: Hide the field and caption using css. Either use visibility:none or shove 'em off the page with a negative x value.
Step 3: If the field gets filled in, you've just caught a bot! You can safely ignore it. The only way this field would get filled in by a real user is if they have css turned off and compulsively fill in every text field (which would be silly of them and quite possibly indicate mental illness) or because they use google toolbar to automatically fill in forms.

And that's all there is to it! So now you essentially have a "spam flag" that you can either check manually, delete automatically, or just not insert in the first place.

[edited by: Mobro4000 at 8:28 pm (utc) on Dec. 18, 2007]

draggar, can you please post the link here?

I'll play devils advocate and some of the problems i see with some of these solutions, I've used many of them myself in some form or another:

I changed some of the input fields in my PHPBB Forum registration and randomized the field names since the captchas didn't work anymore.

Works for you because it's unique, the bot expects the fileds to be named correctly but of course gets confused. I used a similar mod for phpbb that simply changed the submit button from agree to soemthing else. Most bots directly posted the variables without ever loading the form so the registration failed. The issue that arises here is if this was implemented by a widely distributed software the bots could be taught to get around it. i.e instead they would have to load the form and determine the order of the input fields.

Step 2: Hide the field and caption using css. Either use visibility:none or shove 'em off the page with a negative x value.

What if you're using a browser like a text reader that drops the CSS. ;) I know you mentioned if they had CSS turned off but I think you might get a lot of users that would fill it in. Again I used a similar mod on phpbb, that simply changed the website input field to hidden, if the the website was posted with the registration it banned the IP. However just like the one posted above if it was used by everyone it would start to fail.

---------------------

That's the reson I'm aan advocate of the question captcha, you can have 1 million websites and everyone is going to have a unique question that can only be answered by human.

---------------------

Here's an interesting idea I thought of that would work particularly well for localized forums, sorry if I "stole" it but haven't seen it mentioned before. Require they enter the country they are posting from, if the country doesn't match the IP range registration fails. If the country is outside your location the registrant is flagged and you can check theor first few posts. You can even take it step further and flag by location if you're in a large country like the US. Won't work for multi-national sites but for forums that are local it definitely would.

I didn't want to use php, so I searched for a perl alternative.

I found a script that asked a simple maths question, you can make it as hard as you like, and it works fine.

I've used it for almost a year and have had no spam get through at all, whereas previously I was swamped.

Not allowed to post the url, but if you search for feedbackform you'll find it on a Swiss site.

I have no connection with the developer.

Chalk up one more vote for the Textual Confirmation.

We tried most of the spam mods available for phpBB and this one was the only one that worked all the time against bots. We use this on 5 forums, no new bot spams since I can't remember when...whenever we installed it that is.

One thing I should note, don't use the default "Are you human?" question, IMO. I think some spammers have scripted the answer in the registration and got through. Make it unique and you shouldn't have any more problems.

Also, you may as well turn off the Visual Confirmation. It doesn't deter bots anymore and a lot of users, such as AOL, have problems registering with it. It's not worth losing users since it really doesn't work.

My .02

The issue that arises here is if this was implemented by a widely distributed software the bots could be taught to get around it. i.e instead they would have to load the form and determine the order of the input fields.

You are right. Most SPAM protections only works until it is widely implemented. That's the problem with captchas. Bots are getting better and better in solving them.

But if that happens with the randomized fields one can simply randomize the order of the input fields too. Or at least blocks of input fields so it does not get too confusing for the visitor.

One can also throw in some random input fields that are hidden with CSS. I think the best protection is a combination of different techniques.

The problem with the captchas is that they are annoying users too so I prefer techniques the user does not notice.

What on Earth? People using CAPTCHAs to try to block spammers? It doesn't work and it can't work. CAPTCHAs lock out people with language, numeracy or eyesight problems more seriously than spammers. It's a bloody disgrace that some major sites use eyetests and claim they are security measures. Haven't they read the W3C paper that called them a "false sense of security"? [w3.org...]

Spammers have more incentive and more ability to get past CAPTCHAs than some humans - the BBC reported recently about spammers using porno software to get Joes to solve CAPTCHAs for them. Surprisingly enough(!), the Institute for the Blind hasn't released a similar tool yet...

To really defeat spammers, you need to set policies that make your site too expensive for them. For example, hold posts from new members for moderation until they've made three good posts; hold posts which contain too many links; and/or don't let people link to their homepage from their profile until they're approved. Unfortunately, phpbb doesn't seem to make those sorts of policies easy to enforce, at least not in phpbb2.

[/quote]CAPTCHAs lock out people with language, numeracy or eyesight problems more seriously than spammers.[/quote]

I don't see how a question is going to affect those with eyesight problems, it's actually one of the benefits of using a question because its still acessible. Language possibly but if I'm running a English based forum catering to those that do not speak the English language is not on the top of my list of things to do.