phpBB2 - Spam

[rlhanson]

I have a client site which featured a "submit your testimonial" forum which she wanted to make easily accessible to clients.

As you all probably already know, we got slammed with porn. Since then, I have made the user registration only upon approval by admin.

Any suggestions on how to prevent problems like this without having such a strict registration policy?

Is it just normal procedure to have to manually remove the crap everyday?

Does anyone know how to remove MULTIPLE users from the phpBB2 admin section? I don't necessrily want my client in the DB removing items!

[Matt]

1. Require user registration to post in most forums.
1a. Make sure user registration uses CAPTCH or some other means of human authentication/verification.

2. Use Captcha verification on forums that you want the general public (unregisterred users) to be able to post on.

3. Make sure you are running the latest version of the software at all times.

==================

It is not normal to have to remove spamvertisements every day. We have to from time to time, but we ban the username (which will catch of lot of bots that use the same username over and over to register) then used that in tendem with banning the user IP address in .htaccess and you will see a lot of cleanup on the forums even if it is open source.

==================

4.. If it is worth it to you, use a closed-source forum. Only one of them comes to mind. vBulletin

Closed source by nature is going to have less available exploits floating around on the web.

Does anyone know how to remove MULTIPLE users from the phpBB2 admin section? I don't necessrily want my client in the DB removing items!

I will leave this to someone else who might know something about PHPBB!

[rlhanson]

I found this guy's answer to help with the spam on phpBB2 forums - I implemented what he recommended and have had all spam activity cease so far!

http://boonedocks.net/mike/archives/...-Question.html

You have to change two files, templates/(your template)/profile_add_body.tpl and includes/usercp_register.php.

In templates/(your template)/profile_add_body.tpl, add this after the <!-- END switch_confirm --> line (about line number 68):


<!-- BEGIN switch_add_profile -->
<tr>
<td class="row1"><span class="gen">Anti-Spam Question:</span></td>
<td class="row2">
<span style="font-size: small;">Enter the name Luke Skywalker's
father. Check your spelling!
Requiring this question to be answered will hopefully limit
spammers who try to sign up.</span><br />
<input type="text" class="post" style="width: 200px"
name="bonusq" size="25" maxlength="255" value="" />
</td>
</tr>
<!-- END switch_add_profile -->


In includes/usercp_register.php, add this after else if ( $mode == 'register' ) { (about line number 275):


// mod by MB to require human data to prevent spam bots
if(trim(strtolower($_POST['bonusq']))!='darth vader') {
$error = TRUE;
$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) .
'You did not answer the Anti-Spam question correctly...' .
'please try again.';
}
// end mod


So there you have it. I'm sure there are some sophisticated PHPBB mods out there that will do the same and more for you, but this simple change has saved me a lot of trouble. I'm keeping my fingers crossed that it will last.

Update 2007-05-23: I omitted one other mod to make this work. You also need to edit your includes/usercp_register.php file. Find the line if ( $mode == 'editprofile' ) (about line number 941) and modify that block to look like this:


if ( $mode == 'editprofile' )
{
$template->assign_block_vars('switch_edit_profile', array());
} else {
// Else block is Mod by MB 2006-08-11
$template->assign_block_vars('switch_add_profile', array());
}

[Matt]

But what if someone has never seen Star Wars? I know quite a few that haven't.

Might want to consider something more universal like:

"What does 2+2 equal?"

It eliminates the potential for blocking someone who has never seen the movie and also eliminates the possible spelling problem when typing "Darth Vader" and besides that, someone might think it is actually "Lord Vader" AND besides that, for uber Star Wars geeks, his Dad's name was actually "Anikin Skywalker" and I am not even sure I spelled Anikin correctly!

And, is it CaSe SenSiTive? There is no lower-case "2" so that is the way I would run with that snippit. I'd modify it a tad for usability purposes.

Seems like it leaves a lot of room for human error!

You know what else I find sort of funny is that on his page where he mentions this code, if you look at the comment section at the bottom of the page, he is using CAPTCHA verification, not his own Star Wars code!!!

Just a thought.

[rlhanson]

Matt, I was already using some CAPTCHA code and was still getting at least 10 spam user registrations everyday so I implemented this code, which worked for me.

However, I did have the same thoughts as you, so I changed the question to "On a beautiful summer day, what color is the sky?" Then gave instructions as to the case it should be written in. I realize this may still eliminate some people, but it was worth it to me for the few users who may not be able to get past the spelling or case or incorrect input.

Just thought I'd share something that worked and was appreciative that he had it posted in such a way that was extremely easy to implement.

Thanks for your input!

[Matt]

But what if your user is colorblind?

Haha, I am just kidding around. Glad you got a working solution

[rlhanson]

what if your's is mathematically chellenged?
<lm-o>

[Matt]

ahhhhh.... Touché