Anyone running phpBB forums?

**Ron** · 11-17-2006, 12:13 PM

If there are any members here running phpBB forums and having issues with spam registrations/posts, and willing to try something, would you drop me a PM?

Thanks.

**JPC-Greg** · 11-17-2006, 12:32 PM

We're having that problem with vb, does that count?

**Ron** · 11-17-2006, 01:21 PM

Yes you are....

I'll PM you

Still looking for more phpBB forum operators...

PS It would REALLY HELP if moderators had the ability to moderate

**JPC-Greg** · 11-17-2006, 02:38 PM

It would really help if vb didnt suck so much with options. Your set as a mod but um, well it just dont work.

**Ron** · 11-17-2006, 02:40 PM

phpBB requires not only that individuals be set as moderators, in the moderator group, but that the moderator group be given moderator privileges to each forum that they should have moderator privileges.

Really. The moderator group doesn't have moderator status by default. sigh.

Still looking for phpBB operators....

**Gwaihir** · 11-18-2006, 09:20 AM

I'm one.

Actually, there isn't such a thing a "the moderator group". You can however make a group, call it "moderators" and give it moderation rights on whatever you please.

About half of the forums on the board I administer are private in one way or the other, so it is to my liking that the moderators of the public parts do not automatically gain access and mod rights there too. It's simple enough to set it up where needed.

As for the spam signups: we have activation via e-mail on and hide unactivated accounts from all but administrators, who have gotten the option to delete such accounts in just a few clicks. That works reasonably well.

What I believe would work miracles is a simple non-standard Turing test. The Captcha phpBB offers on sign-up stops some scripts, but many have cracked it already. However, that's based on sheer numbers: if your forum sets its own special trick, as simple as "Type abracadabra in this field", a stock script would fail and your one forum wouldn't be worth adapting the script for. If time permits me and / or the spam problem on our boards worsens again, I'll be putting that idea to the test.

**Mandi Apple** · 11-18-2006, 03:42 PM

Originally Posted by Gwaihir

What I believe would work miracles is a simple non-standard Turing test. The Captcha phpBB offers on sign-up stops some scripts, but many have cracked it already. However, that's based on sheer numbers: if your forum sets its own special trick, as simple as "Type abracadabra in this field", a stock script would fail and your one forum wouldn't be worth adapting the script for. If time permits me and / or the spam problem on our boards worsens again, I'll be putting that idea to the test.

There's a mod for vB that I'm running that does this; it seems to do the trick most of the time but I'm still being hit occasionally by the same electronics spam that hits this place up too. Can't be automatic, so it must be a manual registration, even if the email confirmation and posting is not. The bot-based registration has vanished completely, though.

**Ron** · 11-18-2006, 11:17 PM

I'm glad your moderators like wading through all of the registrations and deleting them one by one.

I'm looking for phpBB operators who don't have moderators with the patience of Job, or who would like to open up their forums and turn off admin review on every registration.

**Frank Broughton** · 11-20-2006, 07:57 AM

Ron, try this tool for deleting multiple accounts:

PHP Toolkit:

http://starfoxtj.no-ip.com/phpbb/toolkit

I use it and like it much!

**Ron** · 11-20-2006, 07:59 AM

I have the admin toolkit, but I don't need it to delete accounts anymore!

**Mikalee** · 11-20-2006, 08:44 AM

Originally Posted by Ron

Still looking for more phpBB forum operators...

I run a phpbb forum - with a moderate number of spammer accounts.

But I'm not sure if what you suggest will work for me since my phpbb is very out-dates, not including security patches...though it'd be great if it did work.

Mike

**Gwaihir** · 11-20-2006, 11:55 AM

Originally Posted by Ron

I'm glad your moderators like wading through all of the registrations and deleting them one by one.

I'm looking for phpBB operators who don't have moderators with the patience of Job, or who would like to open up their forums and turn off admin review on every registration.

Hey, I stepped forward, no? I didn't say I wasn't interested.. just that the problem is reasonably under control for me. By all means, do tell!

Also, we do not use admin review on / prior to registration. We just check the list of newly registered folk regularly. I wouldn't exactly call it deleting "one by one" either; the mod we use makes it simple to delete non-activated ones en masse. Spammers / bots rarely complete the activation via e-mail process.

**wgiese** · 11-20-2006, 12:16 PM

I installed the Anti-Bot Question mod to our phpBB forums about 6 weeks ago. Prior to that point in time, we were getting 3-5 automated spam account signups per day. And yes...we had phpBB captchas turned on, which are now virtually useless. They are easily defeated by many automated spambots.

Since installing the mod, we have not had a single spam account signup. In fact, even though you can configure it to work in conjunction with captchas, I turned them off - they merely slow down and annoy legitimate users, while doing nothing to prevent sophisticated spammers. I did leave email verification in place.

In addition to being able to create your own random registration questions/answers with the mod, you can include custom images, and tailor the question to be specific to the picture. For example, one of my questions displays a photo of a bunch of fish on a cutting board, and prompts the user to answer how many are shown.

In addition to eliminating the SPAM accounts, I've not had a single user complain about the registration process - I received one or two emails a month when using captchas. It's simple, intuitive, and I can't see how it can be beat in an automated fashion.

Granted, the mod would do nothing against a "real human" spammer signup with a legitimate return email address, but those are relatively far and few between.

**Ron** · 11-20-2006, 02:58 PM

As bots grow and learn how to defeat the hard-coded and limited approaches intalled around the net, the owners will have to install another mod and another mod and so forth. Also, it generally doesn't protect against human spammers. Spam bots are becoming more and more sophisticated, and will most certainly use their spam domains as real mailboxes, and have programs that are activated upon the receipt of a validation request that will complete the registration and begin to post spam.

Turning off CAPTCHA only welcomes one generation of bots that scan your reg page and look for the CAPTCHA phrases; if not found they attack the board with abandon.

My approach is similar to having SpamAssassin installed; you install it once and it stays current with the bot technology. It works with humans and bots both.

There are many ways to skin a dinosaur like phpBB.

**wgiese** · 11-21-2006, 09:53 AM

Originally Posted by Ron

As bots grow and learn how to defeat the hard-coded and limited approaches intalled around the net, the owners will have to install another mod and another mod and so forth.

Nah...that's only true, due to the manner in which this problem has been tackled to date.

Other than methods that require site administrator intervention, most attempts at dealing with bots include some form of auto-generated question/answer challenge. If the challenge/response is generated by code, it's just a matter of time before it's cracked.

The Anti Bot Question mod throws a huge monkey wrench into this...it moves the challenge/response from an automated method, to one that would require sophisticated AI techniques to beat. Every site owner will create their own challenge/response questions - assuming they configure the mod correctly, not using the defaults. As such, the questions/answers can not be determined by screen scraping an image, or cracking of an algorithm used to generate a challenge/response. The inclusion of random photos, from which an accurate response must be determined from a human generated question, requires AI techniques which simply don't exist yet - by anyone.

Second, and more importantly - spammers won't waste their time trying to beat something like this, and one need look no further than how they go after email. They don't succeed primarily with technical prowess, although they are getting more sophisticated. They simply consider a minuscule percentage of their payload being delivered a success, so they make up for things in quantity. They will always prey on the vulnerable and easy to attack boards, even if they are in the minority.

Originally Posted by Ron

Also, it generally doesn't protect against human spammers.

This is the tougher problem...I don't think this will ever be addressed, in a manner that is both non-intrusive to legitimate users, and transparent to site administrators.

LinkBack

Thread Tools

Display

Anyone running phpBB forums?

Bookmarks

Bookmarks

Posting Permissions