Comments on: Help ! Spammers have found my PHPBB forum !

Question: Help ! Spammers have found my PHPBB forum !

Baud — Mon, 20 Nov 2006 05:19:47 -0800

I'm running a PhPBB forum. Spammers have found it. Mysterious strangers selling vigorous blue pills popped up from nowhere. Now I need to build something that will prevent spammers from polluting it. Is there a silver bullet that prevents all spammers from ever posting on PHPBB forums ? (I know, but I'm an eternal optimistic). Any antispam mods that has been successfullyt tested someone would like to recommend ? Thanks in adavance.

By: bhance

bhance — Mon, 20 Nov 2006 05:50:25 -0800

I, also run a phpbb forum and have been struggling with this as well - after installing a CAPTCHA mod into the signup process - (the phpbb site has the mod code) - they stopped for a week, but resurfaced 1 week later at about 20% strength.

This either means they have a) broken the CAPTCHA and can "read" the image or b) are paying an army of slave laborers to sit and register the CAPTCHA on a bunch of bulletin boards so they can spam them.

My ad hoc solution: Once every 3 days, I log into the database and do a

select user_id, user_website from phpbb_users order by user_id

.. this produces a list of all the user_ids and their registered websites. Nine times out of then, the spammer will register a site as well, probably with the hopes of link-spamming, and it'll be easy to ID: http://pornspam-host-teen-sex.pills-4-U.ru, for example.

I do a quick visual check for anyone who might have a legit site in there (don't want to nuke any valid users) and then run something like

delete from phpbb_users where user_id > NNNN and user_website != ""

... where NNN is the last known good user_id. This purges their accounts out.

By: empath

empath — Mon, 20 Nov 2006 07:08:55 -0800

Captcha plus requiring a user to post x number of times before starting a thread.

By: By The Grace of God

By The Grace of God — Mon, 20 Nov 2006 08:17:44 -0800

Install captcha.
Turn on admin authorisation of all accounts.
Remove memberlist link.

This has removed all spammers from my forum.

All of these changes are MODs to be found (and supported) at the phpbb.com community. Mods are mostly easy to install even if you don't know PHP.

Email's in my profile if you'd like some help.

By: drstein

drstein — Mon, 20 Nov 2006 08:25:01 -0800

There is no silver bullet. I host a few phpBB forums, and the spammers simply wiggle around everything. Captchas? They've beaten them. Post X number of times? They beat that too. A few "Hello! I am XX from YY and look forward to chatting with you!" posts and then BAM they start spam spam spamming away.

Requiring an admin to approve each account seems to be the best way, but it's tiresome for the admins. I don't run any of these forums, I just host them and field the support requests that come along with them.
Removing the member list link is another good idea. Spammers are a fucking pain in the ass.

By: LoriFLA

LoriFLA — Mon, 20 Nov 2006 09:48:06 -0800

Watching this thread with interest. I also have a phPBB forum with spammers galore.

By: wearyaswater

wearyaswater — Mon, 20 Nov 2006 10:05:02 -0800

Check out the "Preventing SPAM" thread over at the phpBB bulletin boards.

I've been using captchas and admin approval for new accounts, but it's tiring to weed through 10 spammers for 1 real person. The Easy BotStopper mod looks interesting - it hides the website field on the user registration form, and automatically denies membership to scripts that try to register with a site anyway. It's no magic bullet, but since most spam accounts have website links, it might cut down on the number of script spam registrations I'm getting.

By: bhance

bhance — Mon, 20 Nov 2006 10:12:36 -0800

See also the user admin-> ban control -> Ban one or more IP addresses or hostnames

At one point I had a pretty large list of IP ranges by country, and had banned all of Europe, Russia, China, Brazil, Amsterdam, and Vietnam.

This is not as effective as it once was (botnets) but might still be worth looking into. If anyone maintains a similar list, I'd be curious to see it.

By: mcsweetie

mcsweetie — Mon, 20 Nov 2006 19:21:14 -0800

I've had some success with particular mod. the mod removes the website field during sign-up so that if someone's using a script to automatically generate accounts and it tries to submit something to that field, the registration fails. so the spammer has to either sign up manually or somehow figure out what's going on and adjust their script accordingly.

I also noticed that virtually every spammer account listed an ICQ UIN. who the hell uses ICQ anymore? so I modified the script a bit to reject registrations that include ICQ UINs but I left the ICQ field in the registration form so as not to give potential spammers any clues. I figure any legitamite users that get repelled because they use ICQ aren't very cool anyhow.

lastly, install the admin userlist mod post-haste. it adds a user list option to the admin panel that makes getting rid of spam accounts so very easy. it lists users in order by sign-up date so if you go to the very last page of the listing it'll show the most recent accounts. from there, it's pretty easy to discern the fake accounts from the real ones, especially if their e-mail address is like "freestuff@info.ru" and their occupation is "cheap viagra." just select the accounts you wanna delete and press delete. cleaning the user base used to be a 15 minute daily chore but with the admin userlist it only takes a minute or so.