Preventing and dealing with spam in phpBB

A couple of days ago, the amount of spam being posted to my phpBB forum increased dramatically. I turned to the phpBB.com community forums and made my thread, and it looks like it's happening to many other people using the Q&A CAPTCHA.

The Q&A CAPTCHA was added to phpBB in 3.0.6, and it allows the board administrator to specify a question that the user has to answer on sign-up. If their answer matches one of a list of allowed answers the administrator has specified, the user is permitted to sign up; if they cannot provide a correct answer, they are prohibited from signing up. This was actually extremely effective, as the questions would be things like "What is the name of this forum?" or "What colour is the sky?". A couple of days back, the bots noticed that everyone was using the same questions, and so they started answering correctly, leading to a lot more spam.

There have also been reports of bots attempting to hack into people's accounts, not only on their own forums but on the phpBB.com forums too. They weren't doing anything too advanced - they were simply trying to brute force passwords using (I assume) the most common passwords people use, such as "password" or "username123". Now that I have explained what the spammers are doing, I will explain how you can attempt to prevent them from damaging your board or hacking into your users' accounts.

Registration

The bots have been managing to register, as they are now able to break through most of the CAPTCHAs phpBB provides. Google's reCAPTCHA was cracked long ago, and the default phpBB CAPTCHA was also cracked quite a long time ago. Now the bots have found a way to solve the Q&A CAPTCHA as well.

There are a few ways you can stop the bots registering / posting:

Carry on using the Q&A CAPTCHA.

It is still the best CAPTCHA, and when used properly it will stop all spam. Make sure that you have a set of unique questions related to your target audience so that they will know the answers. Make the questions tricky enough to keep the bots out, but not so difficult that your users cannot get in. I would recommend that you have at least 10 questions, as this will make it trickier for the bots to just catalogue the questions and the acceptable answers.

An example of a good question (for lynxphp): "What is the latest version of PHP?"
An example of a bad question: "What is the admin's favourite colour?"

Enable user activation

Enabling user activation means that when a user or bot registers, they have to click on a link that is emailed to them in order to activate their account. Although a lot of bots can get round this by simply clicking on the link in their email, it seems to be having moderate success against the bots that are currently attacking. If this doesn't work, you could also enable admin activation - this means that whenever a user or bot registers an account, an email is sent to all administrators asking whether the account should be activated. The admin can then check the IP or email address against a spam database such as Stop Forum Spam.

Enable the newly registered users group

The newly registered group is a great feature. After you have activated it, new users are added to this group, and when they reach a certain post count they are removed from it. I generally have it set to 1 or 2. You can use this group to give members who have recently registered limited access to the forums, e.g. their posts have to be approved by a moderator.

To enable the newly registered group, go to ACP -> General -> User Registration Settings. When you're there, set "Set Newly Registered Users group to default" to yes and "New member post limit" to a number between 1 and 3. Then, when setting individual forum permissions, set the group's forum permissions to "On Moderation Queue". You will then see their posts on the MCP homepage, ready for you to approve or disapprove. It is also a good idea to make sure that the newly registered users group cannot send PMs or set a signature, as these are other common techniques that spam bots use.

Stop them from hacking into your users' accounts

Spam bots have also been attempting to brute force people's passwords. I experienced this on phpBB.com, but was not hacked. You can recognise that a bot has tried to brute-force your password by the fact that the board will force you to complete a CAPTCHA in order to sign in, as the bot has exceeded the maximum login attempts. Other signs are increased POST requests to ucp.php and increased server load.

Solving this one is easy - simply force your users to have more complex passwords. You can make them do this by going into User Registration Settings and changing "Password complexity". It is also more secure to get them to change their password every month or so, by using the "Force password change" box below the password complexity box. As long as your users don't have stupid passwords, none of your users' accounts will be hacked.
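To see what the "Password complexity" levels actually demand, here is an added example (not phpBB's own validate_password() code, and not part of the original article) that re-implements the four levels under the assumed names "any", "case", "alpha" and "symbol", and adds two checks the article's observations suggest: rejecting passwords from a small constructed deny-list (the "password" case) and passwords built from the username ("username123").

```python
import re

# Character classes required by each complexity level; the level names and the
# mapping to the ACP labels are assumptions for this example.
LEVELS = {
    "any": [],                                          # "No requirements"
    "case": ["lower", "upper"],                         # "Must mix case"
    "alpha": ["lower", "upper", "digit"],               # "Must mix case and numbers"
    "symbol": ["lower", "upper", "digit", "symbol"],    # "Must mix case, numbers and symbols"
}

CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^a-zA-Z0-9]"),
}

# Constructed sample of the kind of passwords the article says bots try first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

def check_password(password, username, level="alpha", min_len=6):
    """Return a list of failed requirements; an empty list means the password passes.

    Beyond the phpBB-style complexity level, the password is rejected when it is on
    the deny-list or when it is just the username with extra characters around it."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for cls in LEVELS[level]:
        if not CLASSES[cls].search(password):
            problems.append(f"missing {cls} character")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common password list")
    if username and username.lower() in lowered:
        problems.append("based on the username")
    return problems
```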

By following these steps, you will have helped protect your board from spam. If some does get through, your users won't see it, as you will be able to delete it and ban the account before it is approved.

About Callum Macrae:

Callum Macrae is the founder of lynx.io and a JavaScript developer from the United Kingdom. He is currently writing his first book, to be published by O'Reilly Media.


Tags: phpbb spam

Comments

Greg Bolte says:

One thing I noticed, you mention the stop forum spam website, however there is actually a mod developed for PHPBB which will automatically check new user registrations on the fly against the stop forum spam DB. This would be a better option on high visibility forums where there are a lot of legitimate users signing up. The details for the mods can be found on the stop forum spam site http://www.stopforumspam.com/contributions

Callum Macrae says:

Thanks for linking me to that, I wasn’t aware there was a modification. I’ve been looking for an Akismet modification for a while, but I never thought of searching for this, I’ll check it out tomorrow.

~Callum

neody says:

Thanks for your article, but I'm tired of putting in questions and answers.

sorry for my bad english

Callum Macrae says:

@neody

Is your board in English? If your board isn’t in English, then Q&A is by far the best CAPTCHA that you could use; the bots can only speak English, so they won’t be able to answer any questions in any other languages.

~Callum

bdistler says:

Is your board in English? If your board isn’t in English, then Q&A is by far the best CAPTCHA that you could use; the bots can only speak English, so they won’t be able to answer any questions in any other languages.

~Callum

Do not count on "can only speak English"; most bots today can and do work with more than one language.

Callum Macrae says:

As the majority of the Internet is in English and most of the money on the Internet is in America, more spam bots will target English speaking websites than other languages. In my experience, the Q&A captcha is less likely to be cracked if it is in a different language.

Of course, the bots CAN be programmed to speak other languages, but they generally aren’t.

~Callum

Callum Macrae says:

I meant English, fix’d

That mod looks pretty good, and I have heard quite a lot of recommendations for it :-D

Ya!Wego says:

how to prevent the spam forever?

Callum Macrae says:

Make sure you keep your board up to date, and change your questions occasionally, if you are using Q&A CAPTCHA.

andy says:

If you are thinking of buying the ads poster software, please beware of this site "http://the-classified-connection.com/". The seller is a ghost and you won't get any emails, any support at all. The software costs $149.95 and it's not worth a dime. The software doesn't work nowadays! There's no submission report that you can check to see if your ads actually are posted in those over 1,000 websites as he advertised. I've been calling his office many times and sending lots of emails asking for his help. It's been nearly a month now and it seems like there's no hope left. No refunds because he just disappeared into thin air.

I hope my case will help those of you not making the same mistake like I did. Thanks for coming by.
