5

I'm managing a phpBB-based forum that gets hit hard by spammers signing up fake accounts. To combat this, we enabled "administrator activation required", but it's not working so well: When a new user signs up, I get an email with a link to activate that user. However, there's no link to let me easily look at the user first; it goes straight to activation.

I'd like to try a different approach, along these lines:

  1. I'd like to allow registrations without my approval; instead, the user must get a mail with an activation link.
  2. I'd like a designated moderator group to approve all posts made by newly registered users. This should be done through the forum's web-based moderation control panel.
  3. When a new user posts a spammy message, I want the moderator group to kill the message and the account.
  4. When a new user has posted a few non-spammy messages, he's whitelisted and further postings require no approval.

How do I achieve this setup? -or- Is there a similar but smarter approach?

UPDATE: I finally found a watertight solution: http://CleanTalk.org -- it's a paid service but for a measly $8 per year it's well worth the money. So far the filter has worked 100% accurately, without any spammers getting through and without blocking legit users. I am impressed.

Torben Gundtofte-Bruun
  • 1,164
  • 2
  • 10
  • 16

7 Answers7

4

Some steps to take:

I found some info in phpBB's forum, but it was too well hidden for new (forum admin) users:

ACP, General, User Registration settings, New member post limit - set to whatever number you want. ACP, General, User Registration settings, Set Newly Registered Users group to default, Yes.

Then there's the suggestion to put new new users on the moderation queue, but no info on how that's done:

Permissions may be set on this group much like any other group -- an example use is to place the Newly Registered Users group on the moderation queue for all forums.

Here's how:

  1. ACP, Users and Groups, Group's forum permissions.
  2. Set "Lookup user group" = "newly registered users", submit.
  3. Select all forums, submit.
  4. Wait for the long list of forums to load...
  5. Set role = "on moderation queue" for every forum, then submit.

I don't remember if I made the role "on moderation queue" myself or if it's a default role. Create or review the role here:

  1. ACP, Permissions, Forum Roles.
  2. Then either click the "gear" icon for the role, or create it using the text field under the list.
  3. Scroll past the "Users/Groups assigned..." section to the "Forum permissions" section at the bottom of the page.
  4. Select the "Misc" tab.
  5. Make sure the setting "Can post without approval" is set to "Never".

All the above should be default settings for new phpBB installations, but isn't.

Also in the User Registration settings, turn on reCaptcha and click Configure to fill in required site keys (which can be created through a link on that config page). Submit the configuration, then go back to User Registration settings and (again) turn on reCaptcha, then Submit that change.

Also, try this MOD: http://www.phpbb.com/customise/db/mod/daropl_antispam/

rjmunro
  • 2,221
  • 4
  • 18
  • 22
Torben Gundtofte-Bruun
  • 1,164
  • 2
  • 10
  • 16
2

I know you already got recaptcha working, but I thought I'd add the link to the recaptcha documentation for phpBB anyway, in case anyone else finds this question in future:

http://code.google.com/apis/recaptcha/docs/phpbb.html

Would be nice if more people used this, rather than letting their phpBB fill up with spam. Ditto for blogs...

dunxd
  • 9,482
  • 21
  • 80
  • 117
1

Are you using a captcha ? - if not, definitely do so it should help a fair bit.

http://en.wikipedia.org/wiki/CAPTCHA

Sirex
  • 5,447
  • 2
  • 32
  • 54
  • Yes I use Captcha, but it's easily broken. I've just turned on reCaptcha instead, let's see if things improve. I've also just added a long answer of my own about moderating new posts; I think that's going to be helpful too. – Torben Gundtofte-Bruun Oct 22 '10 at 09:27
1

Instead of using reCaptcha (which reportedly has been broken by bots now), I upgraded my phpBB forum to the latest version last week and then configured it to use a Q&A captcha with a few custom questions defined (in additon to requiring activation by user emails, and moderation all new users until they have a few approved messages), and haven't had a single spam account be registered so far. Now I just have to finish pruning the thousands of messages and accounts that were already in the moderation queue!

Remy Lebeau
  • 11
  • 1
0

As suggested by other people, having a captcha is a thing to be considered. But captchas are a double-edge sword: a simple one will get broken by sophisticated bots (that use neural networks and other hi-tech approaches), a very complicated captcha will become an annoyance for regular users.

Basically, you don't have many options. Instead of making sure that it is very hard to prove your site that one is a legit user, you have to make sure that every spamming account that comes through is dealt with using harsh methods.

Use some kind of phpbb mod that gathers details about accounts registered from same IPs, collects User-Agent headers etc. While many advanced spam bots can use multiple proxies, very often script kiddies skip using them, because they don't have a proxy list. While User-Agent can be faked, not everyone who is spamming knows about it and does it.

If you see many abuses from an IP that is geolocated to a foreign country that has little to do with your forum, block the whole network at firewall level. Chances are low that you would get legitimate users from there. Instead of blocking, you could redirect them to a honeypot.

If you see some clear signature in the spam messages about the app that was used to spam, please fight back. I had luck a couple of times with complaining to the hosting company that they host the notorious spam software XRumer. I've got answers like "we are aware of it, since we've got complaints from other people" and the hosting account was soon canceled. It didn't work every time, perhaps because certain hosting providers never received a critical mass of complaints that would motivate them to do something. XRumer seems to be still alive.

halp
  • 2,098
  • 1
  • 19
  • 13
0

The only thing I have found effective (and it has been almost entirely effective) is http://stopforumspam.com/.

Just add the this mod and it takes care of almost all spam registrations: https://gist.github.com/797970

aepryus
  • 123
  • 1
  • 7
0

I use a Q&A Captcha module. But unlike others, it doesn't ask you to solve a math question, which spambots have broken.

Rather, it asks you to select and move the word that doesn't make sense.

It works great with spambots. I have had 0 spambots. It cannot block human spammers, but those are few and far between and easily eliminated.

You can see how it works by trying to register on my site at photographtoday.net/forums.

Mike Elek
  • 1
  • 1
  • 1
    This would be much better if you linked to the captcha module rather than your own web site. Otherwise it looks self-promotional! – Michael Hampton Nov 11 '15 at 20:12
  • It's a phpBB extension. I can't recall if they have a working demo. It works only with phpBB v3.1.x. Sortables Captcha https://www.phpbb.com/customise/db/extension/sortables_captcha/ – Mike Elek Nov 11 '15 at 22:34