You are not logged in. Please login or register.
PunBB Forums → PunBB 1.2 troubleshooting → spammers are on to you
yes, it seems they have adapted to your verification system and are automatedly checking their email and then logging in and posting porn spam. maybe you could implement one of those "type these letters" verification things in as an added level of security as well as randomize the verification email so a bot cant parse it
there are a few modifications you can do to stop spammers, and if you had seached here and punres you would of found them 
not into modding.. just want to use the product as-is untouched. thanks for your helpful input into this matter
Spammers are always going to adapt to new systems.
Now then, as to your suggestions:
CAPTCHA: It's not accessible to blind users and would require us to either use PHP sessions (which we use nowhere else) or add our own system for storing data in, say, the online table, both of which are less than ideal. Of course, people are always looking to crack CAPTCHAs using OCR software, so we would probably end up in another arms race against spammers.
Random email: I'd be interested to see how you would do that, I don't think it's actually possible. Of course, each individual forum can change its welcome email to be unique, which is a point I'll be addressing right now
Now then, for 1.3, we plan to release several extensions to help deal with spam. The key to addressing spam, however, is realizing how much of it is automated. Just adding a trick to every forum won't help, since spammers will code their bots around it. So, we need to focus on allowing each forum to make its setup unique. 
well whatever you do to get around the spammers is hard because they too have access to the code and im sure some may even follow these forums just to keep up.
as far as the ocr.. i dont know how many of them have that sort of capacity available to them, im sure some do. but why have it use sessions? upon generation of a random string.. add the string to a temp table.. then check the user's verification input against that temp table.. too many wrong tries.. ban em. but the main problem i see is that to use this feature the server would need imagemagik or some other sort of graphic manipulation lib installed which increases requirements for the punbb and thats not good
if you had the resources available to support it.. you could add a "captcha" generation service. where when the verification email goes out.. the server first queries your service center for a captcha image(reduce local requirements) then drops the string in the temp table or wherever it is you store the random password.. emails the verification email with the random password inside the captcha image im the email and for those textonly-based mail clients they could be pointed to a url that is a copy of the verification email.
i guess the options are limitless really and we could come up with more all day but what matters is someone has to do it and thats not me. so ill shutup now lol
as far as the ocr.. i dont know how many of them have that sort of capacity available to them, im sure some do. but why have it use sessions? upon generation of a random string.. add the string to a temp table.. then check the user's verification input against that temp table.. too many wrong tries.. ban em.
I mentioned that in my previous post as being less than ideal
if you had the resources available to support it.. you could add a "captcha" generation service. where when the verification email goes out.. the server first queries your service center for a captcha image(reduce local requirements) then drops the string in the temp table or wherever it is you store the random password.. emails the verification email with the random password inside the captcha image im the email and for those textonly-based mail clients they could be pointed to a url that is a copy of the verification email.
No way that would work 
A single point of failure for all the CAPTCHAs that would be used by PunBB? Even if spammers didn't pay people a couple cents to type in CAPTCHAs for them, that would take an immense setup to run for very little gain.
Why is adding a table not a good option? Just curious.
Not adding a table, adding a column to the online table (a HEAP table) that is only applicable to guests who are registering. So, you're allocating more of the MySQL server's memory when the column isn't even going to be used by most of the users.
Of course, if you're going to write a CAPTCHA extension, you would likely do add the column or use PHP sessions. That doesn't change the fact that they're less than ideal solutions for storing the answer on the server
Yes, adding a column to the online table does not sound like a good idea, but why would you do it like that instead of having a seperate table just for captchas? Not trying to argue, as I do agree that using mods for spam protection is good because then everyone's is a little different Just a hypothetical question I guess.
Yes, adding a column to the online table does not sound like a good idea, but why would you do it like that instead of having a seperate table just for captchas? Not trying to argue, as I do agree that using mods for spam protection is good because then everyone's is a little different
How would you associate the CAPTCHA data with the guests I think you would end up either reimplementing PunBB's system or reimplementing the PHP session system. In either case, using the existing system is better than writing your own, if only for the assurance that it just works.
Ok... hope the discussion doesn't get all broken since this is being discussed in a few topics.
I think a good solution would be some adjustable cap parameters. For example, letting the admin decide after how many posts does a user have the permission to post links. That along with a frequency cap applied only to new users, i think would work.
The more variables the admin can control the most efficient the protection is because the spammers don't get to know what they need to go around.
I belive the future is colaborative solutions like akismet. There is an akismet mod to punbb which i've tryed, but i don't recomend because it's too strict. It's tunned to moderate blog comments which are not supose to have the same kind of content then forum posts.
An anti-spam product with its own spammers database that would be designed specially to punbb would a killer plus.
I think a good solution would be some adjustable cap parameters. For example, letting the admin decide after how many posts does a user have the permission to post links. That along with a frequency cap applied only to new users, i think would work.
The more variables the admin can control the most efficient the protection is because the spammers don't get to know what they need to go around.
Except that won't stop the spam from bots, which don't care whether or not you have links or not. As long as they can post, there will be spam posts
How would you associate the CAPTCHA data with the guests I think you would end up either reimplementing PunBB's system or reimplementing the PHP session system. In either case, using the existing system is better than writing your own, if only for the assurance that it just works.
I would do something like this rather than use sessions or adding a column to online table:
create table captchas ( captcha_id varchar(16) not null primary key, captcha_code varchar(6) not null, timestamp timestamp not null default now() );
In register.php
- generate random captcha_id, random captcha_code, insert them into the captchas table
- add hidden form field to register form for captcha_id
- call image generating php script with captcha_id in query string
- when submitted, compare the entered captcha code to captcha_code in the db
Hmm, you could also generate the image within register.php and save it with some random name, and use an hmac/salted hash in the hidden form field, then you need neither cookies nor a db table. But you would need a script to delete the old images.
Mmm, fair point.
Now, there is a bit more complexity. There should be only one attempt allowed per CAPTCHA, successful or not, to prevent brute-forcing. Also, you should deal with garbage collection so you don't have unused CAPTCHAs sitting there.
I always post this in these threads as it makes me feel smart.
This has been the single most effective anti-spam solution I have found, and is as easy as falling out of a tree to implement that it doesn't even count as a mod.
##
##
## Mod title: Simple Antispambot-code Mod
##
## Mod version: 0.8
## Works on PunBB: 1.2.15
## Release date: 28 May 2007
## Author: sirena (on http://punbb.org/forums)
##
## Description: This is a *very* simple mod to help prevent forum
## spambots from registering on a punBB forum.
##
## Affects DB: No
##
## Affected files: register.php
##
## Notes: This mod simply adds an extra free-text form field into
## the registration page for punBB (register.php) that
## prospective users need to complete, and which the forum
## administrator can easily customize.
##
## Forum administrators can specify any sort of question
## and the required (numeric or text) response.
##
## Administrators are encouraged to:
## (a) customize the question posed by this mod to suit their needs, and
## (b) change their question periodically.
##
## The more variation there is in the deployment of this mod, the more
## effective it will be, particularly against automated spambots.
##
## Questions can be simple - like "What year did Columbus discover America?"
## - or perhaps more complicated - like "What is the sum of 1000+100".
##
## Questions may even be very specific if you are confident that the
## people who you want to join your forum should know the answer.
##
## For example if you have a forum about the Beatles the question may be
## "What year did the Beatles break up?"
##
## Or if you have a forum about Beverly Hills Calif., a good question may be
## "What is the postcode of Beverly Hills?" Etc.
##
## Specific questions such as these will help prevent automated registrations
## and may even cause difficulties for some human spammers too,
## if local or esoteric knowledge is required.
##
## Questions may also be framed to require some exploration of the site.
## Eg "Please enter the 4 digit VIP code visible at the top of the Support page".
##
## This sort of question will block automated bots and slow down
## and perhaps even deter human spammers too.
##
##
## Generated By: Auto Read-Me(by Caleb Champlin) - http://www.rscheatnet.com/Auto_Readme.zip
##
## DISCLAIMER: Please note that 'mods' are not officially supported by
## PunBB. Installation of this modification is done at your
## own risk. Backup your forum database and any and all
## applicable files before proceeding.
##
#
#---------[ 1. OPEN ]---------------------------------------------------
#
/YOURPUNBBFORUM/register.php
#
#---------[ 2. FIND (line:186) ]---------------------------------------------------
#
$timezone = round($_POST['timezone'], 1);
#
#---------[ 3. BEFORE, ADD ]---------------------------------------------------
#
// anti-spam code variable checked here. Customize to suit your needs.
if ($_POST['spamcode'] <> "1492")
message('Please enter the correct 4 digit code for the year Columbus discovered America.');
#
#---------[ 4. FIND (lines: 305-309) ]---------------------------------------------------
#
<div class="inform">
<fieldset>
<legend><?php echo $lang_prof_reg['Localisation legend'] ?></legend>
#
#---------[ 5. BEFORE, ADD ]---------------------------------------------------
#
<div class="inform">
<fieldset>
<legend>Spambot prevention</legend>
<div class="infldset">
<p>Please enter the year in which Columbus discovered America in the box below.</p>
<p><b>Hint:</b> <i>In XXXX, Columbus sailed the ocean blue...</i></p>
<div class="rbox">
<input type="text" name="spamcode" size="4" maxlength="4" /><br />
</div>
</div>
</fieldset>
</div>
#
#---------[ 6. SAVE/UPLOAD ]---------------------------------------------------
#
/YOURPUNBBFORUM/register.phpaxa: Indeed, and that's the kind of anti-spam tool that works (and the kind that we're most looking forward to implementing)
can someone take this a bit farther and create a admin panel where the admin creates the Question and answer?
Q
can someone take this a bit farther and create a admin panel where the admin creates the Question and answer?
Q
i did that earlier
post the code fool...
so other can have it as well
Q
http://www.punres.org/viewtopic.php?pid=22006#p22006
dont say i never do anything for you.
here a question for ur admin_options..
how many times will it take you to get it right the first time?
(hint 100000000000000000000000000000000000000000000)
lmao...
kewl marky-poo!!
Q
here is a quick tip for anyone with a spam problem:
i was up to about 2 spammers per day that actually verify account and post porn, the remainder 5-10 false accounts per day arent sophisticated enough to automate the verification process. i simply changed the layout on the welcome email that has the login info and they stopped.. why? because their automated system recognizes the default template and knows where to extract the username and password from programatically.. so since i changed it around, their automated software no longer knows where to look for the login verification info and hence fails to verify account and does not post spam!
Not adding a table, adding a column to the online table (a HEAP table) that is only applicable to guests who are registering. So, you're allocating more of the MySQL server's memory when the column isn't even going to be used by most of the users.
Of course, if you're going to write a CAPTCHA extension, you would likely do add the column or use PHP sessions. That doesn't change the fact that they're less than ideal solutions for storing the answer on the server
You could use csrf_token in 1.3.
You mean, since the column is already there, just use it? Not a good idea, especially since we're generating CSRF tokens for every user/guest anyway
here is a quick tip for anyone with a spam problem:
i was up to about 2 spammers per day that actually verify account and post porn, the remainder 5-10 false accounts per day arent sophisticated enough to automate the verification process. i simply changed the layout on the welcome email that has the login info and they stopped.. why? because their automated system recognizes the default template and knows where to extract the username and password from programatically.. so since i changed it around, their automated software no longer knows where to look for the login verification info and hence fails to verify account and does not post spam!
I think this kind of approach is the way to go.
If the administrator can easily from the admin panel control a lot of variables in order to brake patterns then it should be easy to keep spammers away with some minor changes here and there
PunBB Forums → PunBB 1.2 troubleshooting → spammers are on to you
Powered by PunBB, supported by Informer Technologies, Inc.