(edited by JAcky 2008-04-21 15:53)

Topic: PunBB Human Test - Anti SPAM Mod

I have written a new mod for PunBB to help forum administrators in the fight against SPAM.

The new mod will ask a simple question which must be answered before registration is possible. The new mod differs from other "ask a simple question" mods in the following ways:

- Prevent bots from auto registering if they try to submit POST variables directly to register.php instead of loading the form to enter username and password first. This should stop most bots ..... PunBB developers may want to implement this for the login procedure and for posting new messages.
- register.php will ask a simple question which must be answered correctly. Unlike other solutions, my modifications will ask different questions which are randomly selected from a file which contains the questions and answers.
Example:
   Question: How many letters e are in the word: free?
   Answer: 2 or two
   This should stop the more sophisticated bots....
- Fixed a problem where a user running the Firefox web browser who enters an incorrect value and needs to go back finds the submit button stays disabled until the page is reloaded. JavaScript removed to fix the issue on register.php

You can download the modifications and find the instructions here:
http://www.network-technologies.org/Pro … mod_punbb/

Please report any problems or submit suggestions via the Contact form on my website as I will not monitor this thread forever.
http://www.network-technologies.org/contact.php

It is my personal rule to keep all my posted information from issuing 404's even when moving to a new server but should it ever happen, you can find the mod at the following URL as well:
http://www.punres.org/desc.php?pid=503

I hope you find this mod as helpful as I do; since I installed the mod my forum has received 0 SPAM posts.

EDIT, added question information:
Important Notes Regarding Question Selection:
Because the validation scheme supports many questions it is possible to make the mod almost useless if you have a lot of questions with the same answer or very short answers.
Assume that you have added 10 questions, most of the questions are simple math problems such as 1+1 or 2-1 which only have a one digit answer, then a spammer can adjust his SPAM bot to attempt a brute force attack. When brute forcing, the bot will attempt to try any possible combination so any simple question can be broken very quickly.
It is a good idea to apply standard password policies to the answers; no answer should be shorter than 6 characters.
It is also a good idea not to include the word which is supposed to be typed into the answer field within the question.

Here are a few not so good examples:
- What is 1+1?
- Write the word red into the field below.

Here are a few good questions you may want to modify to build your question/answer file:
- Remove all occurrences of the number 2 from the word "2jel2ly2" and type it into the box below (without quotes)
- Fill in the missing character and enter the word into the box below: cof_ee
- Fill in the missing character and enter the word into the box below: mat_ematics
- What does one hundred PLUS thirty PLUS twenty five PLUS two hundred equal?
- What year did Apollo 11 land on the moon?
- Write the number one thousand three hundred thirty three in numbers.
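As an added illustration (not the mod's own code), here is a Python sketch of the question-file handling the post describes, plus a lint pass for the weaknesses listed under the question selection notes. The file format (one line per question, answers after "|", alternatives separated by " or ") and the sample entries built from the post's own examples are assumptions.

```python
import hmac
import re

# Constructed sample question file: one question per line, answer(s) after "|",
# alternative answers separated by " or " (as in the post's "2 or two").
QUESTION_FILE = """\
How many letters e are in the word: free?|2 or two
What is 1+1?|2
Write the word red into the field below.|red
Remove all occurrences of the number 2 from the word "2jel2ly2" and type it into the box below (without quotes)|jelly
Fill in the missing character and enter the word into the box below: cof_ee|coffee
What year did Apollo 11 land on the moon?|1969
"""

MIN_ANSWER_LEN = 6  # the post's rule: no answer shorter than 6 characters

def normalise(text):
    """Lower-case, trim and collapse whitespace so ' TWO' matches 'two'."""
    return re.sub(r"\s+", " ", text.strip().lower())

def parse_questions(text):
    """Return a list of (question, [accepted answers]) tuples, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        question, answers = line.split("|", 1)
        entries.append((question.strip(), [normalise(a) for a in answers.split(" or ")]))
    return entries

def lint_questions(entries):
    """Flag the weaknesses the post warns about: short answers, the answer
    leaked inside the question text, and one answer reused across questions."""
    problems, seen = [], {}
    for question, answers in entries:
        words = set(re.findall(r"[a-z0-9]+", normalise(question)))
        for answer in answers:
            if len(answer) < MIN_ANSWER_LEN:
                problems.append(f"short answer {answer!r}: {question}")
            if answer in words:
                problems.append(f"answer {answer!r} appears in question: {question}")
            if seen.setdefault(answer, question) != question:
                problems.append(f"answer {answer!r} reused: {question}")
    return problems

def check_answer(entry, submitted):
    """Constant-time match of the submitted value against any accepted answer."""
    guess = normalise(submitted).encode()
    return any(hmac.compare_digest(guess, a.encode()) for a in entry[1])
```

Running the linter over the sample file flags every entry except the "cof_ee" one, which is the only answer that is six characters long and does not appear in its own question.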

Re: PunBB Human Test - Anti SPAM Mod

It works well. Pity there is no admin control panel to modify the challenge/response pair though.

Just remember not to script multiple questions that all have simple answers like 1, 2 or 3. smile

Complex questions that have simple answers - no matter the actual number of questions - can defeat the purpose of this mod. A bot (or scripted browser...) could easily break through a run of 10 randomised complex questions if they all have simple answers like 1, 2 or 3.


Re: PunBB Human Test - Anti SPAM Mod

sirena wrote:

It works well. Pity there is no admin control panel to modify the challenge/response pair though.
Just remember not to script multiple questions that all have simple answers like 1, 2 or 3. smile
Complex questions that have simple answers - no matter the actual number of questions - can defeat the purpose of this mod. A bot (or scripted browser...) could easily break through a run of 10 randomised complex questions if they all have simple answers like 1, 2 or 3.

Correct, a little bit of thought needs to go into the selection of the questions but there are sooooo many good questions to choose from such as:

Type the word after the colon into the box below: red
Type the word "love" without quotes into the box below (without quotes)
Remove all occurrences of the number 2 from the word "2jel2ly2" and type it into the box below (without quotes)
Fill in the missing character and enter the word into the box below: cof_ee
Fill in the missing character and enter the word into the box below: mat_ematics
.... and so on

That's why I wrote the mod: it does not require the standard 1,2,3 responses from the user and offers a great deal of variety.
I will add more information about proper question selection to the instruction manual as it is susceptible to brute forcing ... or maybe I could write an anti-brute-force mod .... mhhh

As far as adding it to the admin panel, I doubt I will write that.


Re: PunBB Human Test - Anti SPAM Mod

JAcky wrote:

Type the word after the colon into the box below: red
Type the word "love" without quotes into the box below (without quotes)
Remove all occurrences of the number 2 from the word "2jel2ly2" and type it into the box below (without quotes)
Fill in the missing character and enter the word into the box below: cof_ee
Fill in the missing character and enter the word into the box below: mat_ematics
.... and so on.

I am writing a guide on proper question/answer selection now and the first two are actually not that good since they contain the answer in plain text. A smart bot may try to brute force its way in by trying out every word on the page.

Looks like I need to start working on the next version soon which will include brute force protection.... damn spammers....

Re: PunBB Human Test - Anti SPAM Mod

Yes, it's an interesting challenge you have set yourself.

But lots of punbb forum owners will no doubt appreciate any work you do to help defeat spammers and further improve this mod.

Questions I have made up are careful not to feature any answers that might contain text from anywhere else on the page. Each question is also phrased uniquely - there are no sets of three similar questions, for example, as there are in the default set. And if a question requires a numeric response, the answer is always at least 4 digits long smile

Furthermore, I also recommend that anyone who deploys this mod take a few extra measures:

(a) place the human test question in a slightly different location in the HTML code of register.php than the default (ie place the question above or below its default location in the example register.php supplied in the mod);

(b) rename the two pairs of publicly visible form response variables in the HTML of the supplied register.php ( ie name="human_test" ) to something unique to your forum;

(c) rename the human test question legend in the HTML code of the supplied register.php from "Human Test" to something unique to your forum too.

By making each deployment of this mod unique, these measures may make scripted bot attacks against this mod harder in future. At least in theory.

Brute force detection could be a useful feature to add. It could be a classic 'three-strikes and you are out' type of system, which can sometimes be tricky to build. Or perhaps you could use something similar to the post-flood control that is already in punbb that just sets and enforces a (variable) throttle on the allowed time between form responses. That might also be effective.
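Both ideas in the post above, a 'three strikes' lockout and a post-flood-style minimum interval between answers, can live in one small piece of per-client state. The Python below is an added example, not part of the mod; the client key (session or IP), the 10-second interval and the 600-second lockout are assumed values, and the clock is injectable so the logic can be exercised without waiting.

```python
import time

MAX_STRIKES = 3        # "three strikes and you are out"
LOCKOUT_SECONDS = 600  # assumed lockout after the third wrong answer
MIN_INTERVAL = 10      # assumed minimum gap between answers, like post-flood control

class HumanTestThrottle:
    """Per-client (session or IP, the caller's choice) state for the human test."""

    def __init__(self, now=time.monotonic):
        self.now = now     # injectable clock, for testing
        self.state = {}    # client -> {"fails", "last", "locked_until"}

    def allowed(self, client):
        """Check before the answer is even compared; returns (ok, reason)."""
        s = self.state.get(client)
        if s is None:
            return True, ""
        t = self.now()
        if t < s["locked_until"]:
            return False, "locked out"
        if t - s["last"] < MIN_INTERVAL:
            return False, "too fast"
        return True, ""

    def record(self, client, correct):
        """Update the counters after an answer has been checked."""
        if correct:
            self.state.pop(client, None)  # a pass clears the strikes
            return
        s = self.state.setdefault(client, {"fails": 0, "last": 0.0, "locked_until": 0.0})
        s["last"] = self.now()
        s["fails"] += 1
        if s["fails"] >= MAX_STRIKES:
            s["locked_until"] = s["last"] + LOCKOUT_SECONDS
```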