You are not logged in. Please login or register.
PunBB Forums → PunBB 1.2 troubleshooting → Bots attacking :(
Holy crap!
Yesterday I've installed PunBB (Well, version 1.2.12), and now (but nobody knows about my forum!!!) bots attacking! 5-7 bot registrations per day! I really need some advice. I don't know what to do. Is there any mod or something?
I want bots to get away:))) i don't want them registering on my forum every bloody day!
Look at the bright side, your forum will have a lot of members 
Seriously, we know about it and we've been discussing ways to combat this.
Email verification didn't help?
I have Email verification on, the email will go out but that's no indication it's valid.
In your admin, go to users, enter an '*" in the user name and click Submit search. All those users that say, Not verified, have never responded to the email they were sent.
In the meantime, you can use Image Verification to try to prevent bots (although you should remember that there are potential accessibility issues).
pogenwurst, yep, I remember that. Let's try anyway...
Strofanto, this e-mail verific. can't help, because every user registered with any e-mail is already in user list.
hcgtv, thanx, didn't know where to find this "not verif." userlist, now I know, thanx a lot. And about bright side...
Look at the bright side, your forum will have a lot of members
......oh, and my DB someday will be down (and not only for maintenance, ha-hah!:)))
I just checked for Not Verified on my forum, and there are tons!
Is there any way to prune away all those users, with a mod perhaps?
http://punbb.org/forums/viewtopic.php?id=5936
User Management Plugin
http://punbb.org/forums/viewtopic.php?id=5936
User Management Plugin
Thanks, I should search before I ask 
Hey, guyz!
Bots has started to post spam and verifying registrations!!!
What to do????????????? HELLP!!
Note: they all attacking to the Test Forum category...
You might need akismet for PunBB: http://www.punres.org/desc.php?pid=293
Then type in all words that you want to ban.
There's too many registations per day... I think I hate them all...
Well, let look from the other side.
What I need?
I need something special.
Heh...
Why there are no such registrations on vB or IPB, uh?
What's the difference between PunBB and vB?
I like vB, but it cost too much. And I want PunBB to work carefully with the registrayions, BUT HOW???
I'm crying...
Michael, I feel your pain.
A couple of things you can do:
* Put in some censor words to stop the drugs and sex related user names.
* Ban some of the most abused domain names from signing up.
This is going to have to be looked at for the PunBB 1.3 release, it's getting a bit out of hand.
Can I add some fields in registration form to avoid this crap?
If yes, how?
P.S. I just think that if I add a few new required fields it could be better!
If what Michael is suggesting actually works, i.e. adding some custom fields... I mean if its that easy to thwart spam-bots then why isn't that standard?
Standard meaning, building into the forum registration the ability for the forum host to create, say, 3 custom fields that can be configured with anything they want, or whatever.
Or do spam-bots have some sort of built in learning that renders this inviable?
Cheers,
Because it's only slightly more work to build a spam bot that actually reads the HTML from register.php and fills in things properly
If it becomes standard, the people that make bots will render it useless. The key is to make your registration process unique, since the chances of a bot maker caring about your specific forum is pretty low
One of the things we do is enforce first and last support. Something else would be good to use is capatha support too - that usually prevents bots from grabing the front form.
Also, add a checkbox {nulled} so before the new member can create the new acct they must check it - we use one for "I Read the Terms and Agreement" - the continue button is dimmed until the check the box.
HTH
If it becomes standard, the people that make bots will render it useless. The key is to make your registration process unique, since the chances of a bot maker caring about your specific forum is pretty low
I have a simple suggestion to defeat the bots, based around this concept of making each forum's user registration process in some way unique.
Rickard could code the Members section of the PunBB administrators area to allow Admins to add 1 (or more) custom form field(s) to the user registration page. This custom form field would allow (or require) each site to specify an additional unique registration variable for all forum signups, to supplement username, password and email verification.
The options available in this form could be anything the forum administrator likes. The format of it should also be variable, so that the admin can make it a drop down form, or radio-buttons, or a blank text input form box. Ideally, the php code or form ID for the subsequent form should also make its name unique, based on the form name or a randomly generated value.
Eg on one punBB forum it could be a drop-down form that asks the user at signup time to confirm: 'What's your favourite colour?', and gives them a selection of 'Red/ Green/ Yellow/ Blue'. Another punBB forum might have a drop down form that asks: 'Who is the President of the United States?', and gives them the option of specifying 'George Bush/ Dick Cheney/ Arnold Schwartzenegger'.
Etc, ad infinitum.
If every punBB forum that required signups had a unique question/response requirement like so, bots may have a harder time reaching into multiple punBB sites.
Is this concept valid?
What I am trying to express is some (built in) way of essentially randomising the punBB login sequence, so that each punBB board has in some way a unique login process.
Actually, a neater solution to this (now that I think about it) could be as simple as having the punBB installer assign a random prefix to either the login.php file or the register.php file, which is unique to each punBB install, so that for example on one site login.php becomes '123login.php', whereas on another site it is '99bblogin.php'.
That alone would screw the bots up.
sirena: The main way to deal with spam registrations as suggested here is randomized form variables. However, for them to be effective they have to be unique for each install (and people can't simply guess at them). I can't see a way to add arbitrary form variables to registration becoming part of the core (although it would be a good extension) simply due to the issue of bloat. And as you said, the only way for the spam prevention to be effective is if the question is unique for every forum.
As for a randomized filename, that wouldn't help. All links need to point correctly, so the bot would simply need one more page request to find the correct URL.
I track the ip address. I give a warning on the site that you can NOT sign up more than once in 24hrs. If the same ip tries to access the sign up form more than once in 24hrs I block their ip address for 24hrs and redirect them to my error script. Then the script deletes their entry in the db. If I start having trouble from one particular ip address I block it permanently, they simply cant get to the sign up script.
I also check for ban words, both during sign up and on the forum. Anyone using a ban word on the forum is immediately removed from the db. Checking my db, it doesnt look like anything has even gotten as far as the forum to be ban.
Works fine so far.
Aren't there some 'common functions' of bots that can be taken advantage of to cause them to 'reel' into loops?...
What I am thinking is (but I do not know bot-techno, so some other brainy-ack would have to thunk it through...),
...if bots have some primary functions for some sort of calculating when they arrive, and they must because they have to make decisions (which essentially are calculations), ...aren't there 'problems' you could seed into the site pages or the root of the domain that would cause the bot to get stuck until it timed out and decided "ouch, I am leaving now for more fertile prey elsewhere"... kind of like giving a computer the task of solving the square root of 2... kind of thing?
Maybe a stupid idea, I haven't a clue...
Cheers,
kind of like giving a computer the task of solving the square root of 2...
1.4142135623730950488016887242097
And there's nothing I can think of that wouldn't harm users/legit bots (ie: from search engines) more 
Here's how I have virtually coped with spam bots on my site:
I followed an idea I saw on the phpBB forums a few months ago. It's basically creating a custom question/field that every (or nearly every ) human could easily answer but for which the spam bots have almost no chance at guessing the answer. The question can be well-thought so that it doesn't bring accessibility issues.
Since I did this, I haven't got ANY spam delivered to my mailbox through the contact forms on the site. And before that I used to get about 10-20 spam emails per day.
So I am planning to implement the same technique with my copy of PunBB soon. I only need to find some free time to take a closer look at the code.. 
Only problem is that simple math can be easily adapted to by bot makers
Adapted to, but if it's not currently, it will temporarily stop spam won't it?
Also, maybe you should change the questions to ask historical questions that everyone would know, such as: What civilization built the pyramids, What empire was known for building roads, and maybe a few easy questions about your countries history.
If people don't know they can switch questions.
Should be pretty simple for a person, but hard for a bot.
That was just an idea I had, I've never dealt with spam before, so I'm not really sure, but it sounds good.
PunBB Forums → PunBB 1.2 troubleshooting → Bots attacking :(
Powered by PunBB, supported by Informer Technologies, Inc.