Vulnerable to spambots (Page 1 of 4)

For me it's a bug when it brings your server down, and when basically it uses an exploit to turn your forum unusable. I agree that there are mods, but it shouldn't be necessary to install a mod. Any forum that you set up these days will be hit by spambots early or late. It's like surfing the web using Windows 98 with no antivirus IMHO.

Of course I can install mods or create mine. The problem is that it has an exploit, it allows any non-human user to send an unlimited number of messages with no restriction. It's like not requiring registration, or disabling captchas. The point is that with a default installation of punBB, I can't run my forum.

I use the default settings (with e-mail verification, etc...).

Thanks. As I said, I can install mods myself or even tweak my own spam filter. I'm talking about fixing this bug for the default installation so that people who install punBB don't have to worry, the default installation will be safe.

It's not just for me. I have 3 different forums (Interaction, PC-BSD and another one for my NGO). They all have been targetted by spambots. I can safely conclude that any forum will be exploited to broadcast spam on the web. Anyway, I hope Rickard will read this thread and agree that this security breach is something important that should be fixed in the default installation, especially that common users don't expect that a forum can be hit by spam, even less by spambots. My message has been heard

I tend to agree with calande.

It's a classic problem. Administrators should accept some responsibility for the secure operation of their sites, of course. But you can see the trends - we have to accept that the web is a hostile environment nowadays. So application hardening is the way to go.

Ergo, a modern forum has to be able to deal effectively with spam in a default install. That is to say, a 'secure' anti-spam configuration should be the default.

Perhaps this means including stuff like a CAPTCHA or textual equivalent built-in, along with expanded post and registration 'censoring' options, and certainly implementation of the simple stuff like support for the no-follow tag on links in forum posts, designed to reduce the incentive to spam. And turning all of these options 'on' by default.

Administrators should then be able to choose to selectively disable the spam control options, but by default they would be active.

It's the appropriate security model to adopt. Forum spam is only going to get worse. Why contribute to the problem?

Look at the MS experience and the new security model in Vista and successive generations of for example their server product lines. You start with a secure configuration, and users then have to explicitly *choose* less secure options.  Is good.

I'd certainly encourage punBB to go down this path.

i also agree, but at the same time PunBB is standards compliant - XHTML, CSS, accessible, etc and these are some of the great things about PunBB, so to introduce something like CAPTCHA would only break this which is quite bad in my opinion.

a text equivilant like "What is 5 + 3?" (random numbers) would be a good idea as a basic defence, but then, as mentioned earlier, if this becomes standard to PunBB, then bots will be programmed to defeat this which brings us back to square one. a mod i made, mentioned earlier (based on the Forbidden word spam blocker mod by Daniel Vijge), addresses the issue differently but the problem with this mod is that it must be customised by the administrator to each forum and a "one size fits all" is not going to work (except maybe for limiting URLs and post sizes for new users/guests).

Akismet, as previously mentioned does a great job but the downside with this is the forum administrator is relying on a 3rd party which may not suit a lot of people who like simplicity and total control, and who therefore chose PunBB in the first place.

perhaps integrating like you mentioned sirena, a few solutions, like CAPTCHA, "What is 5 + 3?" etc into PunBB but having them off by default would give new forum administrators the easy option to turn them on at their will. having them on by default though i do not think is a good idea as PunBB is simple and standards focused, and adding too much and breaking the standards would not be good.

I knew it was a mistake to use a MS example around here

But a dislike of MS shouldn't cloud the argument. It was just meant to illustrate a point about application hardening. One valid approach can involve reducing the 'surface area' an application exposes to attack 'out-of-the-box'. That's all. It's a very *nix-like perspective.

Progressive strengthening of the defences by all web apps is an inevitable trend. You can see it everywhere. And the forums you will see around in several years time will be much tighter than the ones you see today, that seems an absolute given.

This doesn't necessarily need to get in the way of the spirit of open source, *nix, the web and other goodness. It's a matter of survival.

there was a mod here a little bit ago that had you change the first item in the time zone drop down to "select a time zone," and a change in login to check for a null timezone.  this simple fix has completely (now that I say this I'll get bombarded I bet) stopped false registrations on my board.  I think that things like this, that stop automated scripts from signing up and posting on your forum is needed, and simple to add in without disturbing the masses.  I run several other websites and only one has punbb, the others run phpbb, but I have never had this problem with the phpbb and there are a lot more people trying to exploit that board.

I'd definitely call it a bug.  not that there is anything broken in the code, but it does allow for subsequent automated sign ups after one valid registration (even with the email me the password enabled, because once they know the server time, they can use fake emails and generate the password), and I'd call that a security (albeit timid) risk.

ultimately its up to the guys owning the code to fix / change it, and if they don't see it as a bug then it wont get fixed.  If they don't see it as a bug, maybe they'll still consider it as a feature request, but whatever it is, I think it would be a good idea to revisit that algorithm and see if it couldn't be refactored a bit.

hey i know this is slightly off topic but i couldn't resist posting it.  so u you have spam problems?  check out this article,
MySpace users snowed in by new blizzard of spam.

"...some of the vilest porn known to man..."  i hate spammers but that line's kind of funny.

I'll agree spam filtering and captcha should be options for the default installation, too many newcomers to punbb and people that dont konw php wont have time or know how to implement some of the plugins and mods

i doubt it will happen though, the team here has decided in keeping the core super clean, although spam filters are being put in almost every modern web app now

i think in a way it hurts punbb, i see a lot of old links in old posts that are now using phpbb/smf/vbulletin and I'm sure they switched because of spam and fake registering