1 (edited by iota 2006-12-12 02:28)

Topic: Simple way to stop spam signups

I noticed on my site that about 90% of spam signups are from users that select -12 as the timezone for their new account, and have found a simple way to block these users. The reason that these signups are all from -12 timezone is because the spammers are just using automated scripts that simply select the first choice in any drop-down that they do not recognize on a signup form. Obviously, there are smarter spammers out there and this method won't last forever but it works for now.

The simple solution is to add a new timezone called 'none' that is the first choice in the drop-down when signing up. Most users will never see this, as PunBB pre-selects the server timezone and uses that as the default; plus, who would select 'none' as a timezone? Then, in the registration code, simply add a catch for this bad timezone and force an error.

The code below is an example and is obviously very poor; I have tried to make it as simple as possible, but someone is welcome to make a better modification out of this. Indents have been removed for clarity.

In register.php, find the line (is line 185 for me):

$timezone = intval($_POST['timezone']);

Above this line, add:

if ($_POST['timezone'] == "none") message('Please select a valid timezone.');

Then, in the same file, find the line (is line 311 for me):

<br /><select id="time_zone" name="timezone">

below this, add:

<option value="none">Select one</option>

Make sure that the line you add is the first in the list of option tags. You can customize the text between the tags to change what is shown in the drop down as the top choice, just be sure that the value is set to 'none'. You may actually want to change the text in the option tags to say something other than 'Select one', as spam bots might know to skip this (but I have not seen it). For example, you could change to <option value="none">None</option> or <option value="none">I am a spammer</option> since most people won't even see it.

I actually used message($lang_prof_reg['Invalid timezone']); and added 'Invalid timezone' to the lang/English/prof_reg.php file but the above code is easier since 90% of people will never see it; if you expect multiple language signups you might want to modify your code accordingly.

Now when spam bots attempt to submit the form and pick the top choice in the drop-down, they will be blocked. This is not perfect, but again it should help cut back on many of the dumb spam bots that are out there.

Let me know if you have any comments or questions!

Saab92x.com
Over 2300 users and 265,000 posts, running PunBB for 3 years

Re: Simple way to stop spam signups

Return Values

The integer value of var on success, or 0 on failure. Empty arrays and objects return 0, non-empty arrays and objects return 1.

So would a timezone of GMT trigger the error?

3

Re: Simple way to stop spam signups

You are correct; I have updated my post with a solution (basically just check if the value of the POST'ed timezone is 'none'). Thanks!

Saab92x.com
Over 2300 users and 265,000 posts, running PunBB for 3 years
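
The ordering issue raised in this exchange, as an added example (not code from the thread or from PunBB): the 'none' sentinel has to be compared against the raw POST value, because intval('none') is 0, which is also GMT. The function name check_timezone_field, the whole-hour offsets and the -12 to 13 range are assumptions for illustration.

```php
<?php
// Added example: validate the raw timezone field before casting it.
// check_timezone_field(), whole-hour offsets and the -12..13 range are assumptions.

function check_timezone_field(array $post): array
{
    // Field missing entirely: nothing to cast, reject instead of defaulting to 0.
    if (!array_key_exists('timezone', $post)) {
        return ['ok' => false, 'reason' => 'missing'];
    }
    $raw = $post['timezone'];

    // timezone[]=x arrives as an array; intval() of a non-empty array is 1.
    if (!is_string($raw)) {
        return ['ok' => false, 'reason' => 'not-a-string'];
    }
    // The decoy option. Compare the raw string: intval('none') is 0 (GMT).
    if ($raw === 'none') {
        return ['ok' => false, 'reason' => 'decoy-option'];
    }
    // Any other non-numeric text would also silently cast to 0.
    if (!preg_match('/^-?\d{1,2}$/', $raw)) {
        return ['ok' => false, 'reason' => 'not-numeric'];
    }
    $tz = intval($raw);
    if ($tz < -12 || $tz > 13) {
        return ['ok' => false, 'reason' => 'out-of-range'];
    }
    return ['ok' => true, 'timezone' => $tz];
}

// Constructed sample submissions.
$samples = [
    'default (GMT)' => ['timezone' => '0'],
    'decoy option'  => ['timezone' => 'none'],
    'array input'   => ['timezone' => ['x']],
    'garbage'       => ['timezone' => 'abc'],
    'field absent'  => [],
];
foreach ($samples as $label => $post) {
    $r = check_timezone_field($post);
    echo str_pad($label, 16), $r['ok'] ? 'accepted tz=' . $r['timezone'] : 'rejected: ' . $r['reason'], "\n";
}
```

Logging the rejection reason alongside the client address gives a running count of how many signups the decoy option is still catching.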

Re: Simple way to stop spam signups

the spam is getting WAY out of hand with punbb I am getting hundreds. I just added this tweak in hopes it will help cut down on some of it. Thanks!

!

Re: Simple way to stop spam signups

Emancipator wrote:

the spam is getting WAY out of hand with punbb I am getting hundreds. I just added this tweak in hopes it will help cut down on some of it. Thanks!

http://www.punres.org/files.php?pid=293

Re: Simple way to stop spam signups

yeah i looked at that one but after seeing the complaints of members getting banned who were not spamming and no ability to adjust the settings i passed.

!

7 (edited by Savvy 2007-01-07 21:48)

Re: Simple way to stop spam signups

When my forum started to get hit by automated spam bots I quickly made a small modification to the sign-up page as you need to be registered to post.
Now when bots try to register they always fail and it gets logged to my apache's error.log, normal users are not having any problems.

It is a simple extra form where it asks a simple math sum, and you need to enter the correct answer. (I based it on the "Did you Pass Math" mod for Wordpress, but I used server-side openssl for challenge/response)

You can have a look at: http://www.savvy.nl/blog/forum/register.php and check if you can write an automated script to register an account.
Actually it's not that hard if you evaluate the form question.. but hey it works, i got ZERO spam :)

If anyone is interested in the mod, PM/email me. I'm not making this public as it will increase the chance that bot coders will pick it up and write something for it.

8 (edited by Timpa 2007-01-07 21:57)

Re: Simple way to stop spam signups

Savvy wrote:

When my forum started to get hit by automated spam bots I quickly made a small modification to the sign-up page as you need to be registered to post.
Now when bots try to register they always fail and it gets logged to my apache's error.log, normal users are not having any problems.

It is a simple extra form where it asks a simple math sum, and you need to enter the correct answer. (I based it on the "Did you Pass Math" mod for Wordpress, but I used server-side openssl for challenge/response)

You can have a look at: http://www.savvy.nl/blog/forum/register.php and check if you can write an automated script to register an account.
Actually it's not that hard if you evaluate the form question.. but hey it works, i got ZERO spam :)

If anyone is interested in the mod, PM/email me. I'm not making this public as it will increase the chance that bot coders will pick it up and write something for it.

Would be nice if you posted the mod.
And it would be A LOT better with an image generator that said "what is 4 plus 5?" so that parsers can't read it.

Edit:
like this: http://www.hetemeel.com/einsteinform.php

9

Re: Simple way to stop spam signups

Timpa wrote:

And it would be A LOT better with an image generator that said "what is 4 plus 5?" so that parsers can't read it.

Parsers and screenreaders used by visually impaired people.  Using character entities, though, might stop some bots while staying readable for humans.

10

Re: Simple way to stop spam signups

Thanks, I did something like that, then also modified post.php to reject guest posts which contain URLs.

Re: Simple way to stop spam signups

Thanks for the tip iota, seems like it's working well!

12 (edited by quaker 2007-01-29 02:54)

Re: Simple way to stop spam signups

i have one major site that! what i do is create a new user group that i monitor at least 3 times a day and i call it newbies. if i don't see a friend's email addy i purge it... simple... i got it where they can't post, view, or do anything without being moved up to a member status.
and i added a box like this before you can go to the register file, which i rename to something completely different, and edit the functions.php and the login.php to the new location of my (tos)


http://modelcrowd.com/img/gallery/2_1170039145.png

Q

My stuff or my style might sux, but atleast I'm willing to help when I can.
Don't be stupid and help ! We are the stupid one's !!!

Re: Simple way to stop spam signups

i am getting spammed so bad it's not funny. I had to completely delete an entire forum because there were thousands of porn posts. I am gonna try this suggestion on it and see if it does kill a large amount of it.

!

14

Re: Simple way to stop spam signups

Emancipator, I've been using the Akismet mod and it's working great.

http://www.punres.org/viewtopic.php?id=1850

Re: Simple way to stop spam signups

this mod does work pretty good, i still get signups but not as many

Re: Simple way to stop spam signups

Thanks Guys for the feedback. I tried this on my Halo site and it seemed to work well but the forum was too small to really tell. I will know better on this other forum. That said, HCG i like the idea of Akismet but hate how i have 0 control over it which is why i have not used it.

!

Re: Simple way to stop spam signups

I'd recommend the image verification to register.
I was getting up to around 50 spam posts a week (not a lot compared to many sites - but still bothersome) and installed the image verification mod and it went to 0. I don't remember what the mod is called, but look on punres and you'll find it. ;)

Re: Simple way to stop spam signups

it must be a new mod. I was hunting for hours a week or so ago and this was the best option I found ( the date change ). A captcha box, you're right, is the best choice.

!

Re: Simple way to stop spam signups

I'm pretty sure that's it --> http://www.punres.org/desc.php?pid=250

Re: Simple way to stop spam signups

tks buddy i am gonna check it out!

!

21

Re: Simple way to stop spam signups

Emancipator wrote:

That said, HCG i like the idea of Akismet but hate how i have 0 control over it which is why i have not used it.

Depends on the forum I guess. For a high volume forum, Akismet works well, it keeps you from having to approve many posts when a moderation queue makes its way into PunBB. As far as control, you can go through what is marked as spam and mark it as Not Spam. I'm so used to spam controls in Thunderbird that I find Akismet to be a natural extension to my daily routine.

Let me just add: This past week I was working on some mockup Rules for my local test PunBB 1.3 forum. I liked the wording on the Rules and decided to add them to my live forums, they had never had any Rules before. Well, to my shock, the normal 15+ signups a day, went down to a few and then nothing. Looks like the configured bots got thrown off by an extra screen in the signup process.

Re: Simple way to stop spam signups

both the timezone 'none' mod and the math mod are ingenious solutions to these spam bots signing up! Akismet is far too complicated and has too many false negatives to be dealt with. Akismet and captcha are not the best solution to your spam problems. i've seen 1000s of spambots get past those with ease.

~thegleek

Re: Simple way to stop spam signups

There's no "best" or "one-size-fits-all" solution for spam. Different forums deal with their spam problems in different ways, and rightly so.

Looking for a certain modification for your forum? Please take a look here before posting.

Re: Simple way to stop spam signups

hi all, I'm a brand new newbie. ;)
sorry for my bad English! :P

I used the work of Savvy as inspiration for a math registration check based on a simple sum.
But, in this case, the textfield is disabled and its value can be modified only by clicking on two "+" and "-" buttons: I think (or I hope) that this operation can't easily be done by a bot.

this is the code.

header.php:

locate the line that starts with:

(1)

<script type="text/javascript">

and before it add this line:

<?php $max=10; ?>

this is the maximum value that the two values to be added can reach.
then, after the (1) line, put this:

var max=<?php echo $max; ?>;
var randomValue1=Math.floor(Math.random()*max);
var randomValue2=Math.floor(Math.random()*max);
var theSum=randomValue1+randomValue2;
max*=2;

function upAndDown(the_form, sign){
    var theValue=the_form.elements["mathValue"].value;
    if(sign=="+" && theValue<max) theValue++;
    else if(sign=="-" && theValue>0) theValue--;
    the_form.elements["mathValue"].value=theValue;
}

this is the JavaScript code that generates the sum value and that controls the behavior of the "+" and "-" buttons. put this code before the process_form function.
well, now inside the process_form function, locate the } that closes the for and, after it, put this code:

        if (the_form.elements["mathValue"].value != theSum){
            alert("The sum result is not correct.\nPlease retry.");
            the_form.elements["mathValue"].focus();
            return false;
        }

the work on the header.php file is over.

register.php:

in this file, put the following code in the position you like (according to the div structure):

            <div class="inform">
                <fieldset>
                    <legend>A little math (and antispam) question</legend>
                    <div class="infldset">
                        <p><script type="text/javascript"> document.write('What is the result of '+randomValue1+'+'+randomValue2+'?'); </script></p>
                        <div class="rbox">
                            <input type="button" name="buttonDown" onclick="upAndDown(this.form, this.value);" value="-" /><input type="text" name="mathValue" maxlength="2" size="2" value="0" disabled /><input type="button" name="buttonUp" onclick="upAndDown(this.form, this.value);" value="+" />
                        </div>
                    </div>
                </fieldset>
            </div>

that's all. :)
I hope this work may be useful for someone: thanks again to Savvy for his great idea. ;)

bye all
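
The sum check in the post above runs in the browser, and a disabled input is not sent with the form, so the server never sees the answer. A server-side variant of the same question, as an added example (not code from the thread; Savvy's openssl-based mod is not published here, so an HMAC token stands in for it, and $secret, issue_challenge and verify_challenge are hypothetical names):

```php
<?php
// Added example: server-side check for a "what is a+b?" registration question.
// $secret, issue_challenge() and verify_challenge() are illustrative names.

function challenge_mac(string $secret, int $sum, int $expires): string
{
    // The MAC binds the expected answer to an expiry time without storing state.
    return hash_hmac('sha256', $sum . '|' . $expires, $secret);
}

function issue_challenge(string $secret, int $now, int $max = 10, int $ttl = 600): array
{
    $a = random_int(0, $max - 1);
    $b = random_int(0, $max - 1);
    $expires = $now + $ttl;
    return [
        'question' => "What is the result of $a+$b?",
        // Goes into a hidden form field; it does not reveal the sum.
        'token'    => $expires . ':' . challenge_mac($secret, $a + $b, $expires),
        'sum'      => $a + $b, // kept for the demo below only, never sent to the client
    ];
}

function verify_challenge(string $secret, $answer, $token, int $now): bool
{
    if (!is_string($answer) || !is_string($token)) return false;
    if (!preg_match('/^\d{1,2}$/', $answer)) return false;
    if (!preg_match('/^(\d{1,12}):([0-9a-f]{64})$/', $token, $m)) return false;
    if ((int) $m[1] < $now) return false; // token expired
    $expected = challenge_mac($secret, (int) $answer, (int) $m[1]);
    return hash_equals($expected, $m[2]); // constant-time comparison
}

// Constructed demo: one challenge checked against four submissions.
$secret = 'replace-with-a-long-random-server-side-value';
$now = time();
$c = issue_challenge($secret, $now);
$cases = [
    'correct answer' => [(string) $c['sum'], $now],
    'wrong answer'   => [(string) ($c['sum'] + 1), $now],
    'expired token'  => [(string) $c['sum'], $now + 601],
    'array answer'   => [['7'], $now],
];
foreach ($cases as $label => [$answer, $at]) {
    echo str_pad($label, 16), verify_challenge($secret, $answer, $c['token'], $at) ? 'accept' : 'reject', "\n";
}
```

The answer space is small and a token stays valid until it expires, so this belongs next to a per-address attempt limit or a single-use token store.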

Re: Simple way to stop spam signups

moaiamorfo wrote:

then, after the (1) line, put this:

var max=<?php echo $max; ?>;
var randomValue1=Math.floor(Math.random()*max);
var randomValue2=Math.floor(Math.random()*max);
var theSum=randomValue1+randomValue2;
max*=2;

function upAndDown(the_form, sign){
    var theValue=the_form.elements["mathValue"].value;
    if(sign=="+" && theValue<max) theValue++;
    else if(sign=="-" && theValue>0) theValue--;
    the_form.elements["mathValue"].value=theValue;
}

you might want to clarify the insertion of that above data.. there is no "(1)" in the header.php code anywhere.

~thegleek