In a prior post I introduced the Spammer Hammer, a small MOD that I started on last week. phpBB boards come with features to delete users and even to delete topics or posts. What is missing is a feature that will allow moderators to easily process (delete or otherwise) posts from a single user across the entire board.

Hammer Spec
The Spammer Hammer is designed to fill that gap in functionality. It starts by selecting a user that you want to process. When you “drop the hammer” the following actions take place:

• Deactivate the user
  This stops the user from logging back in. Even if your board does not require activation, I believe inactive users are prevented from logging in.
• Remove sessions
  This logs the user (spam-bot or otherwise) out from any current sessions. By first setting then to inactive and then logging them out, we have stopped the onslaught from that specific account.
• Collect the Posts
  Now here’s what I think is a bit different from other solutions in this category of anti-spam MODs. What I do next is go through the board and collect all of the spammer posts into one new topic created by the Hammer process. By doing that, I intend to make use of the existing phpBB features and avoid having to write a lot of extra code. More on that in a moment.
• Resync Topics
  This step is required to fix any topics tagged by the spammer. I don’t want to remove the entire topic, just the posts from the identified spammer. Once I’ve done that I have to resync the topic to set proper values for the first and last post ID along with the value for the topic’s reply count. Of course if the topic was entirely made up of spammer posts then that topic is removed rather than passed through the resync process.
• Resync Forums
  This is similar to what I mentioned in the last bullet; after removing posts and perhaps topics from a forum, I have to resync the number of topics and posts per that forum as well as check that the forum’s last post ID is correct.

Most of those steps are fairly straight forward. When I inactivate the user I change the value of user_active and I update the user_actkey. For boards that require activation the user_actkey contains their activation key. In case the spammer has retained their activation email I want to make sure that their activation key is changed so that they can’t circumvent the inactive status and reactivate their account. By inactivating them and logging them out I have not (yet) taken any action that is irreversible, so I am comfortable with this being a power granted to a moderator. Banning and deleting users are – in the standard phpBB settings – restricted to Administrators only. I personally am not comfortable with granting those additional powers to moderators, and I suspect that other board owners might share my opinions. It’s not a matter of trust, it’s a matter of actions that cannot be reversed. Once a user has been deleted, they’re gone. I don’t think that sort of action should be done in the “heat of the moment” so to speak.

Deleting sessions is a very simple process that clears out rows in the phpbb_sessions table that belong to the spammer based on user_id.

Resyncing topics and forums is another straightforward process. I resync each topic as posts are removed. I capture a list of forums that are affected by the spammer during the process and update all of the forums at the end with a single query for efficiency.

So that just leaves the post collection step for further explanation.

Why collect the posts? Why not just remove them?
You might notice one thing about the entire process… in includes only one delete statement (sessions table). Everything else is a select, insert, or update. Why is that?

Because deletes are permanent. Do you really want to trust me (the MOD author) to delete stuff from your database? Or put another way, do I want to take on that responsibility? Simple answer: No, I do not. So for that reason the Spammer Hammer does not remove users or posts. What it does it make it much easier for a board owner to remove posts by collecting them all into one place.

How many mouse clicks does it take to remove a topic? Two, I think. Once to click the delete topic icon, and another to confirm. That’s about it. But by asking the Hammer user to take that step I accomplish several things. First, I allow them to review the work done by the Spammer Hammer before anything gets removed from the database. Maybe the owner wants to preserve the spam for further action (evidence) against the spammer. Or by leaving the posts in place the board owner can review the IP address information used for the posts. Or perhaps any of a number of other reasons that I haven’t considered. But in short, since I don’t actually delete anything it leaves any or all of those options open.

Second, by using the standard phpBB process to delete the topic I don’t have to worry about writing code that has already been provided. For example, I don’t have to clear up the search words tables. And if there are ever updates to the phpBB process then I will automatically benefit from them as I have not provided independent code for that.

Spammer Hammer Implementation
Here’s how I envision the Hammer being used. First, the board owner should set up a forum that will be visible to moderators only. It should be hidden from the general board population. That forum will be selected in the Hammer configuration screen. Then when the hammer is applied, it will collect all of the posts for the selected user and displays them on a “preview” screen. This provides the opportunity for the moderator to confirm that they have, in fact, selected the proper user.

Once the confirmation button is clicked, the Hammer will then create a new topic in the hidden forum identified in the board configuration. In a matter of seconds every post by the spammer can be removed from the public eye and captured for further processing. Processing that can, of course, now be done at the board owner’s leisure rather than on an immediate basis.

Once the Hammer is done it provides a link direct to the new topic. Whoever ran the Hammer process can now go review that topic. Based on the policies and procedures for that board the next steps can be taken.

I expect that I will get requests to automate the banning process. I expect that I will get requests to automate the user removal process. I don’t intend to include those features in the Hammer, but I will (optionally) provide links on the final screen that would allow those actions to be taken. But they will call existing phpBB features; I won’t be writing code for that myself.

Rollback
Everything I have posted about so far is functional. I am in the process of writing a “rollback” or “undo” feature for the Hammer. Currently the Hammer is an “all-or-nothing” process. You get every post by the user. I am envisioning an option (configurable, of course) that will allow the moderator to select all posts by the spammer + all posts following the spammer posts in the same topic. This could be something commenting on the prior spam posts, and therefore has no value once the spam posts have been removed.

But in the case that it isn’t, wouldn’t it be nice to be able to restore that post back to its original topic? I think so.

The feature would only be available for topics that are not completely removed.

Once I get this feature working I intend to release some ALPHA code at phpBB.

Summary
Ultimately most MODs that I write are going to be used on my own boards. That means that I develop them to fit my needs first, and when I can, I include additional features that supplement rather than contradict features that I require personally. The Spammer Hammer is a MOD that I hope will be extremely simple to install (only a button to add on the user profile and the view topic screens) but highly functional. I envision that the main complaints are going to be from potential users that have different board policies than I do.

And I can live with that.