
April 19, 2007

Checkbox Challenge Initial Testing Report

Filed under: Anti-spam, MOD Writing, phpBB — Dave Rathbun @ 9:59 am

My Checkbox Challenge MOD has been installed on one of my boards in its initial form since last Saturday. As a test I removed all banned email domains from my ban list. So the only thing left protecting the board is this MOD.

Since Saturday afternoon, there have been zero successful spam registrations.

There have been plenty of attempts, but I can’t say exactly for sure how many. I just got the idea to add logging to the MOD on Sunday, so I had the code installed for nearly 24 hours before that feature was added to the code. What I am finding is that I am getting about a dozen or more registration attempts every day. Previously I had been analyzing registrations, comparing email addresses and usernames across multiple boards that I run, and so on. It was a time-consuming process and one that was reactive rather than preventive. I hoped to change that with this MOD.

Here is a dump of some of the information from the log for a single day (April 18).

@mail.ru			4/18/2007 1:59
@bluebottle.com		4/18/2007 3:40
@mail.ru			4/18/2007 3:49
@mail.ru			4/18/2007 4:11
@mail.ru			4/18/2007 6:55
@narod.ru			4/18/2007 8:15
@yahoo.com		4/18/2007 8:55
@rambler.ru		4/18/2007 8:57
@gmail.com		4/18/2007 10:51
@mail.ru			4/18/2007 12:58
@mail.ru			4/18/2007 13:28
@mail.ru			4/18/2007 15:36
@mail.ru			4/18/2007 17:58
@ddimpex.co.in		4/18/2007 18:08
@web.de			4/18/2007 19:54
@web.de			4/18/2007 19:55
@dialupispaccess.com	4/18/2007 19:56
@hotpop.com		4/18/2007 20:40
@mail.ru			4/18/2007 23:25

I’ve removed the usernames and left only the domains for this blog post. I think most phpBB board owners have probably banned “mail.ru” for quite some time now. The domain web.de is also a frequent source for spammers in my experience, as are rambler.ru and hotpop.com. I haven’t researched bluebottle.com yet but I expect that it will turn out to be a spammer.

What is significant about this list, in my opinion, is that the content seems to confirm that spammer registration bots are having problems with this new technique. That’s the good news. The MOD has been 100% effective on the first board. But this is a board that isn’t really active… in fact, if it weren’t for spammer members I would not have many members at all. :lol:

I have installed a more robust version of the MOD on my biggest board that is quite active. I say “more robust” in that I have added more information to the logging process. It logs successful registrations as well as failures, and it logs why the registration failed. There are two reasons: no checkboxes were marked, or too many checkboxes were marked. The results have been interesting.

First a brief digression… my reasons for writing this MOD were that I thought it would be very easy to implement, it seemed to have a good chance to be effective, it is extremely portable as it doesn’t require any graphics packages, and I thought that it would be easy for users (real users) to figure out. It seems that’s not necessarily the case. In reviewing the registration log on my big board I see users that are having problems getting registered, and that’s not a good thing.

I made this determination based on the usernames, email addresses, and the log times. When I see entries in the log that are more than a minute apart from the same username that’s one indication of a real person rather than a bot. I can also make judgements based on the requested user name and email address. I trust that these are real people. And in some cases these real people are filling out the registration form 6, 7, and even 8 times. :shock: If you’ve looked at the first post for this MOD then you probably saw the screen image of the registration page. I do not see how it could be much easier. You enter your name, email address, password (twice), and then click one checkbox. A thumbnail version is below:

Based on the feedback from the log I have changed the text displayed on the registration form. I am also considering adding text on the checkbox area itself that is displayed in a larger font. I have made some language changes and we’ll see what the registration log looks like after a while.

So the bad news is that some users have been challenged by the new registration process. The good news is I’ve blocked 100% of registrations that I know were spammers, based on their email domains. I will report back in a few days after I see how effective my changes have been.

Banning Feature Removed
The banning feature will be removed. It was pointed out to me by evil<3 that if I were to ban users based on failed registration attempts someone could easily write a script that would attack a board and end up banning email addresses simply by entering bogus registration attempts. I was never a fan of automatic banning (I put hooks into the MOD but had not written anything yet) so I expect that this will be removed for version 1. In this context I am talking about using the actual banning tables provided by phpBB.

What I plan to do instead is incorporate some sort of optional temporary ban on registrations (30 minutes or so). I can do that with the current code using the registration log as source data. Thirty minutes would be an inconvenience to a real user but not a permanent issue. The number of registration attempts and the length of the temporary ban would both become admin control panel options.
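
One way to derive such a temporary block purely from the registration log, as an added PHP example that is not code from the MOD. The log row shape, the function name, and the use of the client IP as the tracking key are assumptions; the two parameters stand in for the planned admin control panel options.

```php
<?php
// Added illustration; not code from the Checkbox Challenge MOD.
// Assumed log row shape: ['key' => string, 'time' => int (Unix seconds), 'ok' => bool].
// 'key' is whatever the board tracks attempts by (assumed here: the client IP).

/**
 * Seconds left on a temporary registration block for $key, or 0 if allowed.
 * $maxFailures and $banSeconds stand in for the two admin control panel options.
 */
function registration_block_remaining(array $log, string $key, int $now,
                                      int $maxFailures = 5, int $banSeconds = 1800): int
{
    $failures = [];
    foreach ($log as $row) {
        $age = $now - $row['time'];
        // Only this client's failed attempts inside the ban window count.
        if ($row['key'] === $key && !$row['ok'] && $age >= 0 && $age < $banSeconds) {
            $failures[] = $row['time'];
        }
    }
    $count = count($failures);
    if ($count < $maxFailures) {
        return 0;
    }
    // The block lifts once enough old failures age out of the window to
    // bring the count back under the threshold; nothing is written to the
    // permanent ban tables, so there is nothing to clean up afterwards.
    sort($failures);
    $pivot = $failures[$count - $maxFailures];
    return $pivot + $banSeconds - $now;
}

// Constructed sample log (documentation-range addresses, made-up times).
$t0 = 1176900000;
$log = [];
for ($i = 0; $i < 6; $i++) {               // six rapid failures, 5 s apart
    $log[] = ['key' => '192.0.2.10', 'time' => $t0 + 5 * $i, 'ok' => false];
}
$log[] = ['key' => '198.51.100.7', 'time' => $t0 + 60,  'ok' => false];
$log[] = ['key' => '198.51.100.7', 'time' => $t0 + 200, 'ok' => true];

foreach (['192.0.2.10', '198.51.100.7'] as $key) {
    foreach ([$t0 + 300, $t0 + 1900] as $now) {
        printf("%s at +%ds: %d s remaining\n", $key, $now - $t0,
               registration_block_remaining($log, $key, $now, 5, 1800));
    }
}
```

Because the block is computed from log timestamps at request time, it expires without any cleanup, and a flood of bogus attempts can delay registration for a tracked key only for as long as the window lasts.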

Side note: It’s good to be back playing with phpBB again. :-)

1 Comment »

  1. I think this is quite unique in spam-fighting. I haven’t seen anything like this before. Thumbs up. :)

    Comment by Ganon_Master — April 19, 2007 @ 1:01 pm
