Your premium source for custom modification services for phpBB


HomeForumsBlogMOD ManagerFAQSearchRegisterLogin

Comments July 23, 2008

Londonvasion Part VII: phpBB Versus Spam Presentation

Filed under: Anti-spam, Londonvasion 2008, phpBB — Dave Rathbun @ 7:43 am CommentsComments (5) 

I’ve provided a link to a pdf version of the presentation that I did at Londonvasion. If you don’t want to download the entire presentation, here’s a brief recap:

There are three different elements in the fight against spam, as outlined here:

  • Prevention means being able to keep spammers from getting on your board in the first place
  • Detection means being able to quickly identify and react to spam if it is posted
  • Elimination means being able to easily and thoroughly clean up the mess that a spammer has left behind

View the PDF

In the prevention section I talked a good bit about the Checkbox Challenge MOD that I wrote, which regular readers of this blog are probably already familiar with. The statistics are quite astonishing, and are up-to-date as of July 19, 2008. Altogether the checkbox trick has prevented over 76,000 spam comments from appearing on this very blog. :shock: I also shared statistics about registrations on my largest phpBB2 board as well as a comment form. Those are three different bot targets (Wordpress, phpBB, and a file simply named “comment.php” which apparently is quite a target) but all have been successfully defended via the simple checkbox MOD.

In the detection section I talked mostly about my opinion that most MODs in this space are not appropriate. It is extremely difficult to write code that can detect spam 100% of the time, and there are people that have been trying to do this for quite some time. That’s why you get emails with random strings of words at the bottom; they’re trying to fool the anti-spam measures you might have protecting your email inbox. There are several MODs for phpBB2 that attempt to automatically detect and react to spam, but I submit that your best defense as a board owner is an active moderator team.

To than end, I touched on a number of features for phpBB3 that I think are quite appropriate and necessary in the ongoing battle. The “Report a Post” feature turns anyone on your board into a potential moderator, and that’s a quite excellent feature. I have added this to my phpBB2 boards as well. There is a moderator ability to send all posts from a single user to the “trash” forum in phpBB3 as well (something I wrote up as the Spammer Hammer for phpBB2) which makes it very easy to clean up after a spammer. But the bottom line is these are human actions rather than anti-bot scripts, and I think that’s where we will be in this area for quite some time.

Finally, in the Elimination section I talked about several types of spam scenarios, including:

  • Users that register but don’t activate
  • Users that activate but don’t log in
  • Users that log in and post spam
  • Users that log in and post “accidental” spam

The distinction between the last two is subtle… the first situation is easily recognizable as the user has posted something with dozens of links to cheap audio or medication web sites. They’re easy targets for the Spammer Hammer. :lol: The second scenario is when a user appears to be legitimate but maybe didn’t read (or understand) all the rules. In this case, the moderator team can use the user notes feature to mark the account. This means that if the behavior is repeated, it doesn’t take the same moderator to notice… any moderator can check the user’s history and see if they have a habit of rules violations. If they do, a temporary ban can be used rather than a permanent ban.

Ultimately phpBB3 provides a number of excellent features that help protect your board from spam. I am thinking that the Checkbox Challenge MOD should be my first entry into writing MODs for phpBB3. 8-)

So that’s it. If you want to see all of the details you can check out the pdf file linked above.


  1. I haven’t heard of any cases of phpBB 3 spam. Have there been any reported?

    Comment by Dog Cow — July 23, 2008 @ 6:39 pm

  2. One more comment. I just remembered that one of my projects for the next week is to start recording all $_POST data, as well as the $_SERVER data in order to take a look to see if any non-standard values or bizarre user-agents are involved. The contents of $_GET are easy to see since they are part of the URL and can be looked up in server logs but I have a feeling since POST data is often over-looked, there may be some interesting tidbits left behind. :)

    Comment by Dog Cow — July 23, 2008 @ 6:45 pm

  3. From what I understand, the phpBB3 CAPTCHA has reportedly been broken. I don’t think it’s in widespread use yet, but it will be. We have seen spam on phpbb.com but so far most of it appears to be manual (human) stuff.

    I mentioned in the presentation that it’s only a matter of time, in my opinion, before phpBB3 becomes a major target. At that point, we’ll need new defenses against reg-bots and post-bots and all the rest.

    Logging posted data would be an interesting exercise, just make sure you sanitize the data before you log it. ;)

    Comment by Dave Rathbun — July 23, 2008 @ 11:02 pm

  4. I did some searching on the phpBB3 CAPTCHA being broken topic, and I found this website: http://www.apathysketchpad.com/blog/2007/06/05/how-to-crack-captchas/ I haven’t read the entire thing yet, but it seems that this guy found a possible way to break the phpBB3 CAPTCHA.

    Some guys who also experiment with CAPTCHA’s are the guys at Rapidshare.com. Unregistered users have to complete a CAPTCHA every time before they can download. They did quite a lot of things, similar to the “marked checkbox” method here.

    Sounds like it was a good presentation. :) I should’ve been there, but couldn’t make it.

    Comment by Ganon_Master — July 24, 2008 @ 6:39 pm

  5. Hey Ganon_Master, I want to say BIG THANKS to you for giving me that link. Seriously. That was great. That guy not only showed the captchas in before/and after form, but he told how to break them. And he was totally right about how people make them who don’t know how to break them. I’m using the advanced vc mod and I tried his techniques, where you set the threshhold. …. My gosh, any OCR could have read it like a book.

    So I spent some time tweaking the settings, so now each letter gets about 6 or so shadows behind it of different colors and rotational angles. Colors are all the same intensity so the result is that trying to threshhold it to remove all the bg colors and garbage makes the letters look awful. I don’t have it running live yet, but it makes me happy to know I increased the toughness of my captcha (and still make it solvable by humans) in an hour or two.

    Still probably not unbreakable, but hopefully more difficult now.

    I recommend others do the same, or at least open a paint program ( I used Photoshop 5) and try his methods on your own captcha, if you are using one.

    Comment by Dog Cow — July 30, 2008 @ 5:22 pm

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress