September 1, 2008

What Happens to an Unprotected phpBB2 Board… in Just Two Weeks!

Filed under: Anti-spam, phpBB — Dave Rathbun @ 12:50 pm

A few weeks ago I set up an unprotected board at one of my domains. The exact launch date was August 13, 2008. I captured some statistics on August 30 and I have some very interesting numbers to report. They are not pretty.

First of all, it took only two days for me to receive my first spam registration. I got my first spam post on the exact same day. A week after the board launch I had 23 total members and 19 total posts. As of midnight last night, I have 104 total members and 2,489 posts. :shock: Here’s the growth chart:

[Figure: graph of spammer activity]

The axis label for posts is on the left, and the axis for user registrations is on the right. Here is the raw data for the graph:

Date            Users   Posts
8/13/2008       1       0
8/14/2008       0       0
8/15/2008       4       4
8/16/2008       5       1
8/17/2008       3       0
8/18/2008       3       4
8/19/2008       7       10
8/20/2008       4       29
8/21/2008       7       18
8/22/2008       5       91
8/23/2008       6       100
8/24/2008       5       80
8/25/2008       9       79
8/26/2008       5       78
8/27/2008       10      101
8/28/2008       7       423
8/29/2008       11      692
8/30/2008       12      779

There are no visible modifications to this board. I have added code to capture the IP address used on registration, and I have altered the bbcode process so that every link includes the “nofollow” attribute. I have also set up a cron job that runs every ten minutes that dumps all of the content into an admin-only (and therefore hidden) forum. I am doing this to protect myself, as the content being posted is not something I want to be associated with on any level.
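The “nofollow” change described above, sketched as an added example (not the author's modification and not phpBB's own code): it forces rel="nofollow" onto every link in rendered post HTML, so spam links earn no search-ranking credit from the board. add_nofollow() is a hypothetical helper name and the sample post is constructed.

```php
<?php
// Added example, not phpBB code. add_nofollow() is a hypothetical helper that
// post-processes rendered post HTML; it does not hook into phpBB's bbcode parser.

function add_nofollow(string $html): string
{
    return preg_replace_callback(
        '/<a\b([^>]*)>/i',                       // opening <a ...> tags only
        function (array $m): string {
            $attrs = $m[1];
            // Existing rel attribute: keep its tokens and append nofollow once.
            if (preg_match('/(?<![\w-])rel\s*=\s*(["\'])(.*?)\1/i', $attrs, $rel)) {
                $tokens = preg_split('/\s+/', strtolower($rel[2]), -1, PREG_SPLIT_NO_EMPTY);
                if (!in_array('nofollow', $tokens, true)) {
                    $tokens[] = 'nofollow';
                }
                $value = htmlspecialchars(implode(' ', $tokens), ENT_QUOTES);
                $attrs = str_replace($rel[0], 'rel="' . $value . '"', $attrs);
            } else {
                // No rel attribute at all: add one.
                $attrs .= ' rel="nofollow"';
            }
            return '<a' . $attrs . '>';
        },
        $html
    );
}

// Constructed sample post body (not captured from the board).
$post = 'Cheap pills at <a href="http://spam.example/" class="postlink">this site</a> '
      . 'and <a href="http://other.example/" rel="external">here</a>.';

echo add_nofollow($post), "\n";
```

The regular expression assumes the well-formed anchor tags a board's own renderer emits; arbitrary user-supplied HTML would call for a real HTML parser instead.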

Can you imagine the frustration of a new board owner if they have to face this scenario?

I should reiterate that this board was brand new on August 13. I did not post a link to it anywhere. I did reuse a subdomain that I had used once before, so it is entirely possible that this board was still on some spammer databases as being available. Because of this, my next experiment was to set up a brand new board on a domain that has never used a phpBB board before. Ever. It will be unprotected (as was this board) by anything beyond the standard phpBB2 protections. How long will it take for the first spammer to find it? From there, how long will it take to get to the same posting level as this board?

18 Comments »

  1. Impressive numbers, within a few months this board will beat your big board in number by all means. It’s like SPAM-HELL.

    Do you see certain “users” that stand out by post number or are most accounts spammin’ along happily?

    Must be horrible to set up a board and find all this rubbish floodin’ it without knowing what to do to stop it.

    How’s phpBB3 standing up, spamwise, so far, by the way?

    Greetings.

    Comment by dogs and things — September 2, 2008 @ 5:42 pm

  2. phpBB3 has just a few days left to live, spamwise. I’m putting the finishing touches on a spam bot which can decode the captcha, register 10,000 accounts in 5 minutes, and make 50,000 posts in 10 minutes. heheh…

    (joke!)

    Comment by Dog Cow — September 2, 2008 @ 8:06 pm

  3. dogs and things, there are certainly “users” on this spam board that are responsible for more posts than others. One such user has been deactivated as an experiment, just to see if they come back in some fashion. Before they were blocked this one user had posted from 62 different IP addresses. :shock: I will be posting more detailed specifics about this on the one-month anniversary of the board launch.

    I have 142 registered users as of right now. One user has 1042 posts, one has 994, one has 812. There are 7 more users with post counts ranging from 12 to 485. Every other user has 5 or fewer posts.

    phpBB3 is – in my opinion – still new enough that it has not attracted the same level of attention as phpBB2. I said as much in my spam talk at Londonvasion. Yet there are reports that the CAPTCHA for version 3 has been broken, and I’ve seen a number of interesting posts related to manual (meaning human-generated) spam on phpBB3 boards.

    Comment by Dave Rathbun — September 3, 2008 @ 10:40 am

  4. No one (well, I should say, hardly anyone) is going to waste his time attacking a product which lacks a large installed base. For example, this is why there are hardly any Mac virii. Windows is everywhere, so a lot more damage can be done, a lot more users affected. Same with phpBB. There are probably 100 times more phpBB 2 boards installed than phpBB 3 boards. So what is the bot author going to do? Well, he’s going to go for as many targets as he can.

    Comment by Dog Cow — September 3, 2008 @ 12:14 pm

  5. Dog Cow, I absolutely agree. During my talk at Londonvasion I suggested that phpBB2 was still very much more of a target than phpBB3 because of the installed base, and I was challenged on that a bit. I think that many of the folks on the teams at phpbb.com have this vision that phpBB3 is the only product out there. Clearly, I don’t agree with that assessment. :) I suggested that it will be another two years before the volume of phpBB3 boards exceeds the number of phpBB2 boards.

    phpBB3 is the version of the future; anyone starting a new board is quite likely to be using it rather than the older version. But the established base of phpBB2 boards is so large that it will be quite a while before phpBB3 takes over that #1 spot. Since it’s so difficult to count and quantify the exact number of boards out there, it’s extremely difficult for me to back up that suggestion with hard numbers. I would like to be able to do that, but not at the expense of the amount of time that I think it would require. :)

    Comment by Dave Rathbun — September 3, 2008 @ 3:51 pm

  6. Some kind of an indication of numbers of boards can be found by searching Google for Powered by phpBB © 2001, 2005 phpBB Group or Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group. Of course, this will only give very rough estimates but at least it gives an idea of the situation of phpBB2, there’s still quite a few phpBB2 boards out there.

    I guess you already had figured this one out though. :-P

    Comment by dogs and things — September 3, 2008 @ 4:12 pm

  7. I think that’s highly inaccurate, unless you tell Google to return only 1 result per domain name, otherwise the numbers will be grossly inflated since all of the phpBB pages have that notice, but represents just one installation.

    Comment by Dog Cow — September 3, 2008 @ 4:33 pm

  8. I realize that, that’s why I say some kind of indication, and there’s the board with copyright notice removed or altered in some way.

    There’s also the inactive boards, the pages that still reside in Google’s SERPs but might have been upgraded etc.

    But I do believe we could deduce that there’s a lot more pages with the phpBB2 notice still out there. For what it’s worth.

    Comment by dogs and things — September 3, 2008 @ 4:41 pm

  9. Here’s an adjusted query which returns a little over half a million results: http://www.google.com/search?hl=en&q=%222001%2C+2005+phpBB+Group%22+intitle%3A%22View+Forum%22&btnG=Search

    Comment by Dog Cow — September 3, 2008 @ 5:48 pm

  10. I hesitate to use google for any sort of analysis like this because the numbers can so easily be skewed. I would have thought that limiting the search to pages named “index.php” would be better since every board will have exactly one of those. If you try to search for viewforum then most boards will have more than one page with that name. Same for viewtopic and of course the memberlist.

    But it’s still weird. :) For example, the link Dog Cow provided uses the text “View Forum” and returns a decent number of hits. Yet, if I change the text to “Index” (which I would expect to have a lower number) I get Results 1 – 10 of about 2,860,000! Some of those are from free forum hosting sites (I saw forumer, forumup, myfreeforum, and many others listed). If I change the year to 2007 but keep using “index” the results are Results 1 – 10 of about 244,000. If both numbers are equally inflated that still shows that phpBB2 boards outnumber phpBB3 boards by a factor of 10:1 at this point.

    What I would love to do is get information on boards that are running phpBB broken down by version, memberlist size, total posts, and most recent post date. It would also be great to distinguish between paid-hosted boards and free-hosted boards.

    The search terms as provided here won’t find any of my boards, as I’ve removed the years. :)

    No matter how you search, I think it’s clear that there are a whole bunch of phpBB2 boards out there.

    Comment by Dave Rathbun — September 3, 2008 @ 8:44 pm

  11. One thing that draws my attention is the relation between the amount of phpBB2’s still out there and the number of support requests for it at phpbb.com.

    Seems that that amount is absolutely no indication at all for the actual number of boards. And I suspect that the drop of security support will cause damage to a lot of unsuspicious board owners when new security flaws arise in the future.

    It is a pity there’s nothing built in that allows phpBB to keep track of the number of existing installations of whatever version.

    Isn’t there a query for Google that shows the number of backlinks to phpBB.com from index.php?

    Comment by dogs and things — September 4, 2008 @ 1:22 am

  12. Well, the version tracker does allow phpBB to keep track of the number, even though they say it’s not the reason. That’s just a “side-effect”.

    Comment by Dog Cow — September 4, 2008 @ 9:50 am

  13. So they DO know how things stand, number-wise?

    Comment by dogs and things — September 4, 2008 @ 2:41 pm

  14. I doubt it. In my time at phpBB, I never saw any attempts to quantify this.

    Comment by Micheal — September 4, 2008 @ 5:20 pm

  15. As phpBB does not sell their products, they’ve never really needed any marketing information. So it’s not a surprise to me that they don’t have (or have never tried to get) this sort of information.

    Back to the “honey pot” board, it’s quite amusing… it’s almost comical at this point:

    Our users have posted a total of 5756 articles
    We have 167 registered users

    100% spam, all the time. :lol:

    Comment by Dave Rathbun — September 5, 2008 @ 10:48 am

  16. It’s sheer madness. :-P

    One positive point about your board is that in spite of the load of traffic there’s no moderation needed. A lovely board, loads of traffic and everybody’s behaving perfectly well. An Administrator’s dream come true. :lol:

    Comment by dogs and things — September 5, 2008 @ 11:10 am

  17. I wouldn’t say everyone is behaving “perfectly well”… but they’re certainly all staying on the same topic. :lol:

    Comment by Dave Rathbun — September 5, 2008 @ 4:53 pm

  18. The board was started on August 13. On September 12 (thirty days later) I am going to change a few things around and see what the impact is. I will also capture a “one month snapshot” of the data and share some statistics. Until I have time to do that, here’s a quick update:

    Number of posts: 10966
    Number of topics: 10960
    Number of users: 402
    Users per day: 13.54

    Comment by Dave Rathbun — September 12, 2008 @ 1:12 pm
