One of the most common topics in the phpBB Discussion forum at phpbb.com is anything related to spam. While initially an email issue, the proliferation of message boards has presented spammers with a new market. Lucky us.
The spam attacks can come from any number of sources. With a little bit of ingenuity and time anyone can code a script that scans the ‘net looking for web sites that include specific board packages (like phpBB). Once found, this “bot” knows how to fill out the registration form, and perhaps can even post. The result? Board owners get spammed with inappropriate and unwanted content. So what is a board owner to do?
There were some easy preventative methods that were fairly effective in the early stages. For example, a board owner could turn on account activation. Most bots were unable to respond to the challenge email (in fact many used bogus email addresses anyway) and therefore were never able to activate their account. As a result, setting your activation method to “User” was enough to stop quite a few bots dead in their tracks. For my largest board I have had this setting on since the first day we went live, and I added a weekly script that removes inactive accounts after a set period of time.
Over time the bots (or the systems in place to support them) got more creative. It doesn’t take long to write a script to parse incoming emails, check for a specific format (which all phpBB boards use), and parse out the activation URL. It’s an easy matter from there to add a few lines to the script to actually invoke the URL and then add that user account information to a database for spammers to use.
Back in version 2.0.12 psoTFX back-ported the CAPTCHA / Visual Confirmation logic from phpBB3. (Wiki article on CAPTCHA) Simply put, this is a “challenge / response” system where a random set of letters and numbers is presented on the registration screen in a graphical format. If there is a human reading the screen, they’re supposed to be able to recognize the letters and numbers and enter them in a specific field on the registration form. If they fail to match, their attempt is rejected.
For a while this helped. But just like the email confirmation, the bots and the spammers that run them got smarter. You see the challenge graphic provided by the base phpBB code is fairly simple because it doesn’t rely on any special graphics software. I assume that this was done to allow the program to run on the widest possible selection of servers, which makes sense given the popularity of the product.
There are a number of sites on the web that demonstrate how “easy” it is for a bot to see the image, find the edges, and employ basic OCR-type logic to figure out the code. From there, they’re in. And we’ve already talked about how bots can activate their email.
So that’s about is, as far as standard features within phpBB. If you are running a small board you can considering doing Admin activation rather than User activation, but that means you have to review and manually activate each and every new member that signs up on your board. I run one board that gets over 100 new registrations every week, so that’s not an option for me.
There are a number of MODs available – either in release or in development – that provide various anti-spam strategies. But ultimately a board owner is restricted in that you want people to be able to join, and you can only go so far before you turn away desirable members just to avoid getting spam. In fact, there are articles posted (see slashdot.org or other places) where people discuss the fact that some spammers are actually hiring real people (at a pittance of a wage) to sit at their computer and solve CAPTCHAs as they are presented! One creative solution involved showing free porn images… between each porn image the person browsing the site had to solve a CAPTCHA or two. Now those might be coming from the host site itself, but perhaps they’re simply echoing images downloaded from various phpBB registration forms?
What I believe it comes down to is you can’t make the registration too hard, or people won’t register. Keep the registration simple, but make it unattractive to spammers. That’s the main idea between two MODs I recently wrote. The first is EZ Registration. This MOD makes it very simple to register, in that the only visible fields are the username, email address, password, and confirm password. If you use visual confirmation then that field is also displayed. That’s it.
So this accomplishes a couple of things. First, it makes it easy for real members to join as they’re not overwhelmed by a bunch of choices to make right away. Second, it takes away the prized website field so that it’s not available during registration. Third, if a website is present it’s an immediate giveaway that a spammer is trying to register.
After They Register
The next step is figuring out how to effectively deal with spammers after they get registered. I’ll save some ideas for another post.