Comments August 19, 2008

Just How Vulnerable Are Unprotected phpBB2 Boards?

Filed under: Anti-spam, bbProtection — Dave Rathbun @ 10:00 am 

Some people wonder just how bad the spammer problem is with phpBB2. I can answer the question posed in the subject of this blog post in one word: Very.

As part of an experiment, and to capture more seed data for the upcoming relaunch of the bbProtection service, I set up a phpBB2 board with no protection other than what is built into the software. I have enabled user activation and I have activated the visual confirmation. I launched the board on August 15. Within 48 hours I had my first spam registration and my first spam post. :shock: The honey pot process started slowly, but I’m getting an average of four registrations a day so far. Nine of the 17 have posted at least once (over 50% ratio). None of the posts are anything you would want your children to see; it’s really nasty stuff.

The only MODs I’ve applied to this board are one to capture the IP address during the registration process (in case the bot doesn’t post, I still want to know where it came from) and one to add the “nofollow” attribute to every link. If Google finds this board I don’t want to be penalized for all of the nastiness on the other end of the outbound links.

I’ll be back in a month to post more statistics about the board. It should be interesting.
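As an added illustration of the “nofollow” MOD described above (this is example code written for this post, not the phpBB2 MOD itself), here is a Python helper that marks every outbound link in rendered post HTML with rel="nofollow" while leaving the board’s own links untouched; the local host name is a constructed assumption.

```python
import re
from urllib.parse import urlparse

# Hosts that count as "our own" board; links to these keep their link equity.
# Constructed sample value for this example, not a real site.
LOCAL_HOSTS = {"forum.example.com"}

_ANCHOR_RE = re.compile(r'<a\b([^>]*)>', re.IGNORECASE)
_HREF_RE = re.compile(r'\bhref\s*=\s*(["\'])(.*?)\1', re.IGNORECASE)
_REL_RE = re.compile(r'\brel\s*=\s*(["\'])(.*?)\1', re.IGNORECASE)


def is_external(href: str) -> bool:
    """True when the href is an absolute URL pointing at a foreign host."""
    parsed = urlparse(href.strip())
    if not parsed.netloc:
        return False  # relative link: stays on this board
    return parsed.netloc.lower() not in LOCAL_HOSTS


def add_nofollow(html: str) -> str:
    """Add rel="nofollow" to every outbound <a> tag in a block of post HTML.

    Internal links and links that already carry nofollow are returned as-is;
    an existing rel attribute gets the nofollow token appended to it.
    """
    def fix(match):
        attrs = match.group(1)
        href = _HREF_RE.search(attrs)
        if not href or not is_external(href.group(2)):
            return match.group(0)
        rel = _REL_RE.search(attrs)
        if rel:
            tokens = rel.group(2).split()
            if "nofollow" in (t.lower() for t in tokens):
                return match.group(0)
            tokens.append("nofollow")
            attrs = (attrs[:rel.start()] + 'rel="' + " ".join(tokens) + '"'
                     + attrs[rel.end():])
        else:
            attrs = attrs + ' rel="nofollow"'
        return "<a" + attrs + ">"
    return _ANCHOR_RE.sub(fix, html)
```

Run it over the HTML of each post at render time (or once over stored post_text) so that spam links never pass search-engine credit to their destination.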


  1. Bots are one of the easiest bits of code to write. I happen to have written a few for testing out my own site.

    As far as I’m concerned, everyone who can should be out botting people’s sites until they get them fixed… hmm… that’s not a nice thing to say…

    Comment by Dog Cow — August 19, 2008 @ 10:37 am

  2. I have considered writing a bot. :) What I wanted to do was create a “support bot” that would take posts that are unanswered after a set period of time and prompt for further information, or provide some links based on keyword searches. The first problem was time. :) The second problem was technique. Doing text analysis is hard.

    Comment by Dave Rathbun — August 19, 2008 @ 12:02 pm

  3. I certainly remember dealing with this problem back when I used phpBB2, the spam was dreadful for sure and wasn’t exactly “pretty”, it’s definitely one of the ‘worse’ things about phpBB2, but the upgrade to phpBB3 put that all to rest for me :)

    Comment by Mr. Bond — August 19, 2008 @ 1:42 pm

  4. Meik said there would be another (last) phpBB2 release in 2008, perhaps the 3.0 will be backported. But I don’t have the feeling that the dev team wants to spend much more time on 2.0.

    Comment by eviL3 — August 19, 2008 @ 1:53 pm

  5. Hi Evil,

    Nice reading you, intriguing comment you make.

    As you know I’m pretty dumb when it comes to technical stuff, so here’s the question: What does “backported” mean?


    This weekend I went through this whole thread about an abandoned MOD, Forum AI v0.2.0. Amongst other things I learned that this MOD has the potential to do what you want. As it is it can be set to answer questions related to the phpBB FAQ. It would need some fine-tuning but I’m quite sure you could make it do more or less what you have in mind.

    Very interesting MOD, I’m doing some basic experimenting with it when I’m bored and hope to be able to get it to do something along the lines you have in mind.

    Although it’s an old MOD it installs perfectly on a modded phpBB2.0.23 with only one minor issue that can easily be solved.

    Excuse me for the off-topic. :)

    Comment by dogs and things — August 19, 2008 @ 2:19 pm

  6. dogs and things, I will answer your question to evil if you don’t mind. :) Normally when you write code you move forward with new techniques in new versions. However, there have been occasions when code written for a new version (first 2.2 and later 3.0) was deemed to be useful and therefore they “back ported” it or essentially copied it back and introduced it into the 2.x version as well. One of the examples of that was the visual confirmation code, and there were also some session updates from 3.x if my memory is correct.

    Major stuff like using request_var() to sanitize all of the input variables would be too time-consuming and break too many existing MODs, so the dev team had to carefully pick their opportunities to integrate 3.x code backwards into the 2.x product.

    I have looked at various AI bots over the years, but that’s not really what I want. What I had envisioned was something that would be run as a cron job and would provide search links to unanswered posts based on the text content. I have a post that I’ve started with some thoughts about text analysis that shows where I got bogged down in that MOD. :)

    Mr. Bond, your safety from spam may be short lived. From what I have seen and read on various boards, spammers are starting to attack version 3 boards now too. It’s not anywhere close to what happens to an unprotected phpbb2 board, but the war against spam is far from over.

    Comment by Dave Rathbun — August 19, 2008 @ 5:07 pm

  7. Dave: I have a mostly finished bot for phpBB3 if you are interested. It goes through after a set amount of time, replies to the post asking if they still need help. There’s some other functionality that needs to be written, but that’s the basics of it.

    Comment by Micheal — August 20, 2008 @ 1:38 pm

  8. Thanks for the explanation Dave,

    I wonder what will come out of that hat finally.

    The AI MOD can also run on a cron job; there are three different ways of doing that explained in the topic I linked to, and a link to the posts dealing with that part can be found in the first post.

    Although, I suspect you can come up with something better. :)

    Do you have the link to that post with your thoughts on text analysis? I did try to use the search function before asking but didn’t find it. :)


    Hello there. :)

    Are you planning on releasing that almost finished MOD sometime?
    I’d be interested in testing it, but I’m afraid I won’t be able to do much with an unfinished version.

    Comment by dogs and things — August 20, 2008 @ 2:54 pm

  9. Micheal: I may take you up on the offer, but only after I decide I need it for version 3. I have most of it planned out for version 2 as a perl script already.

    dogs and things: You didn’t find the post because it’s not public yet. :) I only started thinking about it during Londonvasion. There were several questions (some of them in the video, some not) about how to automatically flag spam. The challenge is that words have a different meaning in different context, so it’s not enough to just scan the words. I’m still working on how to approach it, and then will start posting during the development effort.

    If it gets that far. :lol: There are plenty of other things on my plate at the moment.

    Comment by Dave Rathbun — August 20, 2008 @ 7:24 pm

  10. Just add reCaptcha and forget the word ‘spambot’ :P

    Comment by Mori — August 21, 2008 @ 3:35 pm

  11. Dogs and Things: If I ever get time. :/ Check out my blog, you’ll see what’s got me so busy. :P

    Dave: Various issues (mainly lack of time) are keeping me from finishing it. This goes for anybody, but if you are interested in helping me, I would greatly appreciate the help. I have a lot of cool projects planned that one of the MOD Team members has asked if he can steal part of it for v2, but I don’t have the time right now to do everything.

    Comment by Micheal — August 22, 2008 @ 9:32 am

  12. Hi Michael,

    I get this when trying to read what keeps you busy.

    The requested URL /blog/2008/08/19/when-people-talk-listen/ was not found on this server.

    Comment by dogs and things — August 22, 2008 @ 5:52 pm

  13. I fixed that, thanks. :) I was in a hurry upgrading wordpress and missed the .htaccess.

    Comment by Micheal — August 23, 2008 @ 3:15 pm