PenUltima Online

All times are UTC - 8 hours




 Post subject: PHP Help
PostPosted: Tue Mar 13, 2007 6:29 pm 
Offline

Joined: Thu Feb 02, 2006 1:41 pm
Posts: 1154
Location: Southern Central USA
I have to confess that PHP code confuses me and I need help with my forums.

I am getting fed up with 'bot spammers' that create accounts, confirm them and then post messages or any of the above on my forums. Actually, when it happens on any forums it irritates me.

Is there any way that the PHPBB code can be made 'bot resistant'?

I am currently using the standard PHPBB install with visual confirmation enabled.

My thoughts were that prospective registrants would have to certify that they are human when they get sent to the activation link in the email by entering a codeword or perhaps a field that moves to random locations in the list of user data that is entered at registration time that requires them to enter the codeword "human".

I realize that eventually these fixes too will become subverted by bots but maybe there's a way that we can define the codeword that needs to be entered and thus thwart the efforts somewhat.

I am so tired of the "cheap drug barely legal teen male organ enlargement win free gamestation cheap mortgage male lesbians in drag" crap that gets posted on BBSes.

Can anyone help me and everyone else who has this problem?

Thanks in advance.

_________________
Sincerely,
Yukiko

I know you think you understand what you thought I said but what you heard is not exactly what I meant.

Titus 2:13


 
 Post subject:
PostPosted: Tue Mar 13, 2007 6:38 pm 
Offline

Joined: Sat Feb 04, 2006 6:26 pm
Posts: 558
Yep, we've just done a phpbbs upgrade and still the bots get accounts although nowhere near as many.

I heard that verification by pictures rather than 'identify a character in a bitmap' is a better way to go. I will ask my partner who is rapidly running out of hair.


 
 Post subject:
PostPosted: Tue Mar 13, 2007 6:43 pm 
One way to avoid bots is not to use an 'off-the-shelf' forum software but instead make something yourself or use something less well known.


  
 
 Post subject:
PostPosted: Tue Mar 13, 2007 9:36 pm 
Offline

Joined: Thu Feb 02, 2006 1:41 pm
Posts: 1154
Location: Southern Central USA
Thanks O&G. I appreciate it.

Barb, the one thing I like about PHPBBS is its ease of installation and configurability. If I knew how the bots were actually gaining access that might help fix the issue. I'd rather not use any other BBS software. There has to be some way to prevent the bots from invading.

As for writing my own...
*laughs*
my brain has just about reached its capacity for knowledge and besides that I am a one person show here with my shard. I don't have time to write a BBS.

_________________
Sincerely,
Yukiko

I know you think you understand what you thought I said but what you heard is not exactly what I meant.

Titus 2:13


 
 Post subject:
PostPosted: Wed Mar 14, 2007 6:29 am 
Offline
Distro Developer

Joined: Thu Apr 06, 2006 5:11 pm
Posts: 350
Location: Nederland, Texas
These bots are poorly programmed and will probably fail if small things are changed.

It may be trivial to modify or replace the random image generation mechanism, or you can do a ~10 line mod and change a few field names used for registration. Details:
http://www.phpbb-seo.com/boards/phpbb-f ... vt252.html

There's a lot of discussion already out there with people that know more. :-D


 
 Post subject:
PostPosted: Wed Mar 14, 2007 4:26 pm 
Offline

Joined: Thu Feb 02, 2006 1:41 pm
Posts: 1154
Location: Southern Central USA
Thanks Tek.

It appears that that technique works for them so I'll give it a shot.

_________________
Sincerely,
Yukiko

I know you think you understand what you thought I said but what you heard is not exactly what I meant.

Titus 2:13


 
 Post subject:
PostPosted: Wed Mar 14, 2007 8:59 pm 
Offline

Joined: Tue Feb 07, 2006 3:32 pm
Posts: 97
Location: Pittsburgh, Pennsylvania
The current trend is to use pictures and have the users identify the object in the picture. This is exceedingly difficult for a "bot" to accomplish but a simple task for a human being. It's also not widely used yet, so even if a bot could be created to break it, it wouldn't happen in the near future.

You must however ensure that the pictures are random, not just in content, but in size. Meaning you have a picture of a red ball.. but that picture has a distinct file size. It could thus be identified to some degree of accuracy by a bot based just on the filesize of the image. You must then ensure that not only is the object shown random, but the size of the file is also random. This can be accomplished with a little random editing of the image with PHP/GDI.. similar to how the text-based CAPTCHA images are generated. The goal here though is just to randomize the size, rather than obscure the image.

 
 Post subject:
PostPosted: Wed Mar 14, 2007 9:13 pm 
Offline

Joined: Thu Feb 02, 2006 1:41 pm
Posts: 1154
Location: Southern Central USA
Wouldn't having all image files the same size be the way to go? That way the bot wouldn't know which one was which image.

Anyway, I am currently testing the method mentioned on the forums referenced by Tek above.

However if anyone wants to create some other bot thwarting techniques I, and I am sure many others, would be grateful.

_________________
Sincerely,
Yukiko

I know you think you understand what you thought I said but what you heard is not exactly what I meant.

Titus 2:13


 
 Post subject:
PostPosted: Wed Mar 14, 2007 9:18 pm 
Offline

Joined: Tue Feb 07, 2006 3:32 pm
Posts: 97
Location: Pittsburgh, Pennsylvania
Quote:
Wouldn't having all image files the same size be the way to go? That way the bot wouldn't know which one was which image.


No. The bot could then generate hash values for the images, compare them to a known database and then identify the image with probably a good bit of accuracy. Randomizing the size would guarantee the hash values of the images are always unique.

 
 Post subject:
PostPosted: Wed Mar 14, 2007 9:25 pm 
Offline

Joined: Thu Feb 02, 2006 1:41 pm
Posts: 1154
Location: Southern Central USA
OK.

I am not sure how the images are generated for the current visualization system so I leave this whole idea to those who know better than me.

I just hope that someone who knows PHP will help out with this problem.

_________________
Sincerely,
Yukiko

I know you think you understand what you thought I said but what you heard is not exactly what I meant.

Titus 2:13


 
 Post subject:
PostPosted: Thu Mar 15, 2007 6:07 am 
Offline
Distro Developer

Joined: Thu Apr 06, 2006 5:11 pm
Posts: 350
Location: Nederland, Texas
You could get about 20 pictures of random objects and resize them to the same size using a good program like Adobe Photoshop, and then serve one up randomly during registration and resize it on the fly +-10-20 pixels.


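An added example, not code from any poster in this thread, of the approach described in the posts above: a stock picture is resized on the fly and lightly speckled so that each response differs in dimensions, file size and hash. It assumes PHP with the GD extension; the generated red-ball picture and all function names are constructed for illustration.

```php
<?php
// Added example; requires the GD extension. Names are illustrative.

/** Constructed stand-in for one stock picture: a red ball on white. */
function make_sample_picture(int $w = 120, int $h = 120)
{
    $im = imagecreatetruecolor($w, $h);
    imagefill($im, 0, 0, imagecolorallocate($im, 255, 255, 255));
    imagefilledellipse($im, intdiv($w, 2), intdiv($h, 2), 80, 80,
        imagecolorallocate($im, 200, 0, 0));
    return $im;
}

/** Random signed offset of 10-20 px, as suggested in the thread. */
function size_jitter(): int
{
    return random_int(10, 20) * (random_int(0, 1) === 1 ? 1 : -1);
}

/** PNG bytes of $src, resized by a random amount and lightly speckled. */
function randomized_variant($src): string
{
    $w = imagesx($src);
    $h = imagesy($src);
    $nw = $w + size_jitter();
    $nh = $h + size_jitter();
    $dst = imagecreatetruecolor($nw, $nh);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $nw, $nh, $w, $h);

    // Resizing alone gives only a small, enumerable set of outputs per
    // picture, so also overwrite a few random pixels with random colours.
    for ($i = 0; $i < 40; $i++) {
        $colour = imagecolorallocate($dst, random_int(0, 255), random_int(0, 255), random_int(0, 255));
        imagesetpixel($dst, random_int(0, $nw - 1), random_int(0, $nh - 1), $colour);
    }

    ob_start();          // imagepng() writes to output; capture it as a string
    imagepng($dst);
    return (string) ob_get_clean();
}

// Two responses built from the same source picture.
$src = make_sample_picture();
foreach (['A', 'B'] as $label) {
    $png = randomized_variant($src);
    printf("variant %s: %d bytes, sha1 %s\n", $label, strlen($png), sha1($png));
}
```

The expected answer for the challenge has to be kept server-side (for example in the session), never in the image URL or file name.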
 
 Post subject:
PostPosted: Thu Mar 15, 2007 11:34 am 
Offline

Joined: Thu Feb 02, 2006 1:41 pm
Posts: 1154
Location: Southern Central USA
Sounds good to me. Anyone who knows PHP and would like the job of helping us out is welcome to take up the mantle.
*smiles*

_________________
Sincerely,
Yukiko

I know you think you understand what you thought I said but what you heard is not exactly what I meant.

Titus 2:13


 
 Post subject:
PostPosted: Wed Mar 28, 2007 10:03 pm 
Offline
POL Developer

Joined: Sun Feb 12, 2006 9:50 pm
Posts: 836
Location: Indiana, USA
Yukiko, that antispam code got CWO banned. The reason is, the variable it replaces and checks for to ban is required by the avatar and other various systems that use forms. Reason being, it is also used due to it matching a table field's name. lmao. Removed the ban part from the avatar code it had changed.

_________________
POL Developer - The Penguin Scripter


 
 Post subject:
PostPosted: Thu Mar 29, 2007 12:22 am 
Offline

Joined: Thu Feb 02, 2006 1:41 pm
Posts: 1154
Location: Southern Central USA
You mean the anti-spam code that Tek referred me to or the info you sent me? I am still only using the info that Tek sent me to. Have not implemented your stuff yet Maud.

So far the only issue I have on my boards is that I am having to log in twice to get fully logged in. This is the same for all members. It shows you logged in at the bottom of the forum main but you don't get full access to the forums until you log in a second time. I have tried to figure out what's wrong but haven't yet. I am thinking about just going back to a virgin install and manually berfing the spammers.

_________________
Sincerely,
Yukiko

I know you think you understand what you thought I said but what you heard is not exactly what I meant.

Titus 2:13


 
 Post subject:
PostPosted: Thu Mar 29, 2007 6:10 am 
Offline
Distro Developer

Joined: Thu Apr 06, 2006 5:11 pm
Posts: 350
Location: Nederland, Texas
My forums did that for a while, but only with Opera and not every time. Have you upgraded to the newest version? That may fix it. After a lot of mess with PHPBB2, no offense to the devs, it's open source and free, I switched to another forum and never looked back.


 
 Post subject:
PostPosted: Thu Mar 29, 2007 8:57 am 
tekproxy wrote:
My forums did that for a while, but only with Opera and not every time. Have you upgraded to the newest version? That may fix it. After a lot of mess with PHPBB2, no offense to the devs, it's open source and free, I switched to another forum and never looked back.


Kudos to you there. Free Software these days has a lot higher quality than it has in the past; just look at the Linux and BSD options out there. But there are some examples of free software that really give the whole thing a very bad name. PHPBB is just a huge, bug-ridden, wide-open piece of crap that needs lots and lots of effort to make it somewhat 'safe' to use, and even then, it seems almost a weekly event that another SQL injection hack is found against it. And of course, things like the issue in this thread, too.

With PHPBB being used on so many sites, finding trivial-to-use exploits either for 'botting' accounts and posts, or actually exploiting the web site or even the web server itself through PHPBB is just way too easy. And often, when people end up having to fix PHPBB bugs themselves, they start to create problems patching in future updates to PHPBB itself, and the mess just gets worse.


  
 
 Post subject:
PostPosted: Thu Mar 29, 2007 8:14 pm 
Offline
POL Developer

Joined: Sun Feb 12, 2006 9:50 pm
Posts: 836
Location: Indiana, USA
hehe

Notice recently, a lot of our onslaught stopped too. The nice part is, I keep a logfile of all "non-patch changes" we make to the forums. That way, we can implement it in any updates from the phpBB group, or into any other forum software effortlessly. Isn't documenting great? :)

_________________
POL Developer - The Penguin Scripter


 
 Post subject:
PostPosted: Thu Mar 29, 2007 10:31 pm 
Offline

Joined: Thu Feb 02, 2006 1:41 pm
Posts: 1154
Location: Southern Central USA
Yes it is Maud, BTW which mod was it that caused the accidental banning?

_________________
Sincerely,
Yukiko

I know you think you understand what you thought I said but what you heard is not exactly what I meant.

Titus 2:13


 
 Post subject:
PostPosted: Fri Mar 30, 2007 1:52 am 
Offline
POL Developer

Joined: Sun Feb 12, 2006 9:50 pm
Posts: 836
Location: Indiana, USA
The one you sent me.

_________________
POL Developer - The Penguin Scripter


 
 Post subject:
PostPosted: Fri Mar 30, 2007 5:55 pm 
Offline

Joined: Thu Feb 02, 2006 1:41 pm
Posts: 1154
Location: Southern Central USA
I assume you mean the one Tek gave me in this forum. That's odd though; I haven't heard of anyone being banned on our forums yet because of it.

_________________
Sincerely,
Yukiko

I know you think you understand what you thought I said but what you heard is not exactly what I meant.

Titus 2:13


 
 Post subject:
PostPosted: Fri Mar 30, 2007 6:01 pm 
Offline

Joined: Sat Feb 04, 2006 5:49 pm
Posts: 770
Location: Chicago, IL USA
The exact thing I did... I went to my profile, looked at the avatar gallery and hit "Cancel Avatar". Hitting that button got me banned.


 
 Post subject:
PostPosted: Fri Mar 30, 2007 6:02 pm 
Offline

Joined: Thu Feb 02, 2006 1:41 pm
Posts: 1154
Location: Southern Central USA
Thanks CWO.

I'll make a test account and experiment.

_________________
Sincerely,
Yukiko

I know you think you understand what you thought I said but what you heard is not exactly what I meant.

Titus 2:13


 
 Post subject:
PostPosted: Fri Mar 30, 2007 6:06 pm 
Offline

Joined: Sat Feb 04, 2006 5:49 pm
Posts: 770
Location: Chicago, IL USA
Watch out, it's an IP ban, not account ban.


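An added example, not the anti-spam mod discussed in this thread, of a decoy-field check that avoids the failure reported above: the trap name is tested for collisions with fields that other forms post, only the registration handler evaluates it, and a hit rejects the request instead of banning the IP. The form names, field names and functions are all hypothetical.

```php
<?php
// Added example. Form names, field names and functions are hypothetical.

const TRAP_FIELD = 'contact_nick_7f3a';   // decoy input, hidden from humans via CSS

// Constructed list of the fields each form legitimately posts.
const FORM_FIELDS = [
    'register' => ['username', 'email', 'new_password', 'confirm_code'],
    'profile'  => ['username', 'email', 'avatarselect', 'cancelavatar'],
    'login'    => ['username', 'password'],
];

/** Forms whose real fields collide with the trap name; must be empty before deploying. */
function trap_collisions(string $trap, array $forms): array
{
    return array_keys(array_filter(
        $forms,
        fn(array $fields): bool => in_array($trap, $fields, true)
    ));
}

/** Decide on one POST: 'accept' or 'reject'. Never issues a ban. */
function check_post(string $form, array $post): string
{
    // Only the registration handler looks at the trap field, so the avatar
    // and other profile forms cannot trip it.
    if ($form !== 'register') {
        return 'accept';
    }
    // Humans never see the decoy, so it arrives empty or absent.
    $value = trim((string) ($post[TRAP_FIELD] ?? ''));
    return $value === '' ? 'accept' : 'reject';
}

// Demo on constructed requests.
var_dump(trap_collisions('username', FORM_FIELDS));   // a reused name: lists every form that posts it
var_dump(trap_collisions(TRAP_FIELD, FORM_FIELDS));   // the dedicated decoy name
var_dump(check_post('profile', ['username' => 'cwo', 'cancelavatar' => '1']));
var_dump(check_post('register', ['username' => 'x', TRAP_FIELD => 'http://example.invalid']));
```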
 
 Post subject:
PostPosted: Fri Mar 30, 2007 6:13 pm 
Offline

Joined: Thu Feb 02, 2006 1:41 pm
Posts: 1154
Location: Southern Central USA
Ick!!!!

Thanks.

_________________
Sincerely,
Yukiko

I know you think you understand what you thought I said but what you heard is not exactly what I meant.

Titus 2:13

