I'm managing a phpBB-based forum that gets hit hard by spammers signing up fake accounts. To combat this, we enabled "administrator activation required", but it's not working so well: When a new user signs up, I get an email with a link to activate that user. However, there's no link to let me easily look at the user first; it goes straight to activation.
I'd like to try a different approach, along these lines:
- I'd like to allow registrations without my approval; instead, the user must get a mail with an activation link.
- I'd like a designated moderator group to approve all posts made by newly registered users. This should be done through the forum's web-based moderation control panel.
- When a new user posts a spammy message, I want the moderator group to kill the message and the account.
- When a new user has posted a few non-spammy messages, he's whitelisted and further postings require no approval.
How do I achieve this setup? -or- Is there a similar but smarter approach?
UPDATE: I finally found a watertight solution: http://CleanTalk.org -- it's a paid service but for a measly $8 per year it's well worth the money. So far the filter has worked 100% accurately, without any spammers getting through and without blocking legit users. I am impressed.
Some steps to take:
I found some info in phpBB's forum, but it was too well hidden for new (forum admin) users:
Then there's the suggestion to put new users on the moderation queue, but no info on how that's done:
Here's how:
I don't remember if I made the role "on moderation queue" myself or if it's a default role. Create or review the role here:
All the above should be default settings for new phpBB installations, but aren't.
Also, in the User Registration settings, turn on reCaptcha and click Configure to fill in the required site keys (which can be created through a link on that config page). Submit the configuration, then go back to User Registration settings and (again) turn on reCaptcha, then Submit that change.
Also, try this MOD: http://www.phpbb.com/customise/db/mod/daropl_antispam/
I know you already got recaptcha working, but I thought I'd add the link to the recaptcha documentation for phpBB anyway, in case anyone else finds this question in future:
http://code.google.com/apis/recaptcha/docs/phpbb.html
Would be nice if more people used this, rather than letting their phpBB fill up with spam. Ditto for blogs...
Are you using a captcha? If not, definitely do so; it should help a fair bit.
http://en.wikipedia.org/wiki/CAPTCHA
Instead of using reCaptcha (which reportedly has been broken by bots now), I upgraded my phpBB forum to the latest version last week and then configured it to use a Q&A captcha with a few custom questions defined (in addition to requiring activation by user emails, and moderating all new users until they have a few approved messages), and haven't had a single spam account be registered so far. Now I just have to finish pruning the thousands of messages and accounts that were already in the moderation queue!
As suggested by other people, having a captcha is a thing to be considered. But captchas are a double-edged sword: a simple one will get broken by sophisticated bots (that use neural networks and other hi-tech approaches), a very complicated captcha will become an annoyance for regular users.
Basically, you don't have many options. Instead of making sure that it is very hard to prove to your site that one is a legit user, you have to make sure that every spamming account that comes through is dealt with using harsh methods.
Use some kind of phpbb mod that gathers details about accounts registered from same IPs, collects User-Agent headers etc. While many advanced spam bots can use multiple proxies, very often script kiddies skip using them, because they don't have a proxy list. While User-Agent can be faked, not everyone who is spamming knows about it and does it.
If you see many abuses from an IP that is geolocated to a foreign country that has little to do with your forum, block the whole network at firewall level. Chances are low that you would get legitimate users from there. Instead of blocking, you could redirect them to a honeypot.
If you see some clear signature in the spam messages about the app that was used to spam, please fight back. I had luck a couple of times with complaining to the hosting company that they host the notorious spam software XRumer. I've got answers like "we are aware of it, since we've got complaints from other people" and the hosting account was soon canceled. It didn't work every time, perhaps because certain hosting providers never received a critical mass of complaints that would motivate them to do something. XRumer seems to be still alive.
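The grouping of registrations by source address and User-Agent described in the answer above can be done offline. This is an added example, not part of the original answer and not phpBB code; the record layout (username, IP, User-Agent), the function names and the thresholds are assumptions, and the sample data is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample registration records: (username, IP, User-Agent).
# The addresses are documentation ranges, not real observations.
SAMPLE_SIGNUPS = [
    ("alice",   "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"),
    ("pills01", "203.0.113.10", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("pills02", "203.0.113.10", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("loans77", "203.0.113.44", "Mozilla/4.0 (compatible; MSIE 6.0)"),
    ("bob",     "192.0.2.25",   "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"),
    ("seo_guy", "203.0.113.91", ""),
]

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Return the enclosing network of an address as a string.
    The prefix lengths are assumed defaults; tune them to your traffic."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def cluster_signups(signups, min_accounts=3):
    """Group signups by network and by User-Agent. Report every group with at
    least min_accounts members, plus accounts that sent no User-Agent."""
    by_net, by_ua, no_ua = defaultdict(list), defaultdict(list), []
    for user, ip, ua in signups:
        by_net[network_of(ip)].append(user)
        ua = ua.strip()
        if ua:
            by_ua[ua].append(user)
        else:
            no_ua.append(user)  # an empty header is itself a signal worth review
    return {
        "networks": {n: u for n, u in by_net.items() if len(u) >= min_accounts},
        "user_agents": {a: u for a, u in by_ua.items() if len(u) >= min_accounts},
        "missing_user_agent": no_ua,
    }

if __name__ == "__main__":
    for kind, groups in cluster_signups(SAMPLE_SIGNUPS).items():
        print(kind, groups)
```

A flagged group is a list of accounts for a moderator to review, not proof of abuse: shared networks (universities, mobile carriers) and common browsers also produce clusters.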
The only thing I have found effective (and it has been almost entirely effective) is http://stopforumspam.com/.
Just add this mod and it takes care of almost all spam registrations: https://gist.github.com/797970
I use a Q&A Captcha module. But unlike others, it doesn't ask you to solve a math question, which spambots have broken.
Rather, it asks you to select and move the word that doesn't make sense.
It works great with spambots. I have had 0 spambots. It cannot block human spammers, but those are few and far between and easily eliminated.
You can see how it works by trying to register on my site at photographtoday.net/forums.