
phpBB and spam

Posted on April 19th, 2007 at 3:02am by Pi.
Categories: Development.

I just spent three hours trying to fix one of the phpBB boards I administer so it could fight spam better. However, it wasn’t as easy as I thought. This change had been badly needed for more than a year, but I felt very lazy about digging into the old code I had changed and working out how to adapt new code to my changes.

The details: the board had phpBB 2.0.18, with some custom changes. It had no way to stop spammers from registering. For more than a year, since the first spammer registered, I have been manually deleting the users and their spam posts. I also used exclusion rules for email domains and IPs, but they aren’t enough. They help, but are far from perfect.

About a year ago, I discovered phpBB KittenAuth, a KittenAuth implementation for phpBB. It provides a nice test when registering on the board, and such a test can’t be passed by spam robots, as happens with captchas. I think that captchas are enough for the usual robots, and only big places need to worry about sophisticated robots. A robot capable of defeating captchas will not bother with small sites; it targets big sites.

Newer versions of phpBB include a captcha; unfortunately, my version didn’t. So I had to choose: upgrade phpBB and use a captcha, or stay with my version and add KittenAuth, a better option for spam prevention than captchas. Ok, so I chose KittenAuth.

After one hour trying to adapt phpBB KittenAuth to my version, I discovered that I had to upgrade to phpBB 2.0.20 at least so KittenAuth could successfully substitute the captcha with its own test. I thought that KittenAuth would add a test, not substitute phpBB’s test. I was wrong, so my efforts went to hell. Fortunately, I had made a backup so I could recover the original site.

After all that effort, it seemed that I had to upgrade to at least 2.0.20, which in fact has a captcha. It wasn’t easy, due to my changed code. The only sane option was using a patch. However, that has to be applied with a program called Patch (how original) which comes from Unix, and whose Windows versions are not exactly compatible. I had a hard time trying to find a working Patch program which would work with phpBB patch files, under Windows. These things really make me mad, but in the end I was able to apply the patch, upload the new board to the site, and finish the upgrade there. After some tests, I think the upgrade is ok, the captcha is working, and everything is fine. The board was updated to the latest stable phpBB, exactly version 2.0.22.

Now, instead of installing KittenAuth, I will look at how the default phpBB captcha works. In the last month, I’ve removed one spam user every day (on average), despite what the board users might think (yes people, I kept removing them daily). Let’s see how many appear now. If one, even only one, appears, I will change the captcha to a more advanced one. And if one appears after that, then I will install KittenAuth. I have the images ready, whose preparation took me the remaining hour I spent with all this. But for now, I’m done.

4 comments.

Alejandro

Comment on 12:11pm.

I have exactly the same problem, and I saw that your post is from April 19. I have just upgraded the forum, but I would like to know how the experience went for you.

Pi

Comment on 12:50pm.

The experience was terrible; I describe it in another post from May 25: KittenAuth y phpBB. In short, even more spam was getting in. But since I installed KittenAuth, not a single one. KittenAuth for phpBB is wonderful, I recommend it 100%. If you want to see how it looks, go to http://foro.dondeyotediga.com and try to register.

Alejandro

Comment on 1:29am.

Thanks, I’m going to install it right now.

While searching on this topic I found something that, although I haven’t tried it, seems to make quite a lot of sense in my head. Basically it is about making small customizations and individual touches to the forums (it stands to reason that the more widespread a mod is, the more likely it is to be bypassed).

http://soporte.miarroba.com/80376/5274701-posible-solucion-bots-spam-en-foros-phpbb/

Pi

Comment on 9:12am.

That explanation is incomplete and incorrect. Although it does work, it is because he has moved the inputs around, not because he has renamed four variables in the PHP code. You would get the same result if you added an extra input asking “how much is 2+2” and checked whether they entered 4. There are similar mods for WordPress comments.

Spambots are not specific, and fooling them so they cannot get through a registration is at once extremely simple or very difficult. But if everyone starts using the same “simple” method, then the spambots will take it into account and bypass it. The captcha is extremely popular, so they have been bypassing it for years. Now the humanizer is popular, so the spambots bypass it. In a few months, altering the registration page with simple changes will be popular, and the spambots will bypass it.

But looking to the future, I don’t see a way to write a program that bypasses a protection of the KittenAuth kind. KittenAuth works now and will keep working, with no bot able to “break” it until there is artificial intelligence, and without the need for silly patches.
