[RFC] Improved AntiSpam Countermeasures by default

Note: We are moving the topics of this forum and it will be deleted at some point

Publish your own request for comments/change or patches for the next version of phpBB. Discuss the contributions and proposals of others. Upcoming releases are 3.2/Rhea and 3.3.
User avatar
jsebean
Registered User
Posts: 165
Joined: Wed Nov 17, 2010 1:40 am
Location: Atlantic Canada

[RFC] Improved AntiSpam Countermeasures by default

Post by jsebean » Fri Apr 13, 2012 12:52 pm

phpBB site owners continuously post on phpBB.com requests in regards to preventing spam posts and automated registrations. Most of the time, they're just linked to the Preventing spam in phpBB 3.0.6+ topic and then move on to the next users asking a question. The topic makes good examples of preventing spam by using things like blocking UTC -12 registrations, Q&A Captcha and downloading Captchas, but phpBB should have more protection built in.

A lot of people would rather not modify the board, even though at the current state captcha's are plugins, some just simply don't know how to install them, others might not want to. 3.1 will make life easier to install more plugins then just captchas, with hooks and stuff, but the issue with mods/plugins is you're in the hands of the original developer of that mod/plugin. If they decide to move on for whatever reason, unless it's an insanely popular or lucky mod, it most likely will remain abandoned.

Thus, phpBB should have other built in AntiSpam countermeasures. Some examples to build into phpBB is StopForumSpam.com integration, Project Honey Pot, Akismet, and maybe even other resources that doesn't rely on a third part service such as a "Spam Words" system. StopForumSpam can even be used without an API key, but I think it would be nice if it was used in phpBB to, out of curtosy toward the project, require an API key for submitting spam posts since they only way SFS can work is if people submit spam posts to the DB. Also SFS will be requiring you submit the actual posts (Called evidence iirc) since the system was abused earlier with false submissions.

Q&A captcha is nice but requires effort in making questions, and ensuring that their working. I found in the past I had to keep tweaking the questions to keep it working. Then there is reCaptcha, which, IMO, totally useless. Sure it helps a bit, but doesn't do an insanely good job. Then of course, all the default captchas built into phpBB are also useless, that's to be expected. phpBB being a popular BB system as it is, someone is gonna be trying to get through it's captchas, so I don't think it would be wise to make another captcha again just to have it broke again.

phpBB does have a DNSBL built in but to use it to prevent spam as-is is almost useless. Big chances of false positives.

So basically some additional antispam countermeasures under the hood of phpBB would be really nice to have, so that most board owners can cut back on spam posts out of the box without additional plugins, mods etc.
-Jonah

User avatar
brunoais
Registered User
Posts: 964
Joined: Fri Dec 18, 2009 3:55 pm

Re: [RFC] Improved AntiSpam Countermeasures by default

Post by brunoais » Sat Apr 14, 2012 8:38 am

One of the ideas behind phpBB is that each phpBB installation must not, by default, require any external access.
In StopForumSpam case, if you don't have allow_url_fopen turned on or curl available, how do you contact with the outside world? You cannot require something like that in the forum system, at least, set by default. We could, however, create such option in the ACP.

I could try to comment the other options but I can't or they fall down the the StopForumSpam case.

User avatar
callumacrae
Former Team Member
Posts: 1046
Joined: Tue Apr 27, 2010 9:37 am
Location: England
Contact:

Re: [RFC] Improved AntiSpam Countermeasures by default

Post by callumacrae » Sat Apr 14, 2012 9:23 am

brunoais wrote:One of the ideas behind phpBB is that each phpBB installation must not, by default, require any external access.
In StopForumSpam case, if you don't have allow_url_fopen turned on or curl available, how do you contact with the outside world? You cannot require something like that in the forum system, at least, set by default. We could, however, create such option in the ACP.

I could try to comment the other options but I can't or they fall down the the StopForumSpam case.
There is already a DNSBL check built in, so that argument isn't really valid :-)
Made by developers, for developers!
My blog

User avatar
jsebean
Registered User
Posts: 165
Joined: Wed Nov 17, 2010 1:40 am
Location: Atlantic Canada

Re: [RFC] Improved AntiSpam Countermeasures by default

Post by jsebean » Sat Apr 14, 2012 11:45 am

callumacrae wrote:
brunoais wrote:One of the ideas behind phpBB is that each phpBB installation must not, by default, require any external access.
In StopForumSpam case, if you don't have allow_url_fopen turned on or curl available, how do you contact with the outside world? You cannot require something like that in the forum system, at least, set by default. We could, however, create such option in the ACP.

I could try to comment the other options but I can't or they fall down the the StopForumSpam case.
There is already a DNSBL check built in, so that argument isn't really valid :-)
Agreed. Also, anything that calls onto an outside source, such as SFS, should be disabled by default, for obvious reasons. And of coruse, Spam Words system would be disabled by default as well since you'd need to collect some words. I'm just saying options like this should be available for those having spam issues, then it would be maintained by the team and users will be sure they have some options available that will stick around.
-Jonah

MartinTruckenbrodt
Posts: 171
Joined: Sun Jan 29, 2006 1:00 pm
Location: Germany
Contact:

Re: [RFC] Improved AntiSpam Countermeasures by default

Post by MartinTruckenbrodt » Fri May 11, 2012 7:37 pm

Hello Jonah,
the new Advanced Block MOD 1.1.0 for Olympus offers the features you are requesting.
It offers plug-in systems for HTTP blacklists (at the moment included: Stop Forum Spam, BotScout, Akismet, Project Honey Pot), IP-RBL DNS blacklists and Domain-RBL DNS blacklists. The weight system is reducing the risc of false positives very successfully.
My experience of more than three years of discussion is that phpBB developers don't want to have these features improved or included. Their only argument is the risc of false positives. In past some people ment this would decrease the board performance.
I don't understand their arguments. The whole world is using blacklists to prevent email spam, bad web content, blog spam (e.g. wordpress), forum spam and so on. Only phpBB is thinking this would bring the evil into the core.

One important argument pro the use of blacklists: It's the only one really successfull feature to prevent human spammers whom are registering and posting manually.

Bye Martin
Advanced Block MOD 1.1.1 has been released! - Prevent spam on your phpBB3 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists! - My MODs

Senky
Extension Customisations
Extension Customisations
Posts: 300
Joined: Thu Jul 16, 2009 4:41 pm

Re: [RFC] Improved AntiSpam Countermeasures by default

Post by Senky » Sat May 12, 2012 10:12 am

HTTP blacklists are ok, however they require registration, don't they? At least Akismet do, what about the others.

The main point of phpBB team is to include anti-spam not requiring... But there is an important question: if Wordpress can offer Akismet to the users as default, why phpBB not? Nowadays, no absolutelly free anti-spams are as effective as registration-requiring ones (reCaptcha, Akismet, ...)...

User avatar
callumacrae
Former Team Member
Posts: 1046
Joined: Tue Apr 27, 2010 9:37 am
Location: England
Contact:

Re: [RFC] Improved AntiSpam Countermeasures by default

Post by callumacrae » Sat May 12, 2012 10:15 am

Akismet isn't free for commercial use, and they prompt people to pay why they want also. Akismet is *extremely* accurate, while the free HTTP blacklists that don't require registration tend to be a bit rubbish.
Made by developers, for developers!
My blog

MartinTruckenbrodt
Posts: 171
Joined: Sun Jan 29, 2006 1:00 pm
Location: Germany
Contact:

Re: [RFC] Improved AntiSpam Countermeasures by default

Post by MartinTruckenbrodt » Wed May 23, 2012 8:38 pm

Hello,
in this point there are three types of HTTP blacklists:
  1. free, no registration and key required for checking, but registration and key required for reporting new spam - e.g. Stop Forum Spam
  2. free, but registration and key required for checking, too - e.g. Project Honey Pot
  3. non-free, but they are offering free editions, too - sometimes there are restrictions, e.g. in the number of free requests per day - registration and key required - e.g. BotScout or Akismet
@Callum: Please give us a source for your statement about the difference in the quality of the different HTTP blacklists you are writing about several times. It seems you haven't tested it or compared yourself. So please give us an external source.

Bye Martin
Advanced Block MOD 1.1.1 has been released! - Prevent spam on your phpBB3 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists! - My MODs

User avatar
bonelifer
Community Team
Community Team
Posts: 108
Joined: Mon Jan 31, 2005 10:41 am

Re: [RFC] Improved AntiSpam Countermeasures by default

Post by bonelifer » Thu May 24, 2012 12:23 am

It should be noted that BotScout steals it's data from SFS, and therefore why would anyone pay for them!?!?!?

MartinTruckenbrodt
Posts: 171
Joined: Sun Jan 29, 2006 1:00 pm
Location: Germany
Contact:

Re: [RFC] Improved AntiSpam Countermeasures by default

Post by MartinTruckenbrodt » Thu May 24, 2012 6:11 pm

Hello bonelifer,
I'm using BotScout for free.

Bye Martin
Advanced Block MOD 1.1.1 has been released! - Prevent spam on your phpBB3 board with Stop Forum Spam, BotScout, Akismet, Project Honey Pot and several IP-RBL and Domain-RBL DNS blacklists! - My MODs

Post Reply