Request for Stopping Spambots in 3.0

[VxJasonxV]

Whoa whoa whoa whoa... hold the phone.

one of the best ways to eliminate spambots is to make sure every link supplied by a user, both in his "home page" (profile) and any link that appears in any post, has a "rel=nofollow", which removes the main reason for spamming (it tells the search engines not to increase the rating of the linked site based on this link).

This doesn't reduce spam.
Manual spam maybe, but automated bot flooders don't care at ALL what rel you put on their comments.
Not all search engines care about the rel tag.

Modifying the bot's content doesn't do anything. Outright preventing it is the purpose.

I do so greatly hope that the phpBB group puts Bad Behavior or even something like Akismet to use.
The only problem with Akismet is how protection keys are handled.

Well... Bad Behavior it is then!

[SamG]

Yes, but you did say something like Akismet…which would be cool.

There was a brief conversation some months back over at the main boards, where Bad Behavior came up. In phpBB's case at least, there doesn't seem to be a lot of community interest in pursuing that kind of stuff—which surprises me just a little.

But then, I've never requested a Bad Behavior MOD either.

[dhn]

There was a brief conversation some months back over at the main boards, where Bad Behavior came up. In phpBB's case at least, there doesn't seem to be a lot of community interest in pursuing that kind of stuff—which surprises me just a little.

I don't think most users will need a tool like this simply because they only allow registered users to post, and already stop most bots at this step. Adding Visual Confirmation is a hurdle that no known bot* is able to take at the moment.

I agree that this would be a good feature for forums allowing guest posting, or could help to stop bad bots from taking up bandwith and accessing the page at all. Perhaps a MOD can show how much phpBB could benefit from this.

*Note: we are aware that our current VCS is not the safest, but there is no bot known to us that is actually using the weakness as for now

[SamG]

I'm not sure most users wouldn't benefit from Bad Behavior. As a transparent alternative to CAPTCHA, as a bandwidth/CPU preserver (as you mentioned), and as an e-mail address harvesting protector, Bad Behavior seems a natural candidate for a phpBB MOD. Plus, it supports logging.

It's not as if there's no community interest in all of the above, so that's why I'm a little surprised at the lack of community interest in Bad Behavior.

Anyway, you're right that its benefit to phpBB isn't proven. Given that Mr. Hampton has already done the hard work, it just seems like somebody would pick it up and put it to the test in a phpBB environment.

[balding_ape]

Problem is its not automated and every forum has to have differerent images and questions.
Its too annoying for most people.

I don't see that as a problem at all. The objective is not to stop bot attacks on EVERY board, it is to stop it on *my* board. I have no problem whatsoever uploading a few of my own photos with a couple of questions. I don't care that most people wouldn't take advantage of it...*I* could, and that's all I really care about.

Wish I was a competent PHP programmer...I'd create the mod if needed.*


*Of course, once I used the current phpBB anti-spambot, I stop seeing any bot registrations.

[VxJasonxV]

Yes, but you did say something like Akismet…which would be cool.

This is true

There was a brief conversation some months back over at the main boards, where Bad Behavior came up. In phpBB's case at least, there doesn't seem to be a lot of community interest in pursuing that kind of stuff—which surprises me just a little.

Ditto. I think it's going to be a big issue pretty quick. phpBB3 should mitigate that to some extent, but it won't be long before bots adapt and new code is in the wild.

I don't think most users will need a tool like this simply because they only allow registered users to post, and already stop most bots at this step. Adding Visual Confirmation is a hurdle that no known bot* is able to take at the moment.

With all due respect dhn, I have to 100% disagree. A forum or 3 of mine has registered posting only, and visual confirmation on for registration. And we still get a new spambot every few days.
A ton of accounts too registered that are never used (or... not used yet).
This is going to be an increasingly pressing issue in the coming months (IMO, of course).
Not to even mention the topic I saw somewhere around here where people pointed out the CAPTCHA breaker SourceForge project...

[EXreaction]

This is really strange...I made my own visual confirmation that does something completely different that nobody should have stuff written in for in a spam bot...yet I am getting a whole bunch of unwanted registrations...all kinds of people from *@(someting poker related).(so many different ones...org, net, com, fr)

I don't get it...I would have guessed it was a person or two manually registering, but I installed the registration record IP mod, and the 5 or so that registered within the last day are all from different IP's...

We have about 70 members(mabey 5-10 active) on our board, and every day I notice that there are around 800 guests...that have visited our forum...I doubt we are getting crawled by google, msn, and other search sites that often...

I will have to finish my mod off so that when someone does register and fills in anything in the signature or website sections(which has been hidden during registration in the templates) that it looks like they registered, but actually nothing goes into the database...except perhaps their IP address...which I could have automatically banned... 8)


/probably not the best place to talk about it...but I said it already...

[alcaeus]

*Note: we are aware that our current VCS is not the safest, but there is no bot known to us that is actually using the weakness as for now

Ok, I guess I'll check my server logs then. I'm not 100% sure it's a bot, but it's a regular pattern of usernames/email addresses that crack through the VCS.
@EXreaction: yup, I'm getting the same one. I've banned that email address, and the local development version of my forum already has an advanced ban filter in place, that lets me block a little more than the current one does.

However, the regular spambot trying to just post their ads in the forums simply trip over the VCS there, because they're not expecting it. So, sometimes just renaming the "submit" button in template and code does the trick

Greetz
alcaeus

[Yoda_IRC]

The objective is not to stop bot attacks on EVERY board, it is to stop it on *my* board. I have no problem whatsoever uploading a few of my own photos with a couple of questions. I don't care that most people wouldn't take advantage of it...*I* could, and that's all I really care about.

wel if *you* want the feature then why don't *you* hire a programmer to implement it for you? Its open spurce so there is nothing stopping you paying someone to produce a modified version of phpBB.


Oh and someone mentioned that they still get bots with visual confirmation, is it possible that a bot tries to register finds a visual confirmation and submits that to a human user, then the user tells the bot the code and on it goes? It would be faster than manual registration but can bypass virtually any protection.

[balding_ape]

wel if *you* want the feature then why don't *you* hire a programmer to implement it for you? Its open spurce so there is nothing stopping you paying someone to produce a modified version of phpBB.

Did I not just suggest that I'd create the mod if I could? If it were that important to me (and it's not), I would hire someone. But thank you for the information. It's good to know that phpBB is open source and I could do it on my own.

However, my point was that it wasn't a bad idea *if* the current system were compromised (not including user intervention as you suggest below...that defeats most of the purpose, and most of the annoyance, of the bot).

Oh and someone mentioned that they still get bots with visual confirmation, is it possible that a bot tries to register finds a visual confirmation and submits that to a human user, then the user tells the bot the code and on it goes? It would be faster than manual registration but can bypass virtually any protection.

Arrange a 5-minute session timeout or something along those lines. It would force someone to actually sit there and do nothing except register forum bots...defeating the purpose of the bots. A bot that requires user intervention is just a glorified search and register script.