Better Spambot Protection in phpBB3?

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Post Reply
User avatar
Wernight
Registered User
Posts: 26
Joined: Sun Apr 02, 2006 2:15 pm
Location: France
Contact:

Re: Better Spambot Protection in phpBB3?

Post by Wernight »

cutaia wrote: Well, then allow me to enlighten you. It's a grid of random pictures that changes on each page load. The person must click (for example) all the pictures that contain tigers before submitting the page. It seems like a damned good idea as it pretty much reqires a human to descern between pictures.

The problem of those is that it requires custom images for each board, and possibly many of them. Without customization, any bot can read assign tags to every image and thus solve it. Yes there is a "Anti-image-harvesting measures", but no big deal: Any spammer can download the kit and so he'll get access to the set of images. Even if they are encrypted, with some time it's not that hard to get them all... unless there is a huge number of images.

None the less, it can be a good method if the security is really good and if people use custom images.

Supposing a PHP generate the image from an invisible server folder. That image would have a random name for each cell of the grid. Then a similar method:

Pro (of the method):
- Easy to customize
- Very hard for bots (supposing custom images)

Con (of the method):
- Takes more disk space and space in the registration box
- Requires english knowledge/translation of the tags
- Not so good out-of-the-box

MKruer
Registered User
Posts: 156
Joined: Sun Jul 20, 2003 9:01 pm

Re: Better Spambot Protection in phpBB3?

Post by MKruer »

I am all for increasing the effectiveness of spam bots protection. I run a site that seems to have at least one spam account get through despite the fact that I am running multiple counter measures.

These ideas are off the cuff but may inspire some ideas.

Audio verification: same idea as picture verification but with audio.
What is the color of the text: Red The average bot would expect to decode the image as red, but the answer would be blue.
Hidden trap fields: the idea is to generate the verification page with numerous hidden fields that a bot would find but would fail to render on the page. If one of the non displayed fields is filled in, you know it’s a bot.

User avatar
Wernight
Registered User
Posts: 26
Joined: Sun Apr 02, 2006 2:15 pm
Location: France
Contact:

Re: Better Spambot Protection in phpBB3?

Post by Wernight »

Audio verification: same idea as picture verification but with audio.
What is the color of the text: Red The average bot would expect to decode the image as red, but the answer would be blue.
Hidden trap fields: the idea is to generate the verification page with numerous hidden fields that a bot would find but would fail to render on the page. If one of the non displayed fields is filled in, you know it’s a bot.

Those have been discussed earlier or similar in the CAPTCHA section of early development:
- Audio: Not good since many don't even have speakers at office
- Text color: Very easy to bypass: Just read the HTML
- Hidden field: Very easy to bypass: Just don't fill the type="hidden" fields.

Those are all nice when they are custom just for one board only. The problem here is to make some protection that can be put on all boards and still avoid bots to register. I think this post is getting a bit out of the topic.

cutaia
Registered User
Posts: 45
Joined: Wed Mar 30, 2005 4:08 am
Location: Aurora, CO
Contact:

Re: Better Spambot Protection in phpBB3?

Post by cutaia »

Wernight wrote: The problem of those is that it requires custom images for each board, and possibly many of them. Without customization, any bot can read assign tags to every image and thus solve it.


That's a problem? I don't see that as a problem at all. I would personally love to have custom images for this thing. In fact, I think most people would consider that a pro, and I'm sure that's what the authors intended.

As for the bots simply assigning tags to the images. 2 things: 1) Even if the bot can automatically figure out that a certain picture of a "tiger" is always a "tiger"...it still needs to figure out that there is a relationship between that tiger and the other tigers, and it needs to know that a picture of a lamb is not a tiger. That part still needs a human eye. 2) I'm pretty sure that this was actually something they were working on as well:
Wernight wrote: upposing a PHP generate the image from an invisible server folder. That image would have a random name for each cell of the grid.


But even without that, it works. Like I said...a bot can index and name the individual images all it wants...it still doesn't know what to compare them to.
Wernight wrote: Con (of the method):
- Takes more disk space and space in the registration box
- Requires english knowledge/translation of the tags


I don't see these as being cons. In a world where PHPBB3.0 offers attachments right out of the box...what's a few extra images gonna do? Nothing. Hell...a forum contains plenty of images right out of the box. If you don't have the space for a few more...how are you even running a website?

As for "requiring" english? This doesn't "require" English anymore than any other mod does. The fact is, if your board is multi-language, than you make translations. That's how all mods work, and this wouldn't be any different. You're kind of just nitpicking now...
Wernight wrote: - Text color: Very easy to bypass: Just read the HTML


I think that guy was actually talking about a standard-style image verification. The difference would be that while a bot would try and decode the letters in the image like usual, a person would be able to read that they need to tell the color of the letters. No HTML involved...

User avatar
Wernight
Registered User
Posts: 26
Joined: Sun Apr 02, 2006 2:15 pm
Location: France
Contact:

Re: Better Spambot Protection in phpBB3?

Post by Wernight »

You don't quiet understand I think. To create the test you have a set of images with for each image one or more tag. Ex:
  • <tiger1.jpg> <tiger, animal, jungle> <translated tags ...>
  • <tiger2.jpg> <tiger, animal, jungle> <translated tags ...>
  • <lion1.jpg> <lion, animal, jungle> <translated tags ...>
  • <man1.jpg> <human, male> <translated tags ...>
Then you ask: Select all the <tag>. Where <tag> could be "tiger", or "animal", or whatever.

What I said is that any bot creator (a human making a spam bot) can associate the images (not only the file names but the bitmaps) with the tags for all the images provided with the system (out-of-the-box). With that the bot just has to compare the shown images with the images he knows and look for the tag asked. Thus a bot can register. It means that every board admin has to provide it's own images: Finding them, resizing them, associate tags to them. Those tags have also to be translated in every language. This is different from a mod where everything is translated by the mod creator. Here every board admin has to do it.

Hope you understand more why I put those pro and cons. Using out-of-the-box, without custom images, is good because it means less work. That's why it's a con for that system. The possibility to customize is a pro, the need for it is a con.

PS: Even if the image is a bit modified by some random distortion filter, it just goes to the same problem as the CAPTCHA used in phpBB2/3. Those of phpBB3 have much better distortion that's all.
cutaia wrote: I think that guy was actually talking about a standard-style image verification. The difference would be that while a bot would try and decode the letters in the image like usual, a person would be able to read that they need to tell the color of the letters. No HTML involved...

Same: Still very easy for a bot (may be more confusion for grandma). :D

motiv
Registered User
Posts: 1
Joined: Mon Nov 20, 2006 4:43 pm

Re: Better Spambot Protection in phpBB3?

Post by motiv »

The way we got round spam bots was to create a field with questions that we came up with.

What colour is grass, Please type the word {insert word of choice} in box. etc etc

Both question and answer are modifiable by the admin.

It was a simple solution to a known issue.

User avatar
Wernight
Registered User
Posts: 26
Joined: Sun Apr 02, 2006 2:15 pm
Location: France
Contact:

Re: Better Spambot Protection in phpBB3?

Post by Wernight »

I think also that a trivial question even a unique question but custom to each board is a way to avoid spam (supposing the admin change that question every so and then).

Lieutenant Clone
Registered User
Posts: 161
Joined: Tue Feb 28, 2006 6:13 pm

Re: Better Spambot Protection in phpBB3?

Post by Lieutenant Clone »

Shadow Reaper wrote: I am glad that one of the features will be to get all the users posts and delete at once in PHPBB 3

Oh my god! YES! *emotional breakdown* :cry:
Wernight wrote: I think also that a trivial question even a unique question but custom to each board is a way to avoid spam (supposing the admin change that question every so and then).

I agree that this would be a good method. The admin enters a set of very basic questions and awnsers, and one is randomly chosen for each registration. If the admin is having trouble with bots, then it is up to them to update their questions, which would only take a minute or two, maximum. If a very determined bot spammer were to refresh your registration page many times and get all the questions and awnsers, its a simple matter of creating new ones and getting rid of the old ones. If he still wants to spam, he has to do much more manual work in order to have the bot do it, therefor rendering his bot useless.

Even if it was just hidden away in a spam panel and turned off by default, I think it would work quite well for the admins who wished to use it. It would certainly be easier than mopping up pages of spam posts every few days.
Dennis Robinson
Image

User avatar
Tienchen
Registered User
Posts: 91
Joined: Thu Sep 14, 2006 5:23 pm
Location: Germany
Contact:

Re: Better Spambot Protection in phpBB3?

Post by Tienchen »

Well, but for that you don't need a mod or new features I think, like I posted before.
Tienchen wrote: But you could define something with the "custom profile fields" I think. Choose the "dropdown box" here, then define a question and give two options, define one as wrong and make the whole as "Required field". Of course the mod for phpBB2 is a bit more comfortable and more safe, but it could work I think.

EDIT: Also possible with numbers. E.g.: Write the number 16532. And only allow this number.
Or with single textfield/textarea. E.g.: Write an alpanumeric word with 15 letters.
Of course boolean E.g.: Are you human? Yes/no. (Ah, not possible with boolean, but "dropdown" is of course even more difficult for bots I think.)
I don't like these cold, precise, perfect people, who, in order not to speak wrong, never speak at all, and in order not to do wrong, never do anything. (Henry Ward Beecher)
Die Stifthelden

User avatar
Highway of Life
Registered User
Posts: 1399
Joined: Tue Feb 08, 2005 10:18 pm
Location: I'd love to change the World, but they won't give me the Source Code
Contact:

Re: Better Spambot Protection in phpBB3?

Post by Highway of Life »

You know... there are other ways to prevent spambot registrations...

SMS!!! 8O

100% accurate.
Image

Post Reply