[RFC] Improved AntiSpam Countermeasures by default

[jsebean]

phpBB site owners continuously post on phpBB.com requests in regards to preventing spam posts and automated registrations. Most of the time, they're just linked to the Preventing spam in phpBB 3.0.6+ topic and then move on to the next users asking a question. The topic makes good examples of preventing spam by using things like blocking UTC -12 registrations, Q&A Captcha and downloading Captchas, but phpBB should have more protection built in.

A lot of people would rather not modify the board, even though at the current state captcha's are plugins, some just simply don't know how to install them, others might not want to. 3.1 will make life easier to install more plugins then just captchas, with hooks and stuff, but the issue with mods/plugins is you're in the hands of the original developer of that mod/plugin. If they decide to move on for whatever reason, unless it's an insanely popular or lucky mod, it most likely will remain abandoned.

Thus, phpBB should have other built in AntiSpam countermeasures. Some examples to build into phpBB is StopForumSpam.com integration, Project Honey Pot, Akismet, and maybe even other resources that doesn't rely on a third part service such as a "Spam Words" system. StopForumSpam can even be used without an API key, but I think it would be nice if it was used in phpBB to, out of curtosy toward the project, require an API key for submitting spam posts since they only way SFS can work is if people submit spam posts to the DB. Also SFS will be requiring you submit the actual posts (Called evidence iirc) since the system was abused earlier with false submissions.

Q&A captcha is nice but requires effort in making questions, and ensuring that their working. I found in the past I had to keep tweaking the questions to keep it working. Then there is reCaptcha, which, IMO, totally useless. Sure it helps a bit, but doesn't do an insanely good job. Then of course, all the default captchas built into phpBB are also useless, that's to be expected. phpBB being a popular BB system as it is, someone is gonna be trying to get through it's captchas, so I don't think it would be wise to make another captcha again just to have it broke again.

phpBB does have a DNSBL built in but to use it to prevent spam as-is is almost useless. Big chances of false positives.

So basically some additional antispam countermeasures under the hood of phpBB would be really nice to have, so that most board owners can cut back on spam posts out of the box without additional plugins, mods etc.

[brunoais]

One of the ideas behind phpBB is that each phpBB installation must not, by default, require any external access.
In StopForumSpam case, if you don't have allow_url_fopen turned on or curl available, how do you contact with the outside world? You cannot require something like that in the forum system, at least, set by default. We could, however, create such option in the ACP.

I could try to comment the other options but I can't or they fall down the the StopForumSpam case.

[callumacrae]

One of the ideas behind phpBB is that each phpBB installation must not, by default, require any external access.
In StopForumSpam case, if you don't have allow_url_fopen turned on or curl available, how do you contact with the outside world? You cannot require something like that in the forum system, at least, set by default. We could, however, create such option in the ACP.

I could try to comment the other options but I can't or they fall down the the StopForumSpam case.

There is already a DNSBL check built in, so that argument isn't really valid

[jsebean]

One of the ideas behind phpBB is that each phpBB installation must not, by default, require any external access.
In StopForumSpam case, if you don't have allow_url_fopen turned on or curl available, how do you contact with the outside world? You cannot require something like that in the forum system, at least, set by default. We could, however, create such option in the ACP.

I could try to comment the other options but I can't or they fall down the the StopForumSpam case.

There is already a DNSBL check built in, so that argument isn't really valid

Agreed. Also, anything that calls onto an outside source, such as SFS, should be disabled by default, for obvious reasons. And of coruse, Spam Words system would be disabled by default as well since you'd need to collect some words. I'm just saying options like this should be available for those having spam issues, then it would be maintained by the team and users will be sure they have some options available that will stick around.

[MartinTruckenbrodt]

Hello Jonah,
the new Advanced Block MOD 1.1.0 for Olympus offers the features you are requesting.
It offers plug-in systems for HTTP blacklists (at the moment included: Stop Forum Spam, BotScout, Akismet, Project Honey Pot), IP-RBL DNS blacklists and Domain-RBL DNS blacklists. The weight system is reducing the risc of false positives very successfully.
My experience of more than three years of discussion is that phpBB developers don't want to have these features improved or included. Their only argument is the risc of false positives. In past some people ment this would decrease the board performance.
I don't understand their arguments. The whole world is using blacklists to prevent email spam, bad web content, blog spam (e.g. wordpress), forum spam and so on. Only phpBB is thinking this would bring the evil into the core.

One important argument pro the use of blacklists: It's the only one really successfull feature to prevent human spammers whom are registering and posting manually.

Bye Martin

[Senky]

HTTP blacklists are ok, however they require registration, don't they? At least Akismet do, what about the others.

The main point of phpBB team is to include anti-spam not requiring... But there is an important question: if Wordpress can offer Akismet to the users as default, why phpBB not? Nowadays, no absolutelly free anti-spams are as effective as registration-requiring ones (reCaptcha, Akismet, ...)...

[callumacrae]

Akismet isn't free for commercial use, and they prompt people to pay why they want also. Akismet is *extremely* accurate, while the free HTTP blacklists that don't require registration tend to be a bit rubbish.

[MartinTruckenbrodt]

Hello,
in this point there are three types of HTTP blacklists:

1. free, no registration and key required for checking, but registration and key required for reporting new spam - e.g. Stop Forum Spam
2. free, but registration and key required for checking, too - e.g. Project Honey Pot
3. non-free, but they are offering free editions, too - sometimes there are restrictions, e.g. in the number of free requests per day - registration and key required - e.g. BotScout or Akismet

@Callum: Please give us a source for your statement about the difference in the quality of the different HTTP blacklists you are writing about several times. It seems you haven't tested it or compared yourself. So please give us an external source.

Bye Martin

[bonelifer]

It should be noted that BotScout steals it's data from SFS, and therefore why would anyone pay for them!?!?!?

[MartinTruckenbrodt]

Hello bonelifer,
I'm using BotScout for free.

Bye Martin