A trick for keeping spambots off the forum

AndySlater
Above Average
Posts: 31
Joined: Wed Nov 29, 2006 5:38 pm

Post by AndySlater »

I've noticed that we tend to get quite a number of spams on this forum that are so stupid they just have to be bots.

I run a forum for wargames terrain called TerraGenesis and although it isn't entirely problem free we don't get any of these. There are a number of reasons for that and some of them may not be appropriate here; however, I saw a relatively simple solution to this a while back:

For a bot to make these kinds of posts it has to:

1. Register for the forum.

2. Respond to the email verification.

3. Make the post.

Although this might seem fairly sophisticated, it's not, because the bot is looking for phpBB forums and they all work the same...

...or do they? :D

The solution I spoke of is to add a 'question' to the registration form, along the lines of: In order to confirm that you are a human as opposed to a spambot, please type the phrase "I am human" into the box below.

The contents of that box then need to be checked by the code that processes it. Now that the registration form is no longer a standard phpBB registration form, the bots are screwed.
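
The server-side check described in the post above, as an added example that is not part of the original post and is not phpBB code; the field name `human_check` and the function `check_registration` are hypothetical. The check sits in the script that processes the submission, so a request that skips the form and omits the field is rejected too.

```php
<?php
// Added illustration, not phpBB code. 'human_check' and check_registration()
// are hypothetical names chosen for this example.

const EXPECTED_PHRASE = 'i am human';

/**
 * Validate a registration submission inside the script that creates the
 * account. Returns a list of error strings; an empty list means "accept".
 */
function check_registration(array $post): array
{
    // A client replaying the stock field set never sends this field.
    $answer = $post['human_check'] ?? null;

    // Reject a missing field and non-string input such as human_check[]=x.
    if (!is_string($answer)) {
        return ['challenge field missing'];
    }

    // Tolerate what a person might type: extra spaces, quotes, mixed case.
    $collapsed  = preg_replace('/\s+/', ' ', $answer);
    $normalised = strtolower(trim((string) $collapsed, " \t\n\r\"'"));

    return $normalised === EXPECTED_PHRASE ? [] : ['challenge answer wrong'];
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human'         => ['username' => 'alice', 'email' => 'alice@example.org',
                        'human_check' => ' "I am  Human" '],
    'stock fields'  => ['username' => 'x1', 'email' => 'x1@example.org'],
    'array value'   => ['username' => 'x2', 'email' => 'x2@example.org',
                        'human_check' => ['I am human']],
    'wrong answer'  => ['username' => 'x3', 'email' => 'x3@example.org',
                        'human_check' => 'cheap watches'],
];

foreach ($samples as $label => $post) {
    $errors = check_registration($post);
    printf("%-13s %s\n", $label,
        $errors ? 'REJECT: ' . implode(', ', $errors) : 'accept');
}
```

A fixed phrase only filters clients written against the unmodified form; it does not authenticate anyone.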
Wolfwood
---- E L I T E ----
Posts: 735
Joined: Wed Mar 29, 2006 9:53 am
Location: Finland

Post by Wolfwood »

Nah, most bots don't bother with registration forms at all. They write directly to the scripts that update the member list (skipping over the registration form entirely). There are a lot of mods that add verification stuff to the forms, but they only worked until the bots became smarter... :(
Author of Tales from the Frontier - official Elite 4 anthology.
Author of Marcan Rayger adventures - unofficial fan-fic novellas set in the Frontier universe.
Ulli
Above Average
Posts: 22
Joined: Sun Nov 12, 2006 7:42 pm
Location: Northern Germany

Post by Ulli »

Ouch, that sounds like an awful awful AWFUL piece of software, that doesn't bother to actually authenticate users.

PHP has always seemed like a really crappy language to me, but if users write totally insecure applications in it, that's even worse.

Never expose any part of a web app without authentication, and that's not hard to do for a programmer (one check for the session cookie, or for HTTP authentication).

Well, brave new world.
JensAyton
Grand Admiral Emeritus
Posts: 6657
Joined: Sat Apr 02, 2005 2:43 pm
Location: Sweden

Post by JensAyton »

Ulli wrote:
> Ouch, that sounds like an awful awful AWFUL piece of software, that doesn't bother to actually authenticate users.
>
> PHP has always seemed like a really crappy language to me, but if users write totally insecure applications in it, that's even worse.

PhpBB is infamously bad in this respect. Most plug-ins are worse.
AndySlater
Above Average
Posts: 31
Joined: Wed Nov 29, 2006 5:38 pm

Post by AndySlater »

Wolfwood wrote:
> Nah, most bots don't bother with registration forms at all. They write directly to the scripts that update the member list (skipping over the registration form entirely). There are a lot of mods that add verification stuff to the forms, but they only worked until the bots became smarter... :(

I'd be surprised if that's the case because there's an awful lot of stuff in phpBB to prevent the code from being hijacked; however, if you are right, the solution is even easier: just change the name of the script and the legitimate calls to it from the phpBB code. Any bot designed to attack a standard phpBB forum will no longer be able to find it.

Bots may have become 'smarter' but they are still dumb-ass programs written by jerks who would have less time on their hands to write them if they were smart enough to write useful code. ;-)