securing a phpbb forum

eurotrotter · 09-06-2009 11:24am #1

hey gang

hope yer all well

i set up a forum website there recently and it came into a spot of bother with a lot of material of a certain nature being posted on it- yes u guessed it PORN!

unreal stuff altogether, so bad i had to disable the forum, until after my exams, so now that my exams are finished im looking at trying to resolve this issue, but i dunno where to start

its a phpbb forum, how does one go about protecting such a site

thanks very much
ed

http://freefreefree.ie/

Eoin · 09-06-2009 1:59pm

Was it just bots posting spam links on the forum, or was the site actually hacked? If it's the latter, then set the forum so admins have to approve new memberships, and also look at using captcha in your sign-up page.

eurotrotter · 09-06-2009 2:03pm

eoin wrote: »

Was it just bots posting spam links on the forum, or was the site actually hacked? If it's the latter, then set the forum so admins have to approve new memberships, and also look at using captcha in your sign-up page.

wats captcha?

nice one for the advice

Eoin · 09-06-2009 2:18pm

Captcha is when you are shown an image of numbers and/or letters and you have to enter them into a textbox. It stops a good few spambots.

Another simple method which seems to work is to create a textarea that is invisible to the user, so they can't enter anything into it. However, spam bots tend to populate every form field. Therefore if you get a signup that has entered something there, you can assume it's a bot so you ignore it.

I don't know PHP, but it would be the equivalent of this:

If Request.Form("txtRandomNameHere") = "" Then
     ' probably not a bot, register user
Else
     ' value entered, so probably a bot. Do not process registration
End If

lostprophetsie · 12-06-2009 3:12pm

I had the exact same problem even after enabling captcha which is included with PHPbb, tried then setting the option of approving users which did work but its very easy to miss a genuine member when you have 30-40 spam addresses signing up each day.

Eoin · 12-06-2009 3:17pm

Try the hidden field idea, it's supposed to be quite efficient. You'd need to be comfortable enough editing the PHP files though.

jhegarty · 12-06-2009 3:18pm

Another option is to force approval of a users first post.

bigbadcon · 12-06-2009 3:35pm

If you were to display a simple addition question on your form instead of Captcha with 2 randomly generated numbers would that stop bots?

Eg

random number 1 + random number 2 = User input

Can bots tell whether your looking for a numeric value or alphanumeric??

Deliverance XXV · 12-06-2009 4:51pm

On one of my forums I have no spam registrations in the last month opposed to 10+ a day.

Changes I made were...

Users now have to verify their email address.

Installed advanced captcha plugin (Different & changeable backgrounds for the captcha to make it harder on bots registering). Cant remember proper name but if someone wants a link I'm sure I can rustle it up.

Hope this helps

Hydrosylator · 12-06-2009 4:56pm

Captcha's are the best in my experience.
I tried having sums and other questions, and it never made a huge difference.

This was using phpBB2, with Anti-spam ACP.

You can use something like Bad Behavior to stop spammers from even getting to the registration page. I had a big a problem with spammer registration as spammer posts. You'd be amazed how quickly a database can become unusable.

From what I've seen, phpBB3 is a big step-up in anti-spam measures.
Even with that though, you just can't rely on automated spam control.
If you have a forum you want to be checking it five times a week, every time you get spam:

block the spammers name
block the spammers email
block the spammers ip number
delete the spam and the account, of course

If you want to be really draconian, limit the IP ranges allowed to post on the forums. It looks like you want to have a site for people giving away free stuff in Ireland, so you could limit the IP range to allow Ireland, Britain, and a few other western EU countries. That would, based on my experience, eradicate almost all spam.

Sadly it's not as easy as it sounds, you have to find out the ip ranges used by each country you want to allow or block, and they're not as coherent or sequential as you'd hope.

Also you would be stinging genuine people abroad who wish to use the site. If you think your business model can handle that for now though, it might be what's right for you.

That said, I do believe that good forum monitoring is the most important solution.

eurotrotter · 17-06-2009 7:23am

hey gang

thanks amillion for all teh replies

im gonna enable captcha, but dont have a clue where it is on the admin panel

can someone plz guide me in the right direction

thanks v much
ed

Sully · 17-06-2009 9:00am

The phpBB captcha isnt effective from what I read, there are extensions for phpBB which improve the security of this. Id ask in a phpBB Support Forum or do some googling. Iv moved away from all the free BBs are there not great tbh and with spam bots on the rise its harder to keep them abay on a free forum.

lostprophetsie · 17-06-2009 7:50pm

From what I remember it is just in the General Board Settings under the Admin panel but as Sully was saying, it really isn't much use I had just as much spam after enabling the captcha feature.

securing a phpbb forum

Comments