Decrease spam attacks on phpBB

Postby jppi on Mon May 14, 2007 1:43 am

Inspired by a couple things I've seen or read about elsewhere, I added some code to MyVidsRock.com, which also uses phpBB, to try to deflect automated spam registrations.  I have that site set up to not allow posting until I have manually enabled it for each user (and thus I've never had any message spam), but I still needed to go in and delete several spam accounts every day.  In the first day following installation of this custom code, not one new spam account has been created, and I can tell that half a dozen spam registration attempts were blocked (thanks to the link tracking provided by simurl.com).

The code shown below is not exactly what I used, for security reasons, but it's close enough that I believe it should work directly, or with minimal tweaking.

In .../templates/subSilver/profile_add_body.tpl, add two new form fields.  One is an intelligence test (not to make sure users are smart, just to make sure they have human intelligence, meaning "they" aren't a script), the other is a hidden field.  For example, find:
Code:
<!-- BEGIN switch_confirm -->

...and after it add:
Code:
<tr>
     <td class="row1"><span class="gen">The opposite of hot is: *</span></td>
     <td class="row2"><input type="text" name="humanCheck" size="25" maxlength="50" class="post" style="width:200px" /><input type="hidden" name="hidden_required_field" value="" /></td>
   </tr>

Of course, you can extract the strings there to the language file if you feel that is necessary.  Next, in .../includes/usercp_register.php, add code to handle the new fields when the script is handling a new registration.  For example, find:
Code:
if ( isset($HTTP_POST_VARS['submit']) )

...and a few lines below it, after the session ID check, insert:
Code:
   if ( $mode != 'editprofile' )
   {
      // Two custom fields for trying to stop spammer registration, let's see if this works...
      // hidden_required_field must be blank, contrary to the implication of the name
      // humanCheck must contain the word "cold" (case-insensitive and ignoring trailing spaces or punctuation)
      $hidden_not_empty = ((isset($HTTP_POST_VARS['hidden_required_field'])) && ($HTTP_POST_VARS['hidden_required_field'] != ''));
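      // A request that omits humanCheck entirely counts as a wrong answer (avoids reading an unset index)
      $human_check = isset($HTTP_POST_VARS['humanCheck']) ? $HTTP_POST_VARS['humanCheck'] : '';
      $answer_not_cold = (strtoupper(substr($human_check,0,4)) != 'COLD');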
      if ($hidden_not_empty || $answer_not_cold)
      {
         // Didn't get those fields right.  Send them somewhere else...
         header ("Location: http://one.revver.com/watch/52410/flv/affiliate/7340");
         exit();
      }
   // Back to phpBB, already in progress...
   }

Re: Decrease spam attacks on phpBB

Postby kconnors on Mon May 14, 2007 11:17 pm

Like you said, anything that helps having to chase down these spamming clowns to ban and delete their user names. Thanks Stuart, you rule.

Kevin
Check out my  photo portfolio

Re: Decrease spam attacks on phpBB

Postby jppi on Fri Jun 29, 2007 2:03 pm

I think the most valuable part is having a hidden form field that must remain unfilled, because scripts will dump junk into every available field.  (Doing otherwise requires human intelligence to see what fields are really needed and what must be blank, and that defeats the "efficiencies" of scripting the spam)  Since I made this change, I've still not had a single spam registration, and literally hundreds have been deflected.

Considering the amount of spam seen here (and the very graphic nature of the photos that are sometimes embedded, which I'd hate to have my kids exposed to when they're visiting this site), I highly recommend modifying the registration code soon to use the must-be-blank field.

Re: Decrease spam attacks on phpBB

Postby bosela on Fri Jun 29, 2007 2:27 pm

I support Stuart's recommendation 100%.  It seems like a great return on a relatively modest investment.

Re: Decrease spam attacks on phpBB

Postby click on Mon Jul 02, 2007 11:54 am

Great work Stuart! Thanks for sharing!  :D

Lately, I've noticed a huge increase in the number of spam accounts on the mF site that can be 100% confirmed. It's really annoying, too. The latest not only showed up as 3 different Member accounts, but also included 3 different posts in the forums. The message was about how to avoid spammer accounts from happening and linked to the spammer's forum page, with instructions on how to block such things. Even if it was a legitimate offer, it's not a very professional way to advertise.  :roll:

Kevin / Michael: Is the phpBB code, or something similar, going to be implemented on this site?
Kenn
mF Moderator

Re: Decrease spam attacks on phpBB

Postby jppi on Sun Jul 05, 2009 2:52 pm

I should add that the code above was originally written for the older version of phpBB. That approach still works in the new version, but the new version also provides a moderation queue, which allows spam to be posted but nobody (other than moderators) can see it. I've talked with Michael about using the moderation queue, and from what he said about it in a spam-related thread in the general discussion forum, that may happen. The downside to using it is that regular (non-spammer) new users have to wait a bit before their first message(s) appear to the public, and there's some added minor (but ongoing) maintenance to grant those new (valid) users permission to post without that moderation delay.

Re: Decrease spam attacks on phpBB

Postby snowbear on Tue Jul 07, 2009 8:47 pm

It is certainly worth trying. I agree that having a field that can't be auto-filled by a 'bot should help a lot.

I'm guessing that it would not be too much to have 3 or so Q/A pairs that can be randomized (opposite of hot, color of carrots, etc.) for added security.

As long as there is a notice about a member's first post being delayed due to prevention of spam, I wouldn't think there would be many complaints.

Charlie

A black camera, a mid-sized lens, and a tripod.
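
The must-be-blank field from the first post combined with the randomized Q/A pairs suggested above, as an added example that is not code from this thread or from phpBB. It assumes PHP 7.1 or later and uses `$_POST`-style arrays rather than `$HTTP_POST_VARS`; the names `QA_PAIRS`, `CHALLENGE_KEY`, `CHALLENGE_TTL`, `issue_challenge`, `check_registration` and the hidden input `qa_token` are hypothetical, and the third question is constructed.

```php
<?php
// Added example, not phpBB code. QA_PAIRS, CHALLENGE_KEY, CHALLENGE_TTL,
// issue_challenge, check_registration and qa_token are hypothetical names.
const QA_PAIRS = [
    ['The opposite of hot is:', 'cold'],
    ['The color of carrots is:', 'orange'],
    ['The opposite of up is:', 'down'],   // constructed extra pair
];
const CHALLENGE_KEY = 'REPLACE-WITH-A-LONG-RANDOM-SECRET'; // placeholder
const CHALLENGE_TTL = 1800; // seconds a rendered form stays valid

// Called when rendering the form: returns the question text and a signed
// token (question index + issue time) for a hidden input named "qa_token".
function issue_challenge(int $now): array
{
    $idx = random_int(0, count(QA_PAIRS) - 1);
    $payload = $idx . ':' . $now;
    $token = $payload . ':' . hash_hmac('sha256', $payload, CHALLENGE_KEY);
    return ['question' => QA_PAIRS[$idx][0], 'token' => $token];
}

// Called on submit: true only if the honeypot is blank, the token is
// authentic and fresh, and the answer matches the question that was asked.
function check_registration(array $post, int $now): bool
{
    if (($post['hidden_required_field'] ?? '') !== '') {
        return false; // must-be-blank field was filled in
    }
    $parts = explode(':', (string)($post['qa_token'] ?? ''));
    if (count($parts) !== 3) {
        return false; // token missing or malformed
    }
    [$idx, $issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $idx . ':' . $issued, CHALLENGE_KEY);
    if (!hash_equals($expected, $mac)) {
        return false; // token altered, so the question index cannot be trusted
    }
    if (!ctype_digit($issued) || $now - (int)$issued > CHALLENGE_TTL) {
        return false; // form was rendered too long ago
    }
    // Normalise the answer: lower-case and keep letters only.
    $answer = preg_replace('/[^a-z]/', '', strtolower((string)($post['humanCheck'] ?? '')));
    return $answer === QA_PAIRS[(int)$idx][1];
}
```

Signing the question index lets the server know which question was shown without keeping session state. The token is not single-use, so the TTL bounds how long one rendered form remains acceptable.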