How to Stop Spam On phpBB Forums

February 2009 Update: it seems that this page got very popular, and it’s not surprising: the method described here is simple and really works. Unfortunately due to the large number of help requests I am getting, I can’t provide you personal assistance in implementing the solution described. If you would like one of my developers to implement this solution on your forum, feel free to contact us at Stop Forum Spam Now and we will be glad to help you.

I am running several phpBB-based forums, and they all started receiving serious amounts of spam recently. Excepts for the daisys slots where the security made is very precise that no spammers can ruin the game. It was proven plenty of times! It seems that the spammers are now able to break the captcha in the registration and even pass the e-mail activation. I found a very simple solution for this. I read something about what is malware to avoid attacks. And from that moment on – the spam stopped.

The idea is to ask the spam bot a question which it does not expect, but it will be no problem for the users to answer. I’ve added to the registration form the question “How much is 5+2 ?”. Most of the new forum members were able to answer it on the first attempt. But spam bots had no clue.

So until someone bothers to write a spam bot specifically for my forums – I am okay. When it happens, I’ll just change the question. It can be many things: “What was the color of the white horse of Hammurabi?” or “How long did the six-day war lasted?” and so on. You got the point.

Here is how to do it.

In the template directory, edit profile_add_body.tpl, and add a new row the the form:

<tr>
    <td class="row1"><span class="gen">How much is 5+2 *</span></td>
    <td class="row2">
        <input type="text" class="post" style="width: 200px" name="math_question" size="6" maxlength="6" value="" />
    </td>
</tr>

Browse to the registration page on your forum to see that it looks right.

In includes/usercp_register.php, look around line 260, and add the condition that checks if the question was answered properly:

    else if ( $mode == 'register' )
    {
        if ( empty($username) || empty($new_password) || empty($password_confirm) || empty($email) )
        {
            $error = TRUE;
            $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $lang['Fields_empty'];
        };

        if (!isset($_POST['math_question']) || $_POST['math_question'] != '7') {
            $error = TRUE;
            $error_msg .= (isset($error_msg) ? '<br/>' : '') . "Incorrect answer to the mathematical question...";
        }
    }
This entry was posted in howto. Bookmark the permalink.

174 Responses to How to Stop Spam On phpBB Forums

  1. DM says:

    Thanks for this. I am beyond appreciative for this effort and am so lucky to have found this today.

    I had a hard time figuring out how to modify the includes/… file but once I figured that out, it seems to be working perfectly. I deleted over 250 fake registrants in the past several days – over the past year and a half I can’t even imagine the hours I’ve spent deleting them all.

    Death to spammers.

    D

  2. WxWitch says:

    Thanks so much!! This is just fantastic and saves me a lot of crap!! Again thanks.

    WxWitch

  3. dudemjk says:

    Thanks alot, I really appreciate it.

  4. Kev says:

    Excellent script thank you! Included it and tested it without any problems. Have been hit by spam users ever since I set the forum up and was getting in excess of 20 ‘new’ members a day! So far I haven’t had any spammers since I integrated your script!

  5. Michael says:

    Hi,

    I can’t edit the profile section either. It reports that the maths question aint answered but I don’t see it anywhere on the profile page.

    The rest of the soloution is working superbly 🙂

    Anyone have any ideas about the profile section?

  6. Matt says:

    I’m in the same boat with the profile issue – if you submit changes to your profile an error comes up saying you haven’t answered the question, even though the question isn’t displayed anywhere!

    Anyone know how to either disable the spam filter on the profile page or make the question appear on the profile page?

  7. ethan says:

    Thank you very much. my forums are @ http://www.secfootballblogger.com/forums/ . Now I do not have to worry about spam and porn on my forums. this idea was simply genius. Thank again.

  8. Ross says:

    This approach saved my Forum. I was getting so many spambot members that I spend most of my time deleting them. Since I added this question, no spambot members. Thanks!!!!!

  9. imer d says:

    hi, i have php nuke in my site and , i was looking for an antispam , i and i came here, when i read , the aritmetic question , y said “is a good idea” but , what if we insert a picture or any letter with a diferent color , o think the spam have no eyes to see the color o the picture, example ¨WHAT COLOR IS THIS(color text)? or WHAT DO YOU SEE IN THE PICTURE(PICTURE)?

    do you think is a good idea?

    sorry about my english

  10. Pacific says:

    Well, this is great stopper for email registrations, but I am still getting about 5 postings/day from the spammers.

    How do I stop them from making comments if they are not registrered? They have a name, but are listed as a guest.

    I seem to missing a (“radio”) button somewhere that allows comments with or without registration. Or else they are bypassing a checkpoint somehow.

    Thanks for your help!

    Pacific

  11. Brassard says:

    I am trying this out on my Safety Forum, (BrassardSecurity.com)
    Thank you for the post!
    I’ll let you know how it works out for me.

    Ken

  12. Brassard says:

    Twenty-four hours now and not one spam post or account.

    Seems to work GREAT !!!

    Thanks !!!!!!!!!!!

    Ken

  13. Anthony says:

    I have been reading up on several ways to prevent spambots from spamming web forms. I came up with a simple technique that doesn’t use image validation but simple number validation. Each time a user enters my form, I generate a unique ID and a 5-7 digit number code. I save this unique ID to a database and its associated number code. When the form is submitted, if hidden field unique ID is the same and number code that you typed is correct then it submits the info and deletes the record, otherwise it will assume spam and not submit info. Again, it can be broken but that come into how complex I display the 5-7 digit code.
    ATK Contact Form is an example. So far it has worked!
    ATK Solutions

  14. Shevie says:

    Samet, you totally rock. Bless your heart. We’ve held up launching our smoking cessation support website because of the spambot issue.

    Tried changing the folder from “forum” to something else. That failed, of course. Found a photo verification MOD on both phpBB and phpBBhacks web sites. Tried to implement it, but could not find where to place some of the code and questions on both forums went unanswered (’cause nobody knew the answer?). Neither my wife or I know php and were feeling quite frustrated and generally PO’d at the so-called experts.

    Tonight she found this blog and our site is ready to launch. Took about 10 minutes to make the changes and test them out. You know, the simplest solutions are the most elusive.

    I really like Varmint’s idea of using an all word question and answer, too.

    Bless your heart, Samet. Thank you very much.
    Shevlin Ryan
    Co-Owner/Co-Adminstrator
    Wholistiquit.com

  15. Dee says:

    How do I access the templates you mentioned? I use phpbb1

  16. Shevie says:

    Hi, Dee. I just dropped by to add more praises and saw your post. I hope you haven’t given up and are still checking for answers.

    Download the 2 files and use Notepad or any other TEXT editor to make the edits. I use Notepad++, a freeware program.

    It’s now 11 days and not one spambot registration. A friend registered and it went smooth & easy. 🙂

    I’m totally sold on this.

    Shevie

  17. Asma says:

    Hi,

    I run an automobile forum using phpBB. Spamming was off the hook. Around 20 registration per day and nasty posts. Looked for solution for ever on google. with no luck i tried this myself and reduced spamming 99 % for phpBB. Adding to what Mike at the top does this solution has few more steps. Check it out at http://appleicase.com/board.htm

    Cheers

  18. You are the man!

    I just started my forum a week ago and got hit right away.

    Your fix works like a charm and very easy to do!

    I’m definately going to give you some link love.

    How did you get it to work for your blog comments?

    I run my own wordpress blog. Check it out!

    Thanks

  19. Winston says:

    Where in the profile_add_body.tpl file do I insert the paragraph:


    How much is 5+2 *

    And WHY hasn’t any of the other hundred people here asked this question already? It should be the most obvious and fundamental question that should have been asked first. Shouldn’t you tell someone WHERE they should insert something in a file?

    Thanks,
    W
    http://www.happierabroad.com

  20. Winston says:

    Where in the profile_add_body.tpl file do I insert the paragraph:

    How much is 5+2 *

    And WHY hasn’t any of the other hundred people here asked this question already? It should be the most obvious and fundamental question that should have been asked first. Shouldn’t you tell someone WHERE they should insert something in a file?

    Thanks,
    W
    http://www.happierabroad.com

  21. Shevie says:

    You put it where you desire the question to show up. In my case, I wanted it to be just before code for the CAPTCHA visual confirmation box.

    It is inserted directly above:


    which about line 58, or so.

    You can see what it looks like at http://wholistiquit.com/forum/

    Shevie

  22. brassard says:

    Put it around line 60.
    Here is the code around that area from MY site, to help you locate where to put it in YOUR site.
    Hope this helps.

    Ken

    {L_NEW_PASSWORD}: *
    {L_PASSWORD_IF_CHANGED}

    {L_CONFIRM_PASSWORD}: *
    {L_PASSWORD_CONFIRM_IF_CHANGED}


    How much is 5+2 *

    {L_CONFIRM_CODE_IMPAIRED}{CONFIRM_IMG}

    {L_CONFIRM_CODE}: * {L_CONFIRM_CODE_EXPLAIN}

  23. brassard says:

    Sorry, but the code got taken out in my earlier post.
    Again, around Line 60 you should see where it goes then test the page to see ifm it’s where you want it.

  24. Shevie says:

    Apparently I can’t just copy code to these comments.

    It goes in directly above two comment lines that mark the beginning of the CAPTCHA code. One says “Visual Confirmation”, the next one says “BEGIN switch_confirm”. That will place the question on top of the CAPTCHA box.

    I also changed the numbers just in case some smart-a$$ed spammer reads this thread and thinks to get around it. You can make the question anything you want, you just have to make the accommodation for the right response in the includes/usercp_register.php file.

    Shevie

  25. Winston says:

    Ok I finally got it to work. I think it’s better to put the “how much is 5+2” question at the top of the registration page though, right above the “Username” field, rather than the bottom, so that human users will be likely to see it and not skip it.

  26. Winston says:

    One more question. If I wanted to let the system accept both “7” and “seven” as the correct answer, how would I do that? In the second code, would I put — = ‘7’ or ‘seven’ — ?

    And if I wanted to change the question to something else, how would I do that exactly?

    Thanks,
    WuMaster
    http://www.happierabroad.com

  27. Shevie says:

    You should be able to OR in another response for ‘seven’.

    Make sure to pay attention to the closing parenthesis for the if statement.

    If you want to change the question, change the ‘7’ to ‘whatever’.

    Shevie

  28. Shevie says:

    OK, one more try at posting code here.

    if (!isset($_POST['math_question']) || $_POST['math_question'] != '7' || $_POST['math_question'] != 'seven')

  29. Shevie says:

    Ah, so that’s how it’s done 🙂

  30. Nadav Samet says:

    Actually, you probably meant:

    if (!isset($_POST['math_question']) || ($_POST['math_question'] != '7' && $_POST['math_question'] != 'seven'))

    (as the condition you suggested will always evaluate to True)

  31. Shevie says:

    Oops. Yep. Boolean bites me from time to time.

    Thanks.

  32. Dee says:

    I can’t seem to make mine to work. Even when I typed in the wrong answer I managed to register. The second part of the code I inserted in line 260 exactly of usercrp register php. Am I doing the right thing? I swear a few days ago I tested it and it worked. It refused to register and said I had given the wrong code. But I was still getting the usual spambots so I decided to test again and found out it is not working anymore.

  33. Dee says:

    It’s me again. I just tried to register without answering the maths question and managed to register even though there is an asterisk to say the field must be filled. Obviously I am not doing something right here. When I checked into Admin index I could see about 50 guests online all of the same IP address!!! Guests are not allowed to read or post but I can stil see them in my admin index as being online browsing my forum. Can someone please enlighten me on this?

  34. Shevie says:

    Hi, Dee. I just checked mine and I must put the right answer in or I get an error. A wrong answer or no answer will fault the registration process. Something must have changed. Did you add any mods or upgrades or restore from a backup?

  35. Dee says:

    Yes I recently updated from 2.0.21 to 2.0.23

  36. Shevie says:

    Since the question is apparently showing as it should, then I’d look at the includes/usercp_register.php file to see if that file’s part in this was mod’d correctly. That’s where the user input is taken and processed.

  37. I’m sorry to tell you but this doesn’t really work anymore 😛
    The spam seem to be too advanced or something. On my forum i added the above script (tested n working) while i already had visual & email verification enabled for the registration process.
    Those god damned spambots kept registering and posting in the usual rates! :/

    Btw those rates have been very highly increased since a month or something ago. I have an average of around 50 new registrations per day!!!!!!!!!! Fortunately not all of the spambots post, cause in that case i would be f**k*d!

    So… any more help?;P

  38. Shevie says:

    I have had one bogus registration since I installed this the end of January this year. Before that I was getting an average of about 5 per day.

    You can change the formula and answer, which is what I did, or you can require a text answer to the formula, or you can really mix it up as Varmint suggested (If red riding hood wore a blue hood, what color hood would red riding hood be wearing?).

    What I’d really like to see is a box where the applicant must fill out why they desire to join my site and that information sent in the registration request e-mail I receive. Unfortunately, I haven’t seen a mod that will do that.

  39. so what u suggest is that i change the question? ok, i’ll try that and may god help me ;P

  40. shevie says:

    I had suggested something like “If you are in Denver, what state are you in?”, but then it occurred to me that there are many who may not know the answer, even people here in the US (maybe even in Colorado). And, of course, there is the spelling issue.

    That’s what’s nice about Varmint’s suggestion, the correct answer is in the question. However, a slick programmer could code an intelligent enough program to extract it.

    There is a suggestion on another board to reject any registrations that are submitted if the selected time zone is GMT – 12 because that is the middle of an ocean where nobody lives. The explanation says that bots tend to take the first selection in a drop-down and that is the first time zone selection. Easy enough for another slick programmer to get around, though.

    Maybe something like “What is this rock we are on? Has h in it.” Answer, of course, is earth. I do believe that would be hard to anticipate and code for.

  41. Freethinker says:

    This is awesome, dOOd THANKX a Zillion! installed
    like butta….now we shall see the final test, NO FLIPPIN BOTS signing up….

    Much <3

  42. Snomon says:

    This worked beautifully (ran for a month) until yesterday and today. Looks like I need to rotate the math question or change it to text form like this blog (t w o + f o u r) and make the answer in text form (six). That should stop them for a while!

  43. kaheli says:

    Thanks!! I have a friend who runs a forum for a band and she was overcome by spammers. As the forum is run off of my website, I used the code and it works great 😀 I did the math in text form, as suggested by the later posts. Thanks again!!

  44. Mike says:

    Sweet This worked ALMOST perfect… Had to rearrange where you put it and remove some things, but it works perfect.

  45. Rabastan says:

    This would be great for my website, as our members are becoming very offended. Is there anyway you could give me instructions on how to implement this into a phpNuke site?

    Rab
    PS I am willing to beg if needed

  46. cajuns says:

    I have been using this fix on my forum for quite a while now, and it’s worked great, thanks! Recently I had some bots starting to come back, I just changed the question and answer, works wonderful, thanks so much again!

  47. Pacific says:

    This is a great idea for the Registration, but I have bots that post on my forum that bypass the registration process.

    I have the setting “do not allow postings without registration” checked, (no anonymous postings)

  48. cajuns says:

    Did you double check all of your categories to make sure they all were set to “do not allow postings without registration” ? I know I had missed a few, and that is how some bots on my forum were posting without registering.

  49. Chevy says:

    Help!!!! I updated the profile_ad… file no problem, i figured out where i wanted the question to go and bang it was great.

    Now onto the second part of this mod.the usercp_… part

    as soon as i added the script into like 260 and uploaded back to my server it went coocoo.

    Now when i open my regi-page its all the code, and i dunno what to do now,
    i have undo done the changes and reuploaded the file, but still it has the same damn issuse.

    HEEEEEEEEEEEEEEELLLP
    thanks.

  50. Chevy says:

    okay so i found out i needed a php editor.
    so now here is the next issue
    Parse error: syntax error, unexpected T_ELSE in /mnt/w0301/d12/s14/b02d048b/www/twistedmuscle/twistedmuscle/forum/includes/usercp_register.php on line 260

    now can someone help me