Man, the spambots almost killed our forums this year, too. I'll have to ask Terry what he ended up doing exactly, but he installed a couple of mods on our phpBB board that have helped out a lot. One requires the entry of an invitation code in order to register, which he posted in plain view at the top of the forum. Real people can read it, but not the bots. He also installed a mod that allows us admins to delete more that one account at a time, which was a real time saver.

A quickie fix that we found to contain spam posts, was to make a section that has the word "general" in it. 99 of spam posts ended up there (which you can then use to create an IP ban). It doesn't stop the spam accounts, though.

Good luck -- I know it's lame.
 

This is why I left phpBB and ponied up the big bucks for vBulletin. One or two spam attacks a month now, and it's got lots of cute features. Not worth the money, but the lack of spammers is!
 

I can't recall what or where exactly, but Shamus Young of Twenty-sided claimed that he did something that cut his spam from 1000 per month down to 1 per month. I think it was in one of the DM of the Ring commentaries.

You should ask him.
 

Scott - I'll look into that invitation code idea. That's a clever idea. If you hear anything else, please let me know.

Hamumu: Why is VBulletin better for preventing spammers than phpBB?

Fortunately the pace has slackened - I haven't gotten any more since posting - but it's pretty dang annoying.
 

I think you can't get the source to Vbulletin without paying for it, so that's all you need to know. Hackers don't pay, so reverse-engineering ways to get in is a whole lot tougher. Apparently its captcha must not be hacked yet either, which phpBB's is (I think). Spambots troll the web looking for telltale signs of a phpbb forum, and then hop right in. It's an entirely automated process. I think spamming vBulletin requires a true manual signup. I notice whenever I get spammed, it's an account that was created a long time before.

I don't know, I just speculate. But the fact I do have is that my spam problem which had become epic (epic enough for me to say $150/yr was okay!) is now all but gone.
 

I'd recommend adding the captcha mod. It is pretty simple (~3 minutes) and after adding it my spam went from dozens of spam posts a day to 0. On all 4 forums I applied it to. For 6 months and counting. All phpBB, no spam.

http://www.phpbb.com/community/viewtopic.php?f=16&t=344831&st=0&sk=t&sd=a&start=0
 

unfortunately when it comes to spam, building a better mouse trap leads to smarter mice.

"gold farming" and "power leveling" are viable income sources for some people in 3rd world countries. So is captcha translation.

Applications exist now that take a captcha images, stamp them with an id and place them on a queue which then gets picked up and displayed on the screen for some poor guy to "translate" into machine readable ascii. When he submits the answer "dvdzmytl" (or whatever) the system that submitted the captcha image gets a callback and presto, the spambot army marches on.
 

I also found this valuable little site:

http://www.phpbb-security.com/

Nice automated test for vulnerabilities. I doubt it's perfect, but I appreciated the information.
 

Russell:

That link isn't working for me. Can you email it to me?

jayb

at rampantgames dot com would be awesome. Thank you!
 

Your Captcha is total crap; all I'd have to do to subvert it is crank the contrast way up and run OCR on the text there. There's no distortion, and the fuzz there will be filtered out no problem with any decent captcha-attack OCR application.

There are pre-packaged captcha-beating scripts for spammers that can do that in the blink of an eye.

Maybe you can pick up a better piece of Captcha software (or hack the PHP to ask a human-answerable question) because this one is amateur grade for sure.
 

Yeah, the Captcha that I have is the default one that comes with the phpBB installation. It's clear that upgrading it is one of my top priorities.
 

I just installed a new captcha system. Hopefully that will stem the tide a little bit...
 

captcha is useless to prevent spammers from registering.

what realy makes the difference, is having one non-standard fields, that the bots will fail to compile.

i had a mod which allowed me to ask a question with a fixed answer (such as "What is the capital of Italy"?)

bots didn't fill the field, and couldn't register.


yesterday i've installed phpBB3, so i'm stick with that captcha until a new mod comes out, i guess, but i suppose it hasn't been broken yet