PHPBB Anti-spam Registration Question

Saturday, April 21. 2007

PHPBB Anti-spam Registration Question

If you are not comfortable installing this on your own, I'll do it for you. If you're using PHPBB 2.0.23 and the SubSilver template, I will install it for $25 via Paypal. (If you're using a different template or need an older site updated to the latest PHPBB, I can do that too, but it will take longer and cost extra). Contact me.

I've been meaning to document this for a while now, and I finally made myself write it up. The simple measure I will describe has been working for my PHPBB website since last December. It has kept spam accounts from registering and posting anything on my site.

This idea involves asking a question during registration that spam bots do not know how to answer. You can choose any question and answer that you want. The website that I run PHPBB on is a sailing website, so I asked a question that sailors could answer. For this example I chose another question.

You have to change two files, templates/(your template)/profile_add_body.tpl and includes/usercp_register.php.

In templates/(your template)/profile_add_body.tpl, add this after the  line (about line number 68):

<!-- BEGIN switch_add_profile -->

<tr> 

  <td class="row1"><span class="gen">Anti-Spam Question:</span></td>

  <td class="row2">

    <span style="font-size: small;">Enter the name Luke Skywalker's

    father. Check your spelling!

    Requiring this question to be answered will hopefully limit

    spammers who try to sign up.</span><br />

    <input type="text" class="post" style="width: 200px"

      name="bonusq" size="25" maxlength="255" value="" />

  </td>

</tr>

<!-- END switch_add_profile -->

In includes/usercp_register.php, add this after else if ( $mode == 'register' ) { (about line number 275):

// mod by MB to require human data to prevent spam bots

if(trim(strtolower($_POST['bonusq']))!='darth vader') {

    $error = TRUE;

    $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) .

      'You did not answer the Anti-Spam question correctly...' .

      'please try again.';

}

// end mod

So there you have it. I'm sure there are some sophisticated PHPBB mods out there that will do the same and more for you, but this simple change has saved me a lot of trouble. I'm keeping my fingers crossed that it will last.

Update 2007-05-23: I omitted one other mod to make this work. You also need to edit your includes/usercp_register.php file. Find the line if ( $mode == 'editprofile' ) (about line number 941) and modify that block to look like this:

if ( $mode == 'editprofile' )

{

  $template->assign_block_vars('switch_edit_profile', array());

} else {

  // Else block is Mod by MB 2006-08-11

  $template->assign_block_vars('switch_add_profile', array());

}

Update 2007-06-24: Several folks wrote in expressing confusion about where these blocks of code belonged. I apologize, and I amended the article to give approximate line numbers where the mods belong. I used PHPBB 2.0.22 as my reference. Note that if you have made other modifications to your PHPBB files, the line numbers might not be quite right.

Update 2007-06-27: Bug fix. See comment #7 below.

Update 2007-09-29: A lot of people have written in having trouble with this modification when it comes to users editing their profile. To avoid problems, I have applied the modification to a new copy of PHPBB 2.0.22 and tested it. I made copies of the modified files and they are available to download. The modification as it appears in this blog post is what I used, and it works fine for me. I did not make any of the other changes from the comments (except the bug fix from June which has already been incorporated into this post).

Update 2008-02-27: The update works just fine for me in PHPBB 2.0.23 as well. Neither profile_add_body.tpl nor usercp_register.php were changed between 2.0.22 and 2.0.23.

Posted by Mike Boone in PHPBB at 13:45 | Comments (33) | Trackbacks (0)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

I've written a script that provides a randomly selected arithmetic problem involving one of four possible common operators. It creates a select list from which the user can select an answer, one of which is the correct answer. This list always varies and the answer is never the one visible. This is applied to registrations and to anonymous posts. A decoy equation is planted in the source code.

Another gadget for registrations varies the name attribute of the username input field. The string starts from a random selection of letters from the alphabet and winds up transformed and converted three different ways before it's finally added to the attribute.

For anonymous posts there is also a widget that replaces the normal message textarea with one that prevent user from pasting content either with the keyboard or with gui menus. This is meant for the human spammers who have no patience for typing when it comes to adding numerous links. Of course, it applies to bulletin boards with policies that allow anonymous posters to post links.

#1 Alan on 2007-04-22 02:24 (Reply)

Thanks it worked!

#2 Brenda on 2007-06-01 11:31 (Reply)

awesome! thanks for this. i've been looking around for an easy-to-follow and concise set of instructions... simple and efffective

#3 bryan (Homepage) on 2007-06-13 04:04 (Reply)

I want to thank you for a great simple fix. I was getting over 100 spam registrations a week before I implemented this on our forum. So far so good - not a single one!

#4 Aaron (Homepage) on 2007-06-16 08:48 (Reply)

Nice, simple and elegant. Thanks for the mod, I've installed it and tested it. Say bye bye spambots

#5 Dallace (Homepage) on 2007-06-23 00:58 (Reply)

I thought the correct answer was Anakin... Or was it Anakin Skywalker?

#6 Dmitry Shechtman (Homepage) on 2007-06-24 08:24 (Reply)

I figured someone would bring that up sooner or later.

I was hoping users would replace that with a better question of their own, but I've seen a couple boards with the question as-is. You could always modify the answer-checking block to allow them all.

#6.1 Mike Boone (Homepage) on 2007-06-24 10:03 (Reply)

A heads up:
I needed to edit if(trim(strtolower($_POST['bonusq']!='darth vader'))) to if(trim(strtolower($_POST['bonusq'])!='darth vader')) otherwise Darth Vader would register as a wrong answer.

Thanks for a simple and hopefully effective mod

#7 Christian on 2007-06-27 09:18 (Reply)

Thanks for catching that bug. Actually my intention was for it to read:

if(trim(strtolower($_POST['bonusq']))!='darth vader') {

I have corrected the entry.

#7.1 Mike Boone (Homepage) on 2007-06-27 09:26 (Reply)

A brilliant mod and many thanks Mike. We implemented it a couple of months ago and no spam since. Fantastic.

#8 Bruce Blackshaw on 2007-07-09 02:03 (Reply)

Mod worked great for me, however, once I made the changes my users can no longer edit their profiles?

#9 Pete on 2007-07-12 15:36 (Reply)

Hmmm...make sure you have the code blocks in the correct places, otherwise you could interfere with profile updates. Use the suggested line numbers as a guide.

#9.1 Mike Boone (Homepage) on 2007-07-17 10:40 (Reply)

Thanks! I just implemented it on my forums, so hoping it will go okay!

Note: I discovered the answer must be in all lower case, just FYI.

#10 Kellee (Homepage) on 2007-07-16 16:15 (Reply)

The answer in the code should be lowercase, but the answer supplied by the user shouldn't have to be, as that's what the strtolower function does...it takes the user input and makes it lowercase before comparing it with the answer in the code.

#10.1 Mike Boone (Homepage) on 2007-07-17 10:37 (Reply)

I have something like this on my vb site, but you know what really kills the spammers dead in their tracks? Have the mod randomly display a question from a list of questions & answers determined by the admin.

That way if they figure out one of the questions, they have a whole slew more to figure out. Should keep the dumber spammers out. Works like a champ on my vb board, haven't had a spammer in months. (My phpBB board, that's another issue...)

#11 GeekFury (Homepage) on 2007-07-29 12:29 (Reply)

Using the code you have here my forum members had trouble editing their profiles (it checked to see if 'darth vader' had been entered in a field they couldnt see while editing their profiles).

So, the fix:
Change
if(trim(strtolower($_POST['bonusq']))!='darth vader')

TO
if(trim(strtolower($_POST['bonusq']))!='darth vader' && $mode != 'editprofile')

Hope this helps

#12 Evan Pugh on 2007-07-31 11:07 (Reply)

Thanks for posting this. When I get a chance I will update all the code as well as publish copies of the files from PHPBB + the modification.

#12.1 Mike Boone (Homepage) on 2007-08-13 14:47 (Reply)

wow!
Thank you sooooooo much. It really works. In fact I made it very simple. I added a 8-digit at the bottom of my bulletin board and the question is the type the number. Bingo!
It works and there are no more spam since that day nad if it is too complicate for a person to find the number at the bottom, I will probably be happy to not have this person to join my bulletin board :o)

Thanks a lot for this script.

Normand

#13 Normand (Homepage) on 2007-09-19 15:42 (Reply)

I have implemented the mod. Thanks see it at http://www.jobscat.com

#14 Siddharth (Homepage) on 2007-09-21 13:56 (Reply)

My forum users were having trouble editing their profiles. They managed to update them if they input their passwords (all 3 fields) each time, but otherwise it told them they were missing info.

To fix it, I moved the first segment of code on usercp_register down beyond all of the password information. I had to put it in brackets (as it wasn't if you just copied it from the page above) and I made sure to add the other suggestions on this page, but regardless everything started working fine. I made sure it stayed on the same level as it would if you pasted the code directly after the mode == 'register' line, though by taking it out of the password area entirely it stopped giving me trouble.

All of that side, I've had great success keeping spam out of my forum with this. I couldn't easily edit profiles for a while, but even then it was well worth it. Now that everything is functioning properly, life is good.

#15 William Bloodworth (Homepage) on 2007-09-26 00:23 (Reply)

When I uploaded the files you linked for download the mod worked fine but when I tried to simply add the snippets of code to my already existing files nothing changed.

In my current files there is a birthday Mod included which requires the user enter their birthdate upon registration and it then adds the birthday to the forums calendar. I really don't want to lose this feature and thought I could simply add the code where you instructed and that it should work but the qurestion no longer showed up. it was as if i hadn't added the code at all.

Is there a way I can keep the birthday mod in tact and still use this anti-spam mod?

Or am I just doing something wrong? Any help would be appreciated as I would love to use this mod.

Thanks in advance.

#16 Kelly on 2007-10-10 19:07 (Reply)

When you have multiple modifications you have to be careful when editing the files. I would suggest you download a program like WinMerge (http://winmerge.org/). It will let you compare my modified files to your files that have the other mods. Then you can decide where the code should go.

#16.1 Mike Boone (Homepage) on 2007-10-13 08:56 (Reply)

Thank you so much for the information. I downloaded the Winmerge program and was able to incorporate the codes you listed above into the existing altered codes in my files. it was very easy to do and I had the new altered files uploaded in a matter of minutes.

I'm hoping the question will work to eliminate the spambot problem as well as it has for others.

Thanks again for your help.

kelly

#16.1.1 Kelly on 2007-10-14 16:57 (Reply)

For some reason, I can't get the actual question to show up on the registration page. Can anyone think of anything I"m doing wrong? I modified the profile_add_body.tpl file exactly.

Thanks.

-Wil

#17 wil on 2007-11-27 23:14 (Reply)

A couple things:

First, make sure you made those changes to the profile_add_body.tpl file inside the template subfolder that you're using. If you're using SubSilver only, then you should be OK on that.

Next, the question will appear only when switch_add_profile, so make sure you made the changes that are shown in the "Update" sections as well. Or just download the files from the link at the end of the post and use them, or compare them with yours using a tool like WinMerge.

#17.1 Mike Boone (Homepage) on 2007-11-28 13:58 (Reply)

Thank you so MUCH. We have a terrible spam bot problem and there hasnt been a single bot registration since I put the mod in.

I usually get between 10-20 a day!

#18 Tp on 2007-12-04 14:19 (Reply)

Yes, the idea is very simple but surprisingly effective for more than year now. And I expect that such protection will be effective for a lot of time. Sometimes I write about it in my blog about spam bots and captchas: http://bbspam.com/

#19 Oleg (Homepage) on 2007-12-07 00:39 (Reply)

I was using this MOD when a user told me he could's change his password in his profile. I downloaded the MOD posted on 2007-09-29 and after uploading it, and trying to change a password in the profile I get this response:

Fatal error: Call to undefined function: session_reset_keys() in /var/www/vhosts/reelanimalsfishingshow.com/httpdocs/phpBB/includes/usercp_register.php on line 545

The password DOES get changed, but am getting the fatal error.

#20 mj (Homepage) on 2008-01-07 14:52 (Reply)

Sorry, this got buried in my inbox. Anyway, I'm not sure about the error, but make sure you are using PHPBB 2.0.22, as the session code changed somewhere around 2.0.20.

#20.1 Mike Boone (Homepage) on 2008-02-06 15:51 (Reply)

I installed this script and get the same error.

I added the following line at the top of the script

error_reporting(0);

This basically stops the user from seeing the error and they get a blank page.

(This is a quick and dirty hack I did to keep the error message from revealing some virtual directory info I'd rather not have out there)

I don't recommend this as it will confuse your users but it works in a pinch.

#20.2 Desus (Homepage) on 2008-02-25 09:45 (Reply)

Are you running PHPBB 2.0.22 or 2.0.23?

#20.2.1 Mike Boone (Homepage) on 2008-02-25 13:10 (Reply)

> Are you running PHPBB 2.0.22 or 2.0.23?

It's on an older board running PHPBB 2.0.22
We're in the process of updating to phpbb3 but until that finishes we're still running 2.0.22

Sorry I forgot to mention this, I saw what you said earlier about the change in the session handling from .22 to .23

#20.2.1.1 Desus (Homepage) on 2008-02-26 08:01 (Reply)

The fix should work with 2.0.22. You should download the files from the link above and compare them to yours with WinMerge or something similar. Perhaps there's some discrepancy between your files and mine.

#20.2.1.1.1 Mike Boone (Homepage) on 2008-02-27 09:05 (Reply)

I had been looking everywhere for something to get rid of all the spam accounts on my role playing forums. I installed this two nights ago... and haven't seen a single inappropriate sign-up yet! Changing the question to fit my sites was easy, as I just picked a question about the game's information (makes it easy for me to also see if people signing up are actually reading the rules and stuff! *Bonus!*). Thank you SO much for this!

#21 Chelle the Cat (Homepage) on 2008-04-16 15:28 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry