PHPBB

If you are not comfortable installing this on your own, I'll do it for you. If you're using PHPBB 2.0.23 and the SubSilver template, I will install it for $25 via Paypal. (If you're using a different template or need an older site updated to the latest PHPBB, I can do that too, but it will take longer and cost extra). Contact me.

I've been meaning to document this for a while now, and I finally made myself write it up. The simple measure I will describe has been working for my PHPBB website since last December. It has kept spam accounts from registering and posting anything on my site.

This idea involves asking a question during registration that spam bots do not know how to answer. You can choose any question and answer that you want. The website that I run PHPBB on is a sailing website, so I asked a question that sailors could answer. For this example I chose another question.

You have to change two files, templates/(your template)/profile_add_body.tpl and includes/usercp_register.php.

In templates/(your template)/profile_add_body.tpl, add this after the <!-- END switch_confirm --> line (about line number 68):

In includes/usercp_register.php, add this after else if ( $mode == 'register' ) { (about line number 275):

So there you have it. I'm sure there are some sophisticated PHPBB mods out there that will do the same and more for you, but this simple change has saved me a lot of trouble. I'm keeping my fingers crossed that it will last.

Update 2007-05-23: I omitted one other mod to make this work. You also need to edit your includes/usercp_register.php file. Find the line if ( $mode == 'editprofile' ) (about line number 941) and modify that block to look like this:



Update 2007-06-24: Several folks wrote in expressing confusion about where these blocks of code belonged. I apologize, and I amended the article to give approximate line numbers where the mods belong. I used PHPBB 2.0.22 as my reference. Note that if you have made other modifications to your PHPBB files, the line numbers might not be quite right.

Update 2007-06-27: Bug fix. See comment #7 below.

Update 2007-09-29: A lot of people have written in having trouble with this modification when it comes to users editing their profile. To avoid problems, I have applied the modification to a new copy of PHPBB 2.0.22 and tested it. I made copies of the modified files and they are available to download. The modification as it appears in this blog post is what I used, and it works fine for me. I did not make any of the other changes from the comments (except the bug fix from June which has already been incorporated into this post).

Update 2008-02-27: The update works just fine for me in PHPBB 2.0.23 as well. Neither profile_add_body.tpl nor usercp_register.php were changed between 2.0.22 and 2.0.23.

A commenter to a previous article asked exactly how I delete inactive members from a PHPBB forum that I run. So I'll try to explain. This solution runs on Linux/Unix systems...I'm sure it could be done for Windows, but I'll leave the particulars to you.

It's really two separate steps. First, you need a script which will handle the deletion of inactive members. I called mine cron.php. It deletes all inactive PHPBB users who don't activate within 48 hours. It looks like this:

#!/usr/bin/php -q
<?php
  // cron job to delete inactive users older than 48 hours
  $db=mysql_connect('server','user','password');
  mysql_select_db('your_phpbb_database_here',$db);
  $strSQL="DELETE phpbb_users u, phpbb_user_group ug, " .
    "phpbb_groups AS g FROM phpbb_users u, " .
    "phpbb_user_group ug, phpbb_groups g WHERE " .
    "u.user_active=0 AND u.user_id>0 AND " .
    "u.user_id=ug.user_id AND ug.group_id=g.group_id " .
    "AND g.group_single_user=1 AND " .
    "FROM_UNIXTIME(u.user_regdate)<" .
    "DATE_SUB(NOW(),INTERVAL 2 DAY);";
  mysql_query($strSQL,$db) or die(mysql_error());
  mysql_close($db);
?>

You'll need to make sure the /usr/bin/php points to the location of PHP on your system, and replace the MySQL server name, user, and password with yours.

Now that you have a script, you need to tell the system to run it daily. You can do this with a cron job. If you have command line access to your website, you might be able to do this with "crontab -e". But my webhost has an administrative panel that lets you set up cron jobs on the web. If you can't set up a cron job, you could put the script into a web-accessible folder and periodically call its URL, either manually or through an automated process on your local PC.

This idea works great if the majority of your spam registrations don't activate their account. Usually they just want their spam links in your member list. But I'm finding that more and more spammers are activating and posting, so it remains that we want to stop spammers from registering in the first place. I'm experimenting with another method, which I'll post about when I see some results.

Update 2007-11-28: I replaced my original SQL statement with the SQL in comment #1 below, which I finally tested and it seems to work well.

It's becoming frustrating to be a PHPBB administrator, at least if you want to keep your memberlist clean. Form bots out there create fake users on your site in the hopes that your memberlist will show their spam URL. It's been an ongoing, and losing battle, to keep them out.

• First I tried to change the account creation form slightly.
• Next, I instructed search engines to not index the memberlist and user profile pages.
• Several months ago I turned on PHPBB's "captcha" feature that was included with a more recent version
• Last week, I removed the URL field completely from the signup form, and any bot that tries to submit it will fail. This might have stopped some of the bots, but there are still fake users being created. Their profiles list no websites, but you can still tell they are bogus when they list their interest as "pills" on a sailing website!

I think my next move will be to create a cron job to delete user accounts that are not activated within 24 hours, as many spam accounts never activate.

Update 2006-08-22: The fake users keep coming. So I came up with a cron job that runs this query once per day. It will remove inactive PHPBB users older than 48 hours. This gives time for the new users to properly activate.

DELETE FROM phpbb_users WHERE user_active=0 AND user_id>0 AND FROM_UNIXTIME(user_regdate)<DATE_SUB(NOW(),INTERVAL 2 DAY);

The user_id>0 part is to avoid deleting the Anonymous user, which has a user ID of -1 on my installation.

In a previous entry, I detailed how I used some code from PHPBB to integrate its session management with my existing website. The idea is to include just enough PHPBB stuff to get PHPBB sessions working, and nothing else. Due to some session code changes introduced in the PHPBB update to version 2.0.20, I had to change the code some. Here is how it looks now:


In addition, I had to copy the dss_rand() function out of PHPBB's includes/functions.php file into my startup-script. I think that's preferable to including the whole block of functions, but that's another option. You have also have to modify the message_die() function inside dss_rand() because I'm not including that function. I just used PHP's die() function and only included the text of the error, not the PHPBB specific parameters.

Update 2006-07-17: This code is OK for PHPBB 2.0.21 also.

The PHPBB board that I maintain recently picked up a new user account: Analina. The user signed up with the email analina@gmail.com. The user left a link to visualpicz.com, which redirects to a page full of prescription drug links.

At first I thought it was someone who signed up manually, but I think this was automated, and it bypassed my basic bot preventer. The reason I think it was automated is because if you do a Google search on "analina phpbb" you get over 37,000 results! I guess I need to improve my bot prevention scheme.

So I'd advise PHPBB admins to delete that user and ban that gmail email address. It would also help if all PHPBB board would tell search engine spider to not index the memberlist and user pages, which would render spammer links useless.

I have been working on integrating a PHPBB forum with an established site for a client. Their site has a pre-existing user base and sign-in method, and I didn't want to disturb that.

This knowledge base article at phpbb.com details the basics of bringing PHPBB sessions into your other code. It includes common.php, which, if you read the source code, includes everything and the kitchen sink for PHPBB: general functions, template code, authenticaion/permissions code, etc. I decided to try to trim it down, as the only "feature" I needed from PHPBB on the main site was to keep a PHPBB session alive while the user used the main part of the website. This looks like more code than suggested in the PHPBB KB article, but it's really less code overall, and it seems to work.



This method is working OK for me so far. I've got several other steps to really get things integrated. One problem is that the existing site's code uses a global variable to access the database known as $db, and guess what, so does PHPBB, but they're not compatible.

I'm also toying with the idea of stripping out PHPBB's existing session code and replacing it with my own which will connect the main site and the forum. I need to see how well PHPBB's session code is written and if it's mostly separated from the rest of the PHPBB code. But you might give this code a shot if you want to work with PHPBB's sessions.

Update 2006-04-12: I had to update this code to work with PHPBB 2.0.20. I also changed the PHPBB message_die() function to PHP's die() function since I'm not including it from the PHPBB functions.

On a board where I run phpBB, a recent member registered with the name "deixxervaisul". The profile says the member is in the United Kingdom. He left his occupation as "King of the Web" and the email address deixxervaisul@flashcubicle.com. The member didn't try to leave a website and never made a post. I left it alone.

Today, while looking at another phpBB board that I occasionally admin, I noticed a new user with the same odd name. The profile info is the same. The subject matter of the two board is completely different, so I have a hard time believing these are both real users.

A Google search on "deixxervaisul" pulls up 113,000 hits. I didn't go through them all, but the first 100 hits or so point to that username on more forums, and not just phpBB either. The poster must be using some automated tool, which means he probably circumvented my basic bot prevention method.

I'm not sure what the motivation was to create these accounts, but I'm going to delete them from my boards. Maybe the poster is trying to get search engines to index the domain of that email address?

I'd encourage phpBB admins to make their memberlist and profiles unavailable to search engines, as I described in an earlier post.

Back in November I detailed a method for preventing the majority of automated "linkspam" accounts being created in PHPBB message boards. At the time I wrote "it can't prevent someone from signing up with a junk link manually." I figured that no spammer had the time to sign up to forums manually. Well, I was wrong. Some of these people apparently have plenty of time on their hands. I guess when someone takes the time out to send me spam over my personal web page contact form, it shouldn't surprise me that they'll use bulletin board software as well.

Just today I removed an bogus account linking to portale-erotico.com. I checked my logs and the user had found my site via Google Italy, doing a search for "general forum". That user then manually went to the trouble of creating an account. The user had the IP address of 62.10.13.75 which links to a dial-up account in Italy. Doing a Google search on the linked domain shows several other PHPBB sites that have member accounts linking to that site.

That guy was a one-time deal, so far. I've had a bigger problem with someone promoting chi-origin.be. This person creates accounts like someword1234 where the word and number change, but the number always seems to be four digits. Then they list bogus locations and interests, etc., which also seem to change between attempts. I've had to delete these accounts 4 or 5 times already, and I've yet to track the IP, but I'll find that out if they do it again. One time the spammer even took it upon himself to send private messages promoting that domain to other members on the site.

I did a Google search on that domain and again, it shows several sites that have fake accounts promoting that domain. I even found another forum (written in Latin!) where someone else was getting private message spammed by them too.

The chi-origin.be domain is hosted in the US, and I complained to the web provider, probably to no avail. I also wrote a complaint to Google.

I'm not sure how to best deal with this kind of spammer, though I'm thinking of removing the web link data field entirely.

I hope in the future that the PHPBB authors put "noindex,nofollow" robot meta tags on the member list and member account pages so that these spammers aren't encouraged to use this tactic. In the meantime, I think I'll set that tag on my pages just for good measure.

Here's how I set the tag...I hope it's correct:

In both memberlist.php and includes/usercp_viewprofile.php, just above this line:

include($phpbb_root_path . 'includes/page_header.'.$phpEx);

I added this:

// MOD BY MIKE TO ADD noindex,nofollow meta tags
$template->assign_vars(array('META'=>'<meta name="robots" content="noindex,nofollow">'));

Seems to work! I also added a text note by the Website field in templates/subSilver/profile_add_body.tpl to tell link spammers that the pages they intend to spam are not indexed by search engines.

When I overhauled my sailing community website (now at www.daysailer.org), I decided to use a free and popular web forum package called PHPBB. My home-brewed forum was getting old in the tooth anyway. PHPBB has features that not only make the forum better, but easier to maintain.

The downside is that PHPBB is everywhere, and that makes it a target for spammers and their automated bots. In this case, PHPBB has a Member List page which displays the site's members and optionally, their web address. The link spammers create bogus user accounts to take advantage of this and get their spammy website listed. I've only been running the forum at daysailer.org for a month, and I was seeing about one spam signup a day. One day I had three. I knew I had to do something or otherwise I'd show up on the site one day and there'd be a thousand of them. For some reason most of the spam links were for sites in Russia, but there are probably others out there.

Since these automated bots rely on PHPBB's user registration form looking a certain way, I decided to change the form a bit. I found this forum post to be a helpful description of how to do it. I followed those instructions, but varied things a bit for our site. The technique is to put a hidden field on the form that the bots don't know about, and fail if someone tries to register without submitting that hidden piece of data. It can't prevent someone from signing up with a junk link manually, but it seems to work with the bots. We haven't had a bogus account signup in over a week now. We'll be safe until the bots figure out how to grab and send the hidden data.

Publishing interactive content on the web seems to be one small battle after another....

Update 2006-12-18: A lot of people seem to be finding this post. Please be sure to read the other articles in my PHPBB Category as I have also tried other spam-prevention ideas.