PHPBB Fake Members

It’s becoming frustrating to be a PHPBB administrator, at least if you want to keep your memberlist clean. Form bots out there create fake users on your site in the hopes that your memberlist will show their spam URL. It’s been an ongoing, and losing battle, to keep them out.

  • First I tried to change the account creation form slightly.
  • Next, I instructed search engines to not index the memberlist and user profile pages.
  • Several months ago I turned on PHPBB’s “captcha” feature that was included with a more recent version
  • Last week, I removed the URL field completely from the signup form, and any bot that tries to submit it will fail. This might have stopped some of the bots, but there are still fake users being created. Their profiles list no websites, but you can still tell they are bogus when they list their interest as “pills” on a sailing website!
I think my next move will be to create a cron job to delete user accounts that are not activated within 24 hours, as many spam accounts never activate.

Update 2006-08-22: The fake users keep coming. So I came up with a cron job that runs this query once per day. It will remove inactive PHPBB users older than 48 hours. This gives time for the new users to properly activate.

DELETE FROM phpbbusers WHERE useractive=0 AND userid>0 AND FROMUNIXTIME(userregdate)<DATESUB(NOW(),INTERVAL 2 DAY);

The user_id>0 part is to avoid deleting the Anonymous user, which has a user ID of -1 on my installation.