
Minimizing spam on phpBB 3.0.6 and above

Posted: Thu Jan 19, 2012 3:04 pm
by KBleivik

1. Background.
Even if I have overridden the default registration process, a lot of spam bots register on this board. Since it is the bulletin board of I could have stopped registration. Deactivating the board is one easy possibility via the ACP, but then unregistered users will not be able to read the board. So even if deactivating the board blocks new users from registering, it is not the solution to the problem. For a while registered users have been blocked from posting. Some days ago I opened one subforum for posting posts that should be approved by me. Readers and members of the forum don't see those posts that have to be approved. For me the posts are marked with a question mark. So what happened? After a few hours that sub forum got a lot of new posts that should be approved and all of them were spam. It took me some minutes to delete the posts and set the forum back to the state before I allowed posting posts for approval in the actual sub forum. I thought of another route, deny bot access, but that will block known good as well as bad bots and it would not stop many of the bad spam bots from posting.

2. What is a spam bot.
A spam bot is software that is able to register and tries to post on your forum. There are thousands of them, and if you try to fight them manually, it will take much of your resources.
Simply put, a spam bot (with relation to phpBB) is a script that is able to register an account and/or post spam on your board.

Is spam a security threat?

No. While spammers may seem like they are breaking through your defenses, they actually don't do anything that a regular user couldn't do (register, post, etc). Spam is therefore not a vulnerability and should not be considered as such.
Source: Knowledge Base - What Is Spam?

They are not a direct security threat, but they eat bandwidth and fill up your board. Your database may increase so much that it becomes difficult to handle. It takes time to download or back up a big database. So indirectly they are a security threat since they take up so many resources that your board or forum breaks down.

How do they work?
Spam bots do what they are programmed to do; nothing more. Not having the ability to adapt on the fly puts bots at a disadvantage when put against informed administrators such as yourself. The trick for dealing with bots is to stay one step ahead of their authors. Nearly all anti-spam MODs focus on changing the registration/posting form in order to prevent bots from being able to fill out the information properly.
Source: Knowledge Base - What Is Spam?

3. What about human spammers?
Human spammers are of course more difficult to fight than spam bots.
The trick to fighting human spammers, therefore, is to remove any incentive they would have of targeting your board.
Source: Knowledge Base - What Is Spam?

Human spammers will also sign up on this board and try to post. The problem with them is the same as with spam bots. They steal bandwidth, fill up your database and make the experience for serious members worse. In short your forum gets slower and slower until it reaches a point where it breaks down.

4. The goal
So the goal is to block spam bots from registering and minimize the activity from human spammers. Since this is a bulletin board and nobody is allowed to post aside from me, we have to live with human spammers registering as long as it is possible for a human to register. A solution is of course to remove them from the database with some filters. If you know mysql, you can do it seamlessly yourself by dumping the database to an sql file and setting the filters yourself. Here
As explained in this viewtopic.php?f=40&t=202 thread, we had to delete a lot of members because there was an extensive spam bot registration at the end of 2010 and later. When that operation was finished, the old database was still more than 100 Mb in size. Our intention was to upgrade from version 2.0.22 to version 3.08 via 3.02. That did not function because of problems with the old database having a lot of zero values after the deletion of about 220 000 members. So the members are deleted, but the empty rows are still in the database and we got conversion errors.

For that reason we exported the database as a flat sql file, deleted the old database, recreated that database and imported the sql file to the new empty version of the old database without using AUTO_INCREMENT for zero values. That reduced the database to about 6 Mb's and now the upgrade from phpBB 2.0.22 to 3.02 was OK.
Source: ... f=40&t=203

is one example.

5. Preventing spam in phpBB3.

The official link: ... #p12961708
At this time, the Q&A CAPTCHA plugin seems to be the most effective single solution against spambots (and some human spammers). For this technique to be effective, you must use simple but non-obvious question and answer combinations. For instance, "What programming language is phpBB written in?" is an effective question, while "What colour is the sky?" or "2+2 = ?" are not. These questions are particularly effective on niche forums where one can ask a question that is not immediately obvious to the general populace.

To enable the Q&A CAPTCHA, browse to Spambot countermeasures on the General tab of the ACP, then select "Q&A" under "Installed Plugins". Select "Configure", set up your question and answer pairs, then submit the form.
That is the minimal solution. Read the whole article for additional steps and discuss the topic here: ... &t=2122697

if you have questions. Also see:

A list of validated CAPTCHA plugins (and other antispam MODs).

Knowledge Base - Custom Profile Fields as an Anti-Spammer Tool

Scam warning / Good practices for hiring developers

6. Mass deletion of inactive users.

That is very simple with the phpBB 3.08->

In the ACP on the GENERAL folder, in the lower right corner you can
  1. View inactive users by clicking the link.
  2. Set the number of users to be viewed per page. Use 5000 or more if you have a lot of registrants that have not visited the forum and you do that operation very seldom. It takes time to load the page, so be patient. When it is loaded, scroll down to the bottom, mark all and hit the delete button.
Related link:
Mass delete of inactive users (again)
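
Before the "mark all and delete" step in section 6, a read-only audit helps separate never-activated bot registrations from real members who are merely inactive. The following is an added example, not part of the original post or of phpBB: it runs the query against an in-memory SQLite stand-in with constructed rows, and assumes the default `phpbb_` table prefix, the phpBB 3.0 `phpbb_users` columns shown, and a hypothetical 7-day grace period for new sign-ups.

```python
import sqlite3
from collections import Counter

USER_INACTIVE = 1   # phpBB 3.0 user_type: 0 normal, 1 inactive, 2 ignore, 3 founder
DAY = 86400
NOW = 1327000000    # constructed "current time" (Unix seconds) for the sample data

# Read-only: never-activated accounts with no posts and no visit, older than a cutoff.
AUDIT_SQL = """
SELECT user_id, username, user_email
FROM phpbb_users
WHERE user_type = ? AND user_posts = 0 AND user_lastvisit = 0 AND user_regdate < ?
ORDER BY user_regdate
"""

def build_sample_db():
    """In-memory stand-in holding only the phpbb_users columns the audit reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE phpbb_users (
        user_id INTEGER PRIMARY KEY, username TEXT, user_email TEXT,
        user_type INTEGER, user_posts INTEGER,
        user_regdate INTEGER, user_lastvisit INTEGER)""")
    rows = [  # constructed sample rows
        (2,  "admin",      "admin@example.org",  3, 120, NOW - 400 * DAY, NOW - 3600),
        (50, "reader",     "reader@example.org", 0, 0,   NOW - 300 * DAY, NOW - 2 * DAY),
        (51, "new_signup", "new@example.net",    1, 0,   NOW - 1 * DAY,   0),
        (52, "bot_a",      "a1@spam.example",    1, 0,   NOW - 30 * DAY,  0),
        (53, "bot_b",      "b2@spam.example",    1, 0,   NOW - 29 * DAY,  0),
        (54, "lapsed",     "old@example.com",    1, 14,  NOW - 500 * DAY, NOW - 200 * DAY),
    ]
    conn.executemany("INSERT INTO phpbb_users VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return conn

def stale_inactive(conn, now=NOW, grace_days=7):
    """Accounts to review before a mass delete; recent sign-ups are left out."""
    cutoff = now - grace_days * DAY
    return conn.execute(AUDIT_SQL, (USER_INACTIVE, cutoff)).fetchall()

def domains(rows):
    """Count candidates per e-mail domain to make registration waves visible."""
    return Counter(email.rsplit("@", 1)[-1].lower() for _, _, email in rows)

if __name__ == "__main__":
    found = stale_inactive(build_sample_db())
    for row in found:
        print(row)
    print(domains(found).most_common())
```

On a live board the same `SELECT` can be run as-is in MySQL with the two placeholders filled in; the inactive account that has posts and the one registered yesterday stay out of the result, so they are not swept up with the bot registrations.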