Quick anti-spam hacks for phpBB

A little off topic this, but I thought I’d share with people. One of the sites I run has a forum that, because of pressures of time, is still running phpBB version 2. It’s going to be upgraded to version 3 shortly, but I’ve not quite found the time.

I already have a quick hack in place that checks the IP address being used for registration; periodically I download a Geographic IP address database from Software 77, and load it onto my server. A quick lookup then lets us display a different message to people from certain countries (essentially, anywhere outside the EU, Australia and New Zealand) letting them know their account has to be approved by an admin.

The main bit of this particular hack is a function called untrustedIP, which returns TRUE if the IP address appears (GEO-IP mapping isn’t exact) to be from a country where we’ve either had lots of spammers, or where the things talked about on the forum aren’t relevant. This has succeeded in keeping the forum pretty spam free over the last few years.

In the common.php file, I have this code:

// this is a GEO-IP hack for country related authorisation
// query the database for the user ip address, and set the auth options
// based on the permitted countries
if (untrustedIP($client_ip)) {
    $board_config['require_activation'] = USER_ACTIVATION_ADMIN;
}
// end of the GEO-IP hack

That’s fine, as far as it goes, at the cost of extra work keeping the database up to date, and authorising people who might be from elsewhere. Anyone who wants the code for the function, and the database structure, let me know. Or upgrade to phpBB3, which is more sensible.
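For readers who want a feel for the lookup, here is an added sketch of an untrustedIP-style check; it is not the author's function. The range rows, the country list, and the choice to treat unknown addresses as untrusted are all assumptions made for this example.

```php
<?php
// Added illustration, not the author's untrustedIP(). Sample data is constructed.
// Unsigned 32-bit value of a dotted-quad address, or false if it is not
// valid IPv4. sprintf('%u') keeps the result positive on 32-bit PHP builds.
function ipToUint($ip) {
    $n = ip2long($ip);
    return ($n === false) ? false : (float) sprintf('%u', $n);
}

// Sorted, non-overlapping rows: start, end, ISO country code (RFC 5737
// documentation networks with made-up countries). A real deployment would
// read these from the imported GEO-IP table instead.
$GEO_RANGES = array(
    array(ipToUint('192.0.2.0'),    ipToUint('192.0.2.255'),    'GB'),
    array(ipToUint('198.51.100.0'), ipToUint('198.51.100.255'), 'US'),
    array(ipToUint('203.0.113.0'),  ipToUint('203.0.113.255'),  'AU'),
);
// Abridged allow-list standing in for "the EU, Australia and New Zealand".
$TRUSTED_COUNTRIES = array('GB', 'FR', 'DE', 'AU', 'NZ');

// Binary search for the range containing $ip; null when nothing matches.
function countryForIp($ip, $ranges) {
    $n = ipToUint($ip);
    if ($n === false) {
        return null;
    }
    $lo = 0; $hi = count($ranges) - 1;
    while ($lo <= $hi) {
        $mid = (int) (($lo + $hi) / 2);
        if ($n < $ranges[$mid][0]) {
            $hi = $mid - 1;
        } elseif ($n > $ranges[$mid][1]) {
            $lo = $mid + 1;
        } else {
            return $ranges[$mid][2];
        }
    }
    return null;
}

// TRUE means "send this registration to admin approval". Unknown or
// unparseable addresses (IPv6 included) count as untrusted here.
function untrustedIP($ip) {
    global $GEO_RANGES, $TRUSTED_COUNTRIES;
    $cc = countryForIp($ip, $GEO_RANGES);
    return $cc === null || !in_array($cc, $TRUSTED_COUNTRIES, true);
}
foreach (array('192.0.2.10', '198.51.100.7', '10.1.2.3', '::1') as $ip) {
    echo $ip, ' => ', untrustedIP($ip) ? 'admin approval' : 'normal', "\n";
}
```

Treating a failed lookup as untrusted means a stale or incomplete database sends more sign-ups to admin approval rather than letting them through unchecked.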

But recently, I’ve seen even more registrations than usual, and some of these don’t even seem bothered about posting their spam to the forum – they don’t post, even if they are from IP addresses in the UK. Their main aim is to get the links to their crappy websites into the forum memberlist, which is visible to everyone (there are other hacks that make it visible to only people who are logged in, but I’ve not bothered with those).

As a general rule of thumb, these days I take the view that anyone who enters an ICQ number when they sign up to the forum is a spammer. No one else seems to use it anymore. So, there’s long been a warning on the sign up page that if you do enter a website or ICQ number when you register, your account may be deleted for being a spammer. (You can always enter it later, if you want).

Given the increasing number of spammers doing this, I’ve now made another quick hack. In the includes/usercp_register.php file you’ll find a bit of code that looks like this (line breaks added for clarity):

else if ( $mode == 'register' )
if ( empty($username) || empty($new_password) ||
     empty($password_confirm) || empty($email))

I’ve simply changed the if statement, adding two new conditions to it, between the last two brackets:

|| !empty($icq) || !empty($website)

The effect of that is to tell people they’ve forgotten to fill in a compulsory field, if they enter anything in the ICQ or website field. It’s not the best message, but I said this was a quick hack. And I already have a note on that page telling people not to put anything in those two fields. I don’t particularly care if spammers get confused, either.
