Hey, I built a phpBB forum for a friend of mine, and it's actually prospering quite well! But a couple weeks ago, he started getting messages in the admin email box basically that were forwarded to him because they couldn't reach their original destination. Some bot or something has been going in and setting up accounts, with some levitra or viagra website or something with fake email addresses. The only reason we found out is because he was getting undeliverable messages back from those addresses.

We have the image verification on to prevent bots. So how could they be doing this? Is an actual person going and making these names?

We didn't have email verification turned on, which just meant that he had to go and delete a bunch of bogus accounts. So we turned on email verification.

But that won't stop them from creating the accounts, they will just not get finalized. How long does phpBB wait for the email confirmation before deleting the accounts? Any way to stop these attacks?

It's very possible that it's a real person who is creating the accounts, and then letting the bots loose posting with them. You should definitely enable email confirmation so members need to verify their emails before they can post.

You can periodically prune emails waiting for verification to keep your database size down. You can also periodically send emails to users who haven't verified after a particular amount of time reminding them about your website.

It's very possible that it's a real person who is creating the accounts, and then letting the bots loose posting with them. You should definitely enable email confirmation so members need to verify their emails before they can post.

You can periodically prune emails waiting for verification to keep your database size down. You can also periodically send emails to users who haven't verified after a particular amount of time reminding them about your website.

Good stuff. Guess that's all we can really do. We've implemented email verification, and I guess I'll just tell the owner of the site to do some housekeeping every now and then. Thanks again for your input, and keep it up, the site rocks. ;)

Thank you ... I use email verification but don't require image verification. I figure that if they have a valid email and they have to click the link in it, it's definitely a human registering, so image verification isn't going to add any additional layer of security onto that. I think it's mostly for people who have email verification disabled.

Yeah, good point. And now that I think about it, I think you're right in your first post about it not being bots. Because we did have the image verification turned on, it really couldn't have been bots, unless there's some new high-tech ones I don't know about. But it is kind of redundant to have both.

Yup. :) Image verification prevents against bots and email verification prevents against bots and makes sure emails are valid. There are some bots nowadays that can read very simple image verification (ie when the letters are not distorted).

You may also want to block the IP addresses of the repeat offenders, this can sometimes help. Their are many 'mods' avaliable on phpbb.com which can help against stopping auto bots joining your forum!

You may also want to block the IP addresses of the repeat offenders, this can sometimes help. Their are many 'mods' avaliable on phpbb.com which can help against stopping auto bots joining your forum!

I simply google every user that signs on, if they populate lots of forums with 0 replies I simply remove them. I've turned up "users" that these bots sign on lots of sites, these bots are not very sophisticated. I've also removed the website field from the registration feature on my forum I guess that if they want to join my forum they won't be miffed if I don't show their website.

You may also want to block the IP addresses of the repeat offenders, this can sometimes help. Their are many 'mods' avaliable on phpbb.com which can help against stopping auto bots joining your forum!

Yeah, we just installed a mod to log the ip's, and we have blocked one or two. I think that's about as good as it's going to get as far as automated blocking.

I simply google every user that signs on, if they populate lots of forums with 0 replies I simply remove them. I've turned up "users" that these bots sign on lots of sites, these bots are not very sophisticated. I've also removed the website field from the registration feature on my forum I guess that if they want to join my forum they won't be miffed if I don't show their website.

This is a good idea, however, the owner of the forum simply doesn't want to take the time to do that. We were looking for more of an automated method at blocking fake users.

dog that seems a very mundane task which takes up alot of time, their are alot of automated mods out their that can do the job for you.

Yes, I guess his method only works on very new (or closed) communities where you're excited about the one or two new members you got this week.

Yes, I guess his method only works on very new (or closed) communities where you're excited about the one or two new members you got this week.

Yeah, I do get stoked about those first few members!

Oh, those were the days!

Oh, those were the days!

Ha, don't you wish you were still enjoying those days like me. But you're Mrs. Big-time now.

I am also having trouble with people creating fake accounts and posting their urls in the www field of their registrations on my boards.

BBDOG, How do you go about disableing the www/URL feature for new registrants? I looked in the admin panel and could not find that feature. Am I missing it or do I need to hard code some file? (which I do not know how to do)

I am also having trouble with people creating fake accounts and posting their urls in the www field of their registrations on my boards.

BBDOG, How do you go about disableing the www/URL feature for new registrants? I looked in the admin panel and could not find that feature. Am I missing it or do I need to hard code some file? (which I do not know how to do)

I am using subSilver template. What you need to do is go into the templates directory and open profile_add_body.tpl locate all reference to website and remove them there should be 3.

Disabling it in the template will not solve this problem. The form submission can still succeed because it does not need to come from your website. You will need to remove it from the code that processes the form submission or just remove it from the memberlist.

I am using subSilver template. What you need to do is go into the templates directory and open profile_add_body.tpl locate all reference to website and remove them there should be 3.

Your rock BBDog. Thank you so much. I am also using the subsilver. I will try that. I just spent hours cleaning out my fake members, moving my boards and hiding them fromt he search engines.

Thanks.

Your rock BBDog. Thank you so much. I am also using the subsilver. I will try that. I just spent hours cleaning out my fake members, moving my boards and hiding them fromt he search engines.

Thanks.

Yes and like stymiee said, it will not solve the problem as a whole. The fake entries can still reach your database, which may mean you will still have to spend time deleting them.

I put my board behind a password protected directory. Hopefully this will help. Thanks for your advise. I was very useful.

I put my board behind a password protected directory. Hopefully this will help. Thanks for your advise. I was very useful.

If the directory is password protected, how will potential new members be able to view it?

It's very possible that it's a real person who is creating the accounts, and then letting the bots loose posting with them. You should definitely enable email confirmation so members need to verify their emails before they can post.

You can periodically prune emails waiting for verification to keep your database size down. You can also periodically send emails to users who haven't verified after a particular amount of time reminding them about your website.

There's a brand new black hat seo program in the works that does exactly this--sign up as a fake user to a phpboard without a captcha in order to post their url within the profile. Even with the captcha, who knows, they may develop tools to read it.

There's a brand new black hat seo program in the works that does exactly this--sign up as a fake user to a phpboard without a captcha in order to post their url within the profile. Even with the captcha, who knows, they may develop tools to read it.

That has existed for years. Ask anyone with a phpbb forum.

When you guys say "email confirmation" do you mean the user will receive a confirmation email to create an account or to validate an account that has already been created?

I am a phpbb admin, and the only option I see is to enalbe tha latter.

What I need is to prevent spammers to create accounts in the first place, but I couldn't find any option that will enable such a feature.

The default image verification that comes with phpbb is useless. Can this be made more spammer prone?

plaxo

There is a phpbb mod called Visual Confirmation. I've heard great things about it and plan to install it this weekend on my phpbb site.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.