
How to: Stop PHPBB forum spam registrations using ban lists


I’m an administrator of several PHPBB forums. Some of them have been in existence for a number of years, initially as PHPBB2 and since the release of PHPBB3 as the updated software. I’ve heavy experience of code modification, tweaking and modifying the installation of such sites. These days, I tend to minimise the number of code changes for speed and security reasons, plus PHPBB3 brought us lots of features we used to have to mod our sites for in PHPBB2 to get.

One of the sites is my World of Warcraft guild forum. Until very recently, we’ve managed to avoid tonnes of spam user registrations. Even with the CAPTCHA options enabled and a user email confirmation routine active, we’re still seeing several spam accounts managing to gain access to our site. Thankfully, none have successfully posted yet; however, I realised it was only a matter of time.

Dealing with these spam accounts is frustrating. Having to check all the activated user accounts to see which are real people is cumbersome, although it’s pretty clear who the spam accounts are because they have random avatars and the same kinds of entries in their profiles. For example, the country specified in location is somewhere most of our users wouldn’t be! Then there are the dozens of inactive accounts where they manage to clear the CAPTCHA routine but their email can’t be verified. It’s fairly easy to purge these, but it’s still time consuming.

Within PHPBB3 we saw the introduction of a semi-decent banning facility in our admin control panel (ACP). You can ban IP addresses by individual IP, range of IPs or wildcard IP. You can ban user names and email addresses or email domain host names. I’d been manually adding IP addresses to this each time a spammer came along; however, this added to the time taken to administer things. What I wanted to do was nip spam registrations in the bud.

I know you can change the activation routine such that an administrator needs to authorise any new accounts, but all this would do is involve me further. I’d get an email every time a new account was created so I’d have to check and see if it was real before activating it. Instead, I wanted a known spammer list to add to my PHPBB ban table. Thanks to Google, I found one!


FSpamlist are a site dedicated to dealing with spammers on forums. They have a number of tools you can use to integrate their database with your PHPBB installation, but I wasn’t keen to do this due to a connection from my site to theirs being necessary every time someone tried to register. Instead, I downloaded a snapshot of their IP spammer list and a snapshot of their spammer email list. I intended to import each of these into PHPBB but came a cropper.

The email domain list was simple to import. There was an option to download a PHPBB3 formatted file. The IP list was more difficult. It’s a comma-separated list and PHPBB requires each IP to be presented on a new line. There are ways and means to change the format; below I detail how I went about it so you can do the same.

1. Download Notepad++ from SourceForge
2. Install Notepad++
3. Download the IP file from FSpamlist
4. Open the IP file in Notepad++
5. Select the “replace” command
6. Tick “regular expression” and use “\n” (without the speech marks) for the “replace with”
7. Use “Save a Copy As” from the File menu
8. Open that list in Wordpad and then you can cut and paste it into your PHPBB ban list

NOTE: When I did this, I found that one of the IP addresses was mis-formatted. It appeared as something like 128.128.* when PHPBB requires it to be properly formatted, like 128.128.*.*, for it to be parsed. So if you get an error indicating the IP list wasn’t imported, you need to search the list for such an IP. (The IP I’ve used is not the one I found but an example.)
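The same conversion done with a script, as an added example that is not part of the original post: it splits the comma-separated list into one IP per line, pads short wildcard entries such as 128.128.* to four parts, and sets aside anything else malformed for manual review. The function names and the sample list are constructed, and padding with .* and rejecting a leading wildcard are assumptions of this example, not documented PHPBB behaviour.

```python
import re

# An octet is either a number (range-checked below) or a wildcard.
OCTET = re.compile(r"^([0-9]{1,3}|\*)$")

def normalise_entry(raw):
    """Return (entry, None) if usable, or (None, reason) if it needs a manual look."""
    entry = raw.strip()
    if not entry:
        return None, "empty"
    parts = entry.split(".")
    # Assumed repair for the case in the NOTE: 128.128.* becomes 128.128.*.*
    if len(parts) < 4 and parts[-1] == "*":
        parts += ["*"] * (4 - len(parts))
    if len(parts) != 4:
        return None, "not four octets"
    for p in parts:
        if not OCTET.match(p) or (p != "*" and int(p) > 255):
            return None, "bad octet"
    # Safety choice of this example: never emit a ban that starts with a wildcard.
    if parts[0] == "*":
        return None, "too broad"
    return ".".join(parts), None

def convert(csv_text):
    """Split a comma-separated list; return (unique good entries, rejected entries)."""
    seen, good, rejected = set(), [], []
    for raw in csv_text.split(","):
        entry, reason = normalise_entry(raw)
        if entry is None:
            if reason != "empty":
                rejected.append((raw.strip(), reason))
        elif entry not in seen:
            seen.add(entry)
            good.append(entry)
    return good, rejected

def ban_list_text(good):
    """One IP per line, ready to paste into the ban list field."""
    return "\n".join(good)

# Constructed sample input (documentation address ranges plus the NOTE's example).
SAMPLE = "192.0.2.10, 198.51.100.7,128.128.*,203.0.113.*.*, 192.0.2.10,300.1.1.1,*.*.*.*,10.0.0,\n"

if __name__ == "__main__":
    good, rejected = convert(SAMPLE)
    print(ban_list_text(good))
    for value, reason in rejected:
        print("REVIEW:", value, "-", reason)
```

Anything printed with REVIEW is left out of the output, so one bad entry no longer blocks the whole import.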

By adding all of these IP addresses you can cut a massive amount of spammers from even accessing your site in the first place, thus meaning they can’t even start the registration process. The email ban list serves as a secondary list in case a spammer comes in via a different IP, given that they sometimes spoof their IP, or simply find a new one to connect via.

Since employing this ban list, I have had zero successful registrations and only a handful of registrations that appeared on my inactive user list in the ACP. Big thanks to the guys at FSpamlist for their great work collating the IP list.

  • It is just now I added IP ban list, email ban list latest 1000 and username ban list latest 1000. I was getting around 5 – 10 spam users daily so let me check in the next 24 hours. Is there a possibility that a legitimate user’s IP would fall into this IP ban list?

  • Rob

    There is, with all these things, a chance that a genuine user will be in the same IP pool as known spammers; I am sure those affected will contact you via some other means where necessary and you can then investigate. Worth the trade-off IMHO

  • Are there any potential issues and ways this method may limit and prevent genuine registrations at all?

  • Rob

    Every solution carries a risk of excluding genuine visitors.

    It depends on how bad the problem you are experiencing is. Using the above we’ve never had a user say they can’t access our forums. (We had other ways of people being in touch).

  • Krimp

    Thanks! Exactly what I was looking for!
