phpBB3 Spam Protection Tutorial

How to protect your phpBB3 forum from spam

In this tutorial we'll give you some tips on how to protect your phpBB3 board from spam. Unfortunately, you can't stop absolutely all spam messages, especially if your board is popular, but you can reduce their number significantly. The problem is caused mostly by spam bots and the suggestions here are directed mostly at stopping them.

Real people are a bit more difficult to stop if they are determined to register on your board, but you can always ban usernames, IP addresses and email addresses if you see that a registered user on your board is there to spam. As we said, most spam messages come from bots, so they are the main concern.

Guest Posting

By default, in phpBB3 guests have read access only (with the original forum permissions). This means that guests can't post messages in your forums; they have to become registered users first. If registration is not required, posting becomes a lot easier for bots, and your board may be flooded with spam.

However, if you want guests to be able to post messages, you can give them this permission. To do this, log in to the administration control panel, click on the Permissions tab, then on the Forum permissions link on the left. Select any or all the forums from the forum list and click on Submit. Then select Guests from the Manage groups list and click on Edit permissions. You'll see that the Role drop-down menu is set to Read Only Access. From there you can give guests more rights, including the permission to post messages.

If you enable guest posting, make sure that CAPTCHA (visual confirmation) is enabled for guest posting: on the Posting tab, under Post settings, Enable spambot countermeasures for guest postings should be set to Yes. The setting is set to Yes by default, so just make sure you haven't accidentally disabled it. With this setting enabled, guests have to recognize an image (numbers and letters) before they can post a message. CAPTCHA makes it much more difficult, but not impossible, for bots to post spam messages.

CAPTCHA (Visual confirmation)

Make sure that CAPTCHA is enabled from the User registration settings of your administration control panel (General tab>User registration settings>Enable spambot countermeasures for registrations). It's actually enabled by default, so make sure it stays that way. With this setting enabled, when people register they have to type the combination of letters and numbers shown in an image. Although the image is sometimes difficult even for people to decipher, it helps to reduce automatic registrations performed by bots.

Some bots, however, can register despite the visual confirmation. What you can do is to make the CAPTCHA image a bit more difficult to recognize. To do this, click on the Spambot countermeasures link on the General page of the administration control panel. On the new page there's a section labeled Available plugins. Click on the Configure button that's there to change the settings of the default plugin (GD Image). To make the image harder to read you can enable foreground noise. It's disabled by default. You can also change the values for x-axis and y-axis background noise. They are set to 25 by default.

Spambot Countermeasures Settings

You can tweak the settings on this page a bit and use the Preview button to see what the image looks like. Once you're done click on the Submit button.

Enable Account Activation

By default, after users register they can immediately access their accounts. There's no further activation required. To make it more difficult for bots to register, as well as to discourage some human spammers, you can enable account activation. You can do this from the administration control panel. Click on the User registration settings on the General page of the admin panel. The first setting there is Account activation. It's set to No activation:

Account Activation Options

The activation can be performed by you personally, if you mark the button for By admin, or you can leave the activation to the user by marking By user. If the activation is performed by the user, this will ensure that they have a legitimate email account. When the user registers, an activation link will be sent in an email message to his/her email address. So, before the user can log in to your board, he/she has to access the email address and open the link to activate the account.

Add Extra Fields to the Registration Form

You can make it harder for bots to register by adding some extra fields to the registration form. By default, the registration page has fields for a username, email address (two fields), password (two fields), as well as a language drop-down menu, time zone drop-down menu and a visual confirmation field.

The easiest way to add extra fields is from the administration control panel. Click on the Users and Groups tab and then on the link Custom profile fields on the left. On the new page that opens you'll see a drop-down menu from which you can choose what type of field to add: numbers, single text field, textarea, boolean (yes/no), dropdown box, date.

Custom Profile Fields

After you select the type of field, click on the Create new field button. In our example we'll select Dropdown box.

When you select the field type and you click on the button, you'll see a page with some settings. You don't have to configure all of them. There are several options that you have to configure regardless of the field type you've chosen, and there are a few that are specific to each field type.

Custom Field Settings

You have to provide a name in the field for Field identification. This name won't be seen by the users; it's for the database (type something without spaces). In our example we've chosen to include a drop-down menu from which users can select their favorite color, so we've typed in this field color_dropdown.

Another thing you have to do is to mark the checkboxes for Display on registration screen and Required field. In this way the field will be displayed on the registration form and users can't skip it if they want to register. You also have to type something for Field name and Field description. These will be visible on the registration page. For Field name you can use a question or whatever you want to label the field, and you can use Field description to give the users some additional explanations, or what the requirements or the allowed values for the field are.

In our example, we have named the field What is your favorite color, we have given a short example description, and in the textarea for Entries we have listed different colors plus an additional value called Choose your color, which will be the default value when the registration page is displayed. The Entries option is specific to the drop-down box field type. Whatever field type you choose, after you configure the options on this page, click on the button in the lower right corner of the screen. The button is called Profile type specific options. As the name suggests, on the next page there are some field type specific options. Don't worry, they are just a few.

For example, with the drop-down box type you can choose the default value (e.g. Choose your color) and the value which is equal to non-entered value. So, in our example, if the user doesn't choose a color from the drop-down menu, but leaves the default Choose your color, he/she won't be able to register. With the single text field type, for example, you can specify the length of the input box and the minimum and maximum number of characters. In this case it's recommended not to leave the minimum number of characters at zero, because then the user can skip this field in the registration form. You can check the options for all the field types and come up with a registration form that will be tougher for bots to cope with.

After you configure the options on the second page just click on the Save button.

Here is an example registration page with one field from each type added to the form:

Example Registration Form

Keep in mind that some of the custom field types can't really be set to have a right or wrong answer; users just have to choose or type something. With some, however, you can set conditions that have to be fulfilled in order for the answer to be accepted. In our example, the drop-down menu with the colors has a default value (e.g. Choose your color) that has to be changed; otherwise the registration form won't be accepted.

The number field (e.g. Type a number) has a minimum value of 1 and a maximum of 100, so the user is obliged to type a number between one and a hundred. The single field type is set to three characters, so that users have to type three letters and/or numbers. The date field, on the other hand, is labeled Yesterday's date, but any date will be accepted.

You can think of various combinations that are simple for anybody to answer. You can put as many custom fields as you like, but don't put too many or you may discourage people from registering on your board. It's a good idea to change the questions/tasks periodically.
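To check a planned set of custom fields against the conditions described above, here is an added example (it is not phpBB code and not part of the original tutorial). It is a simplified Python model of the acceptance rules for the drop-down, number and single text field types, and it lists the fields that would be accepted when left exactly as the form shows them. The class, function and field names other than color_dropdown are hypothetical, and the sample configuration is constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Field:
    ident: str                      # "Field identification" (no spaces)
    kind: str                       # "dropdown", "number" or "text"
    on_registration: bool = True    # "Display on registration screen"
    required: bool = True           # "Required field"
    entries: tuple = ()             # dropdown: the listed entries
    default: str = ""               # dropdown: entry preselected on the form
    novalue: Optional[str] = None   # dropdown: entry equal to "not entered"
    minimum: int = 0                # number: min value; text: min characters
    maximum: int = 0                # number: max value; text: max characters


def accepts(field: Field, value: str) -> bool:
    """Simplified model: would the registration form accept this value?"""
    if not field.on_registration or not field.required:
        return True                 # field is absent or may be skipped
    if field.kind == "dropdown":
        return value in field.entries and value != field.novalue
    if field.kind == "number":
        return value.isdecimal() and field.minimum <= int(value) <= field.maximum
    if field.kind == "text":
        return field.minimum <= len(value) <= field.maximum
    raise ValueError(f"unmodelled field type: {field.kind}")


def untouched(field: Field) -> str:
    """What is submitted if the field is left exactly as the form shows it."""
    return field.default if field.kind == "dropdown" else ""


def audit(fields):
    """Return identifiers of fields that accept an untouched submission."""
    return [f.ident for f in fields if accepts(f, untouched(f))]


# Constructed sample configuration, mirroring the tutorial's examples.
COLORS = ("Choose your color", "Red", "Green", "Blue")
FIELDS = [
    Field("color_dropdown", "dropdown", entries=COLORS,
          default="Choose your color", novalue="Choose your color"),
    Field("color_no_sentinel", "dropdown", entries=COLORS,
          default="Choose your color"),             # non-entered value not set
    Field("type_a_number", "number", minimum=1, maximum=100),
    Field("three_chars", "text", minimum=3, maximum=3),
    Field("free_text", "text", minimum=0, maximum=20),    # minimum left at zero
    Field("optional_q", "text", required=False, minimum=3, maximum=3),
]
```

Calling audit(FIELDS) returns the three fields that add no barrier in this model: the drop-down without a non-entered value, the text field with a minimum of zero, and the field not marked as required.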

Anti-Spam MODs

If, despite the above measures, you still get a lot of spam, you can try some of the anti-spam MODs that can be found in the modifications database of the official phpBB site. For example, you can try Advanced Block MOD, Advanced Double Activation Pack, Sortables CAPTCHA Plugin, etc.

If you need help with installing a MOD, you can check out the tutorial on installing phpBB3 MODs manually or on installing phpBB3 MODs with AutoMOD.

HostKnox clients can request a free phpBB3 MOD installation by submitting a ticket through the HostKnox Support Portal.