Friday, February 13, 2009

When CAPTCHAs fail - phpBB Drug Spam

As many forum owners quickly discover, there is a reason that most popular forum software allows CAPTCHAs as a requirement for user creation. The image above shows what appears to be an automated tool seeing heavier use recently that posts to phpBB forums. A quick Google search for coreod offers examples of the spam - but the gotcha here is that at least some of the forums that these were posted to use CAPTCHAs, and that many usernames are used.

There are a number of tricks that can help:

  1. Ask the bot additional questions: "Are you a bot?" or "How did you find out about this forum?" often net responses using the userID that the bot fills forms in with.
  2. You might also add a hidden form field in the new user form - bots will fill it, users won't.
  3. Delete users who do not respond to verification email within a reasonable timeframe.
  4. Use an RBL (Realtime Block List)
  5. Use user limitation plugins - Russel John's blog has an older post with some good starting ideas. The phpBB support site requires registration, but has a number of posts on the same topic.
If you're a forum admin, you'll have to commit to some time spent cleaning up your user list. You may also want to use a Google Alert to help monitor for spam on your site.