Preventing robots from posting on a phpBB forum is easy enough if your prospective users are content to wait for an administrator to moderate the registration, but that isn’t going to suit everybody.
Requiring moderation on the part of the administrator is also a pain for the administrator, who has to deal with the registration emails and decide who is a real person and who is not.
I came across this problem for http://www.planningmatters.ie/pmbb
When you first become aware of the problem, your impulse reaction is to head off to Google for a tried and tested solution, but the problem is that once a solution gains any currency, the robot authors figure it out and you’re back to square one again.
My first solution was to edit the email that is sent to users awaiting activation, asking them to forward that email back to me to confirm they were a real person. I also set up a cron job to run an SQL script to delete non-activated users from the database, deeming any user who had not been activated 7 days after initial registration to be a robotic user.
This isn’t ideal in that it requires an extra step for users, but it does mean that real users get through, and that your database is kept in shape.
However, I was still getting floods of email from attempted robotic registrations, so I set about editing the registration script (includes/usercp_register.php).
This script processes registrations based on whether or not the user has agreed to the disclaimer on the primary registration page. I set an extra PHP $_GET variable as part of the disclaimer agreement, and amended the later part of the script to check for that variable before processing the registration. I also set the extra variable equal to date("DG"), which means that the variable changes every hour. You can see this by examining the disclaimer links here:
The fact that the extra variable is not part of the standard phpBB install will ward off a lot of dumber robots, and the fact that it changes will ward off some smarter ones too. However, there are still a lot of robots out there that are clever enough to detect the verification method, so I was still getting some SPAM registrations.
To clear off the final few robots I knew I was going to have to involve the intellect of real users, in that this is probably the only thing that robots can’t replicate. Hence, I decided to add a really simple, but real, question to the registration page. To do this I edited the following file under the default template:
I inserted the following extra lines of HTML underneath the Visual Confirmation section:
<td class="row1"><span class="gen">What is the day today?</span><br /><span class="gensmall">We ask this question to prevent SPAM registrations. SPAM robots won’t know the answer.</span></td>
<td class="row2"><input type="text" class="post" style="width: 200px" name="day_today" size="6" value="" /></td>
This adds the following question to the registration form:
“What is the day today?”
The answer to which 99.999% of real users on the forum will know.
To check the answer, I then added an extra line to the top of the main registration script:
The line I added is:
if (isset($HTTP_POST_VARS['day_today']) and strtolower($HTTP_POST_VARS['day_today']) != strtolower(date("l"))) die();
This ensures that, whenever the day_today field is submitted, the answer matches the day name produced by the date() function (case-insensitive); if it does not, the script dies. A request that omits the field skips the check because of the isset() test.
Previous to adding this, and even with the other changes, I was getting about 20 robot registrations per day. After adding this, it dropped to about 10 per day, so there was still some work to do.
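A hardened take on the two checks described above (the hourly $_GET token and the day-of-week question), as an added example that is not code from the original post. It assumes PHP 7 or later; REG_SECRET and the function names are hypothetical.

```php
<?php
// Added example, not from the original post. REG_SECRET is a hypothetical
// per-site secret: generate a random value and keep it out of the web root.
const REG_SECRET = 'replace-with-a-long-random-secret';

// Token for the disclaimer link: an HMAC over the hour bucket instead of the
// guessable date("DG") string, so it cannot be computed without the secret.
function reg_token(int $now, int $hoursAgo = 0): string
{
    $bucket = intdiv($now, 3600) - $hoursAgo;
    return hash_hmac('sha256', 'register|' . $bucket, REG_SECRET);
}

// Accept the current and the previous hour, so a visitor who loads the
// disclaimer at 13:59 and agrees at 14:00 is not rejected at the boundary.
function reg_token_valid($supplied, int $now): bool
{
    if (!is_string($supplied)) {
        return false; // missing, or sent as an array (?token[]=x)
    }
    return hash_equals(reg_token($now), $supplied)
        || hash_equals(reg_token($now, 1), $supplied);
}

// Day-of-week question: a missing field fails the check instead of skipping
// it, and surrounding whitespace in the answer is ignored.
function day_answer_valid($answer, int $now): bool
{
    return is_string($answer)
        && strtolower(trim($answer)) === strtolower(date('l', $now));
}

// Constructed inputs with a fixed timestamp (any Unix time works).
$now = 1700000000;
var_dump(reg_token_valid(reg_token($now - 3600), $now));        // token issued last hour
var_dump(reg_token_valid(date('DG', $now), $now));              // old-style guessable value
var_dump(day_answer_valid(null, $now));                         // field omitted
var_dump(day_answer_valid(' ' . date('l', $now) . ' ', $now));  // correct day, padded
```

The day comparison uses the server's time zone, as the original check does, so visitors far from that zone may see a different day around midnight.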
Finally, Occam's Razor came to the rescue. I found out that the robots trawl for the "profile.php" script and the "mode=register" URI, so I set about trying to change these.
They need to be changed in:
(remembering of course to rename the file profile.php too)
I changed mine to:
profile.php -> pmatters.php
mode=register -> mode=signupuser
Now, FINALLY, I have stopped getting robotic registrations!!