How to Stop Simple Machines Forum Spam

Note: See updates below.  The working solution is in update 3, and it’s ridiculously simple.  :D

The Code Cortex Forum has had major spam issues since it started, and I knew that it wasn’t likely that so many spam bots out there were actually figuring out the captchas.  Today I finally figured out how these bots were registering so easily.  I won’t say exactly what I did to stop the spam bots, since if everyone does the same thing, they’ll just adapt, but I’ll show why it’s so easy for them to register, which should be enough to see how to solve the problem.

The following is from “Sources/Register.php”:

if (!defined('SMF'))
	die('Hacking attempt...');

Yes, you’re reading that correctly.  That’s all that’s done to check whether or not it’s Simple Machines Forum (SMF) doing the registration, and it’s the same in all installations of SMF.  This is paired with the following line in “index.php” (not “Sources/index.php”):

define('SMF', 1);

So, in order for a spam bot to register a user, all it does is run that line, set up some HTTP parameters, and then run the Register.php file on your forum.  This can be prevented by adding a small amount of code to your index.php, and a small amount of code to Register.php that checks that the code you added to index.php was run.  This is effectively what SMF was trying to do, but they have the same piece of code for every installation, so the spam bots can just hardcode that and continue undeterred.

I’d like to see someone come up with an automatic way of generating different code on each package installation/update so that I don’t have to redo this change whenever I update the forum packages.  Best of luck to you all in stopping the spammers out there!  :)

Update:

Okay, so maybe I spoke too soon.  Since the change 6 hours ago, I’ve had two spam users and one spam post, which is about average, so I suppose it didn’t help much.  :(

Update 2:

Well, they won’t entirely prevent spam bots from registering, but I’ve got a pair of partial solutions that are a bit more crafty and much more successful.  One thing I’ve got on the Code Cortex Forum is a Spam board that’s invisible until you’re logged in, and it’s the board that appears first.  I’ve now modified Post.php and Profile.php so that whenever anyone tries to post on this board, instead of posting a message, their account is immediately deleted along with all posts or topics they may have made before.  If you’d like the code, just comment below or send me an email (you can find my email address on http://www.neildickson.com/).

I’ve also made a little script that gets all of the email addresses and user IDs from the forum, checks them against http://www.stopforumspam.com/, and deletes any that appear there.  It tends to time out if more than 30 or so accounts are being deleted, but that’s not too big of an issue if I just run it once every few weeks now that I have the automatic deletion above.  Running it several times today cut down the number of forum users from over 500 to just 99.

I’m still curious as to how the spam bots register in the first place, since if SMF did things properly it shouldn’t be feasible to determine the letters in a captcha from the image, page data, session info, and the fact that the forum is using SMF.  However, I haven’t got time to look into this now.

Update 3:

So I’ve figured out how spam bots have been getting in, and I haven’t had a single new spam bot in 2 days after changing a single character in Register.php.  Near the bottom of the Register() function, it generates the code to appear in the captcha and saves it in the session data on the server.  If you have it generate ANYthing different from what it would by default, the spam bots can’t get in.  You could do this by switching the order of characters in $character_range, adding/removing characters in it, making the captcha a different length, or any combination thereof, plus some other stuff if you really wanted.  Piece of cake, but again, I’d like a plugin to do this automatically. :D
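The change described in Update 3, written up as an added example rather than SMF's own code: the captcha alphabet and length become a per-installation value that a one-off generator produces, so every forum ends up with a different $character_range without hand-editing the literal each time the package is updated. The Settings.php location, the $captcha_* variable names and the $_SESSION key are assumptions, and the alphabet shown is a constructed sample.

```php
<?php
// Added example (not SMF's own code). It shows the Update 3 change as a
// per-installation setting rather than a hand edit of the literal in
// Sources/Register.php. Names marked "assumed" are not taken from SMF.

// One-off generator: run once per install and paste the output into
// Settings.php (assumed location for the value). It starts from a base set
// with look-alike glyphs (0/O, 1/I/l) removed, shuffles it, and drops a few
// characters so the alphabet differs from the stock one in content, not
// just in order.
function make_install_alphabet($keep = 18)
{
	$base = str_split('ABCDEFGHJKLMNPQRSTUVWXYZ23456789');
	shuffle($base);                       // order differs per install
	return implode('', array_slice($base, 0, $keep));
}

// In Settings.php (constructed sample value; generate your own):
$captcha_alphabet = 'NRT4WVAHUC83KM7XPY2';
$captcha_length   = 6;                    // stock length is 5 (assumed)

// In Register(), replacing the fixed $character_range and its loop.
// $_SESSION['visual_verification_code'] is assumed to be the key the stock
// code uses for the expected answer; keep whatever key your version uses.
function generate_verification_code($alphabet, $length)
{
	// Refuse to run with a missing or tiny alphabet: a forum that silently
	// falls back to a predictable code is worse than one that errors.
	if (!is_string($alphabet) || strlen($alphabet) < 8 || $length < 4)
		die('Captcha settings missing or too weak.');

	$character_range = str_split($alphabet);
	$code = '';
	for ($i = 0; $i < $length; $i++)
		$code .= $character_range[mt_rand(0, count($character_range) - 1)];
	return $code;
}

$_SESSION['visual_verification_code'] = generate_verification_code($captcha_alphabet, $captcha_length);
```

Only keep characters that the forum's captcha image renderer can actually draw legibly, and look at a few generated images after the change before relying on it.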


~ by Neil Dickson on April 4, 2009.

12 Responses to “How to Stop Simple Machines Forum Spam”

  1. Trying Update 3. Hopefully it would work.

  2. Hopefully it works as well for you as it has for me and a few other people who’ve talked to me about it. I still get the occasional spammer, but I can weed them out manually at my leisure with the help of http://www.stopforumspam.com/ instead of having to clear it out every day. :)

  3. I literally just opened a forum this morning and already got two spam posts. I tried your solution by changing the array in the Register.php – hopefully it works. Thanks for the post.

  4. I just tried something that may or may not help. It would mean your site would have to be “registered members” only. I turned off all “guest” functions, and the spam has subsided.

    I only did this a few minutes ago, so not sure yet – but I was getting constant spam before.

    There must be a way that the spammers use “reply” function to get their crap out there.

  5. I was able to stop forum spam by installing a simple math verification tool found on the SMF web site. Works very well, no bots ever are able to register, but they are always there trying to. Failure bots!

  6. Thank you very much for these tools and suggestions to stop spam bots with SMF. I will implement all of them. I have also found something quite interesting with these spam bots. The majority of these spam bots that have been attempting to infiltrate our forums are using the following host servers: rdns.ubiquityservers.com, BE-OVH xninet.com, dynamicIP.rima-tde.net, kimsufi.com, and bb.netvision.net.il

    I have found a most useful free IP and hostserver lookup tool that will give you all the possible IP and server information to enable you to report these spam bots: http://cqcounter.com

    In addition, I have discovered that the majority of these spam bots are using Google’s Gmail server for the email listing in their registration attempts. Here is the url for Google’s account abuse report form:

    http://mail.google.com/support/bin/request.py?hl=en&contact_type=abuse

    Hopefully, this information will be useful to you too. May honor always know your deeds well!

  7. Thx for information.

  8. Hi Neil,
    I’d like to tell you about a new CAPTCHA alternative to check out. We all know we need CAPTCHAs to stop spammers from abusing our sites. We also know that users hate typing out twisty letters or ad phrases. Automated spam filters make mistakes and require constant checking. FunCaptcha presents a mini-game that blocks the bots while giving your users a few moments of fun. It’s a real security solution hardened by experts and automatically updated to provide the best protection. Try a demo on our site! http://swipeads.co

    Users complete our FunCaptcha faster than other CAPTCHAs, with fewer frustrating failures and no typing. They work on all browsers and mobile devices, using HTML5 with a fallback to Flash. Visually impaired users can complete an audio challenge. We have several ways to deploy (http://swipeads.co/setup/), including PHP and a WordPress plugin (http://wordpress.org/extend/plugins/funcaptcha/)

    If you get in on the ground floor now, you can be first in line to start earning money with upcoming FunCaptchas that integrate advertising. They will require no typing or extra time, and remain as secure as ever.

    Learn more, give feedback, and ask questions at our website. Our epic battle against bots doesn’t have to be a headache. Let’s fight while having some fun!

    Thanks,

    Chris Macaulay

    info@swipeads.co

  9. I’m trying to cut down spam on my version of SMF but it’s a lot newer. Any of these methods still work for you? Thanks!

    • Unfortunately, this post became a bit self-defeating, in that the spambot writers started using my forum as a testing ground, so once they started, it didn’t take very long before none of this worked. Alas.

      • Hey guys,

        I’m the dev behind funcaptcha.co – I suspect it’d be pretty easy to implement FunCaptcha into the form if this register.php is the main CAPTCHA output method. All you need to do is include the funcaptcha.php library and check against it.

      • Thanks for the reply, Neil! That’s unsettling news, but I appreciate you taking the time to respond.

        Kevin, thanks for the input. I will try that if/when I have further problems.

        I actually have the spam under control for the time being. For registration, I’m using a combination of the “Extreme” captcha setting and a simple verification question. The problem I had before was I forgot to set the “Number of verification questions user must answer” textbox to “1”, so it wasn’t being used.
