How to Stop Simple Machines Forum Spam
Note: See updates below. The working solution is in update 3, and it’s ridiculously simple. :D
The Code Cortex Forum has had major spam issues since it started, and I knew that it wasn’t likely that so many spam bots out there were actually figuring out the captchas. Today I finally figured out how these bots were registering so easily. I won’t say exactly what I did to stop the spam bots, since if everyone does the same thing, they’ll just adapt, but I’ll show why it’s so easy for them to register, which should be enough to see how to solve the problem.
The following is from “Sources/Register.php”:
if (!defined('SMF')) die('Hacking attempt...');
Yes, you’re reading that correctly. That is the whole check that Sources/Register.php was loaded through SMF rather than requested on its own, and it’s identical in every installation of SMF. It is paired with the following line in “index.php” (not “Sources/index.php”):
So the idea was that a spam bot gets past this by supplying that same constant, setting up a few HTTP parameters, and driving Register.php directly. That would be prevented by adding a small amount of code to index.php and a matching check in Register.php that the code you added to index.php was actually run. This is effectively what SMF was already trying to do, but since the same constant ships with every installation, a bot could just hardcode it. (As the updates below show, this didn’t hold up: a bot that submits the registration form to index.php the way a browser does never touches Sources/Register.php on its own, so the constant, unique or not, is always defined for it.)
I’d like to see someone come up with an automatic way of generating different code on each package installation/update so that I don’t have to redo this change whenever I update the forum packages. Best of luck to you all in stopping the spammers out there!
Update 1: Okay, so maybe I spoke too soon. Since the change 6 hours ago, I’ve had two spam users and one spam post, which is about average, so I suppose it didn’t help much.
Update 2: Well, I’ve got a pair of partial solutions that won’t entirely prevent spam bots from registering, but they’re a bit more crafty and much more successful. One thing I’ve got on the Code Cortex Forum is a Spam board that’s invisible until you’re logged in, and it’s the board that appears first. I’ve now modified Post.php and Profile.php so that whenever anyone tries to post on this board, instead of posting a message, their account is immediately deleted along with all posts or topics they may have made before. If you’d like the code, just comment below or send me an email (you can find my email address on http://www.neildickson.com/).
I’ve also made a little script that gets all of the email addresses and user IDs from the forum, checks them against http://www.stopforumspam.com/, and deletes any that appear there. It tends to time out if more than 30 or so accounts are being deleted, but that’s not too big of an issue if I just run it once every few weeks now that I have the automatic deletion above. Running it several times today cut down the number of forum users from over 500 to just 99.
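Both mechanisms in this update come down to the same operation, deleting an account together with everything it posted, so here is one added example that covers the trap board and the stopforumspam.com clean-up together. It is my code, not the author’s (theirs is available by email) and not SMF’s. It runs against an in-memory SQLite stand-in for the forum tables, whose names and columns are simplified assumptions rather than SMF’s real schema; the `email[]` query form and the JSON response fields follow the stopforumspam.com API documentation as I read it and should be checked against the site’s usage page before use; the member rows and the sample response are constructed so the script runs offline.

```php
<?php
// Added example, not code from the post or from SMF: one purge helper shared
// by the trap-board hook and the stopforumspam.com clean-up script.
// The schema below is a simplified stand-in for SMF's tables (assumption);
// on a real forum, wire purge_member() to SMF's own deleteMembers() or to
// its real table and column names instead.

function make_demo_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id_member INTEGER PRIMARY KEY, member_name TEXT, email_address TEXT)');
    $db->exec('CREATE TABLE topics (id_topic INTEGER PRIMARY KEY, id_board INTEGER, id_member_started INTEGER)');
    $db->exec('CREATE TABLE messages (id_msg INTEGER PRIMARY KEY, id_topic INTEGER, id_board INTEGER, id_member INTEGER)');
    // Constructed sample data: member 1 is legitimate, members 2 and 3 are spammers.
    $db->exec("INSERT INTO members VALUES (1,'neil','neil@example.org'), (2,'bot42','bot42@example.net'), (3,'cheapmeds','meds@example.net')");
    $db->exec("INSERT INTO topics VALUES (10,1,1), (11,1,2)");
    $db->exec("INSERT INTO messages VALUES (100,10,1,1), (101,11,1,2), (102,11,1,3)");
    return $db;
}

// Delete an account together with every topic it started (replies included)
// and every post it made. SMF's deleteMembers() keeps the posts and attributes
// them to "Guest"; the post's author chose to delete them outright, as here.
function purge_member(PDO $db, $id_member) {
    $db->beginTransaction();
    foreach (array(
        'DELETE FROM messages WHERE id_topic IN (SELECT id_topic FROM topics WHERE id_member_started = ?)',
        'DELETE FROM messages WHERE id_member = ?',
        'DELETE FROM topics WHERE id_member_started = ?',
        'DELETE FROM members WHERE id_member = ?',
    ) as $sql) {
        $db->prepare($sql)->execute(array($id_member));
    }
    $db->commit();
}

// Trap board: call this before a post is saved. Only logged-in accounts can
// see the board, so anything posted there came from a bot that registered
// and then fired at the first board it found.
function trap_board_check(PDO $db, $trap_board, $id_board, $id_member) {
    if ((int) $id_board !== (int) $trap_board || (int) $id_member <= 0) {
        return false;
    }
    purge_member($db, $id_member);
    return true;
}

// stopforumspam.com lookup. The API accepts several email[] parameters per
// request and returns JSON with f=json (assumption: verify the parameter
// names and limits at http://www.stopforumspam.com/usage before relying on it).
function sfs_query_url(array $emails) {
    $parts = array('f=json');
    foreach ($emails as $e) {
        $parts[] = 'email[]=' . rawurlencode($e);
    }
    return 'http://api.stopforumspam.org/api?' . implode('&', $parts);
}

// Return the emails the service reports as appearing in its database.
function sfs_flagged_emails($json) {
    $data = json_decode($json, true);
    if (!is_array($data) || empty($data['success']) || empty($data['email'])) {
        return array();   // a failed lookup means "no match", never "delete"
    }
    $entries = isset($data['email'][0]) ? $data['email'] : array($data['email']);
    $flagged = array();
    foreach ($entries as $e) {
        if (!empty($e['appears']) && isset($e['value'])) {
            $flagged[] = $e['value'];
        }
    }
    return $flagged;
}

// Delete at most $limit flagged accounts per run so the script finishes
// before the web server's time-out; run it again for the rest.
function purge_flagged(PDO $db, array $flagged_emails, $limit = 30) {
    if (empty($flagged_emails)) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($flagged_emails), '?'));
    $stmt = $db->prepare("SELECT id_member FROM members WHERE email_address IN ($placeholders) LIMIT " . (int) $limit);
    $stmt->execute(array_values($flagged_emails));
    $ids = $stmt->fetchAll(PDO::FETCH_COLUMN);
    foreach ($ids as $id) {
        purge_member($db, (int) $id);
    }
    return count($ids);
}

$db = make_demo_db();
// A bot posts to the trap board (id 1) as member 2: account, topic and posts vanish.
trap_board_check($db, 1, 1, 2);
// Constructed response in the shape the API returns for two queried addresses;
// no network request is made here (sfs_query_url() shows what would be fetched).
$sample = '{"success":1,"email":[{"value":"meds@example.net","frequency":12,"appears":1},'
        . '{"value":"neil@example.org","frequency":0,"appears":0}]}';
$n = purge_flagged($db, sfs_flagged_emails($sample));
echo $n, " account(s) purged; members remaining: ",
     $db->query('SELECT COUNT(*) FROM members')->fetchColumn(), "\n";
```

Two things to keep in mind before pointing this at a live forum: purging a spammer’s topics also removes any legitimate replies inside them, which is what “deleted along with all posts or topics” implies but may not be what you want on a busy board; and a lookup failure is treated as “not listed”, so an outage at the service never turns into a mass deletion.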
I’m still curious as to how the spam bots register in the first place, since if SMF did things properly it shouldn’t be feasible to determine the letters in a captcha from the image, page data, session info, and the fact that the forum is using SMF. However, I haven’t got time to look into this now.
Update 3: So I’ve figured out how spam bots have been getting in, and I haven’t had a single new spam bot in 2 days after changing a single character in Register.php. Near the bottom of the Register() function, it generates the code to appear in the captcha and saves it in the session data on the server. If you have it generate ANYthing different from what it would by default, the spam bots can’t get in. You could do this by switching the order of characters in $character_range, adding/removing characters in it, making the captcha a different length, or any combination thereof, plus some other stuff if you really wanted. Piece of cake, but again, I’d like a plugin to do this automatically.
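As an added example (mine, not the post’s or SMF’s code), here is the “plugin” the author asks for: the recipe above, reordering and trimming the character set and changing the length, derived from a per-installation secret so that every forum ends up with a different generator and nobody has to re-edit Register.php after each package update. It assumes a hypothetical setting `$captcha_install_secret` written once to Settings.php (which SMF keeps across upgrades), that the stock code is the 5-character loop over `$character_range` that SMF 1.1 uses near the end of Register(), and that the image renderer can draw any character in the set; `random_int()` and `random_bytes()` need PHP 7 or later.

```php
<?php
// Added example, not the post's or SMF's code. It applies the post's recipe
// (reordered, trimmed character set and a different length) but derives all
// three from a per-installation secret, so the generated code differs from
// stock SMF on every forum without hand-editing Register.php after updates.
//
// Assumptions: $captcha_install_secret is a hypothetical random string written
// once to Settings.php at install time; the stock loop is SMF 1.1's 5-character
// loop over $character_range; the image renderer can draw any character used.

function captcha_install_secret_new() {
    return bin2hex(random_bytes(16));   // run once, store the result in Settings.php
}

// Per-install character set: the stock SMF letters (no I, J, L, O, Q),
// ordered by a keyed hash and with two entries removed.
function captcha_character_range($secret) {
    $stock = array_merge(range('A', 'H'), array('K','M','N','P','R','S','T','U','V','W','X','Y','Z'));
    $ranked = array();
    foreach ($stock as $ch) {
        $ranked[$ch] = hash_hmac('sha256', 'char:' . $ch, $secret);
    }
    asort($ranked);                       // deterministic order that depends on $secret
    $range = array_keys($ranked);
    $cut = hexdec(substr(hash_hmac('sha256', 'cut', $secret), 0, 2)) % (count($range) - 1);
    array_splice($range, $cut, 2);        // drop two adjacent entries of the reordered list
    return array_values($range);
}

// Per-install length between 5 and 7 characters.
function captcha_length($secret) {
    return 5 + hexdec(substr(hash_hmac('sha256', 'len', $secret), 0, 2)) % 3;
}

// Replacement for the generation loop near the end of Register(): returns the
// string to store in $_SESSION['visual_verification_code'].
function captcha_generate_code($secret) {
    $range = captcha_character_range($secret);
    $length = captcha_length($secret);
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $range[random_int(0, count($range) - 1)];   // CSPRNG, PHP 7+
    }
    return $code;
}

$captcha_install_secret = captcha_install_secret_new();     // normally read from Settings.php
echo 'set: ', implode('', captcha_character_range($captcha_install_secret)),
     ' length: ', captcha_length($captcha_install_secret),
     ' code: ', captcha_generate_code($captcha_install_secret), "\n";
```

The secret must be the same on every request, which is why it belongs in Settings.php rather than being generated per page load. Be clear about what this buys: it only defeats bots that depend on the stock character set or length, which is exactly the population the author observed. A bot that actually reads the image will not notice the difference, so treat this as a cheap first filter, not as a stronger captcha.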