
phpBB

Publish date 03/11/2008

If you have installed phpBB on your site and you notice that you get spammed a lot (and this will happen, trust me), there are some steps you can take that make it a bit harder for spammers and spam bots.
Yes, believe it or not, most spam posts are made by bots and not by humans.

This is written for phpBB 3.0.1, but it should work for all 3.x.x versions, and most tips also apply to phpBB 2.x.

Register

First of all, everyone should register before they are allowed to post.
So don't allow guests to post; give them "Read only access" only.
You can set this in:
Users and groups > Groups > Groups' forum permissions
  > Look up usergroup: select "Guests" - submit
  > Select a forum: mark "all forums" - submit
And here select "Read only access" for each forum.
You can also select "No access" if you want the content of the forum to be viewed by registered users only.

To make it more difficult for bots to register, make sure they need to reply to a confirmation mail.
This can be done by setting the "Account activation" in
General > Board configuration > User registration settings.
This eliminates those registering with a fake email address.
You can set confirmation to "By User" or "By Admin":

  • By User: the user has to confirm by clicking on a link they get by email.
  • By Admin: the administrator must authorize each user.

In the same section you can also set "Allow e-mail address re-use".
By default it is set to "No", and you should leave it this way.
There is no reason why anyone should have two accounts.

It is also a good idea to keep the following settings at their defaults:

  • "Enable visual confirmation for registration" default: Yes
    When set to Yes, new users must correctly fill in the code of a CAPTCHA.
    This prevents mass registrations.
  • "Maximum number of login attempts" default: 3
    After 3 failed logins, a user must also fill in the code of a CAPTCHA.
    This prevents the brute-forcing of accounts.
  • "Registration attempts" default: 5
    Number of attempts users can make at the confirmation code before being locked out for that session.

The CAPTCHA can also be set in
General > Board configuration > Visual confirmation settings

The setting "Check e-mail for valid MX record",
in General > Server Configuration > Security settings,
is "Yes" by default and should be left at "Yes".
It checks only that the domain name is valid, not the email address on its own, but this already eliminates some cheaters.

You can also set "Check IP against DNS Blackhole list"
in General > Server Configuration > Security settings.
This setting checks whether the IP is listed as a known spammer.
But this can slow your server down. I don't recommend it.
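
To make clear what the two DNS-based checks above actually look at, here is an added example in Python (not phpBB's own PHP code). It re-implements the MX record check and the DNS blackhole list lookup with a pluggable resolver, so it runs offline; the domain names, the IP addresses, the zone "dnsbl.example" and all DNS answers are constructed for the demonstration.

```python
import re
from typing import Callable, List

# A resolver maps (name, record type) to the list of answers; [] means the
# name does not resolve. Injecting it keeps the example offline.
Resolver = Callable[[str, str], List[str]]

# Constructed DNS data that stands in for real lookups in this example.
FAKE_DNS = {
    ("mail-provider.example", "MX"): ["10 mx.mail-provider.example"],
    ("no-mail.example", "MX"): [],
    # 203.0.113.9 written octet-reversed under the constructed DNSBL zone.
    ("9.113.0.203.dnsbl.example", "A"): ["127.0.0.2"],
}

def fake_resolver(name: str, rtype: str) -> List[str]:
    return FAKE_DNS.get((name, rtype), [])

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

def email_domain_has_mx(email: str, resolve: Resolver = fake_resolver) -> bool:
    """The 'check e-mail for valid MX record' idea: only the domain after '@'
    is looked up, so a non-existent mailbox at a real mail domain still
    passes. That is exactly the limitation the text points out."""
    match = EMAIL_RE.match(email)
    if not match:
        return False
    return len(resolve(match.group(1).lower(), "MX")) > 0

def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBLs are queried by reversing the IPv4 octets under the list's zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def ip_is_listed(ip: str, zone: str = "dnsbl.example",
                 resolve: Resolver = fake_resolver) -> bool:
    """Any A record under the zone means 'listed'. Each call is a network
    round-trip on the registration path, which is the slowdown the text
    warns about."""
    return len(resolve(dnsbl_query_name(ip, zone), "A")) > 0

if __name__ == "__main__":
    for addr in ("alice@mail-provider.example", "nobody@mail-provider.example",
                 "bob@no-mail.example", "not-an-address"):
        print(f"{addr}: {'MX ok' if email_domain_has_mx(addr) else 'rejected'}")
    for ip in ("203.0.113.9", "198.51.100.4"):
        print(f"{ip}: {'listed' if ip_is_listed(ip) else 'clean'}")
```

Note that "nobody@mail-provider.example" passes the MX check just like "alice@..." does: the check only proves the domain can receive mail, which is why the text calls it a partial filter.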


Posting

In General > Board configuration > Post settings
you can set "Flood interval".
This is the time a user must wait between posting two messages.
The default is 15 seconds, which should be enough.

In the same section you can also set "Maximum links per post".
Set it to a reasonable number such as 5, unless the topic of your board requires lots of URLs to be posted.
Spammers usually post lots of URLs to lure users to their sites.

You can also limit the number of links in a user's signature:
"Maximum signature links" in
General > Board configuration > Signature settings
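
The flood interval and the link limit are both simple checks on the post itself. The following is an added example in Python of what those two checks amount to; it is not phpBB's own code, the values 15 and 5 are taken from the text, and the sample posts are constructed.

```python
import re

FLOOD_INTERVAL = 15  # seconds; the default the text names
MAX_POST_URLS = 5    # the limit the text suggests

# One [url]...[/url] or [url=...]...[/url] BBCode tag is one link.
BBCODE_URL_RE = re.compile(r"\[url(?:=[^\]]*)?\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)
# Bare http(s) URLs in plain text count as well.
BARE_URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def count_links(message: str) -> int:
    """Count BBCode url tags first, remove them, then count bare URLs in
    what is left, so a [url=http://...] tag is not counted twice."""
    tagged = len(BBCODE_URL_RE.findall(message))
    remainder = BBCODE_URL_RE.sub(" ", message)
    return tagged + len(BARE_URL_RE.findall(remainder))

def flood_wait(last_post_time: float, now: float, interval: int = FLOOD_INTERVAL) -> float:
    """Seconds the user must still wait; 0 means the post may go through."""
    return max(0.0, interval - (now - last_post_time))

def check_post(message: str, last_post_time: float, now: float,
               interval: int = FLOOD_INTERVAL, limit: int = MAX_POST_URLS) -> list:
    """Return the reasons a post would be rejected (empty list = accepted)."""
    reasons = []
    wait = flood_wait(last_post_time, now, interval)
    if wait > 0:
        reasons.append(f"flood control: wait {wait:.0f} more seconds")
    links = count_links(message)
    if links > limit:
        reasons.append(f"too many links: {links} > {limit}")
    return reasons

if __name__ == "__main__":
    # Constructed sample posts: a normal reply and a typical link-stuffed spam post.
    normal = "see [url=http://a.example/x]this page[/url] and http://b.example"
    spam = " ".join(f"http://shop{i}.example/buy" for i in range(6))
    print(check_post(normal, last_post_time=100.0, now=120.0))
    print(check_post(spam, last_post_time=100.0, now=105.0))
```

A bot that fires six link-filled posts within a few seconds trips both rules at once, while a normal reply with a couple of links posted a minute later trips neither.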


Disallow certain user names

In Users and Groups > User security > Disallow usernames
you can make sure users cannot use certain words as (part of) their username.

For example, you can add "bad_word".
Then no user can name themselves "bad_word", but "bad_word_1" is still possible.
So it is better to set "*bad_word*".
Now they can use neither "bad_word" nor "bad_word_1" nor "my_bad_word_5".


Disallow words

You will notice that some users are not so polite in their posts.
So it is not a bad idea to hide some words, so as not to offend other visitors of your forum.
This can be done by adding those words to the list in:
Posting > Messages > Word censoring
If you click on "Add new word" you can enter two fields:

  • Word: the word that you want to replace.
    Example: bad_word
  • Replacement: the replacement word.
    Example: Nice word

As with the usernames, you can add * so the word is also caught as part of another word.
Example: *bad_word* covers bad_word, reallybad_word and badwords.
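
The disallowed-usernames list and the word censor both use the same "*" wildcard, so one added example in Python (a simplified re-implementation, not phpBB's own matching code) serves both sections above. It turns a pattern into a regular expression, matches the whole username in one case and whole words inside a post in the other; the lists, usernames and posts are constructed.

```python
import re

def wildcard_to_regex(pattern: str) -> str:
    # Escape everything, then turn the escaped '*' back into 'any run of
    # non-space characters' so the wildcard cannot jump across words.
    return re.escape(pattern).replace(r"\*", r"\S*")

def username_disallowed(username: str, disallowed: list) -> bool:
    """A disallowed pattern must match the whole username (anchored).
    'bad_word' alone therefore rejects only that exact name, while
    '*bad_word*' also rejects 'bad_word_1' and 'my_bad_word_5'."""
    return any(re.fullmatch(wildcard_to_regex(p), username, re.IGNORECASE)
               for p in disallowed)

def censor(text: str, words: dict) -> str:
    """Replace each censored word with its replacement. The match is
    bounded by whitespace, so a pattern without '*' only hits the word
    standing on its own, while '*bad_word*' also hits 'reallybad_word'."""
    for pattern, replacement in words.items():
        regex = r"(?<!\S)" + wildcard_to_regex(pattern) + r"(?!\S)"
        text = re.sub(regex, replacement, text, flags=re.IGNORECASE)
    return text

if __name__ == "__main__":
    # Constructed lists mirroring the examples in the text.
    disallowed = ["*bad_word*"]
    censored = {"*bad_word*": "Nice word"}
    for name in ("bad_word", "bad_word_1", "my_bad_word_5", "friendly"):
        print(f"{name}: {'rejected' if username_disallowed(name, disallowed) else 'allowed'}")
    print(censor("that is a bad_word and reallybad_word", censored))
```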


Banning

If there are users that really go out of line, you can ban them.
Banning is denying them access to the forum, for a few hours, a week, or for all eternity.
There are 3 possible ways to do this:

  • Ban by username: if a user is registered, you can ban him by his username.
  • Ban by email: you can also ban by email. It doesn't have to be a specific email address; it can be an entire domain.
  • Ban by IP: if users are really persistent, you can ban their IP. You can even ban entire ranges. Be careful with this though; you might block more people than you want to.
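
The warning about IP ranges is easiest to see with numbers. Below is an added example in Python, not phpBB's code, that evaluates the three ban types against a visitor and reports how many addresses an IP ban covers. The ban syntax used here (a "*" wildcard in usernames and e-mail addresses, trailing "*" octets or CIDR notation for IPs) is my own simplification, and the ban list, names and addresses are constructed.

```python
import ipaddress
import re

def _wildcard(pattern: str) -> str:
    return re.escape(pattern).replace(r"\*", r".*")

def ip_ban_network(ban_ip: str) -> ipaddress.IPv4Network:
    """Turn '203.0.113.*' style or CIDR bans into a network object.
    Wildcard octets must be trailing: '203.0.*.*' is fine, '203.*.113.*' is not."""
    if "*" in ban_ip:
        octets = ban_ip.split(".")
        if len(octets) != 4:
            raise ValueError(f"bad IP ban: {ban_ip!r}")
        fixed = [o for o in octets if o != "*"]
        if octets[:len(fixed)] != fixed:
            raise ValueError(f"wildcards must be trailing: {ban_ip!r}")
        prefix = 8 * len(fixed)
        addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return ipaddress.IPv4Network(f"{addr}/{prefix}")
    return ipaddress.IPv4Network(ban_ip, strict=False)

def addresses_covered(ban_ip: str) -> int:
    """How many visitors' addresses one IP ban entry locks out."""
    return ip_ban_network(ban_ip).num_addresses

def is_banned(username: str, email: str, ip: str, bans: dict):
    """Return the ban rule that matches this visitor, or None."""
    for p in bans.get("users", []):
        if re.fullmatch(_wildcard(p), username, re.IGNORECASE):
            return f"user:{p}"
    for p in bans.get("emails", []):
        if re.fullmatch(_wildcard(p), email, re.IGNORECASE):
            return f"email:{p}"
    addr = ipaddress.IPv4Address(ip)
    for p in bans.get("ips", []):
        if addr in ip_ban_network(p):
            return f"ip:{p}"
    return None

# Constructed ban list for the demonstration.
BANS = {
    "users": ["spam*"],
    "emails": ["*@spam-domain.example"],
    "ips": ["203.0.113.*"],
}

if __name__ == "__main__":
    for entry in ("203.0.113.9", "203.0.113.*", "203.0.*.*"):
        print(f"{entry} locks out {addresses_covered(entry)} addresses")
    print(is_banned("spammer42", "x@ok.example", "198.51.100.7", BANS))
    print(is_banned("bob", "bob@ok.example", "203.0.113.200", BANS))
    print(is_banned("carol", "carol@ok.example", "198.51.100.7", BANS))
```

Going from a single address to "203.0.113.*" already locks out 256 addresses, and "203.0.*.*" locks out 65,536; on shared or dynamic address space most of those belong to people who never posted anything.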


It is also important to set "Hide e-mail addresses" (General > Client communication > E-mail settings)
so your users' email addresses can't be harvested and they don't get spammed.


In cooperation with SecurityHome.eu
