
#1 2010-04-29 23:40:39

Kharel
Member
Registered: 2010-04-29
Posts: 2

Simple, DIY antispam--WITHOUT a CAPTCHA!

CAPTCHA systems, as we all know, are a bit of a pain, both for us and for users. Plus, 'bots are getting so intelligent these days that many of them can solve image-based CAPTCHAs more reliably than humans! With this in mind, I decided to enhance my installation of FluxBB with a few anti-spam techniques I've used in the past and found to be extremely effective. These anti-spam methods are designed to be completely transparent to the user, yet still deal with the vast majority of automated spambots.

Spambots come in several varieties, but most of them use one of two techniques:

1. Some 'bots fill out any form they come across--usually by reading the HTML source of the form's page, finding the names of input fields and the location to which the form submits data, and submitting a request containing spammy data to the form processor that looks like it came from the form.

2. Other 'bots rely on an initial human submission--a human working with the 'bot submits the form and captures the names of the fields that are submitted, as well as the submission values. The human (often someone hired from a very low-income country at a minimal rate of pay to find and prepare such submissions specifically for the spammer) then adds the information to a place where a spambot can find and use it. The 'bot then looks at the data, finds the URL to which the data is to be submitted, modifies the values in any message boxes to include the spam message, and submits the data to the form processor.


Armed with this information, it's possible to modify almost any form to automatically reject the vast majority of spam that's passed through it. I've created two sets of modifications that, when performed, should be successful in preventing spambots from posting. Note that this will not prevent them from registering, just from posting anything.

Noted below are the changes, the concepts behind them, the files to be modified, and the line numbers of the code that should be modified (using 1.22).




Change 1: "Honeypot" field
The idea here is to add a normal-looking form field in the HTML that the user will never see, due to a CSS rule. Since spambots look at the HTML content and rarely any external CSS styles, any 'bot that trolls through looking for a form to submit will see the nice juicy "message" box first and fill it out. Since this box is invisible to any user with a normal web browser, we know that if this form field is filled out it's almost certainly a spambot.

/style/imports/base.css
Add the following rule: .sp { display: none; }

/viewtopic.php
372: Add the following BEFORE the existing textarea element: <textarea name="message" rows="7" class="sp" cols="75"></textarea>

/post.php
494: Copy entire textarea element and paste it BEFORE the existing textarea element (there should be two textareas, complete with all PHP code)
494: Change the name attribute in the copied textarea element to "message" and add CSS reference: <textarea name="message" class="sp" ...
29: Add the following block of code:
if ( isset( $_POST['message'] ) && strlen( $_POST['message'] ) > 0 )
    die();




Change 2: Session verification
With this method, we insert the current time into a hidden field. If the form data is saved and spit back later with a spambot, we'll recognize that the form is too old and discard it, as the submission is most likely spam. In this case we're using 3 hours as the cutoff time; this can be changed to suit your needs. Even one day will block many spam submissions.

/viewtopic.php
371: Add the following: <input type="hidden" name="tm" value="<?php echo time() ?>" />

/post.php
478: Add the following: <input type="hidden" name="tm" value="<?php echo time() ?>" />
29: Add the following block of code:
if ( isset( $_POST['req_message'] ) && ( !isset( $_POST['tm'] ) || intval( $_POST['tm'] ) <= time() - 60 * 60 * 3 ) )
    die();

Last edited by Kharel (2010-04-30 02:24:54)

Offline
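
Both changes from the post above combined into one server-side check, as an added example that is not part of the original post or of FluxBB. The hidden `tm` value carries an HMAC so its age can be verified without sessions and a client cannot swap in a fresh timestamp. `FORM_SECRET`, `issue_form_token()` and `rejection_reason()` are hypothetical names, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not FluxBB code. FORM_SECRET, issue_form_token() and
// rejection_reason() are hypothetical; field names follow the post above.
const FORM_SECRET = 'replace-with-a-long-random-server-side-value'; // placeholder
const MAX_FORM_AGE = 3 * 60 * 60; // same 3-hour cutoff as the post

// Value for the hidden "tm" field: "<timestamp>.<hmac of timestamp>".
function issue_form_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

// Returns why a submission should be dropped, or null if it passes.
function rejection_reason(array $post, int $now): ?string
{
    // Change 1: the CSS-hidden honeypot textarea must come back empty.
    if (isset($post['message']) && strlen((string) $post['message']) > 0) {
        return 'honeypot filled';
    }
    if (!isset($post['req_message'])) {
        return null; // not a post submission, nothing more to check
    }
    // Change 2: the timestamp must be present, authentic and recent.
    $parts = explode('.', (string) ($post['tm'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'timestamp missing or malformed';
    }
    [$ts, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $ts, FORM_SECRET), $mac)) {
        return 'timestamp signature invalid';
    }
    $age = $now - (int) $ts;
    if ($age < 0 || $age >= MAX_FORM_AGE) {
        return 'form too old';
    }
    return null;
}

// Constructed sample submissions, one per outcome.
$now = time();
$samples = [
    'human'     => ['req_message' => 'hi', 'message' => '', 'tm' => issue_form_token($now - 60)],
    'honeypot'  => ['req_message' => 'x', 'message' => 'spam', 'tm' => issue_form_token($now)],
    'replayed'  => ['req_message' => 'x', 'message' => '', 'tm' => issue_form_token($now - 4 * 3600)],
    'unsigned'  => ['req_message' => 'x', 'message' => '', 'tm' => (string) $now],
];
foreach ($samples as $label => $post) {
    printf("%-9s %s\n", $label, rejection_reason($post, $now) ?? 'accepted');
}
```

In the form template, `issue_form_token(time())` would replace the bare `time()` in the hidden `tm` input.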

#2 2010-04-30 00:34:54

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,674
Website

Re: Simple, DIY antispam--WITHOUT a CAPTCHA!

Uhm... FluxBB doesn't use sessions, so the second example won't work.

Nonetheless: We just opened up our brand-new modification repository. Why don't you package up your mod and release it there?


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#3 2010-04-30 02:17:00

Kharel
Member
Registered: 2010-04-29
Posts: 2

Re: Simple, DIY antispam--WITHOUT a CAPTCHA!

Sorry about that--this was my first time tinkering with FluxBB. Every other forum system I've modified in the past has used sessions; I just assumed that the value I was getting from md5( session_id() ) was valid. I'll modify the above snippets to work around this. Thanks!

Edit: There doesn't seem to be much of any documentation that I could find about packaging FluxBB 1.2 modifications. Am I missing something?

Last edited by Kharel (2010-04-30 02:23:01)

Offline

#4 2010-04-30 06:24:17

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,674
Website

Re: Simple, DIY antispam--WITHOUT a CAPTCHA!

We're working on putting them together, true. Sorry about that, you'll have to wait just a little.



Offline

#5 2010-04-30 10:06:16

sirena
Member
From: AU
Registered: 2008-05-10
Posts: 172

Re: Simple, DIY antispam--WITHOUT a CAPTCHA!

Kharel, just for info you may also like to examine some of the previous work on the subject of CAPTCHA-less anti-spambot measures - by Jacky and others - eg:

http://fluxbb.org/forums/viewtopic.php?id=3051

They provide some good approaches and ideas.

Offline
