
YaBB Spam Bots

Since the beginning of May 2006, the forum on this site has been plagued by comment spam usually taking the form of a lengthy, unfunny joke or quirky news story followed by some links to online pharmacies. Whilst I want to keep the forum a relatively uncensored area, I felt that the spam would lower the usefulness of the facility and so I resolved to do something about it.

I did some research and found that lots of other YaBB users had been hit in a similar way, but the best advice from the YaBB developers was to upgrade to the latest version. Good advice, since YaBB 2.0 has lots of anti-spam features, but I have customised my installation quite a bit and didn't want to have to re-apply all those changes. My research continued...

I tried a few things:

None of these things really worked but each gave me a little bit more information to work with. It seemed that the offenders were automated software programs - probably running on innocent people's PCs that had been infected with spyware. If that really was the case, then all I had to do was change the registration procedure sufficiently to ensure that the bots would no longer work.

Now the information in this post starts to get a bit technical. I'm not about to explain how YaBB works, let alone how CGIs are supposed to function. If you're of a technical bent, then read on...


I changed the form used to register a new user so that its "action" parameter changed from "register" to "registernonspam". This had no effect whatsoever; the pesky spam bots were cleverer than I thought. The action parameter was specified in the form's action, so no amount of renaming would have any effect. Then I hit on another idea...

At the end of registration, the potential new user is presented with a set of terms and conditions, to which they must agree before being allowed to continue: I could rename this agreement and replace it with a spambot trap!

So, I renamed the radio buttons that controlled the registration agreement, and added a hidden question - "Are you a Russian spambot?" that had hidden radio buttons using the old "regagree" name. That way, when the bots answered yes to the regagree question, they would reveal themselves as spambots. Here is the relevant source:

	<B>$txt{'585'}</B> <input type=radio name="obfusticate" value="yes">
	    <B>$txt{'586'}</B> <input type=radio name="obfusticate" value="no" checked>
	<div style="display: none;"><br>Are you a Russian spam bot? <B>Yes</B> 
	<input type=radio name="regagree" value="yes">
	    <B>No</B> <input type=radio name="regagree" value="no" checked></div>

Then I had to adjust the code that would accept or deny registration:

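	# The visible agreement radios are now named "obfusticate"; a "no" sends the visitor back to the board.
	if($FORM{"obfusticate"} eq "no") {
		$yySetLocation = qq~$scripturl~;
		&redirectexit;
	}
	# Only a client that fills in the hidden "regagree" radio answers "yes" here, so treat it as a bot.
	if($FORM{"regagree"} eq "yes") {
		die "Fuck off you Russian spammer";
	}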

The full copy of my Register.pl can be downloaded here.
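
A stricter form of the server-side check, as an added example (not the author's Register.pl and not YaBB code): it treats anything other than the browser's default "no" in the hidden "regagree" field as a trap hit, and lets only an explicit "yes" in "obfusticate" continue, so a request that omits both fields is rejected too. The helper name classify_registration and the sample submissions are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Field names come from the page: "obfusticate" is the renamed, visible
# agreement radio group; "regagree" is the hidden trap keeping the old name.
# classify_registration() is a hypothetical helper, not part of YaBB.
sub classify_registration {
    my ($form) = @_;
    my $agree = defined $form->{obfusticate} ? $form->{obfusticate} : '';
    my $trap  = $form->{regagree};

    # A browser submits the pre-checked hidden radio as "no" even though it
    # is not displayed. Anything else (missing, "yes", junk) means the client
    # did not fill the form in the way a rendered page would.
    return 'bot' unless defined $trap && $trap eq 'no';

    # Allow-list the agreement: only an explicit "yes" may continue, so a
    # request that omits the field cannot slip past an eq "no" test.
    return 'declined' unless $agree eq 'yes';

    return 'ok';
}

# Constructed sample submissions (not captured traffic).
my @samples = (
    [ 'human agrees'       => { obfusticate => 'yes', regagree => 'no'  } ],
    [ 'human declines'     => { obfusticate => 'no',  regagree => 'no'  } ],
    [ 'bot ticks old name' => { regagree => 'yes' } ],
    [ 'bot sends neither'  => {} ],
    [ 'bot sets both yes'  => { obfusticate => 'yes', regagree => 'yes' } ],
);

for my $s (@samples) {
    my ($label, $form) = @$s;
    my $verdict = classify_registration($form);
    # This demo only logs trap hits to STDERR and prints the verdict.
    warn "honeypot hit: $label\n" if $verdict eq 'bot';
    printf "%-20s -> %s\n", $label, $verdict;
}
```

In a real handler, a "bot" verdict is better answered with the same redirect a declining visitor gets than with a distinctive error, so the response does not advertise the trap.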

I realise that this code is not the best in the world, but it's working so far and I've placed it here in the hope that it will help others who are struggling to deal with spam on their YaBB forums. No doubt the YaBB developers would prefer me to release this in the form of a board mod but I think it needs a certain amount of coding ability and should not be treated as a black box fix.

Let me know if this was helpful to you.

Comments

Members have left 10 comments about this page:
I found this interesting.
 
However, I don't think it's a good thing to post this solution as spammers will be interested too.  Even though it's not an overly subtle solution it's an implemented (and published) solution, so it's a lot better than someone dreaming up a way people might be trying to prevent spam registrations (if you see what I mean).
 
Of course, you might be super clever and have published this solution but not actually be using it yourself.
Posted by alex at Jun 6th, 2006, 8:29pm
I am using this solution on this site but unless it becomes accepted across the mainstream of YaBB admins, I think that it should not be a problem. When two people are being chased by a hungry tiger, you don't have to outrun the tiger to survive, just the other guy.
Posted by Andy at Jun 6th, 2006, 8:50pm
Hi Andy,  
I'm having this same problem on my Yabb board. Plus I tried all the steps you did. I'm willing to give this solution a try, but I am cgi-challenged. Do all these edits take place in the register.pl file?  
 
How exactly do they trap the bots?  
 
Many thanks,  
Sky
 

Posted by Skyblue at Jun 15th, 2006, 6:40pm
Hi Sky,
 
Yes, all of the edits do go in the register.pl file, which can be found in the yabb/Sources directory - don't forget to back-up your file before you make any edits.
 
When a bot visits your forum, it opens the registration page and looks at the registration form, filling in values for username, password and email. When it comes to a radio button called "regagree" it ticks the "Yes, I agree" button thinking that it is agreeing to the terms & conditions of the site - only to flout them later.
 
This modification renames the radio buttons for the terms and conditions so the bot would have to work much harder to find them. It also adds a new radio button called "regagree"  which asks "Are you a spambot?". The new button is invisible to normal web browsers but will be found (and ticked) by the bots.
 
Obviously, we then throw out every new user that declares itself to be a bot.
 
Hope this helps.
Posted by Andy at Jun 15th, 2006, 7:29pm
Thanks Andy,  
I edited the script and it appears to be working (I hope).
I logged out and tried to register as a new user and it let me do it without a hitch.  
 
Also, I've noticed a lot of users registering with this email account: Username@cashette.com
http://www.cashette.com/myCashette/CashetteMail/homepage.htm
 
Have you ever heard of cashette?
 
Thanks again for this wonderful piece of info. I was surprised you did not get more of a response on the Yabb forum about this solution. Will it work for the newer versions as well?  
 
Sky
Posted by Skyblue at Jun 15th, 2006, 8:44pm
Hi Sky,
 
I've not heard of cashette but a quick google shows that they appear to have caused a few problems with automated mailing lists.
 
It's good to hear that the updates seem to be working for you. I couldn't say whether these changes will work with newer versions of YaBB as I haven't upgraded - as you can tell I've made quite a few customisations ;)
 
Anyway, good luck keeping the spambots out. If they get around these measures then check back and we can work on it.
 
    Andy
Posted by Andy at Jun 16th, 2006, 10:17am
Andy,  
Well no new spam or no new bogus members!
Before I came across your solution, I was ready to move the forum (A real pain to do).
 
The forum I maintain is a neighborhood association, so everyone was up in arms over the x-rated content and links. ;)
Thanks again, I'll check back from time to time.
Very Best Regards,  
Sky
 
 
 

Posted by Skyblue at Jun 16th, 2006, 7:14pm
There is a major flaw in this system: spambots can still register. Spammers can save your page and make the spammer question visible, in which case they can mark the question as yes and continue to register.
Posted by sking2004 at Jun 30th, 2006, 3:12am
You're right, this does not make it impossible for a bot to register, it just means that the bots must be more sophisticated. At present, they are not and bot coders are unlikely to change their code just to spam my site, they'll just look for other vulnerable YaBB installations.
 
Some kind of CAPTCHA would be required to definitely prevent bots from registering, but they are not invulnerable.
 
In the end, this system works for me so I decided to publish it.
Posted by Andy at Jun 30th, 2006, 9:58am
This has proved to be quite a popular page, getting lots of hits since it was first posted. The guys over at Desc-online have tracked down the offending spam bot, written by shady, Russian mafia types.
 
 
The extremely helpful StegRock has augmented my changes with a CAPTCHA solution that looks pretty solid to me.
 
I'll keep this page updated as new information comes in.
Posted by Andy at Aug 11th, 2007, 1:17pm
Last Updated Tuesday, 06-Jun-2006 19:23:17 BST