Elegant anti-spam solution

I wanted to keep my minibb forum open for non-registered users but shortly I was plagued by tuns of spam. And I found much easier and elegant solution than ugly CAPTCHA.

Just add this code to the main_post_form.html template - somewhere under "postText" textarea:

<noscript><p>Anti SPAM protection, fill in this field with text &quot;nospam&quot;: <input name="chckforspm" size="6" /></p></noscript>
<script type="text/javascript">
document.write('<input type="hidden" name="chckforspm" value="no' + 'spam" />');
</script>

Users with enabled javascript will see form without a change. Users with disabled javascrit will have to fill word "nospam" to the new field. Robots that generate SPAM can not work with javascript, they also don't know what word to fill in.

Of course you can use any other word than nospam.

Step two:

Just add this code on beggining of index.php

if ($action=='ptopic') {
if ($chckforspm!="nospam") { echo "Anti-spam check failed! Click Back and fill in word &quot;nospam&quot;!"; die;}
}

And that's it... You can also include script or function to handle anti-spam check.

I don't know why you think the Captcha is not elegant - you can easily adjust the colors, look etc to your own website... :)

Tastes differ, tom322. :-) (I do not mind CAPTCHA.) Thanks to Risa for offering an alternative anti-spam solution.
- mb

Did you check it how it's working? I might use it on another unrelated website if it's working good ;).

Actually, I think it's working good. But the problem is - the spammers will know what "keyword" to use to continue spamming (unless you change the keyword often....).

Risa
If it would be so easy, Captcha never was invented.

I can easily crack your code and write a function, which bypasses it like it would be a human. Your suggestion means nothing in automated spam programs world.

The POST string which such kind of program needs to pass, may look something like that:

?action==ptopic&postMsg=postMsg_text&topicTitle=topic_title_text&chckforspm=nospam

Knowing secret phrase program needs to verify, and URL variable under which it needs to be passed, there's nothing genious to work around this.

By the way, the second mistake in your code is that it will work only when PHP's setting register_globals is set to ON. It should use $_POST array. In most common configurations nowadays, register_globals is set to OFF. But this doesn't really matter, because your solution is weak, anyway.

Most common Captcha solutions, including our own, are working different way. Secret phrase can not be read from source code, but is stored in a session. That way automated programs have no chances to read it and emulate it. This is still the only one way to fight automatic spam.

it doesnt work. if you have java script enabled, you see no difference. if you disable it you can see a form. even if i post a message with not filling it in, the post appears. 10 minutes after i changed the code as you said i had 3 spam messages...

I tried this with simply a hidden form variable, but that didn't work, I had to get javascript to set a variable inside the SESSION and put that same variable as visible on the web page. Then, when the form was submitted, the submitted value is compared to what was in the session. This works around the spam engines because the variable the form needs to send changes every time and it's not possible to read a "gif" file (mine didn't use the gif, it especially makes random numbers in a string a red color font, but the spam engines aren't that smart.)

To fix the javascript she is using, she can generate a random string using php or javascript, and then encode it like I do, and then check it against the SESSION variable content like I do.

Guys,

until the value you need to insert as verifycation code, is somewhere visible in the source of the page, it's not serious and can be very easy to hack. Even if you write a tricky JavaScript function to encode the value, then decode it back again (using JS function), it is still possible to program the same type function in PHP, which decodes the encoded value...

It all doesn't matter, until the verifycation code is available in the source. It only matters, when it's available in the session; and even this can be hacked, if somebody is curious about hacking exactly your forums. But this is already a criminal offence - thus miniBB captcha addon provides a workaround even about that...

Why isn't there a captcha addon for registering?
I do not have any intention to let guests posts but when bots can register without any problem this doesn't make a different.

In experience I've had the most problems with bots registering and not with bots posting spam (as I never let guests posts)
Bots spaming as a members I've already had enough (with phpbb)
If there is already something anti bot registering please let me know.

Why isn't there a captcha addon for registering?
There is: http://www.minibb.com/captcha.html

So there is no free anti spam solution?
What is the point of having a forum if you are 100% sure that bots will register and post spam?

That the PM plugin is not free I can understand but basic anti spam security should be in a standard install.
If you aren't even basically protected against spam in the free version why would you want to buy extra addons.

Sorry but anti spam protection should be a basic feature in every script.
Not doing this is just helping the enemy and by this you help make the internet a big trash bin where you need to search interesting posts within millions of spam posts.

That's my idea at least.

So there is no free anti spam solution?

You can set it up to require that a new user must click on the confirmation link in the email before he/she can post. You can also manually accept each new user. Bots won't go through this process.

The minibb captcha could also used by other features than registration (could be set up for any forum action so that it's 100% spam proof). And you receive an open source. So I don't think it's just yet another "anti spam protection."

Besides, it costs less than $10... Come on, if the developers were based in the US, it would have costed at least 2-3 times as much. Plus, after the transaction fees the authors receive possibly about $8. Being serious about the project spending $10 for something that has proven to work 100% as advertised is nothing.

Guest_Rik

So there is no free anti spam solution?

I think Anti-Guest addon is the one could help you. miniBB also provides other methods/alogorithms of protection.

Check here:
http://www.minibb.com/forums/12_4434_0.html
http://www.minibb.com/forums/2_3786_0.html

Starting any forums in "opened" mode is a good method. Until they become well-known and nobody spams them, it could mean they are not popular and maybe even useless. So when you feel they are becoming spammed (and that way they are becoming "known") you may invest a bit and continue to promote them.

If you think more deeper why Captcha is not free, you may discover that miniBB just provides the gradual investment plan. You could install the absolutely free software and later won't be able to find a person who will maintain or fix it for you free. You could buy an expensive software which has it all-in-one for the all-in-one huge price, but won't even know why you need this or that feature. With miniBB, you install the basics and pay exactly for what you need.

If you think we could support this project free forever, it's a big mistake. Even if something is free, somebody pays for it.

Also if you think $10 is a big price - welcome to program this addon yourself... it's open source.

Paul,

first of all I do understand you can't support this project for free forever. And I do not find $10 a lot (it's very cheap to be honest), also the other plugins aren't expensive.

But I do think spam protection should be in the basic packet.
Yes it is good to keep unpopular forums open in the beginning to get more people but nowadays spam bots do not check if your forum is popular. From the moment you have a google PR and your in their list, they will send you spam even if your forum is zero active.

And I can promise you that after your forum is full of spam (200 spamposts in 1 day isn't that creazy) no real person will ever visit your board again. I've had this with a phpBB board that I had put on a site with a starting PR and less than 100 visitors a day.
The forum itself had less than 5 visitors a day and 1 post every 2 or 3 days.
Till I got on a bots list. I hadn't checked the forum for around a month and my surprise was big. All at once I had over 1000 members and a forum full of posts (all spam)
The real members I had all left, and since then the forum is completely dead.

Just to explain that anti spam is important from the first moment you start a forum.

I hadn't checked the forum for around a month and my surprise was big.
I think here lays the gist of the problem. Running a serious forum (or any other website) is at last a part-time job. I cannot imagine to check in to a forum once a month only; there's no ideal forum software that would: review the posts, clean spammy or offensive messages, or automatically create useful posts by itself. Why even create a forum if it's not even interesting for the webmaster to work on it more than once a month...