Virtual Brain Online Logo

Bookmark: Root \ PHP \ Anti Spam Bot modification for PunBB

Anti Spam Bot modification for PunBB


Last Updated: 2009-06-24

Update: Instructions for FluxBB can be found here FluxBB CAPTCHA mod

Summary:
This is a mod for PunBB, the mod is available as a download which allows you to simply extract the files within, copy them to your PunBB root directory and overwrite the existing files. This page also explains how to manually adjust the required file to get the mod working. After the mod is installed, the PunBB registration process will have these additional features:
- register.php will no longer accept POST values directly, the input form where a new user enters his/her username and E-Mail address must be loaded first.
- register.php will ask a simple question which must be answered correctly. Unlike other solutions, my modifications will ask different questions which are randomly selected from a file which contains the questions and answers.
- Fixed problem when a user running the Firefox web browser enters an incorrect value and needs to go back, the submit button will stay disabled until the page is reloaded. Java script removed to fix issue on register.php

Article:
I am running a few forums with PunBB and never had any issues with spammers until a few days ago. I did not visit my forum for a few weeks because it pretty much ran by itself. One of my forum's target audience is minors and I was shocked to find the entire board flooded with all kinds of porn spam. A solution had to be found quickly before I loose my users and before I get into trouble for not protecting my young visitors....

I checked the PunBB mod forum but was unable to find a solution which satisfied me. So I fired up Kate and came up with a human validation scheme not based on identifying images because the more I use them, the more I beginn to hate them. You can find my previous work on CAPTCHAs here.

My modifications to the registration process of PunBB protect against spam bots directly submitting POST variables to register.php and require the user to answer a simple question, such as: "What is five plus one?".
This easy to answer question is pretty hard for a computer to answer because the computer needs to recognize the question first.
Furthermore, the math problem is written out, a user may answer 6 or six so the validation step must support both ways to answer the question.

This sample image displays the modification in action


All modifications to PunBB are limited to the register.php file. But before we get started I would like to suggest another modification to the register.php file. The file disables the submit button via javascript. If a user running the Firefox webbrowser enters an incorrect value and needs to go back, the submit button will stay disabled until the page is reloaded. Since Firefox is a very popular browser this should never happen, regardless if this is a browser bug or by design.
Line 268 should be changed from:

<form id="register" method="post" action="register.php?action=register" onsubmit="this.register.disabled=true;if(process_form(this)){return true;}else{this.register.disabled=false;return false;}">
to
<form id="register" method="post" action="register.php?action=register">

OK, let's get started. If you are running an unmodified version of register.php, PunBB 1.2.17, you can download the zip package below and overwrite the existing file.
If you have modified your register.php or just prefer to modify register.php file yourself you can follow the instructions below to implement the protection. You also need to download the zip file but only copy QandA.php file into the PunBB root directory.

Downloads:
Rename register.php-PunBB-v1.2.17 to register.php if you are running PunBB 1.2.17
or
Rename register.php-PunBB-v1.2.21 to register.php if you are running PunBB 1.2.21
PunBB_Human_Test-1.1.zip for version 1.2.17 and 1.2.21
PunBB_Human_Test-1.0.zip for version 1.2.17

Open register.php with a text editor such as Kate or Notepad.
Goto line 36 and add the following lines after } and before "Load the register.php language file...."
//This is part of the human test, it will ensure that the values submitted to register.php come from the form and are not part of a spambot submitting POST variables directly to register.php
session_start();
$hum_id = session_id();


Now goto line 85 (PunBB 1.2.17) or line 83 (PunBB 1.2.21) and add the following lines after the { and before the comment "Check that someone from this IP didn't ...."
//Human validation, first check that the session ID is present in the session array.....
//This one should catch most "simple" bot programs because the form requires that step one is loaded. It prevents bots from submitting variables to register.php directly
if( $hum_id != $_SESSION['hum_sumtest'] ) {
message('Mhhh, maybe you should try and submit your values via the form and not submit them directly to register.php ..... byebye bot....');
} //if( $hum_id != $_SESSION['hum_sumtest'] )
//Now check that the correct human test answer was given, don't do anything if this fails
if( isset($_POST['human_test']) ) { $hum_answer = $_POST['human_test']; } else { $hum_answer = Null; }
if( !isset($_SESSION['hum_qna_i']) ) { //Ensure that the Question Index has been stored in the last step
message('Missing Question Index, please contact the administrator of the forum and report the issue, thank you.');
} //if( !isset($_SESSION['hum_qna_i']) )
$hum_q_index = $_SESSION['hum_qna_i']; //This is the question index, used to lookup the question
$hum_answ_correct = False; //Set to True if the answer given is correct
require_once 'QandA.php';
//Now test that the answer is correct, all tests are done in lower case
$hum_answ_cnt = count($hum_qna[$hum_q_index]); //First check how many possible answers there are
//Now loop through answers to check if the answer given is actually in the list of correct answers
for( $hum_x=1 ; $hum_x < $hum_answ_cnt ; $hum_x++ ) {
$hum_qna_line = $hum_qna[$hum_q_index][$hum_x];
if( strcasecmp( $hum_answer, $hum_qna_line) == 0 ) {
$hum_answ_correct = True; //The answer is correct, cool
} //if( strcasecmp( $hum_answer, $hum_qna_line) == 0 )
}//for( $hum_x=1 ; $hum_x >= $hum_answ_cnt ; $hum_x++ )
//The loop is over, check if the correct answer was given and issue error if not
if( $hum_answ_correct == False ) {
message('You supplied and incorrect answer at the "Human Test" field, please try again');
} //if( $hum_answ_correct == False )
//This should be it, the user should be human and not a bot

Now goto line 335 (PunBB 1.2.17) or line 333 (PunBB 1.2.21) and add the following after </div> and before <div class="inform">
<div class="inform">
<fieldset>
<legend>Human Test</legend>
<div class="infldset">
Please answer the question below to verify that you are not a computer program, thank you.<br>
<?PHP
//If the form is not loaded but the values send via POST directly to register.php then
// $_Session['hum_sumtest'] will be empty at the next step.
$_SESSION['hum_sumtest'] = $hum_id; //Save generated value in session array
require_once 'QandA.php';
$hum_cnt = count($hum_qna) -1; //Find out how many questions there are, -1 since the count starts at zero
$hum_qna_i = rand(0, $hum_cnt); //Get random number within question range
$hum_question = $hum_qna[$hum_qna_i][0]; //Get the question and save it
$_SESSION['hum_qna_i'] = $hum_qna_i; //Store the index of the question
?>
Question: <strong><?PHP echo $hum_question; ?></strong><br>
Answer: <input type="text" size="30" maxlength="100" name="human_test" value="" />
</div>
</fieldset>
</div>

That is it as far as modifications to register.php, now you need to download the Questions and Answers file and place it into the same directory where register.php is located in. The file already contains a few simple questions and answers but I urge you to replace them with your own. Edit the file with a text editor such as Kate or Notepad and follow instructions within the QandA.php file on how to add your own questions.

Important Notes Regarding Question Selection:
Because the validation scheme supports many questions it is possible to make the mod almost useless if you have a lot of questions with the same answer or very short answers.
Assume that you have added 10 questions, most of the questions are simple math problems such as 1+1 or 2-1 which only have a one digit answer, then a spammer can adjust his SPAM bot to attempt a brute force attack. When brute forcing, the bot will attempt to try any possible combination so any simple question can be broken very quickly.
It is a good idea to apply standard password policies to the answers, no answer should be shorter then 6 characters.
It is also a good idea not to include the word which is supposed to be typed into the answer field within the question.

Here are a few not so good examples:
- What is 1+1?
- Write the word red into the field below.

Here are a few good questions you may want to modify to build your question/answer file:
- Remove all occurrences of the number 2 from the word "2jel2ly2" and type it into the box below (without quotes)
- Fill in the missing character and enter the word into the box below: cof_ee
- Fill in the missing character and enter the word into the box below: mat_ematics
- What does one hundred PLUS thirty PLUS twenty five PLUS two hundred equal to?
- What year did Apollo 11 land on the moon?
- Write the number one thousand three hundred thirty three in numbers.

Please report any problems or suggestions via the Contact Form.

 

Title: works great on MyBestBB
Posted By: neofutur On: 2009-05-02 21:11
Running: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009033116 Mandriva/1.9.0.8-0.1mdv2009.0 (2009.0) Firefox/3.0.8
hi,

Thank you very much for this mod, it is now integrated on MyBestBB , my premod version of punbb 1.2.*

I badly needed this kind of things, having nearly one thousand bots registering each day on http://mybestbb.ww7.be
Title: nice try brother
Posted By: tusherdcc On: 2009-05-26 22:11
Running: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008112016 Firefox/3.0.4 Flock/2.0.2
very good try brother . i am in need of this. thanks to you and keep up good working
Title: Punbb 1.34
Posted By: Saxamo On: 2009-06-24 07:47
Running: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Hello there,

Will this mod still work with version 1.34 of Punbb? Do any of the modifications change? Is this something we will have to redo after each update of punbb?

I appreciate your help and your time..

Kind regards,
Saxamo
http://www.saxamo.com
Title: RE: PunBB 1.34
Posted By: Mirko Kaiser On: 2009-06-24 08:48
Running: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11) Gecko/2009061314 Firefox/3.0.11 (.NET CLR 3.5.30729)
Hello Saxamo,

I have not written a guide for PunBB 1.3.x but I don't see a reason why the mod would not work for version 1.3.x since it only adds a bit of code to the registration procedure of PunBB.
I have tried adding the mod to the 1.3 release and ran into problems creating the question input on the registration form.

Since the mod changes the register.php file you need to apply the modification every time the register.php file is updated by a later release but updating the file only takes a few minutes so it is not a lot of work.
Title: YOU RULE!
Posted By: Saxamo On: 2009-06-24 09:25
Running: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Thanks so much.. I appreciate your help, time.. You rock! Thanks!
Title:
Posted By: Ray On: 2009-06-27 15:21
Running: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
Hi Mirko,

We were getting spam registrations and spam threads on our PunBB forums (v1.2.16) even when we were using reCAPTCHA on the registration page!

Currently using your mod on our PunBB forums and will monitor new signups in the following weeks.
Even though your mod says it works for 1.2.17, I'm guessing it will work for 1.2.16 as well!

-Ray
Title: PunBB 1.2.15
Posted By: Peter Poland On: 2009-08-14 06:46
Running: Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13 (.NET CLR 3.5.30729)
PunBB 1.2.15 It`s works as well THANKS ! ! !
Title: Script is not fool proof
Posted By: Sypie On: 2009-11-29 10:51
Running: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; nl-nl) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
If you change the array to your own language, like i did, you can't skip question 3 for example. If the array is Q1, A1, Q2, A2, A2, Q4, A4 it will search for Q3.. which is empty so it doesn't show a question on the register page.
Q=Question, A =Answer.

So maybe a warning in the array script is on it's place: don't miss a number in the array.
Title:
Posted By: AsciiFriend On: 2010-12-31 07:47
Running: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
I'm getting an error on the registration page that looks like this:

Warning: require_once(file:///Downloads/QandA.php) [function.require-once]: failed to open stream: No such file or directory in /home/domainname/webapps/x/register.php on line 348

Fatal error: require_once() [function.require]: Failed opening required 'file:///Downloads/QandA.php' (include_path='.:/usr/local/lib/php') in /home/domainname/webapps/x/register.php on line 348

Obviously think I've followed steps above, but might have missed something.

Title: RE: AsciiFriend
Posted By: Skylinux On: 2010-12-31 10:25
Running: Opera/9.80 (X11; Linux i686; U; en) Presto/2.7.62 Version/11.00
Hi AsciiFriend,

that kind of error only comes up when PHP can not find the file on the file system. Linux/*nix is case sensitive so please double check that the file and directory names are written the exact same way.
/Downloads/qanda.php is not the same as /downloads/QandA.php

I hope this helps.

BTW, this mod is actually quite old and I have replaced it with CAPTCHAv2 which is database driven and comes with an interface. I recommend that you check it out: http://www.network-technologies.org/tiny.php?id=1

I am currently working on the next update to CAPTCHAv2 which will add PHP APC support to reduce database connections to zero when the result is cached.

Sincerely,
Title:
Posted By: Thanks On: 2011-01-09 18:57
Running: Mozilla/5.0 (Windows; U; Windows NT 5.1; sv-SE; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Thanks a bunch saved my life :)

 

Add Your Comment:

Note: All posts require administrator approval. Please allow 24 hours for message approval.

Name:
E-Mail:
Title
Plain text only, less then 65 000 characters.

Which one of the following words is the name of an animal group: letter milk insects computer chair

Please answer the question above and type the answer into the text box below.