Virtual Brain Online Logo

Bookmark: Root \ PHP \ Anti Spam Bot modification for PunBB

Anti Spam Bot modification for PunBB

Last Updated: 2009-06-24

Update: Instructions for FluxBB can be found here FluxBB CAPTCHA mod

This is a mod for PunBB, the mod is available as a download which allows you to simply extract the files within, copy them to your PunBB root directory and overwrite the existing files. This page also explains how to manually adjust the required file to get the mod working. After the mod is installed, the PunBB registration process will have these additional features:
- register.php will no longer accept POST values directly, the input form where a new user enters his/her username and E-Mail address must be loaded first.
- register.php will ask a simple question which must be answered correctly. Unlike other solutions, my modifications will ask different questions which are randomly selected from a file which contains the questions and answers.
- Fixed problem when a user running the Firefox web browser enters an incorrect value and needs to go back, the submit button will stay disabled until the page is reloaded. Java script removed to fix issue on register.php

I am running a few forums with PunBB and never had any issues with spammers until a few days ago. I did not visit my forum for a few weeks because it pretty much ran by itself. One of my forum's target audience is minors and I was shocked to find the entire board flooded with all kinds of porn spam. A solution had to be found quickly before I loose my users and before I get into trouble for not protecting my young visitors....

I checked the PunBB mod forum but was unable to find a solution which satisfied me. So I fired up Kate and came up with a human validation scheme not based on identifying images because the more I use them, the more I beginn to hate them. You can find my previous work on CAPTCHAs here.

My modifications to the registration process of PunBB protect against spam bots directly submitting POST variables to register.php and require the user to answer a simple question, such as: "What is five plus one?".
This easy to answer question is pretty hard for a computer to answer because the computer needs to recognize the question first.
Furthermore, the math problem is written out, a user may answer 6 or six so the validation step must support both ways to answer the question.

This sample image displays the modification in action

All modifications to PunBB are limited to the register.php file. But before we get started I would like to suggest another modification to the register.php file. The file disables the submit button via javascript. If a user running the Firefox webbrowser enters an incorrect value and needs to go back, the submit button will stay disabled until the page is reloaded. Since Firefox is a very popular browser this should never happen, regardless if this is a browser bug or by design.
Line 268 should be changed from:

<form id="register" method="post" action="register.php?action=register" onsubmit="this.register.disabled=true;if(process_form(this)){return true;}else{this.register.disabled=false;return false;}">
<form id="register" method="post" action="register.php?action=register">

OK, let's get started. If you are running an unmodified version of register.php, PunBB 1.2.17, you can download the zip package below and overwrite the existing file.
If you have modified your register.php or just prefer to modify register.php file yourself you can follow the instructions below to implement the protection. You also need to download the zip file but only copy QandA.php file into the PunBB root directory.

Rename register.php-PunBB-v1.2.17 to register.php if you are running PunBB 1.2.17
Rename register.php-PunBB-v1.2.21 to register.php if you are running PunBB 1.2.21 for version 1.2.17 and 1.2.21 for version 1.2.17

Open register.php with a text editor such as Kate or Notepad.
Goto line 36 and add the following lines after } and before "Load the register.php language file...."
//This is part of the human test, it will ensure that the values submitted to register.php come from the form and are not part of a spambot submitting POST variables directly to register.php
$hum_id = session_id();

Now goto line 85 (PunBB 1.2.17) or line 83 (PunBB 1.2.21) and add the following lines after the { and before the comment "Check that someone from this IP didn't ...."
//Human validation, first check that the session ID is present in the session array.....
//This one should catch most "simple" bot programs because the form requires that step one is loaded. It prevents bots from submitting variables to register.php directly
if( $hum_id != $_SESSION['hum_sumtest'] ) {
message('Mhhh, maybe you should try and submit your values via the form and not submit them directly to register.php ..... byebye bot....');
} //if( $hum_id != $_SESSION['hum_sumtest'] )
//Now check that the correct human test answer was given, don't do anything if this fails
if( isset($_POST['human_test']) ) { $hum_answer = $_POST['human_test']; } else { $hum_answer = Null; }
if( !isset($_SESSION['hum_qna_i']) ) { //Ensure that the Question Index has been stored in the last step
message('Missing Question Index, please contact the administrator of the forum and report the issue, thank you.');
} //if( !isset($_SESSION['hum_qna_i']) )
$hum_q_index = $_SESSION['hum_qna_i']; //This is the question index, used to lookup the question
$hum_answ_correct = False; //Set to True if the answer given is correct
require_once 'QandA.php';
//Now test that the answer is correct, all tests are done in lower case
$hum_answ_cnt = count($hum_qna[$hum_q_index]); //First check how many possible answers there are
//Now loop through answers to check if the answer given is actually in the list of correct answers
for( $hum_x=1 ; $hum_x < $hum_answ_cnt ; $hum_x++ ) {
$hum_qna_line = $hum_qna[$hum_q_index][$hum_x];
if( strcasecmp( $hum_answer, $hum_qna_line) == 0 ) {
$hum_answ_correct = True; //The answer is correct, cool
} //if( strcasecmp( $hum_answer, $hum_qna_line) == 0 )
}//for( $hum_x=1 ; $hum_x >= $hum_answ_cnt ; $hum_x++ )
//The loop is over, check if the correct answer was given and issue error if not
if( $hum_answ_correct == False ) {
message('You supplied and incorrect answer at the "Human Test" field, please try again');
} //if( $hum_answ_correct == False )
//This should be it, the user should be human and not a bot

Now goto line 335 (PunBB 1.2.17) or line 333 (PunBB 1.2.21) and add the following after </div> and before <div class="inform">
<div class="inform">
<legend>Human Test</legend>
<div class="infldset">
Please answer the question below to verify that you are not a computer program, thank you.<br>
//If the form is not loaded but the values send via POST directly to register.php then
// $_Session['hum_sumtest'] will be empty at the next step.
$_SESSION['hum_sumtest'] = $hum_id; //Save generated value in session array
require_once 'QandA.php';
$hum_cnt = count($hum_qna) -1; //Find out how many questions there are, -1 since the count starts at zero
$hum_qna_i = rand(0, $hum_cnt); //Get random number within question range
$hum_question = $hum_qna[$hum_qna_i][0]; //Get the question and save it
$_SESSION['hum_qna_i'] = $hum_qna_i; //Store the index of the question
Question: <strong><?PHP echo $hum_question; ?></strong><br>
Answer: <input type="text" size="30" maxlength="100" name="human_test" value="" />

That is it as far as modifications to register.php, now you need to download the Questions and Answers file and place it into the same directory where register.php is located in. The file already contains a few simple questions and answers but I urge you to replace them with your own. Edit the file with a text editor such as Kate or Notepad and follow instructions within the QandA.php file on how to add your own questions.

Important Notes Regarding Question Selection:
Because the validation scheme supports many questions it is possible to make the mod almost useless if you have a lot of questions with the same answer or very short answers.
Assume that you have added 10 questions, most of the questions are simple math problems such as 1+1 or 2-1 which only have a one digit answer, then a spammer can adjust his SPAM bot to attempt a brute force attack. When brute forcing, the bot will attempt to try any possible combination so any simple question can be broken very quickly.
It is a good idea to apply standard password policies to the answers, no answer should be shorter then 6 characters.
It is also a good idea not to include the word which is supposed to be typed into the answer field within the question.

Here are a few not so good examples:
- What is 1+1?
- Write the word red into the field below.

Here are a few good questions you may want to modify to build your question/answer file:
- Remove all occurrences of the number 2 from the word "2jel2ly2" and type it into the box below (without quotes)
- Fill in the missing character and enter the word into the box below: cof_ee
- Fill in the missing character and enter the word into the box below: mat_ematics
- What does one hundred PLUS thirty PLUS twenty five PLUS two hundred equal to?
- What year did Apollo 11 land on the moon?
- Write the number one thousand three hundred thirty three in numbers.

Please report any problems or suggestions via the Contact Form.


Title: works great on MyBestBB
Posted By: neofutur On: 2009-05-02 21:11
Running: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/2009033116 Mandriva/ (2009.0) Firefox/3.0.8


Add Your Comment:

Note: All posts require administrator approval. Please allow 24 hours for message approval.

Plain text only, less then 65 000 characters.

Adding ten and five is?

Please answer the question above and type the answer into the text box below.