Forum spam made chaos

This is a known problem, but unfortunately this does not get the attention it deserves. (At least to my knowledge)

You can try out netrixes addon for spam stuff

http://phpfusionmods.com/downloads.php?cat_id=1&download_id=27

Looks promising, will give that one a try.

For spam protection look here, Protect register.php against proxy registrations.

Soon I will post a modified login.php which will slow down brute force logins.
On my to do list is flood control on failed login attemps.

I have a different spam problem all together:

Over the weekend I deleted 46000 user names and approximately 85000 spam messages from my forum.

I have since changed the administrator log-in password for the website, the login for the ISP host as well as the password for the SQL Database. This morning I found there were still over 100 new user names in the database, which were not there yesterday. It seems the usernames are created however never show up on the "recent users folder", and then a few hours later they post in the forum.

The only way to catch them before they start posting is to look in the SQL database and sort by "user_joined", then highlight and delete user. This is of course the long way.

I have also just installed the " Protect register.php against proxy registrations" mod, found at http://php-fusion.org/forum/viewthread.php?thread_id=8&pid=13#post_13 to register.php however not sure just how much this will help, if at all because it seems this issue is much more deeply rooted. When I installed this particular mod, there were 19393 users and as of writing this post there are now 19408 leading me to believe that the problem is not proxy registrations.

Any help would be appreciated as I am one of the old school PHPFusion users however my site has constantly been updated and I am using the v7.02.05 release at the moment.

Merged on Oct 02 2012 at 01:19:49:
An update:

[ulist=circle]Note how posts on my site are not revealing the date and time stamp.
The site doesn't seem to be saving Recaptcha Public Key or Recaptcha Private Key
Doesn't save the bad word list
Doesn't save the maintainance message[/ulist]

I've installed Craig's "Registration Secure Question" mod because I too was having the same problem.

But as I asked Craig in a PM, I'm also going to ask the PHPFusion mods/programmers here... How are these registrations happening?

As it is the PHPFusion registration process has a Captcha test, and also requires someone to click on the activation link that's sent to their email address. So they actually require a working email address to receive the activation email. Yet in the last few days I've seen over a hundred accounts registered (using Hotmail or Outlook.com email addresses) that have somehow successfully gone through this whole registration process over and over again. HOW?

Has someone created a program/bot that can register hundreds of random Hotmail/Outlook email addresses, beat the Fusion Captcha test, automatically click on the activation link, and then post spam on Fusion Message Boards? It seems far fetched.

And if they can do all that, why does the extra step Craig incorporated with this mod work?

It really has me baffled!!

Programmers can too create recognition systems that can actually read captchas and enter them correctly.

Now this is the whole point of increasing the "letter distortion" in order to go against the bots AI.

For more advanced spamming applications, you have human interactivity in which a user such as you or I can read the captcha first hand and enter allowing the bot to do the rest.

Now once a bot registers, their are no other precautions in place other than the flood control which is easily bypassed.

I have an application currently in development to stop just that, I've actually allowed bot registration to run rapid and with no spam being successful since it's implementation - I'll have further word on it shortly.

Well yes it may work. Spammers use software that find common cms features:
register.php site
PHPFusion footer search
shoutbox

Trying to know your enemy, you have to know him.. What I did...
Generally spammers are laughing at PHPFusion developers, cause it's easy to spam. Some improvements proposed were never implemented to 7.xx.xx.

Forget Captcha - its broken.. Try the easy way. I found analysing how spammers work. Try to change easy way, just register.php to your own like matr1x did, it will work -> http://www.php-fusion.co.uk/forum/viewthread.php?thread_id=31460

Yes it's MUCH better than any captcha, so do the trick!

one thing IMO that will stop alot of the spammers is checking the registration email and ip with stop forums spam db.

used to be an add-on that did this not sure if it works with the current fusion version but in all honesty it should be hard coded into fusion. with the ability when a spammer gets though it can be reported back to the SFS db

I've made various attempts and found that my Captcha is not appearing. For verification, visit www.gojuryu.net

Because is not enabled?

Oh - It's enabled, and I've tried every setting available. Just does not show-up.
http://gojuryu.net/register.php

Replace register.php and check Error log.

We've been receiving similar complaints since from our clients too, where do no reason the captcha seems to be broken and an incredible volume of new registrations are observed. Can someone please suggest what's going on ?

I tried browsing for a solution to this issue and found this thread, can anyone please suggest if it's actually worth giving it a shot. If yeah then I can recommend it to our clients for the time-being.

Any advice would be highly appreciated.

Any mod?

I have some spam preventing mods on http://php-fusion.org/

While I was having issues with this, anywhere from 4 to 10 new registrations a day, and they being spam. I started using the Simple Question, and have not had a problem since.

It does cut out a lot of spam, not all spam, you will still get idiots registering.

The email-activation feature is just stupid as it is programmed now. If it did work the bots would not be able to register because the bots use bogus emailadresses. And they ofcourse dont use the activationlink sent to the emailadress because they never get the email. - They register directly without having to use the email-activation thingy, even that it is activated in the settings.