TFBW's Forum

I haven't had any real activity in the forum yet, although I've had to weed out a few junk posts (spam) despite the need to register as a user. Given that the main point of removing anonymous posting is to eliminate spam -- and it's not working 100% -- I'm going to try making all the forums public. This means that you can post new topics or reply to existing ones without registering. There are still benefits to registration, such as the ability to edit your posts and a couple of other nicities, but the strict need to register is abolished for now.

Of course, if it gets seriously abused, I'll remove public posting, and I expect to be harsher on anonymous posts when it comes to judging whether they are on topic or junk. I have to strike a balance between facilitating public discussion and not facilitating web-spam.

Well, it's clear that making the forums public does result in an increase in spam. There are forum-spammers with automated scripts for posting their crap on any phpBB forum they can find, and I'm getting a couple such posts a day.

These are relatively easy to spot and weed out, but it means that the forum is in constant need of attention so as not to pollute the web with link-spam. I have a solution for this, but I'm not entirely happy with it. That solution is to disable BBCode, which is the means by which links can be posted in a comment. The spammer-scripts are too stupid to realise that their BBCode won't work, so I still have to weed out the spam by hand, but I've removed whatever benefit the spammers were getting from making the post. The spam is now a mutual waste of their time and mine, rather than a waste of my time to their benefit.

This isn't a pretty solution, however, because phpBB has no concept of BBCode being a security issue. I can't restrict BBCode to registered users, for example. In fact, when I disable BBCode entirely, it still includes BBCode controls in the "post a reply" page, even though it won't work as advertised. This strikes me as really daft. Maybe they have their act together for the upcoming phpBB v3.0, but I'm not counting on it.

At this rate, I'm going to feel like killing the forum before it even has a chance to get started.

A little more research into the matter of forum spam has been modestly educational. I'm pretty unhappy with phpBB's complete lack of relevant features when it comes to spam combat, but I have been able to perform a couple of hacks at the Apache level which seems to have deflected most of the crap. So far.

There are two major forms of abuse going on here. One is not visible, and is the result of a worm that has been going around, exploiting an old phpBB vulnerability. I get dozens of attempts per day -- from compromised sites running phpBB -- trying to assimilate my forum into the zombie collective. This particular forum has never been vulnerable (it's too new), but I've also worked out an Apache ".htaccess" hack which denies these cretins access. It's not a great hack, but it works, and it's a wonderful thing to not be wasting any CPU time on abusive crap.

The other form of abuse -- the visible one -- is the result of spammers with dedicated software for plastering their junk in every forum they can find. Judging by my Apache logs, these slimebags use botnets -- collections of compromised end-user PCs -- to do their dirty work. This makes banning them piecemeal a useless task. I have still managed to block the most prominent of the activity, however, because the special software they are using has some very conspicuous bugs. I refer to such poorly written junk as "ratware", and this ratware creates a very distinctive spoor in the Apache logs. I have another ugly-but-working hack in place to deny access to this ratware.

It's somewhat satisfying to see the "403 Forbidden" responses roll by in the Apache access log. Now all I need is some actual discussion here.