It seems I already provided the code above, which completely disables filling in the website field.
Did you install the code correctly? If so, how it is possible that users still record website value?

I have plans to release the add-on which could be scheduled or run manually, and it will remove profiles, which let's say were registered 2 days ago, no posts made from them, and they have website field written in. In most cases such profiles could be considered as the 'spam' accounts and they could be removed. But these are only plans. I have abnormally lots of jobs these days and do not have time for a free work by now...

Hi Paul,

If you read the various messages in the thread you will see removing the 'Website' field did nothing to stop the spam registrations, so I reactivated it to enable the easy 'spotting' of spam registrations...

I don't want to remove registrations that have had no post, as we have a lot of users that like to register 'just in case', but only post when they have a valid question.

Obviously, if they have the 'website' field filled in that would make them 100% spammer in my case as that field is not human visible.

The inverse-captcha capability I have mentioned before would be a good addition I think. It is use by the Tectite Forms we use for registration of downloads, and we have had ZERO spam since we have been using it (5 years or so).

It is a very simple process, but so far has been 100% successful in preventing spam forms download registrations.

So, how would you recognize a "just-in-case-registered"-user from the "spamming" user?

Then why wouldn't you just remove this field - from the database, from the Profile template?..
I'm seeing no sense in it, if it doesn't work for your website.

If you want to keep part of users with this field filled in, and remove part of users with this field as well, then I simply have no ideas how it could be done at the programming level. My opinion it has no automated solution except manual work.

I'm not sure I've read about "inverse-captcha" earlier in your posts above. What is this?

Sorry, I'm not explaining myself well.

As the 'Website' field is not Human Viewable all registrations that fill in that field are obviously Spammer - 100% guaranteed as they are using an automated system to register that can't tell the field is not visible to a real user... so there can be no alternative to them being spammers.

Based on this, rejecting ALL users that fill this field will ONLY reject spammer.

Removing the 'hidden website' field totally prevents easy recognition of spammer registrations.

Does that make more sense?

Inverse, or Reverse Captcha is using this process - having hidden fields - usually two - to separate human registration for spammer and bots.

See: http://www.tectite.com/fmdoc/attack_detection_reverse_captcha.php

As I say this has been 100% successful in preventing ALL spam from th download form we use.

Steve

The add-on I described above, was exactly about this. But, it also has a condition of user's amount of posts.
If there were no posts done, and If this field (website) is filled it with some value, in most cases it IS spammer - and it's not just for your forum.
This is all I have in plans at the moment.

Thanks for providing infos from the "tectite" - I think, this method is not related to Captcha at all. It could be used for any basic form protection, but this is only for "standard" spammers. Yes, it seems to be an easy way, but if someone wants to intrude to your website badly, there is a simple way to break it up as well.

I may consider this method, may be even adding something like this to default miniBB with no Captcha add-on installed, but... I only have time to think about it, not to work on - unfortunately, I am out of free time until the end of June.

Indeed - should work fine!

;-)

As for the Reverse Captcha, I agree it is not 'Captcha' but it works 100% in application (from our 5 years of use).
In comparison we have a lot of spammers hitting the forum... even with 'Captch' enabled, etc.

End of June would be great!!!

Thanks :-)

I've re-checked your proposals about "hidden fields protection" and I think they are still worth of doubt :)
You wrote that

I'm not sure I know what your app is about, but here we truly may talk about different things. Spammers register on forum because they think they URL is visible and clickable to public. The most important is this hyperlink's moment - they do not understand it's clickable for logged members only and has no effect on SEO... but in your app, there could be a case when registration doesn't require a password, signature or anything else to visible to public. Users just register to download a file and their profile is hidden - this may be a completely different case. In this case, spammers do not attack you because they do not see the sense of it.

I also have some few specific projects on the web which require registration, and which are not even protected by Captcha (just email validation) - so what, in a few years there are no bulk registrations, because profiles are not visible to public, and they do not contain anything SEO-specific which is worth for spammers... it's a different case.

But... the form "protected" by hidden fields could be tricked easily in many ways. I could even program a script in PHP which will bypass this "protection". It's a very primitive approach, created for similarly primitive hackers, I suppose - which could just take a ready software and apply it to some website by few clicks, with no having understanding of how and what works there...

So for me it seems the add-on which cleans up registrations within some time period, is still the best for miniBB in this aspect.

In the download form there is an area to add 'comments'.

Before we added the Reverse Captcha spammers would put Hyperlinks into the 'comments' field.
As soon as we activated the Reverse Captcha all spam stopped - 100%!

I think that proves it ;-)

Either way, it must be worth adding as additional protection???
It can't hurt, can it???

Steve

It would be worth to code it at the addition/solution level...

Well, I've analyzed CSS techniques a bit and it's very pity that CSS can not enable or disable fields on the form.
Else it would be possible to create a field which would have some class, let's say 'textForn'.
Then in CSS it would be possible to set it up as 'display:none'.
Then only those using browsers with enabled CSS could submit a form, but this field would be not submitted, and that would prove this is a 'human' user. At the time mostly all automated tools would submit this field without paying attention to its class or analyzing CSS...

But this is impossible. I've tried it -even if a form contains 'none-displayed' field, it's being submitted as the part of the form anyway. Only JavaScript could manipulate document's DOM.

There is quite a good method of verifying forms using JavaScript, based on cookies and $csrfcheck value we have built in miniBB, may be something like this could be plugged in... I'll think about it.

That sounds great Paul!

As an interim test, is there some code I can add to "bb_func_checkusr.php" to return a 'False' error, as as for incorrect entry in 'user name/e-mail address', if there are any characters at all in the Website field?

I assume that as some form of automated registration is being used the 'Spammer' will not see the error message?

Just a thought...

Steve

It's possible to do on the add-on's level... for example, pasting this in bb_plugins.php may work:

didn't check it out, so it's in your hands :)

Ta!

Will give it a try ;-)

Well, I've tested it, and it seems to work exactly as I hoped!!!

Will leave for a couple of days and let you know if we see any spam registrations getting through - we normally have multiple per day, so we should tell quickly how effective this is.

Cheers!

Steve

Ok, please inform how it went... thx.

Maybe it would be even better not only to check if field is empty, but also check if field is filled and has unique characters. Something like below, but I cannot make it work..