miniBB gets a lot of interest regarding its effective protection methods from spam. Actually, if the spammers begin to attack your forums, it's the good sign. Spammers will not post on the site which is difficult to find. That only means your forums already have an audience of visitors. But at this moment we could give a 100% warranty that miniBB is fully protected from automated bots attacks. In this thread I will try to quickly explain how to achieve the level of protection you choose.

miniBB could be set up to allow or disallow guest posting; it is allowed by default, and this is the only correct way when you start your forums. Later when your community grows and gets instant visitors, you could set it up for registered members only; anyway, this really wouldn't prevent from bots spamming, because the account could be registered manually and then its login/password used in the automated program to log-in and spam.

However, we need to separate guest actions from the member actions, because member actions usually require more resources and more difficult software to spam. That's why two basic processes we need to protect initially, are:

- Registering new accounts;
- Posting new messages and/or topics by guests and members.

In a few cases, it is also important to prevent forums from the external monitoring, protecting:

- Search function.

If you have installed some of our premium add-ons like "File Bank" or "Polls", here are also some points we shall keep in mind:

- Uploading a file by a guest user in "File Bank";
- Voting by a guest in "Polls".

All the mentioned above currently could be controlled by our premium "Captcha" add-on. On our own forums we get a lot of automated attack attempts each day, but none of them passes through, except when posted manually (there is actually no protection from the manual spam). Take a look at the Captcha improvement codes to make it even more secure.

Captcha protects your forums from automated registrations, posting new messages and/or topics, it could also protect the search function and the aforementioned add-ons. Configuring Captcha, you could achieve additionally that even registered members with less than X posts are asked to enter Captcha code, or its session could be re-generated each time when somebody performs a human-check-required-action.

However few users may not like Captcha-based protection, because they have seen on other websites the phrases provided are sometimes not recognizable or difficult to solve even for a human. Or - sometimes the web hosting doesn't allow to use graphic libraries for generating an automated picture, that's why it would be physically impossible to install such add-on (and that's why we do not include it in the basic free package by default).

Despite our "Human Authorization" add-on is designed to be as simple as possible, and it effectively runs with any basic hosting plan provided nowadays, if you do not purchase our premium add-on, you also have a way to apply one of the free 3rd party solutions like:

Danny's miniBB recaptcha MOD provides reCAPTCHA service incorporated in miniBB;
Alternative to GD-based Captcha: solving math questions provides to solve simple math riddles.

Please note those protection methods may be limited in functionality and support. Distributing our Captcha add-on on a paid basis, we really mean it is worth the money, and its quality and premium support would satisfy you. Here is more about why this add-on is not free.

Because spammers mostly try to put their own URLs in the forum message, we have a simple yet nice plugin disallowing quests from posting URLs and other URL parts like certain domains, or any other piece of phrase you specify.

You could also pay attention to the topic explaining why some simple methods like mentioned would not work when protecting from spam bots. By now Captcha-based algorithms are so far the most secured.

If you would be still interested in how to protect your forums without Captcha, and without any external "human" questions or riddles, the only way of doing it is to open forums for registered members only. And the only way how to recognize a spam bot from a human in the registering process, is to verify his email address. For this, miniBB contains an option $closeRegister which generates user's password automatically and sends it on the email. Without reading this email and so without knowing the password sent, user can't enter forums. Enabling this simple option, you would need to pay attention to what to implement additionally.

This method however has a serious problem: nowadays many email filters block automated messages sent in verification purposes, and it could block the email from your forums, too. That's why many users couldn't receive such messages and couldn't register. You may lose some audience with it.

All aforementioned options are set under setup_options.php file, and all plugins are installed with instructions provided under readme.txt file. If you don't have an idea how to modify this file properly, or how to apply anything from the aforementioned correctly, address your task to professionals. Keep in mind this thread should explain everything you should know about how to protect miniBB forums from spam. If you don't know how, it doesn't mean it's impossible, and it doesn't mean you have a credit to be repeatedly answered.

Thank you for your understanding and miniBB choice!

Paul,
do you think it is useful to add a black-list check to the registration process?

Sites like http://www.stopforumspam.com offer an API you can use to check if an IP-adress exists in their database. I have used if often to check on a dubious new member.

CAPTCHA protects against bots, this could protect against manual registering of spammers.

Thanks for your reply,
Arne Suverein

For me it would be too risky to use an API of an unknown company (plus it would never be 100% effective/accurate and could block legitimate users).

I don't trust IP databases :-)

I am often discovering my own IP in the blacklist, despite I am sure I never sent unsolicited emails from it or something like this. It happens because the recepient of your IP was using a software which thought this IP is "bad". This may happen, if you sent a blacklisted URL in the email body, for example.

Once upon a time I also have got a notification that our project's URL (i.e. minibb.com) for some reason is contained within FortiGuard blocker URLs list. I've sent a request to FortiGuard to remove this domain from their blacklists, and then even replied me something like:

So there are many things around IP blocking stuff.

But technically, such add-on is very possible to implement. As usually, I could offer you to invest into it and make it open source for everybody.

how i can able just memeber of forum can post not guests

Search is your pal:
Only registered users

I have the CAPTCHA premium addon but bots are still spamming my forum! I have even modified the captcha settings and put in new fonts, but the bots are still getting through.

Please help!

You could try to use .htaccess protection.

malarkey77: why did you decide that exactly bots are spamming? Nowadays they also could be just users from anywhere which are paid for flood and spam postings. On our board, we also experience this sometimes.

There is no protection against human spam - except you may try Anti-Guest add-on for start up accounts.

kuopassa
I think what is described on that page, is a very very imperfect way of protection. Physically we can't collect all spammer IP addresses or create blacklists - first, because they could be tricked to save non-harmful sites; second, they could expire in a time and used later by quite "normal" users which won't be able to access a website anymore...

A flood a new users have registered on my forum and continue to do so.

So far none have made any posts, but I expect that one or more of them will start at some point and I want to prevent that.

The usernames and e-mails addresses, while unique, are too similar to be a coincidence.

While I cannot be certain as yet, I have every reason to believe that each of these new users is coming from the same person or source.

I have the CAPTCHA option configured and enabled, so either it's the the same human manually registering again and again under different usernames, or some type of bot has figured out how to bypass the CAPTCHA, or something else...?

I was using the CAPTCHA defaults of 5 chars and no grid, have changed those for now.

I see that in order to ban a user's IP, they need to have posted so that we can see their IP. Does minibb capture a user's IP just when they register?

Thanks for any assistance!

Yes, please see Paul's post "Saving IP adress used during registration" for details. (Would like to see the solution made available from the official downloads area - just to make it easier for people to find.)

In that case, you might like to consider adding miniBB's Pre-moderation add-on to your anti-spam arsenal.

Of course, you can also limit the number of messages per day from users.

All the best -
marsbar

Works great, thanks so much!

Mark

I don't think that synchronization with the site or captcha helps in any way