Regarding The Spam Posts.

We could introduce something like KVR has, links will only work after at least 10 posts are made. That would make the forum uninteresting for spammers.

then spammers will generate ten post in each thread, all with tons of links :)

There are other solutions that also work but they also generate more CPU load because they attack the database.
The best method is killing the spamscript writer and the server admin that deliberately hosts the scripts, unfortunately, this option is out of reach because no law allows that yet :P.

There are thousands of websites using the Invision Board software - all with identical signup forms - so its a very trivial matter for a spam bot programmer to examine the layout of this form, figure out which fields are required (username, password, etc.), then create a script which submits all the necessary information automatically. The script reads from a list of URLs which the programmer has collected simply by searching Google for compatible forums, and it works through them one by one, resubmitting this bullshit day after day after day. Even the URL collection process can be automated very easily by a bot which searches Google! The programmer can be lazy as hell in all of this, occasionally creating a new script which matches a popular forum/blog/whatever signup form, adding thousands of new victims to his list.

The exact same methods are then used to automatically submit posts to the forum itself.

But in my opinion the laziness of these spammers can be exploited. They are only interested in something that is quick and easy for them to use. They don’t want to waste any extra time making special setups for all the different websites out there - they are only interested in something which will work on many identical (vulnerable) systems.

So my suggestion for our problem here…

Someone who is good with PHP (Bantai - you’re pretty good, right?) should examine the code for the Invision forum package. Insert a new hidden input field into the signup form and perform a check for this field when the data is posted to the form handler script. In my experience this small change is usually enough to break the spam bot because it is not aware of this new field (the field is not part of the default signup form template). The bot programmer usually won’t bother creating a special rule in his spam script just to handle one modified forum in his list of thousands. And if he does make a special rule, then we simply change the data field to something new. Eventually he will get sick of creating new scripts for our little forum and he will f*ck off to other more profitable victims where he doesn’t have to waste so much time.

Something I do myself which makes it a bit trickier for them is to change the name and value of the hidden field every time, usually just simply based on the date and time (current hour in the day):


<form action="signup_handler.php" method="post">
( other stuff from normal signup form ... )<br>
<input type="hidden" name="&lt;?php print md5(date('YmdH')); ?&gt;" value="&lt;?php print md5(date('HdmY')); ?&gt;"><br>
<input type="submit" value="Submit Form"><br>


$magickey = $_POST[md5(date('YmdH'))];  
if (!isset($magickey) || $magickey != md5(date('HdmY'))) {  
 // bad signup...  

There’s absolutely nothing fancy happening here, in fact the information could quite easily be extracted from the page and then correctly submitted by the spam bot. This “trick” simply relies on the fact that the bot will probably never actually bother to do this. Why would it waste time and bandwidth - not to mention make the script more complex than it needs to be - by attempting to correctly recreate the structure of every signup form on its list, when it can just assume they’re all identical and try to brute force it? The results from the brute force approach will always be good enough for the spammer.

This simple method has stopped all spam coming through the contact form on my website, as well as a guestbook script I wrote for a friend which was filled with spam pretty much every day. Maybe it will work here too, I dunno. It’s worth a try I think.


And here is was ready to suggest that only bought renoise users should be allowed to post. Sounds like an interesting idea dblue.

The extra hidden field is a great idea (and pretty easy to add), but then it should be something very illogical


This sounds like it’s worth a try. I had something similar on my site, which worked quite well, but the spammers circumvented it after some time. Though i only had a fixed name for the hidden input field, which might be the reason. An additional idea might be, to rename the form fields in the registration form to something else. If their software is looking for an input field named “mail” and their software can’t find it, they might fail to register, even if they ignore the hidden field.


Making the forum only available for registered users is a bad idea, i think. What about the people, who want to ask questions before buying, or just want to get help, when making their first steps with the free version.

Yep, exactly. In something I did recently all the form input names are actually md5 hashes which change every hour, so you get something like this:

<input name="b068931cc450442b63f5b3d276ea4297" value="">  
<input name="0c83f57c786a0b4a39efab23731c7ebc" value="">  

In my form processing script I simply check for submitted values like: $email = $_POST[md5(‘the_real_email_input_name’)];

Again, it’s just a simple little trick which I don’t claim to be perfect, but at least to the casual viewer it is very strange.

To the spam bots which are analysing the form and trying to figure out the correct structure, how the hell is it going to know which is the username field, or the email field, when they are all obfuscated with the md5() function? All it will see is a lot of form fields with very strange names, and -hopefully- it will not understand how to process them. The downside is that someone has to rewrite some PHP in the forum software, but it’s a small price to pay I think.

To really confuse the bots, the signup form could even be programmed to insert the form fields in a different order each time, so one time it’s username, password, email… but another time it’s username, email, password, etc. This on top of the field name obfuscation would lead to quite a confusing system for them to figure out.

That’s a very interesting approach, i’ll try it out on my site, when my redesign is finished. :)

I have a self-created guestbook which eventually started to get spammed - always with messages where they tried to create “<a href”-links (which of course didn’t work as I disabled html-execution of messages). When I started getting bored of deleting spam-messages I added a check for “<a href” - if it existed in the message, the message was simply dumped instead of saved in the database.

It seems to work great so far, as normal visitors enter urls (when they do at all) the normal way (not trying to create links).

I have something similar in my guestbook, but since i allow very few BBCode tags for formating, they seem to try it with [url=…] tags. Though i do have a customized script running.

Changing the order does not really work out because the value and name will be found anyway, changing the original value-name will work out.
Adding hidden fields may be something a script scan on automatically if there i found out recently.
This won’t work because the value has to be given and they just take the variable name and value, so a changing hash-name won’t work.

However using hashnames for the input content shall work because they can’t input something if they don’t know what it is for.

This will work for bots that expect something to be filled in and just do this blindly, but won’t work for bots that scan the fieldname and its value possibly you may confuse some bots if you don’t add a "value = " tag.
But i heard somebody doing this on his site and this seems to work neat most of the times.

Doing something against the spammers seems more urgent, then i’ve thought, got this picture from someone. I’ve censored the pic with a black box.


Someone who does not seem to have the jpeg buffer overload patch yet…
And if they don’t have this patch this is either because they are too ignorant to run their updates or they have an illegal version of XP which they can’t update anymore.
But yes, it seems urgent to do something about it.

The registration pages now have an extra custom value that should be filled in. Let’s see how smart this spambot is.

Does it work? I’ve only seen one spam post since.