Weblog entry #28 for lee
I was recently asked to look into cutting down the number of spambot registrations on a particular phpBB-based message board. Captchas are enabled (and being beaten), and registration must be validated before posting - which does cut down on the spam.
However most of the spam registrations seem to merely be for the purpose of using the user profile for advertising - presumably for search engine juice.
(I'm not a phpBB expert, and their website appears to be down currently, so I'm somewhat limited by the tools available in the administration interface, rather than any arcane knowledge that might be gleaned searching through discussion boards and what-not.)
Firstly, we need to make the board a less attractive target. That means blocking user profiles from being indexed by search engines. There appears to be no forum admin control to switch on the META tags for exclusion, so we need to create a robots.txt:

User-agent: *
Disallow: /profile.php
Disallow: /memberlist.php
The management controls on phpBB allow banning of email addresses or IP addresses, which isn't really suitable for what we're trying to do. Instead we activate mod_security for POST requests to the registration page (/profile.php), i.e. any attempt to register or modify an existing registration.

<IfModule mod_security.c>
  <Location /profile.php>
    SecFilterEngine On
    SecFilterScanPOST On
    SecFilterSelective ARG_website "viagra"
    SecFilterSelective ARG_website "coupons"
    SecFilterSelective ARG_email "biz$"
  </Location>
</IfModule>
The three filters here are just examples. In this scenario any attempt to register a website containing the strings "viagra" or "coupons", or to use an email address ending in .biz (ouch), will return a 403 "Forbidden" page. The arguments can be found by looking at the source of the registration page itself.
Of course, it's possible you'll end up blocking legitimate users with this kind of string matching, so you may want to put some kind of explanation in the error page.
Put the following in the VirtualHost configuration, and create a custom error page that explains there's a spam filter in place and gives an email address for falsely filtered users to contact.
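To see which registration attempts those three rules would reject, here is an added Python re-implementation of the SecFilterSelective ARG_ matching (not ModSecurity itself, and not part of the original post), run over constructed registration POST bodies; it also shows the kind of false positive the string matching can produce.

```python
import re
from urllib.parse import parse_qs

# Hypothetical re-implementation of the three SecFilterSelective rules from
# the post. Each rule names one form argument (ARG_website, ARG_email) and a
# regex that is searched, unanchored, in that argument's value: a substring
# anywhere in the value is enough to trigger the rule.
RULES = [
    ("website", re.compile("viagra")),
    ("website", re.compile("coupons")),
    ("email", re.compile("biz$")),
]

# Constructed POST bodies standing in for what the phpBB registration form
# would submit (profile.php); the argument names come from the form source.
SAMPLE_POSTS = {
    "spam": "username=buy1&email=seller%40cheap-pills.biz"
            "&website=http%3A%2F%2Fviagra.example",
    "legit": "username=jane&email=jane%40example.org&website=",
    # A real site whose name merely contains "coupons" is blocked too.
    "false_positive": "username=sam&email=sam%40example.com"
                      "&website=http%3A%2F%2Fcouponsforcharity.example",
}


def matching_rule(post_body):
    """Return (arg, pattern) for the first rule hit, or None if the POST passes."""
    args = parse_qs(post_body, keep_blank_values=True)
    for arg, pat in RULES:
        for value in args.get(arg, []):
            if pat.search(value):
                return arg, pat.pattern
    return None


def filter_registration(post_body):
    """Mirror the server's decision: 403 Forbidden on a rule hit, else 200."""
    return 403 if matching_rule(post_body) else 200


if __name__ == "__main__":
    for name, body in SAMPLE_POSTS.items():
        print(name, filter_registration(body), matching_rule(body))
```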
ErrorDocument 403 /err/403.html
update: phpbb.com is back up, and a guide to antispam methods within phpbb can be found on their support forum.