Spam Hurdles Module (CAPTCHA's and other anti-spam tools)

All files from this thread

File Name	File Size		Posted by	Date
spamhurdles-1.1.2.tar.gz	67 KB	open | download	Maurice Makaay	01/14/2007	Read message
spamhurdles-1.1.2.zip	79.2 KB	open | download	Maurice Makaay	01/14/2007	Read message
log_postdata.php	802 bytes	open | download	Maurice Makaay	10/05/2006	Read message
czech-win1250.zip	1.2 KB	open | download	tom_czag	02/25/2007	Read message

Here's the Spam Hurdles module. This module sets up some hurdles for forum spammers. Let's all hope they will trip over them! The module was written to combine several anti-spam tools in a single, easy to use module.

Features:

Very easy to install
Install the module files and enable the module. That's all there is to it. Only one very small template change is needed if you want to enable a CAPTCHA during registration of a new account for Phorum versions prior to 5.1.16. For 5.1.16 and later, this module is a pure drop-in module.

CAPTCHAs can be enabled for registering accounts and/or posting messages

5 types of CAPTCHA built-in:
- plain text
- ASCII art
- GIF image, with ttf font support, so easy customization of the used fonts
- Javascript based image (javascript builds a character matrix using <div> elements)
- Mathematical CAPTCHA (a.k.a. MAPTCHA)

An option to create spoken CAPTCHAs
A lot of CAPTCHAs are hard to solve for vision impaired people. For those people, an integration with Flite (Festival-Lite) was built. If you have the program "flite" installed on your server, then you can configure this module to use that program to enable spoken CAPTCHAs.

Blocking of message forms that are submitted multiple times
If this option is enabled, then a unique key will be generated for each new message. As soon as the message is posted, this key will be invalidated for posting. This effectively prevents people from going back in the browser and resubmitting a (slightly changed) message (flooding) as well as spammers who directly submit posting forms to Phorum's post.php, without fetching a fresh unique key first.

Blocking of message forms that are submitted too quickly
If this option is enabled, Phorum will check how much time there is between starting a new message and actually posting it. If a message is posted too quickly, then it's considered to come from a posting robot. To prevent users from accidentally posting the message too quickly themselves (For example by typing only "yes" in the body and hitting the submit button), the posting button is disabled as long as the server would block the message. On the button, a countdown is shown to display how many seconds the user has to wait before posting.

Blocking of bots that post form fields that are embedded in HTML comments
If this option is enabled, then an extra form field is added to the posting form. However, this form field is embedded within an HTML comment block. Because of that, normal web browsers will fully ignore this extra field. On the other hand, some badly written spam bots will recognize the code as a form field. If such a spam bot posts a message including this extra form field, the message will be blocked.

Let the browser sign the message using JavaScript
If this option is enabled, then the browser will retrieve two pieces of data from the server. The browser will have to create a signature for this data (using MD5) and does so by running some JavaScript. The signing JavaScript code is put in the message editor in a scrambled way (using iScramble) and the browser will have to descramble it using JavaScript to be able to run the signing code.
Functionally, this is all done to force the use of JavaScript when posting a message. This can block those spambots that do not interpret JavaScript, but only try to post the unmodified form information that is found on the message posting page.

Examples:

This module is installed and enabled on my development server. There you can see it in action on both the stable (5.1) and development (5.2) versions of Phorum:

Phorum 5.1 registration
Phorum 5.1 post anonymous message
Phorum 5.2 registration
Phorum 5.2 post anonymous message

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce



Edited 20 time(s). Last edit at 01/14/2007 06:18PM by mmakaay.

added the mod in register.tpl, working like a charm on 5.1.14.
the voice module is a nice addon--great for people who have access to their server or good server support.

I uploaded version 1.0.2 to the first message in this thread.

Changelog for the new version:

2006-08-30 v1.0.2

    - Changed the JavaScript code for disabling the post button when
      the blockquickpost option is active. Now it checks if it can
      actually find the post button, so it won't spawn javascript
      errors if for some reason the form does not look like I
      expected there.

    - Since the Phorum cache will grow when spam hurdles are created,
      an option was added to do automatic cleanup of hurdles that are
      no longer in use. A cookie is set, to remember the last
      key that was in use. If another key is used in the module,
      then the key in the cookie can be cleaned up automatically.
      This will remove most of the stale data in the Phorum cache.

    - Added cache management to the module's settings screen, so the
      cache data that is generated by this module can be purged
      easily once in a while.

    - Added a Dutch language file to the distribution.

2006-08-30 v1.0.1

    - Added a configuration option to set the blocking method to use
      when a block is encountered while posting messages. You can now
      allow users to still post their message, only make the message
      unapproved, so a moderator can take a look at it first.

      If you were running version 1.0.0 of the module, then disable
      and re-enable the module to let Phorum see the new hooks that
      are needed for this feature.

    - Fixed a bug, which allowed spammers to bypass the checks by
      posting final formdata without any key in it, directly to the script.

    - Whether to show a CAPTCHA on signup and posting pages was not
      determined correctly, based on the module config. The CAPTCHA would
      always show on both pages if at least the posting CAPTCHA was enabled.

    - Generated spamhurdles information does now contain information about
      the type of form that it was generated for. This is used to prevent
      spammers from trying to grab a registration spamhurdles key and use
      that for processing a message form (if the registration does not
      use a captcha, the message posting wouldn't require one either in
      this case).

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce



Edited 3 time(s). Last edit at 08/30/2006 11:54AM by mmakaay.

I uploaded version 1.0.3 to the first message in the thread.

Changelog for the new version:

2006-08-30 v1.0.3

    - Setting the cookie for automatically deleting old cached
      data did trigger a PHP warning about headers that were already
      sent in Phorum 5.1. The code is changed to set the cookie
      through JavaScript in the page.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

This is very comprehensive solution with spam! Very nice!

[opensourceCMS.com]
[ongetc.com]
Chanh Ong

Thanks to sirgrim who tested out this module on his somewhat hacked up Phorum :), a few bugs were squeezed out. I recommend upgrading to this version for a smooth operation of the Spam Hurdles module. See the first posting in this thread for the update 1.0.4.

Changelog for this version:

2006-08-31 v1.0.4

    - Removed unused file from the package: lib/postdelay.js

    - Tuned the automatic cache data cleanup a bit more. The cleanup
      code was sometimes fired at wrong times, causing the cache
      data to be cleaned up, while the user could still be using it,
      resulting in an error message for the user.
      This problem was seen on Phorum 5.1 with the Phorum 5.1 Editor
      Tools module (the simple smiley panel one) enabled.

    - On the register page, the captcha code was re-generated on
      every click. Now the code stays the same during the
      registration process.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

Netwalker just found a bug. If you edit a posting, then you will get a spam blocking error. If you're suffering from that bug right now, then disable "Block message forms that are submitted multiple times" in the module's settings. I'll fix this problem a.s.a.p.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

I fixed the problem that I reported in the previous post. I uploaded the new version 1.0.5 to the first message in the thread.

Changelog for the new version:

2006-08-31 v1.0.5

    - Disabled all Spam Hurdles for editing posts. Before fixing
      this, the duplicate message posting check was run and caused
      a spam error when editing a message. Thanks to Netwalker
      for discovering and reporting the problem.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce

Translated the language file for German-Du. Hope it helps.

Net.

Maurice: Thanks for the language file. I removed it from this post, because it's now included in the distribution.



Edited 1 time(s). Last edit at 09/04/2006 04:46AM by mmakaay.

Thanks! I changed a couple of things:

* I added "(auf English)" to the "CaptchaSpoken" and "MaptchaSpoken" keys, to make clear to the user that the spoken text will be English and not German.

* I don't think "nocheinmal" is an official German word. So I changed all occurances to "noch einmal".

I added the language file to version 1.0.6 of the module, which is uploaded to the first message in this thread. Changelog for this version:

2006-09-04 v1.0.6

    - Added a German (du) language file to the distribution.
      Thanks to Netwalker.

---

Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce



Edited 1 time(s). Last edit at 09/04/2006 04:45AM by mmakaay.