2014-11-22

How to protect your MyBB forum from spam.

This guide was written by VirusZero of http://endlessfight.net. Do not reproduce without permission.

If you have a MyBB forum then you likely have at some point had to deal with spam. Most admins do inevitably have to cross this bridge. So, with that in mind, this guide will attempt to show you some of the most common ways to handle spam and what I feel are the most effective ways to manage spam and keep your forum clean.

Before I start, please keep in mind that most of this was written for MyBB 1.6 forums. Several of the plugins listed have not been officially converted to MyBB 1.8 and, as such, may not function as expected (or at all) on MyBB 1.8. If you are running a MyBB 1.8 forum and use these plugins, they may still work for you (if you add "18*" to "compatibility" in the pluginname_info array). But you should always take a backup before ever attempting to install one of these plugins. (Just to be on the safe side.)

Spamalyzer

The Spamalyzer plugin (version .93) by ZiNgA BuRgA is one of the most effective methods to combat spam on a forum with the least amount of negative impact on users. This plugin stops spam by combing through each post to look for certain behaviours used extensively by spammers and then denying posts with those behaviours from ever appearing on site.

For those who have never installed a plugin before...

1- Download a copy of the plugin from ZiNgA BuRgA's site. (Right here.)

2- Use an extractor program (one that can handle 7zip) to open the file up.

3- Take the resulting 2 folders (admin and inc) and upload them to where your MyBB is installed.

If you've changed where your admin files are located then rename the admin folder to whatever you changed it to first.

For easy install, you can put them into a zip file then upload them to your MyBB install folder with your host's cPanel. Then you can click on the .zip file and click "extract" from cPanel (extract to your home folder so that the folders inside the .zip get merged with the existing folders of the same name.)

4- After uploading the files, go into your copy of MyBB's ACP.

5- Click "Plugins" from the left menu

6- Click "Install and Activate" beside the Spamalyzer plugin.

After this plugin is installed you will need to configure it for optimal use. To do this, go to "Configuration" and then look for the setting group titled "Spamalyzer Settings".

Please keep in mind that the following settings are based on what I have used and what I have found to work well for me. This does not mean they are a perfect fit for everyone. They will, however, hopefully provide you with a starting point to make any tweaks and modifications to best fit your forum.

Once inside Spamalyzer's settings page...Under the header "Thresholds and Exclusions"

Look for the option titled "Groups to Moderate" and set that to groups "1,5" (these are your guests and validating members. Most spam that this will pick up will be by guests so there's no real reason to have this plugin running against members. Though if you do get spambots registering then feel free to add your member group ID, which should be 2, here.)

If you do want to leave registered members up for checking, you will probably want to set "Registration Age (hours) Threshold" to like 700 hours or so. This way members who have stuck around for a while are excluded from checks (since most spammers will be joining up to spam right away, not like 4 weeks later).

Then find "Ignored Hosts" and add:

Quote:jcink.com,jcink.net,jfbs.net,invisionfree.com,proboards.com,boards.net,freeforums.org,zetaboards.com,icyboards.net,icyboards.com,yuku.com,forumotion.com

to the end of it in order to make it so that most free forums can advertise with you without issue. This will mean that even if a site (like say support.jcink.com) uses some of the words on the keywords list that it wouldn't count and the spam filter would just let everything go. Though this does nothing for other self-hosted sites (you can add them in if you wish, but it's likely more a hassle than is necessary).

For the options under "Spam Weighting Factors":

- "Weight per Simple link" set 0.3 (Simple links are like [*url]somelink[*/url] )

- "Maximum Simple link weight" set 3 (Simple links are rarely used, even by spammers... but there's no sense having this too high... just in case a legitimate user posts a simple link.)

- "Weight Per Complex Link" set to 0.5 (complex links are like [*url=link]words[*/url])

- "Maximum Complex Link Weight" set to 4 (You'll want a limit on this because guests will be posting links to their sites and if they have a lot this setting, if left too high, could unfairly flag them as spammers.)

- "Same Host Link Bias" set to 0.15 (This punishes spammers for linking to the same place over and over. We want this set fairly low because guests will be linking to their sites a few times and we don't want them punished for it.)

- "Duplicate Keyword Bias" to 0.3

- "Badword Weight Factor" to 2.5 (this means if a spammer uses the same keywords over and over... they get penalized more heavily for it.)

- "Weight Per Day for Bumping Old Thread" set to 0.15

- "Maximum Weight Applied for Bumping Old Thread" set to 3 (If they bump a thread that's over 20 days old they will still get penalized, but not outrageously. This way if a legit user bumps their thread it doesn't erase their bump.)

- "Special Forums" set this to whatever the Forum ID number (where it says "showforum.php?fid=#") for your advertising forum is. (I also recommend that if you have a guest friendly question section that you add that section's FID also just in case a spammer tries hitting there too.)

- "Weight Factor of Special Forums" set to 1.5. (This increases the weighting for those sections, defined above, making spam like actions worth 1.5x more. So if they would have gotten a 3 spam points previously, it'd be worth 4.5 after this. You probably shouldn't set this higher than 1.5 simply because it can end up punishing legitimate users too harshly and detecting them as spammers.)

For "Spam Weighting Factors (user)"...

If you don't have the user groups enabled (only guests) then this won't make much difference. Though you can probably leave these at defaults since they're acceptable enough.

For the values in Stop Forum Spam section...

- "SFS Username Frequency Weight" to 0.2

- "SFS Email Frequency Weight" to 0.8

- "SFS IP Frequency Weight" to 0.8

- "SFS Weighting Limit" to 15

These are for your server checking into Stop Forum Spam's database to see if a poster is listed. Though since email likely won't be used by guests it has little value here. But username and IP have a lot of value here since spammers tend to recycle the same usernames and IPs a lot.

For Akismet, just leave the Akismet API blank because it's not overly useful (Stop Forum Spam does a better job here anyway).

For Google Lookups, this section is somewhat difficult to really judge how effective it is. I've had it set but some Chinese spam still got in even though it should have just deleted it. But anything in Italian or French has gotten deleted.

- "Foreign Language Weighting" to 10

- "Native Language" to "en" (or whatever language your forum is...)

- "Google Search Results Weighting" to 0.2

- "Maximum Google Search Weighting" to 3

- "Minimum Google Search Message Length" to 50

For Spam detection heading...

- "Report Post Weighting Threshold" to 7

- "Unapprove Post weighting threshold" to 10

- "Block post weighting threshold" to 15

These settings determine how many points a post must get before it is reported to staff, unapproved and reported, or just erased entirely without notifying staff. This allows a guest to have some spam-like behaviours without actually punishing them right off. (But still notifies staff to have a look, just in case something is amiss.) Though getting a score of 15 is actually quite difficult unless a user is deliberately trying. (Since the limits on links and means at best they could get 6 points... which isn't enough for a report. And the keywords selected are ones that are very unlikely for a legitimate user to ever actually use enough to be seriously penalized for.)
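To try link and threshold settings against sample posts before saving them, here is a simplified model of the link weighting, ignored hosts and thresholds described above. It is an added example, not Spamalyzer's own code: the additive scoring, the ">=" comparisons, forum ID 12 and the sample post are assumptions, and the real plugin has further terms (keywords, bumping, Stop Forum Spam) that are left out.

```python
import re
from urllib.parse import urlsplit

# Settings recommended in this guide (ignored hosts: a subset of the list).
IGNORED_HOSTS = ("jcink.com", "proboards.com", "forumotion.com")
SIMPLE_W, SIMPLE_MAX = 0.3, 3.0      # weight per simple link, and its cap
COMPLEX_W, COMPLEX_MAX = 0.5, 4.0    # weight per complex link, and its cap
SPECIAL_FORUMS = {12}                # hypothetical FID of the ad forum
SPECIAL_FACTOR = 1.5
REPORT, UNAPPROVE, BLOCK = 7, 10, 15

# [url]target[/url] is a simple link, [url=target]text[/url] a complex one.
URL_TAG = re.compile(r"\[url(?:=([^\]]+))?\](.*?)\[/url\]", re.I | re.S)


def host_of(target):
    """Lower-cased host name of a link target, or '' if it cannot be parsed."""
    target = target.strip().strip("\"'")
    if "://" not in target:
        target = "http://" + target
    try:
        return (urlsplit(target).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""


def is_ignored(host):
    """Exact or sub-domain match only, so 'notjcink.com' is not 'jcink.com'."""
    return any(host == d or host.endswith("." + d) for d in IGNORED_HOSTS)


def link_weight(message):
    """Capped weight contributed by the links that are not on ignored hosts."""
    simple = complex_ = 0
    for eq_target, body in URL_TAG.findall(message):
        if is_ignored(host_of(eq_target or body)):
            continue
        if eq_target:
            complex_ += 1
        else:
            simple += 1
    total = min(simple * SIMPLE_W, SIMPLE_MAX) + min(complex_ * COMPLEX_W, COMPLEX_MAX)
    return round(total, 2)


def action(weight, fid):
    """Map a post's total weight to what happens to it (>= is an assumption)."""
    if fid in SPECIAL_FORUMS:
        weight *= SPECIAL_FACTOR
    if weight >= BLOCK:
        return "block"
    if weight >= UNAPPROVE:
        return "unapprove"
    if weight >= REPORT:
        return "report"
    return "allow"


# Constructed sample post: one ignored host, one look-alike, one plain link.
SAMPLE = ("[url]http://support.jcink.com/index.php[/url] "
          "[url=http://notjcink.com/x]cheap shoes[/url] [url]shop.example[/url]")

if __name__ == "__main__":
    w = link_weight(SAMPLE)
    print(w, action(w, fid=12))
```

The ignored-host check matches whole domain labels, so a look-alike domain that merely ends in the same letters is still weighted.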

Under the Misc options...

You can leave the "Keyword Minimum length" and "Ignored Keywords" without too much issue. (Though if you really wanted you could add any roleplay related terms you can think of to it. But generally it isn't necessary since they won't be detected by the bad keywords filter anyway or any of the other settings.)

In the text box for "Bad Keywords" clear it then paste in:

Quote:seo,free,rich,money,cash,revenue,loan,loans,payday,gold,forex,replica,cheap,cheapest,sale,affordable,purchase,wholesale,price,prices,estate,poker,blackjack,holdem,casino,gambling,lottery,dumps,logins,rolex,sunglasses,jewelry,rings,handbag,handbags,shoe,shoes,heels,boots,clothing,designer,lululemon,ralph lauren,louis vuitton,tiffany,michael kors,christian louboutin,airjordan,new balance,jean paul gaultier,gucci,polo,designer,shaper,shapewear,sportswear,store,outlet,air jordan,air max,nike,porn,porno,amateur,cam,sex,sexy,vagina,vaginal,anal,penis,cock,horny,tranny,shemale,ladyboy,cigarettes,smoking,marijuana,prescription,capsules,tablets,pharmacies,pharmacy,pharmaceutical,drug,drugs,pill,pills,drugstore,ibuprofen,acetaminophen,vicodin,morphine,lipitor,carisoprodol,xanax,wellbutrin,albuterol,viagra,strattera,prozac,phentermine,paxil,oxycontin,oxycodone,hydrocodone,duloxetine,cialis,celexa,abilify,adderall,tramadol,hydrochloride,glycolate,peroxide,Lithium,Sulfate,Glucose,obesity,weight,weight loss,weightloss,exercise,exersizes,cardiovascular,marathon,insulin,Diabetes,sclerosis,Insomnia,cancer,heartburn,kitchen,hotel,test,erectile dysfunction,enema,acai,Quiznos,Outback Steakhouse,

You can leave "Reporter User ID" to 1 to use the root admin's account to show as reporting if you want. Though you can also use another account (like a shared staff account or something) too just for visual difference. This one is purely up to you.

You can set "Don't Duplicate Report" to "yes" purely to prevent a lot of duplicate reporting (just in case members can see a post that makes it through somehow and they report it...)

Important safety tip -

Even though Spamalyzer will prevent spam posts from showing up on site, it will still keep a record of the spam posts it's caught (detailing why it classed them as spam). These logs can be viewed in the ACP by "Tools & Maintenance" (top menu) then clicking "Spamalyzer log".

You can then click the spam weighting number beside an individual post to see why it got that rating.

Periodically you may want to prune these logs (to keep your database size down) by clicking the "Prune Spamalyzer Log" tab (in the Log section) and then entering a number to determine how many days' worth of logs to keep. (I recommend pruning down to 15 days at first when using this system until you get used to it, just to occasionally check for any accidental mislabels of legitimate posts. But after a few months of using it then you can probably prune all, or all but 2-3 days, once you're satisfied with the system and its tweaks.)

Register Time

Register time (v 1.2.1) is a plugin designed primarily to stop spambots from registering on your forum. It won't do anything to stop guest/unregistered spammers from getting into your guest ad section. I'm including it here though because some spammers will attempt to register accounts first and this can help stop them (which, if they can't register, means they can't drop spam in your other sections).

- Upload register_time.php to your inc->plugins folder.

- After uploading the files, go into your copy of MyBB's ACP.

- Click "Plugins" from the left menu

- Click "Install and Activate" beside the Register time plugin.

- Go to "Configuration" (from the top menu).

- Click "Register Time Settings".

- Now set "register time" to 30 or so seconds.

- Click "Save settings".

Note - This is, apparently, a core feature in MyBB 1.8 (according to here). So MyBB 1.8 users don't need to install this (it's already there). However you may have to look through the options to find out where/how to configure it.

Stop Forum Spam

Stop Forum Spam is another plugin that won't stop a spammer from filling your guest ad section... But it will keep spambots from registering (and thus delivering spam that way).

- Upload the inc folder (and contents, with file structure preserved) from the Stop Forum Spam plugin to your inc folder.

- After uploading the files, go into your copy of MyBB's ACP.

- Click "Plugins" from the left menu

- Click "Install and Activate" beside the Stop Forum Spam plugin.

- Go to "Configuration" (from the top menu).

- Click "Stop Forum Spam check".

- Ensure that a checkbox is beside "Check Username?", "Check email address?" and "Check IP?".

- Set "confidence level" to whatever you feel comfortable with. (Lower numbers here mean more are rejected... 40-50% is probably a good level to use though. If you want higher protection then use 20%.)

- Set "Log Denials" to "yes".

- Set "Failsafe" to "yes".

- Click the "Save Settings" button.

.htaccess

For self-hosted forums, admins often have the option to use a .htaccess file (which lets the server know who is allowed to access a particular folder and who isn't). We can use this to our advantage to block entire ranges of IPs from known problem users with minimal effort. (And if they tried to visit any part of the forum at all they only get an error stating they can't view that page. So this means bots can't use URLs to directly access your ad section to fill it.)

Now because one of the largest producers of spam is China and the actual chances of getting any legitimate traffic from China are low (due to their heavily monitored internet, which would require them to use VPNs or proxies to get out anyway) this makes them relatively safe to block without severe consequence. (The largest producer of spam is actually the US... But we don't want to block them because it affects too many legitimate visitors.)

So how do we actually block using .htaccess?

1- You need to open your cPanel (or whatever equivalent to cPanel you have) and log in.

2- Once inside, look for "File Manager" icon and click it.

3- It should open up a menu asking you where you want to open up, and below that it should have a check box for "show hidden files" (or something along those lines)... make sure that box is checked.

4- Open your file manager and navigate to where your MyBB install is located.

5A- If you don't see a .htaccess file already there, Click the "New File" button at the top and name it ".htaccess" (without the quotes). Then open this file.

5B- If you see a .htaccess file there already then just open it up.

6- Now go to http://www.ip2location.com/blockvisitorsbycountry.aspx and select:

- IPv4

- China

- Apache .htaccess deny

- Then click download and save the resulting text file somewhere.

7- Open that text file and copy its contents.

8- Paste the contents of that text file into your .htaccess file.

9- Click "Save" (or Submit).

Warning - editing .htaccess can block large numbers of people in a hurry. So be very careful about which IPs you add. And editing this file should always be done carefully and cautiously. (And it's a good idea to keep the cPanel open, then test the site, just in case something goes wrong so you can easily/quickly revert any changes.)
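One way to act on that warning is to check the downloaded list before pasting it in. The script below is an added example, not part of the original guide: it assumes the file uses Apache "deny from" lines with CIDR ranges, and the sample ranges are constructed from documentation address blocks rather than real country data.

```python
import ipaddress
import re

DENY_LINE = re.compile(r"^\s*deny\s+from\s+(\S+)\s*$", re.I)

# Constructed sample using documentation address ranges, not real country data.
SAMPLE = """\
<Limit GET HEAD POST>
order allow,deny
deny from 192.0.2.0/24
deny from 198.51.100.0/25
deny from 203.0.113.77/24
deny from all
allow from all
</Limit>
"""


def parse_deny_list(text):
    """Return (networks, problems) for the 'deny from' lines in the text."""
    networks, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = DENY_LINE.match(line)
        if not match:
            continue  # other directives, comments and blank lines
        value = match.group(1)
        if value.lower() == "all":
            problems.append((lineno, value, "blocks every visitor"))
            continue
        try:
            # strict=True rejects ranges whose host bits are set (likely typos)
            networks.append(ipaddress.ip_network(value, strict=True))
        except ValueError as exc:
            problems.append((lineno, value, str(exc)))
    return networks, problems


def blocking_rules(ip, networks):
    """Networks from the list that would deny the given address."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in networks if n.version == addr.version and addr in n]


def review(text, must_stay_reachable):
    """Summarise a deny list before it is pasted into .htaccess."""
    networks, problems = parse_deny_list(text)
    locked_out = {}
    for ip in must_stay_reachable:  # e.g. your own and your staff's addresses
        hits = blocking_rules(ip, networks)
        if hits:
            locked_out[ip] = hits
    return {
        "rules": len(networks),
        "addresses": sum(n.num_addresses for n in networks),
        "problems": problems,
        "locked_out": locked_out,
    }


if __name__ == "__main__":
    print(review(SAMPLE, ["198.51.100.10", "198.51.100.200"]))
```

On Apache 2.4 the "order"/"deny from" directives only work while mod_access_compat is loaded; the native equivalent there is "Require not ip" inside a RequireAll block.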

Moderated Boards

Having forums where all posts must be approved by moderators before they can appear is fairly effective. However it has a few major (and glaring) flaws...

1- large volumes of spam can overwhelm moderators. (Larger forums can easily get over a thousand spam posts in a day.)

2- this depends on moderators to actually approve posts. (And if no one checks in for a few days, or they have to go offline for some time, this can easily lead to issue 1.)

Guest advertisers also can contribute to the first issue because if they don't see their post show up right away (when they hit submit) they may post again.

Because of these major flaws, I do not recommend using moderated boards as a solo anti-spam solution. I feel that there are other, far more effective, solutions. Many of which are automatic and don't require constant staff attention. Though having it as a secondary option can be useful in cases. (Like if you have a guest ad account that's being abused...)

To set this up:

- Log into your ACP.

- Click "Forum & Posts" (From the top links section)

- Scroll down to your ad forum (or whichever forum you want to moderate) and click its name.

- Now click "Edit Forum Settings" (it'll be in the first row of links under "home >> Forum Management")

- Scroll down and locate "Moderation Options", now check the "Yes, moderate new threads" and "Yes, moderate new posts" options.

- Then scroll down and click "Save Forum".

Password Protected Boards

Password protected boards are generally disliked by most advertisers. (Since it takes them an extra second to enter that password before they can post.) But they are quite effective at stopping a good percentage of spammers from ever managing to post on your site.

On MyBB, you can create a password protected board by:

- Log into your ACP.

- Click "Forum & Posts" (From the top links section)

- Scroll down to your ad forum (or whichever forum you want to add a password to) and click its name.

- Now click "Edit Forum Settings" (it'll be in the first row of links under "home >> Forum Management")

- Scroll down and locate the "Forum Password" option. Enter the password you want inside the text box.

- OPTIONAL - Scroll up to the forum description and enter the password here (so guests can easily locate the password.)

- Finally scroll down to the bottom and click "Save Forum" button.

You may also want to add notes in the forum rules (like if you have a link back and first link section) about the password. To do this:

- Log into your ACP.

- Click "Forum & Posts" (From the top links section)

- Scroll down to your forum that you want to add the notes to.

- Scroll down to "Forum rules" and make sure the drop down is set to at least "Display rules for this forum in thread listing".

- Then give them a title (if not already done).

- Then just add a note about the password (and what it is) in the "rules" text box.

- Finally scroll down and click the "Save Forum" button.

Guest Accounts

Guest accounts for advertising are almost universally hated by advertisers (because it slows them down even further). But they are effective for keeping spam out. Though guest accounts should generally be reserved for cases where other methods to allow advertising have failed (simply because they are somewhat cumbersome and generally loathed).

Before you actually create a guest account, you may want to create a new usergroup for guest ad account. (This way you aren't giving guests complete access to post wherever they want...)

- Log into your ACP.

- Click "Users & Groups" (From the top links section).

- Click "Groups" (from the menu on the left).

- Click the "Add New Usergroup" tab from the top.

- Enter a name for this usergroup.

- Then under "Copy Permissions" select your banned user group. (Because banned user group should have no posting rights across your forum...)

- Any other options here can be configured if you want. Otherwise click the "Save User Group" button.

- Now click "Forum & Posts" (From the top links section).

- Scroll down to your ad forum and click its name. (You may have to repeat from here down if you have a first-link and back links section also...)

- Now click "Permissions" (from the second set of tabs).

- Then scroll down to find the ad group you just created and click "Set custom permissions".

- Now give them the ability to post ("Can view forum", "can view threads within forum","Can post threads", "Can post replies").

- Then click "Save" to apply their permissions.

To create a guest advertisement account:

- Log into your ACP.

- Click "Users & Groups" (From the top links section)

- Click "Create new user"

- Enter the username, password and email address.

- Then set primary group to the ad group you just created.

- Then click the "Save User" button.

Closing the Ad section

This is the last, and most drastic, option available to admins. However it is a choice worth considering in certain cases. (Like if your forum is getting overrun with spam despite employing other options.)

Guest advertisers will HATE this (especially if you've recently posted any ads yourself). However this can be a necessary course of action. (Though please, if you employ this... stop posting ads while your ad section is closed. It's incredibly rude to do so.)

To do this...

- Log into your ACP.

- Click "Forum & Posts" (From the top links section)

- Scroll down to your forum that you want to close down and click its name.

- Scroll down to "Access Options" and then uncheck "Forum is Open?".

- OPTIONAL - You may also want to add a short note (in your forum description detailing your ad section is closed temporarily due to extreme volumes of spam).

- Then click the "Save Forum" button.

If you have multiple ad forums (like a first link and link back section) then you may want to close them down, using the above method, also.

Those are some of the most common methods of combating spam. They are not the only options though. (There may be other plugins which will provide spam protection.) And as time goes on, newer and more powerful options may present themselves. Especially once MyBB 1.8 catches on and starts gaining more powerful tools of its own. And I can't guarantee that this guide will be 100% relevant/accurate once newer plugins are released.

But hopefully this guide has given you an overview of the options, how to configure them (and tweak them) to protect your sites. Thank you for reading and if you have questions, comments or concerns regarding this guide... Please feel free to ask here or PM me.
