PhpBB 3 spam protection without captcha

I think many forum owners on phpBB 3 already know that the standard captcha that comes with the forum does not save much.

In general, having come once to your forum, I saw that in a matter of hours several hundred spam messages were added, despite the fact that the captcha was turned on, and you can post only the registered ones. At first I tried to just choose another captcha, but it also did not help. Then I thought about a different approach.

Protection based on analysis of user actions

In general, the first thing to do was to add scripters to the forum, which wrote all the GET and POST requests to the log file so that they could be analyzed.

Immediately I will clarify that the forum is Russian-speaking (Russian is enabled by default), but there is also English.
')
And so a typical request for registration from the bot looks like this (the method, url, referrer are displayed, and then the info from the POST request, I removed the email):

GET /forum/index.php /forum/index.php GET /forum/ucp.php?mode=register /forum/ucp.php?mode=register POST /forum/ucp.php?mode=register /forum/ucp.php?mode=register 'agreed' => '    ', 'change_lang' => '', 'creation_time' => '1320421149', 'form_token' => '16d4c035a7de1680c4e19fe0addd242d7edf1822', POST /forum/ucp.php?mode=register /forum/ucp.php?mode=register 'username' => 'Shemtrearve', 'email' => 'deassepleadia@....com', 'email_confirm' => 'deassepleadia@....com', 'new_password' => 'q49uh3oYcN', 'password_confirm' => 'q49uh3oYcN', 'lang' => 'en', 'tz' => '-12', 'agreed' => 'true', 'change_lang' => '0', 'submit' => '', 'creation_time' => '1320421154', 'form_token' => '97471b3af621c1a60f825e50d2b61b3346b48025', GET /forum/ucp.php?mode=login /forum/ucp.php?mode=login 

I also removed the sid from the URL, the bots often add them, although they are disabled in my forum. All requests are made at intervals of 4-5 seconds.

Now we are looking for weirdness in the query:

1. Naturally, it is immediately obvious that the bot enters the page from the same page (referrer coincides with the page).
2. In the second POST request, we draw attention to the fact that the bot chose English, while in the previous request it did not change the language, and read the forum rules in Russian, and then chose English.
3. Next, we will indicate that a time zone of -12 has been chosen, although this zone is purely conditional and no one lives there. And the thing is that phpBB this date stands JavaScript, and the bots, it remains by default.
4. Further, change_lang = 0, while there can be no such value in phpBB, there should be a language code.
5. And finally submit in Russian, with the selected English. There are still stupid bots that do not understand the Cyrillic alphabet, and question marks are inserted into this field.

In general, the conclusion is quite simple, but based on points 2-5, we make a small script that will prevent the registration of bots.

The code looks like this

 if (isset($_POST['password_confirm']) && isset($_POST['tz'])){ //     if( $_POST['tz'] == -12 || //    ($_POST['lang'] == 'en' && $_POST['change_lang'] != 'en') || //   ,  change_lang     ($_POST['lang'] == 'en' && $_POST['submit'] == '') //   ,   -  ){ header("HTTP/1.1 404 Not Found"); exit; } } 

The easiest way is to add this code at the end of config.php, in order not to poke around for a long time, not to tear it down when updating the forum, and immediately send bots to the forest. You can simplify the condition at will, just for clarity painted. Thanks to this simple code, I eliminated almost all spammers, even though I turned off the captcha.

It is clear that over time, the bots will learn to bypass it, but then we will also come up with something new.

UPD. I corrected the code of the example, otherwise there were a couple of typos.