Package: phpbb2
Version: 2.0.21-4
Severity: wishlist

I run a 400-user PHPBB2 board and have constant battles with spam bots registering accounts automatically. Phpbb2 requires more effective armour against bots registering accounts on phpbb2 boards to spam advertise their URL on the phpbb2 memberlist.

As noted in [1], the phpbb2 "captcha" is an ineffective method to deal with fake registrations. Phpbb2 needs a confirmation image that is more difficult to apply automated character recognition to.

Phpbb2 should not show a member's web page URL on the memberlist until their registration is confirmed (if the board owner has enabled confirmation), or, as suggested in [2], it should attempt to "confuse" automated registration bots.

If configured for email confirmation, phpbb2 sends email to the email address the user specifies in their registration information for confirmation. Phpbb2 should provide a bounced email handler (such as the way the mailman mailing list manager handles bounced addresses) that disables or otherwise flags new accounts with invalid registration email addresses.

[1] - http://sam.zoy.org/pwntcha/
[2] - http://boonedocks.net/mike/archives/49-PHPBB-Member-List-Link-Spam.html


Regards,
Gavin Rogers




