Viewing 7 replies - 1 through 7 (of 7 total)
  • Hello @exxos21

    Thank you for your enquiry! Could you please send us 1–3 IDs of requests from your Anti-Spam log that bypassed protection?

    Once we have a few examples, we’ll check how this specific form is being processed and then suggest the best solution or outline the next steps.

    Your Anti-Spam log: https://cleantalk.org/my/show_requests

    Thread Starter exxos21

    (@exxos21)

    I tried to find one ID but it doesn’t seem to be listed in the log anywhere, and the “user” posted today. The user registered 3 years ago so not recent…

    From what I can tell, this user/bot is directly accessing the php scripts on the forum. So I suspect browser manipulation via scripts.

    The posts look genuine, and they were only even found out because of a vision forum user it will also notice the same activity on 20 other different forums.. It is definitely some kind of auto responder bot of some sort. We have never seen anything like this before.

    Is why I thought having captcha from something like Cloudflare built into the forum login page would be a first defence to stop such automation tools logging in in the first place.

    I do use a Cloudflare Turnstile to protect a basic HTML page, but no idea how to implement that into the forum. It may need a custom extension as nothing seems to exist.

    Plugin Support eugenecleantalk

    (@eugenecleantalk)

    Thank you for your reply.

    Please clarify, are you using our plugin? If so, please tell us the name of your site or its Service #? You can find the Service # here: your CleanTalk dashboard → the “Settings” button under your site name.

    Also, please clarify whether the main problem is that some bots first go through the registration process on the forum and then post spam comments.

    Thread Starter exxos21

    (@exxos21)

    Hello,

    It’s exxosforum.co.uk.

    Website Anti-Spam protection Created Aug, 12 2024. Phpbb31 5.80.

    The user probably registered before I started using CleanTalk.. But registering is already pretty complicated.

    There’s nothing to stop a user registering, posting several posts over months to “gain a reputation” as a valid user.. Then the AI bots take over..

    For example.. Just read this thread..

    https://www.exxosforum.co.uk/forum/viewtopic.php?f=114&t=7320

    We were pushed to decide if the Kickstarter was even a scam or not at this point.. It looks genuine.. But if genuine users are registering, signup protection isn’t going to help all that much.. Automation takes over later, which is clearly evident in that thread and also across 20 other forums which have been reported to me as well.

    This also creates a sideline problem, where actual users can register on multiple forums, gain a reputation over weeks, months or years. Do many many posts.. Go unnoticed.. (Which is basically what has happened at this point already with 40+ posts over 3 years) and as a lot of forums allow editing unlimited time, bots could easily go back and edit all the posts with any sort of political or other scams.

    Is why I think the only possible way to prevent bots logging in automatically is to have CAPTCHA on the forum login page where bots simply can’t get past (or at least struggle to). But this even may not be enough because actual users could still log in manually and then have scripts to spam or edit posts en masse after they have logged in anyway..

    Of course I would assume the CleanTalk extension would probably pick up on a lot of actual spam in the first place.. But for the specific problem I am stating, it is very difficult to do protection for it because it is such a unique problem.

    In my brief research, it does look like that Kickstarter is genuine but it could easily be not.. And that brings now the risk of next level scams across the Internet, in particular with AI in the mix which is now clearly evident.

    • This reply was modified 3 months, 1 week ago by exxos21. Reason: typo
    Plugin Support eugenecleantalk

    (@eugenecleantalk)

    Thank you, exxos21.

    Every comment, regardless of when the user registered, must be checked by our service. But judging by your Anti-Spam log on our website, this is not happening.

    We need additional details about your website. Please contact us via our private Ticket System and add there a link to this topic: https://cleantalk.org/my/support/open.

    Thread Starter exxos21

    (@exxos21)

    According to the settings it only checks newly registered users.. not long term registered users.

    I think I did do a patch to the extension a while ago to monitor every post but I think I decided against it in the end because it was just slowing down posting on the forum which became annoying to the users.

    My memory is a little fuzzy on it all, but in the end I think just monitoring new users was the solution. As if they got past moderation and CleanTalk, then we assumed they are genuine users.. but that’s not the case anymore..

    I can understand that having each post monitored would be more secure but again it’s the lag which can just end up irritating users.

    I’m not really sure how such posts would be detected anyway because they are using AI to emulate users. Some bots have even copied and pasted genuine posts into new threads to get around the first point moderation.

    The only thing I see is that they tend to format the posts a lot more than genuine users do and use bold text more often; genuine people rarely do that. But of course I cannot just ban people for using bold text! lol

    I think there might have been a lot of falsely rejected posts, I mean I get them occasionally on new users already and I do report them as not spam. But it’s not really something I have time to actively maintain. So we basically have to assume after the first three posts are manually approved by moderators that they are genuine users in order not to end up with a slower forum experience and more false positives.

    It’s a “catch-22” type problem, damned if you do and damned if you don’t..

    Is why I thought that having captcha on the login page would be possible.. at least if there’s no detectable human interaction then we could assume it is a bot logging in.

    The possible problem is passwords which are saved in browsers could trigger such a detection but generally it is why the “I’m not a bot” tick box comes up, which is quick and simple for users to complete.

    Plugin Support eugenecleantalk

    (@eugenecleantalk)

    Thank you.

    You can try installing a captcha, but our plugin does not have one. You need a different solution.

    Since we are talking about a plugin for phpBB, I am closing this topic. This forum is only for WordPress plugins. Let’s continue our conversation in our ticket system (link in my previous reply). We will think about what can be done for now.
