Note: this post was updated on February 10, 2019 to bring it up to date.
Note: this post was edited on February 3, 2018 to keep it up to date, due to its popularity.
Note: This post was edited on July 22, 2018 to discuss tools for removing spam posts.
Back in 2015 I promised a subsequent post on removing spam posts from phpBB forums. Before talking about how likely spam posts can be removed let’s first talk about how to prevent them in the first place.
Preventing spam posts
You may want to adopt one or more of these strategies:
- In 2018, the phpBB group approved the release of the Akismet anti-spam extension. This service uses the popular Akismet service, which is essentially a huge database of IPs and domains that have been reported to have sent out spam. Akismet is primarily used for comments on WordPress blogs, but was tailored by the extension developer to also work with phpBB. While the Akismet service can be free to use, it is not necessarily free. It is free for personal sites and blogs. If your forum is on your personal, noncommercial website, then presumably you can use it for free, although you are encouraged to donate anyhow. The extension though is free to install and use, as is true of all phpBB extensions. When properly enabled, the service will check new registrations and posts and will disallow them if they meet the spam threshold. Note that as of this writing it has no tool to go through existing registrations and posts to find and remove spam.
- Similar to Akismet is the Cleantalk service. It’s arguably more affordable than Akismet, at least if you don’t qualify for Akismet’s free tier. You pay $8USD a year to subscribe to the service. You will have to download the Cleantalk extension for phpBB. (At this time an extension for 3.1 and 3.2 is available. However I recommend getting the latest version from GitHub, as it has features that may not appear on phpbb.com for months.) Install it, then configure it to check all posts for spam before allowing the post to be posted. As a bonus, it can check for spam in the contact form if that is enabled. There is no CAPTCHA built into the contact form. This is probably the most effective solution currently available. Note: the newer versions of this plugin also have a neat feature called Spam Firewall that can be enabled. It basically keep spambots from hitting your forum in the first place, saving you bandwidth and server resources.
- Do not allow guests to post. Fortunately, phpBB comes configured this way by default. If you actually want guests to post:
- ACP > Users and groups > Group forum permissions
- Select the forums that you want guests to post in and submit the forum.
- Select the role for guests for each forum. Probably you want Limited access but may prefer to be more expansive with guests and give Standard access. Then click Apply all permissions.
- Use the phpBB stop forum spam extension. This will check the IP of the poster against a popular known spammer’s database, but only this one list. It’s not foolproof, but it’s probably a 95% solution. Note that this extension works only for guest posts, so a registered user’s IP won’t be checked to see if their post contains spam. One advantage over Akismet and Cleantalk is it never costs any money to use this database.
- Use moderators. Find active and trusted users to help moderate your forums. You can make them global moderators or give them permissions to moderate specific forums only. Moderators also need to learn phpBB’s moderation procedures. In most cases it takes a human to truly identify a spam post.
- Encourage users to report spam posts. You might want to create an announcement to draw people’s attention to this feature of phpBB. It’s easy not to see it. For every post in the top right corner of the post there is a small button with an exclamation point (!) on it. The user can identify the reason for reporting the post, which can be it is spam. This will flag it for moderators or the administrator to review.
- By default newly registered users to have their first three posts go through the moderation process before they can post. If you do not have moderators set up, then you as the administrator will have to review and approve these posts. Follow phpBB’s moderation procedures.
Use better registration procedures
If your board is clean of spam, upping your spambot countermeasures can help ensure that no spambots register. A spambot that succeeds in registering can create spam posts.
- With the release of phpBB 3.2, phpBB can be integrated with the second generation version of reCaptcha. You need to go to the reCaptcha site, select the version 2 reCaptcha with the checkbox Captcha and generate a set of private and public keys for your domain (if you don’t have them already). Then configure the plugin: ACP > General > Board configuration > Spambot countermeasures. Look under Available plugins for reCaptcha and press Configure. Once the keys are entered you have to enable the plugin.
- If you are using phpBB 3.1, the best out-of-box solution is to use the Q&A countermeasure. Make sure the question is not easily retrieved with an “I feel lucky” Google search.
Removing spam posts
The latest version of the Cleantalk extension has tools that can help identify and remove spam users by checking the IP they use with their database. If it matches, you have the option to remove their accounts and with it all their posts. It is possible but unlikely that it will give some false positives, in which case using this approach may delete a lot of legitimate posts. It requires subscribing to their service, which costs $8/year as this is written. For more information, see this blog post.
Here are some other much more laborious means of identifying and removing spam posts:
An administrator or a forum moderator can manually remove any post he or she judges to be spam. Click on the little X icon in the top right corner of the post. If there is not much spam on your forum, this is generally the quickest approach.
If you allow guest to posts, a list of forums, topics and posts that have guest posts is useful. Administrators or moderators could then review these posts and delete them as needed. If you have phpMyAdmin, you can use it to run the following SQL to identify guest posts. (Select the forum’s database and then select the SQL tab.) Make sure you change phpbb_ as the table prefix if your config.php shows you have a different table prefix. The post text may look a little weird, as it is typically stored as HTML (phpBB 3.2) or in BBCode (previous versions), but it can be read.
SELECT f.forum_name, t.topic_title, p.post_subject, p.post_text FROM phpbb_forums f, phpbb_topics t, phpbb_posts p, phpbb_users u WHERE t.topic_id = p.topic_id and f.forum_id = t.forum_id AND p.poster_id = u.user_id and user_id = 1 ORDER BY left_id ASC, t.topic_id DESC, post_id ASC
If older guest posts were valid but you notice a rash of spam guest posts after a certain time, you can see a list of posts on or after this time. In this example, January 1, 2016 is used.
SELECT f.forum_name, t.topic_title, p.post_subject, p.post_text FROM phpbb_forums f, phpbb_topics t, phpbb_posts p, phpbb_users u WHERE t.topic_id = p.topic_id and f.forum_id = t.forum_id AND p.poster_id = u.user_id and user_id = 1 AND p.post_time >= unix_timestamp('2016-01-01 00:00:00') ORDER BY left_id ASC, t.topic_id DESC, post_id ASC
The query will identify the forum, topic, post subject and post’s text. This query is ordered to present these posts in a way that is ordered the same way it usually is on the forum.
phpMyAdmin, which is generally available in your web host control panel, has an export capability. You could, for example, export this list as a comma separated values (CSV) value, import it into a spreadsheet like Excel and pass it out in a more human readable format to moderators for review. They will have to find these posts and delete them manually in phpBB.
Do not delete these using SQL, as you will mess up the topic post counts and possibly the number of topics in a forum count. Manually delete them on the view topic screen instead.