Spammers  finally reached PHPBB version 3 “Olympus” default CAPTCHA automated OCR task in their development schedule and recently started registering bot users passing the provided CAPTCHA confirmation code.

Luckily to them, PHPBB3 default CAPTCHA code is ridiculously easy to OCR, os basically this was rather expected. It does not however mean that there is no way to effectively stop automated registrations without spending too much time on forum engine update.

Automated registration spider sends HTTP POST with the code it OCR’red from the image and we can leave the same code querstion in place and just ask the interactive user to type some extra information into input field. For example, it is possible to instruct him/her to type an extra asterisk before the code, so that the following is expected to be typed in: *25K9RGS. This makes the only thing important: to put a proper not for the user so that he/she is aware that he needs this character to be also entered. PHP code update is relatively simple:

includes\ucp\ucp_register.php, near line 235:

<?php
////////////////////////////////
// NOTE: Checking extra asterisk in front of CAPCTCHA code to prevent from automated CAPTCHA readers
$confirm_code = $data['confirm_code'];
$confirm_code = (substr($confirm_code, 0, 1) == "*") ? substr($confirm_code, 1) : "";
if (strcasecmp($row['code'], $confirm_code) === 0)
// original:
//if (strcasecmp($row['code'], $data['confirm_code']) === 0)
////////////////////////////////
?>

then default style (e.g. subsilver2) HTML tempalte needs to have an extra character (9 instead of 8) space in the input field, styles\subsilver2\template\ucp_register.html, line 92:

<td class="row2"><input class="post" type="text" name="confirm_code" size="9" maxlength="9" /></td>

And finally the CONFIRM_CODE_EXPLAIN comment needs to be updated to instruct user to type the extra asterisk in language\en\common.php.