PHPBB - protect member privacy

[PeterD]

I'm a paranoid control freak and have my service domain set up to email me whenever a 404 occurs. One of our most frequent 404s is a batch of attempts to get to the member list of forums - spammers suck!

Basically what happens is, a robot using a spoofed IP (today it is boeing.com ) makes a few attempts to get to "known" or "obvious" forum links such as mydomain.com/phpBB2/ or forum.mydoman.com, etc. If it succeeds (no 404) it then goes deeper, looking for (in the case of phpBB2) memberlist.php. This page usually contains a list of email addresses belonging to your forum members, which can be read and spread around our beloved spammer community.

Prevention: I'm pretty sure that turning off the ability for your members to show their email address isn't enough - they can arbitrarily turn it back on and then they'll show up in the memberlist perhaps not realising that it is a back door for spammers.

Instead, you can totally disable the memberlist page, which is the option we've gone for. The two steps are: 1) find the template file called overall_header.tpl in your /phpBB2/templates/subSilver/ folder. Find the piece of code (look for "{U_MEMBERLIST}") that builds the memberlist link and delete the href. 2) find the file called /phpBB2/memberlist.php and rename it to memberlist.php.bak or some similar name. Don't delete it - you might want to get it back some day

[Silverbug]

you could just rename the member list page, and in its place put a page with a list of email addresses from spam emails you receive i know this only creates more spam, but at least it turns it around back on the spammers.

[ixie02]

Any easy way to keep just certain members from appearing on the list?

[PeterD]

Quote:

Originally Posted by ixie02

Any easy way to keep just certain members from appearing on the list?

Two that I can think of, both require code changes to phpBB, and one requires a change to the phpBB user table.

If you're familiar with php and sql, you could modify the sql statement's "where clause" to specifically exclude the userid of the members (search inside memberlist.php for "SELECT username"), changing this

WHERE user_id <> " . ANONYMOUS . "
ORDER BY $order_by";

to this

WHERE user_id <> " . ANONYMOUS . "
AND user_id <> {enter a userid}
AND user_id <> {enter a userid}
ORDER BY $order_by";


With the above, you'd have to return to the memberlist.php and add a line to the where clause each time you wanted to hide someone.

The other way would be to add a column called, say, "hide_on_memberlist" (tinyint(1)) with a default value of 0, in the users table, via phpMyAdmin. Then set its value to 1 for the users you want to hide the email for. Finally go back to the sql above and modify the "where" clause to simply say

WHERE user_id <> " . ANONYMOUS . "
AND hide_on_memberlist <> 1
ORDER BY $order_by";


That should work, but you'd have to manually go back into phpMyAdmin and modify new users and set "hide_on_memberlist" to 1 if you wanted them hidden.

[ixie02]

Quote:

Originally Posted by PeterD

Two that I can think of, both require code changes to phpBB, and one requires a change to the phpBB user table.

If you're familiar with php and sql, you could modify the sql statement's "where clause" to specifically exclude the userid of the members (search inside memberlist.php for "SELECT username"), changing this

WHERE user_id <> " . ANONYMOUS . "
ORDER BY $order_by";

to this

WHERE user_id <> " . ANONYMOUS . "
AND user_id <> {enter a userid}
AND user_id <> {enter a userid}
ORDER BY $order_by";


With the above, you'd have to return to the memberlist.php and add a line to the where clause each time you wanted to hide someone.

The other way would be to add a column called, say, "hide_on_memberlist" (tinyint(1)) with a default value of 0, in the users table, via phpMyAdmin. Then set its value to 1 for the users you want to hide the email for. Finally go back to the sql above and modify the "where" clause to simply say

WHERE user_id <> " . ANONYMOUS . "
AND hide_on_memberlist <> 1
ORDER BY $order_by";


That should work, but you'd have to manually go back into phpMyAdmin and modify new users and set "hide_on_memberlist" to 1 if you wanted them hidden.

Sounds like a winner to me, thanks.