Hey, I built a phpBB forum for a friend of mine, and it's actually prospering quite well! But a couple weeks ago, he started getting messages in the admin email box basically that were forwarded to him because they couldn't reach their original destination. Some bot or something has been going in and setting up accounts, with some levitra or viagra website or something with fake email addresses. The only reason we found out is because he was getting undeliverable messages back from those addresses.
We have the image verification on to prevent bots. So how could they be doing this? Is an actual person going and making these names?
We didn't have email verification turned on, which just meant that he had to go and delete a bunch of bogus accounts. So we turned on email verification.
But that won't stop them from creating the accounts, they will just not get finalized. How long does phpBB wait for the email confirmation before deleting the accounts? Any way to stop these attacks?