
What Ways Can Sites Handle Spambot Attacks?

Cliff posted more than 7 years ago | from the barbarians-at-the-gates dept.


Amazing Quantum Man asks: "I'm a member of a site devoted to nitpicking TV shows and movies. It has always had an open posting policy — no registration required, and you could use any name you wanted. This policy was instituted way back in 1998, and led to some quite fun, freewheeling threads on various boards. Recently, we have come under spambot attack, with spambots posting links to gambling and porn sites on every single discussion board on the site. The admins have been trying to block IPs, but it's useless against a botnet. As a defense, it looks like the site is going to require registration, and disable anonymous posting. Many regulars, while they understand the need, are concerned that the freewheeling character of the site will be lost. Let me continue by saying that I'm not a site admin, merely a member there. Also, if it helps, the site in question is running Discus. Has anyone here been in a similar situation? How did you handle it, and what did it do to the 'culture' of your site?"



Nothing is perfect (1)

Nos. (179609) | more than 7 years ago | (#16705157)

  • Some sites use CAPTCHA... but I don't like it. I'll bet you I make a mistake in the CAPTCHA at least 30% of the time, which is just frustrating.
  • Verified email accounts - this is what I tend to use. User signs up, email with password gets sent. Some people don't like giving out their email for fear of SPAM and such.
  • Heavy user moderation - seems to work overall, look at /.

Re:Nothing is perfect (1)

thue (121682) | more than 7 years ago | (#16705327)

CAPTCHAs have to be relatively hard to solve if they are widely used. If a CAPTCHA is not widely used then it can be quite simple, but still work.

A forum I administer has a CAPTCHA which asks "what is six plus one" in plain text. Since the spammers do not have the time to manually solve the CAPTCHA for a small site such as mine then the bots fail to get through. So if you inserted a small customized CAPTCHA on your site then it might do the trick.

Re:Nothing is perfect (1)

Smidge204 (605297) | more than 7 years ago | (#16705977)

I made a quick anti-bot hack for a forum along these lines.

When registering, you can fill out your *entire* profile (It was a phpBB forum - poor design to begin with but I was in no position to change that) - so the spam bots would fill in the homepage URL and e-mail fields. Even if their accounts were never activated/verified, their profile would still be viewable and be enough of an advert.

So I modified the registration code a bit and added a message telling anyone who registered to leave the homepage field EMPTY. If the homepage field was filled in during the registration process, the script would just fail with an empty reply. The note also recommended updating the profile after registering if the legit user wanted to add that info. This, plus simple e-mail verification, completely stopped the attacks.

It's been a little over a year since and the guy hasn't had another problem with spambots.

Re:Nothing is perfect (1)

liquidpele (663430) | more than 7 years ago | (#16707935)

You can also do something like have a robots.txt file that tells bots to stay away from a certain file, such as post.php (stay with me here). Then have that file posted all over the html, but hidden from actual browsing users (in hidden divs, etc). The bots will find the url, follow it, and thus label themselves as BAD since nice bots and users will never visit that file. Also, have all IPs that grab robots.txt labeled as bots that cannot post content. This way they can't act like nice bots and still post. Having the hidden file just create a firewall rule to block that IP address for 24 hours works well too. This idea was written up by another slashdot user whose nick I forgot, so I can't give props though :(

Re:Nothing is perfect (1)

Smidge204 (605297) | more than 7 years ago | (#16708167)

Wrong type: These were registration/spam bots not crawling/harvesting bots - They would never even look for a robots.txt file let alone follow it. All it did was dump POST information to register.php (or whatever the file is) to register an account with bogus info.


Re:Nothing is perfect (1)

liquidpele (663430) | more than 7 years ago | (#16709769)

Granted they are different, but how would they know which file to post information to unless they parsed all the HTML on the site like a regular bot at least once? Granted that if you're using a common thing like phpbb or something, it could guess the filenames, but I was assuming a custom job.

Re:Nothing is perfect (1)

Smidge204 (605297) | more than 7 years ago | (#16711601)

Easy: It's phpBB. The file name and post data are public knowledge to anyone that bothers to look at the source. Once the index.php file is found the location of the register.php file is also known because of the standard file hierarchy.

That, or the spammer manually targeted the forum.

Either way, by making the post data NON-standard, the bot was effectively defeated.

Re:Nothing is perfect (1)

hesiod (111176) | more than 7 years ago | (#16722337)

I have a phpBB forum, and I changed the forms in the registration to be a bit different and still have been bitten by spammers every day, so it's not foolproof. Of course, I don't have any control data on that -- it was changed from the beginning, so I don't know if really it helps or not. I just know that it's far from perfect.

Re:Nothing is perfect (3, Informative)

Ucklak (755284) | more than 7 years ago | (#16712239)

I have about 100 sites (really) and I've evolved with different methods. This is what worked with me.

First, when I identified what the spambots read, then I figured out how to fool them.
They read the form data; what the form posts to and what the form names are.
They populate the form names and posts to the action.

I removed all javascript validation. It's useless. Do 100% server side validation, verify email addresses are valid, links are valid, dates are valid, word count for submission, check for duplicate data for multiple form elements, etc...

I added session ID checks and this cut down on 75% of spamming where the sessionID is in a hidden field and if the request doesn't match the sessionID, it doesn't post.

I then separated the form from the page by using iframes.
On the initial load of the form, the proper HTTP REFERER is committed in a session. If the form doesn't have the allowed referer, the form doesn't load and that form is blocked for the session with the IP address noted.
99% of the IP addresses are from China, Latin America, Russia, The Netherlands, and Africa.

Of the 25% of spam still coming through, I had to figure out the next step to stop it without compromising user functionality as in CAPTCHAS. There is no way I was going to use those nor use a `click the kitten` method either.

I rewrote the form code to change the form elements names for every load.
It was pretty much a hack but it worked.
I had a random 6 character word generated every load.
I dismantled that word every 2 characters and put 2 characters in every other character for the form element names that had been base64 encoded.
I had an empty hidden element that had to remain empty as well.
Bots tend to take every element and give it a value.

That seemed to get rid of the other 20%. After a while, the spam would continue at nowhere near the level it once was but we noticed that the timing was 5 minutes between replies instead of seconds meaning that the elements had to be filled out semi mechanically instead of automatically.

After copying that format for a number of forms, the spams that were coming through were from the same pool of networks.

After data crunching and some time, I realized that obfuscating the element names really didn't deter as much as sessionID and allowed referring pages did.

I started to actually have a single form for all like forms and use that one form for multiple sites so that updates can happen across all sites at the same time instead of updating 80 or so forms across sites.
I also am in the practice of banning IP address blocks for form access. If they really have something to say to us, they can contact us via email.

Email you say is probably the bane of existence for us that receive spam.
There are tons of javascript mail obfuscators and as long as you have a single email for mail contact, obfuscate it and only use that for mailto links.

I can seriously attest that for the past 13 months, I've never received a penis enlargement mail at that address or any other stock tip.

My forms are hosted at a single location and have strict referer checking. Any attempt to `figure it out` by looking at the iframe source is banned.

If I get a form with non-relevant data, that IP is banned and all my sites and forms benefit.

I've gone from 300-400 form requests a day to the legitimate 10 valid responses a day.
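The combination described above (a session ID echoed in a hidden field, per-load scrambled element names built from a random 6-character word, an empty element that must stay empty, and server-side validation only), together with the "leave the homepage field EMPTY" trick from Smidge204's post, as one added example. This is not Ucklak's or Smidge204's code, nor anything from Discus or phpBB; the field names, limits and session store are assumptions made for the demonstration.

```python
import base64
import hmac
import re
import secrets

# Logical fields the application needs; the names that appear in the HTML change on every load.
LOGICAL_FIELDS = ("name", "email", "message")
TOKEN_FIELD = "sid"          # hypothetical name of the hidden field that echoes the session ID
MAX_WORDS = 500              # constructed limit for the server-side word-count check
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class FormSession:
    """Per-visitor state (kept in memory here; a real site keeps it in its session store)."""

    def __init__(self):
        self.token = secrets.token_hex(16)   # session ID that must come back in a hidden field
        self.field_map = {}                  # wire name -> logical name for the current load only
        self.honeypot = ""                   # wire name of the hidden element that must stay empty


def scramble_name(logical_name, word):
    """Base64-encode the logical name and splice 2-character chunks of the random word into
    every other position, which is how the post describes deriving the element names."""
    enc = base64.urlsafe_b64encode(logical_name.encode()).decode().rstrip("=")
    chunks = [word[i:i + 2] for i in range(0, len(word), 2)]
    out = []
    for i in range(0, len(enc), 2):
        out.append(enc[i:i + 2])
        if chunks:
            out.append(chunks.pop(0))
    return "f_" + "".join(out) + "".join(chunks)


def render_form(session):
    """Choose fresh wire names for this page load. Returns logical -> wire name for a template,
    plus the honeypot and token names under keys that start with an underscore."""
    word = secrets.token_hex(3)                          # a random 6-character word per load
    session.field_map = {scramble_name(f, word): f for f in LOGICAL_FIELDS}
    session.honeypot = scramble_name("homepage", word)   # looks real to a bot; hidden from humans
    names = {logical: wire for wire, logical in session.field_map.items()}
    names["_honeypot"] = session.honeypot
    names["_token"] = session.token
    return names


def validate_submission(session, posted):
    """Server-side check of one POST. Returns (accepted, reason, logical fields)."""
    # 1. The hidden session ID must match: a form captured in another session cannot be replayed.
    if not hmac.compare_digest(posted.get(TOKEN_FIELD, "").encode(), session.token.encode()):
        return False, "session token mismatch", {}
    # 2. The honeypot must be empty: bots tend to give every element a value.
    if posted.get(session.honeypot, "") != "":
        return False, "honeypot filled", {}
    fields = {}
    for wire, value in posted.items():
        if wire in (TOKEN_FIELD, session.honeypot):
            continue
        logical = session.field_map.get(wire)
        if logical is None:
            # Names from an earlier load, or guessed from the page source: reject outright.
            return False, "unknown field " + wire, {}
        fields[logical] = value.strip()
    # 3. Plain server-side validation; no JavaScript is involved anywhere.
    if set(fields) != set(LOGICAL_FIELDS):
        return False, "missing fields", {}
    if not EMAIL_RE.match(fields["email"]):
        return False, "invalid email", {}
    if not 1 <= len(fields["message"].split()) <= MAX_WORDS:
        return False, "message length", {}
    session.field_map = {}   # one submission per render; the next post needs fresh names
    return True, "ok", fields
```

The referer check from the same post is deliberately left out here; it is a separate signal and, as later replies in this thread note, privacy tools strip that header.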

Re:Nothing is perfect (1)

sugarmotor (621907) | more than 7 years ago | (#16774209)

Sorry, I don't follow your method. Could you try explaining the "Any attempt to `figure it out` by looking at the iframe source is banned." part? What's in the iframe and how is it involved in blocking?

Thanks --


Re:Nothing is perfect (1)

nakke (143673) | more than 7 years ago | (#16709329)

Something like this has helped on some of my sites as well, you can use something on-topic to the site, for example a site about bananas might have:

What is this site about? B _ _ _ _ _ _ (fill in the missing letters)

The spam bots have already beaten phpbb captchas, plus they sometimes even use a real email-address so email validation is no use either!

Re:Nothing is perfect (0)

Anonymous Coward | more than 7 years ago | (#16705363)

CAPTCHAs are pieces of garbage and people who employ them should be shot

Fixing CAPTCHA (1)

danlyke (149938) | more than 7 years ago | (#16705429)

I loathe CAPTCHA, although I may end up implementing it on my system. I could also be convinced that a "which of these N pictures are kittens?" test might work.

I run a small old-school weblog on my own content management system. Middling PageRank (6 or so), a couple of hundred readers. I just had the spambots discover my Wiki, but in the process of cleaning up that mess I was shocked and amazed by the emergent behavior I'm seeing in spambots. Every form on my site that could get random info plugged into it, including search fields and new user account information; I'm going to have to make new user accounts far less easy to get. All of a sudden I'd ballooned from under a thousand registered users to forty-five hundred.

I don't like verified email accounts, and I think those are going to get attacked fairly soon too, but some sort of way to more strongly tie an identifier to an actual human has to fit into the mix.

One of the things I'm excited about is the notion of cross-site identifiers, like OpenID [openid.net], and distributed reputation. Something that lets my site collaborate with other sites and say "I trust this URL". Users will still have to jump through the "are you a human" test, but will only have to do so once within the confines of a trust network.

Re:Fixing CAPTCHA (1)

Magic5Ball (188725) | more than 7 years ago | (#16712113)

Simple solution: Bin/hide any post with more than three URLs unless it's from a verified registered account. If you have a non-phpBB syntax for URLs, bin/mark anything with a link that doesn't follow the regular syntax. And also make generous use of rel="nofollow".

Re:Nothing is perfect (1)

M.Hare (1022269) | more than 7 years ago | (#16705851)

CAPTCHA sucks, plain and simple. I can't count the number of attempts it took just to get a /. account.

Re:Nothing is perfect (1)

GrumpySimon (707671) | more than 7 years ago | (#16708593)

it's also extraordinarily difficult to use for low-vision people [w3.org]. Making your website inaccessible to people is not usually a good idea.

It's also easily breakable [zoy.org] - there are scripts out there that can decode the common CAPTCHAs with >90% success.

This doesn't even include social engineering CAPTCHA breakers which are also known to exist e.g. spammer sets up a (say) fake porn site, hotlinks the CAPTCHA image of the site they want to spam. When someone comes along to fake porn site, it tells the user to enter the CAPTCHA. Once the user does this, they're shown some boobies, whilst the site fires off a spam to the site the CAPTCHA came from.

Don't get me wrong - CAPTCHAs are a useful tool, but not necessarily the best solution.

Re:Nothing is perfect (1)

fossa (212602) | more than 7 years ago | (#16707183)

My ideal forum: Anonymous, semi-anonymous, or "open" posts like the summary describes are run through some bayes or otherwise learning filter. If it's clean, it gets posted, if not, then to the trash. Through some mechanism not requiring a unique website login (e.g. a browser extension that made PGP signatures as easy as a click; why doesn't this exist?), a "verified" post could be made by the semi-anonymous PGP ID. Once enough trust is gained by refraining from making posts flagged as spam, or simply being designated a moderator, the verified ID could then mark posts as spam or not to train the spam filter on mistakes.

Also in my ideal forum: no [images in] sigs, no avatars, no wasted space by gigantic post headers (Ubuntu forums, I'm looking at you!). Provide a user page for all sorts of junk if you must, but keep it out of the discussion or at least off to one side.

Re:Nothing is perfect (0)

Anonymous Coward | more than 7 years ago | (#16707943)

There are many more things one could or should do.

-Some places like doom9 forums require users to be registered for a week before they can even post. A PITA for users, but at least they'll search for their answer first (lots less n00b posts by ppl who didn't bother trying to search or RTFM).
-I've seen comments by ppl before saying most spambots had url's in their profile's personal home page or such. You can do some profiling like that to try to block 'em.
-I've come across several very interesting articles like a HttpModule for spam blocking (for ASP.NET apps/sites), perhaps the same approach can be used on other platforms and using other languages
-some sites (low-traffic ones mainly) opt for moderator approval before a post appears (you could enforce this just on new users too)
-you can write some custom code that tests against common spam words (casinos, gambling, etc) or even urls (www or http in post), and either refuses those words altogether, or if such words are included in the first 5 posts of a new user, automatically delete their posts and user profile (brutal but effective method), etc. There are so many things like that one could do...
-Blocking IPs or even subnets (I've even seen some block entire countries) of the main offenders if not impractical.
-You can check for users coming off open proxies and such during the registration phase

And that's just the beginning

Re:Nothing is perfect (1)

ObsessiveMathsFreak (773371) | more than 7 years ago | (#16708211)

Heavy user moderation - seems to work overall, look at /.
It never ceases to amaze me how in over 4 years of reading Slashdot, I've never seen a spam message. Well, excluding Slashvertisements and Beatles-Beatles type stuff. This is one of the top sites on the internet, with full anonymous posting supported. By all rights, this site should be inundated with all kinds of spambot messages.

Perhaps the spammers fear the retaliation of the collective Slashmind?

Turing Test (1)

RAMMS+EIN (578166) | more than 7 years ago | (#16714193)

``- Some sites use CAPTCHA... but I don't like it. I'll bet you I make a mistake in the CAPTCHA at least 30% of the time, which is just frustrating.

- Verified email accounts - this is what I tend to use. User signs up, email with password gets sent. Some people don't like giving out their email for fear of SPAM and such.''

You could give your users choice. Either enter your email address (which will be used to send you a verification code), or solve this riddle. The riddle could be a captcha, but I prefer all-text things. Anything that's easy for humans, but difficult (as yet) for programs will work. "In the next field, enter every first letter of this sentence."

Re:Nothing is perfect (0)

Anonymous Coward | more than 7 years ago | (#16714719)

Had you considered implementing some system to change the tab order of boxes on the page? This I found worked nicely; then a handful of checks like a max and min length for nick, and that will stumble most bots using your web front end.

Idea (1)

jackharrer (972403) | more than 7 years ago | (#16705161)

What do you think about need for registration and still keeping old open way of posting?
Just log in and later post with whatever nick you want. Just don't trace it or anything. You can even prepare some kind of statistics for users (how many post they posted). And of course implement some captcha.

Re:Idea (1)

Thansal (999464) | more than 7 years ago | (#16705341)

nice idea, personally I would combine it with the way /. works.

Register if you want, if you don't then deal with the captcha. And still let them use any nick as they see fit for each post (possibly autofill the nick field with a name they pick, but allow changes).

Re:Idea (1)

tepples (727027) | more than 7 years ago | (#16709027)

Register if you want, if you don't then deal with the captcha.

But should the process of registering necessarily require paying a sighted person to deal with the captcha for you?

No Registration Required (1)

Anti_Climax (447121) | more than 7 years ago | (#16705207)

See if you can set up a CAPTCHA that must be completed before the post can be put up. Multiple missed attempts could even ban an IP. Just be sure you have some alternate means for people that have issues with their vision.

Re:No Registration Required (1)

sugapablo (600023) | more than 7 years ago | (#16706625)

http://subuse.net/ [subuse.net] does not require any registration and therefore was the victim of botnet attacks, until a two pronged approach was taken:

1) ForumBan was created and subscribed to: http://www.sugapablo.com/forumban/index.php [sugapablo.com]
2) Math was added to all pages to post. Simple arithmetic.

These two things cut spam by 90+%.

Re:No Registration Required (1)

Ucklak (755284) | more than 7 years ago | (#16712275)

My personal ban list is quite a lot longer than that one.

Re:No Registration Required (1)

sugapablo (600023) | more than 7 years ago | (#16714933)

Well share it, post it to ForumBan (or if it's long, just email it to me and I'll append it).

It could be a lot more helpful to people if we share these ban lists.

Why lock down membership? (1)

Peter Cooper (660482) | more than 7 years ago | (#16705249)

It has always had an open posting policy -- no registration required, and you could use any name you wanted.

There's no reason why that should change. Just add CAPTCHAs of some sort or another to the posting system. No more bots posting crap (although the CAPTCHA system might need to be changed every now and then depending on the strength of those chosen).

Re:Why lock down membership? (1)

mabu (178417) | more than 7 years ago | (#16706361)

Captchas do not work as well anymore. There are legions of Indians and other people who are now paid slave wages to cross-post crap all over the Internet.

Re:Why lock down membership? (0)

Anonymous Coward | more than 7 years ago | (#16713491)

There's no reason why that should change. Just add CAPTCHAs of some sort or another to the posting system. No more bots posting crap (although the CAPTCHA system might need to be changed every now and then depending on the strength of those chosen).

Or, fuck that, the site doesn't belong to the spammers who are attacking it. Neither legislation nor praying that their children would contract colorectal cancer has done the first damned thing to address this should-be-trivial problem.

There is, I am afraid, but one solution:

  • Find the spammers, their wives, their children, and their pets. Beat them all to death as slowly as is possible with 24" pipe wrench or a rusty camshaft.

When the futility of all other solutions becomes evident to the uncircumcised masses, I have faith that the quantity of spam will drop very sharply and very quickly.

Detect the incoming OS type (1)

skroz (7870) | more than 7 years ago | (#16705277)

Amavisd-new has had p0f support for detecting the OS of the sending mail server for quite some time. It detects the OS type of the incoming mail connection and adds a header indicating the results. You can then use SpamAssassin to detect the OS and add an appropriate point total. Since few "real" organizations use desktop OSs for mail relays, you can usually assume a high probability of spamminess from such.

Re:Detect the incoming OS type (0)

Anonymous Coward | more than 7 years ago | (#16705839)

RTFS! This has nothing to do with spam, which you might have known had you even attempted to read the damn "Ask Slashdot" summary.

Akismet (1)

ColinPL (1001084) | more than 7 years ago | (#16705297)

Akismet [miphp.net] is a very good antispam. It blocks 99% of spam on my forum.

CAPTCHA doesn't work, many spambots can solve CAPTCHAs.

Captchas (1)

Fozzyuw (950608) | more than 7 years ago | (#16705317)

I would suggest maybe putting in Captchas [wikipedia.org] for every spot you might submit a post, etc. This way, bots cannot or have more difficulty making posts. Here are more links I had on these, but I haven't looked at them in a while...

Re:Captchas (1)

Fozzyuw (950608) | more than 7 years ago | (#16705565)

Also, there's some note somewhere about Captchas containing questions instead of codes. So, your captcha might have 2 + 2 = and the answer to validate would be 4. This way, it's a double-edged effect. The computer would have to recognize the images and the 'question' so to speak. But your users would also have to be smart enough. =P

Of course, you can extend this to be multi-level. Place multiple Captcha images for the Q/A. Such as...

[ image 1 - code 1]
[ image 2 - code 2]
[ image 3 - code 3]

And then have your instructions be something like "combine the codes and div starting from the back". Then you can alternate the 'rules' to entering the captcha or which captcha to use or how. This is to confuse the computer such that it no longer fits the previous algorithm. Then again, you're not moving into the realm of making it MORE difficult than it's worth.


links (1)

deepb (981634) | more than 7 years ago | (#16705331)

Don't let anonymous users post links to other websites.

Re:links (1)

ColinPL (1001084) | more than 7 years ago | (#16705413)

It blocks about 95% of spam, but some spam messages don't have any links or the links are obfuscated (h* *p :/ / www . example . com).

Re:links (1)

deepb (981634) | more than 7 years ago | (#16706059)

95% is pretty good, and I suspect that the remaining 5% would quickly taper off, because people can't "click" on obfuscated links, making them next to useless.

Re:links (1)

Amazing Quantum Man (458715) | more than 7 years ago | (#16706395)

On top of that, I suspect this is a googlebomb attempt, as well. So removing links would help.

But as the story poster, I have to say that part of the problem is the site software. It's running Discus, which doesn't have a "log in once" thing. I don't even know if it's possible to add captchas, though that would probably be the best solution. I also like the "Banana" solution below.

The best solution, which would retain the site flavor would be require registration, but allow pseudonymous posting.

For example, my Slashdot name actually comes from the target site. We had a long-running silly-superhero interactive fiction that came out of pseudonymous posting, and I started posting as "The Amazing Quantum Man". On other portions of the board, I use my "real" name. This sort of silliness is part of the culture, and forcing people to post under real names would kill that sort of thing.

Simpler than Captchas (1)

jihadi_schwartz (989888) | more than 7 years ago | (#16705577)

On my guestbook, I just say "posts must begin with the word Banana, which will be automatically stripped." It works. Some spambots are actually human so it doesn't stop them, but it's super-simple.

Re:Simpler than Captchas (1)

Fozzyuw (950608) | more than 7 years ago | (#16706575)

That's an interesting concept. How's the usability? Do people read that little note and remember to add 'banana'? Or do you send them a notice should they fail and they can easily add your code word to the beginning?

Re:Simpler than Captchas (1)

loimprevisto (910035) | more than 7 years ago | (#16708245)

A friend of mine who administered a forum was having spam troubles and didn't want to require registration for posting. His solution was to mess with the default boxes/buttons on the submission forms. Adding a few more of them on the pages used by anonymous posters and changing their default states ('uncheck this box if you are not a bot') stopped the spam quickly.

Lame ideas from a tiny site (1)

LotsOfPhil (982823) | more than 7 years ago | (#16705625)

I used to get a ton of spam on my guestbook. I tried doing lots of little things in the code and it turns out the spam was being submitted without them filling out the HTML form. To force this to happen, I found a neat idea on some German website (it's down, so I mirrored it [princeton.edu]). The code will not accept a post if there is no number/checksum pair.
That cut out a lot of the spam. The rest has been gone since I added another, required field "What is my first name?" It is like a captcha but much easier. No one will complain that they get it wrong. For your site, maybe something like "Finish the name of this show 'I Love ...' "

Re:Lame ideas from a tiny site (1)

panda (10044) | more than 7 years ago | (#16707779)

I find that just checking the HTTP_REFERER header is sufficient. If it doesn't exactly match the expected URL for the form that the program is processing input from, then my server sends a 403 and slaps their IP address into .htaccess with a 'Deny from'.

Since the spammers can't seem to figure out how to send a proper http_referer, it works rather well. They seem to always use the http://host.domain.tld/ [domain.tld].

Of course, I'm not doing this on forum posting, but it is a form that can be used to send me an email. The idea could be applied to forum posting.

Re:Lame ideas from a tiny site (1)

GrumpySimon (707671) | more than 7 years ago | (#16709133)

You know that there are a number of products that automatically strip HTTP Referers, right? Nortons Antivirus is one - it thinks that this adds some privacy value for the user. Or what happens if I bookmark your comment page to come write an insightful comment later?

Whilst I agree that checking for referers is a good thing (90% of the spam I've seen doesn't have them - they find the comment page, work out the form structure then hammer it using some app.), automatically DENY'ing users without referers may be a bit harsh :-)

Aside: one thing I have noticed is that my spam requests generally look for http://www.example.com/comment.php [example.com] (i.e. GET http://www.example.com/comment.php [example.com]) whilst regular users who've browsed there have a relative URL (i.e. GET /comment.php). I've been toying with the idea of filtering on that.
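The two signals discussed in panda's post and this reply (a referer that is not the form page, and an absolute-form request target instead of a relative one), scored over constructed access-log lines rather than applied as an immediate deny. This is an added example and not either poster's code; the host name, the combined log format, the sample lines and the scoring weights are assumptions.

```python
import re
from urllib.parse import urlsplit

FORM_PATH = "/comment.php"        # the handler from the thread
SITE_HOST = "www.example.com"     # constructed host name
FLAG_AT = 2                       # score at which a request is worth a second look

# Apache "combined" format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def score_request(line):
    """Return (ip, score, reasons) for one log line, or None if it is not a POST to the form."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    target = m["target"]
    # A tool built from a captured URL tends to send the whole URL; a browser that navigated to
    # the page sends only the path. HTTP servers must also accept absolute-form from proxies,
    # so this is a signal rather than proof.
    absolute = target.startswith(("http://", "https://"))
    path = urlsplit(target).path if absolute else target.split("?", 1)[0]
    if path != FORM_PATH:
        return None
    score, reasons = 0, []
    if absolute:
        score += 2
        reasons.append("absolute-form request target")
    referer = m["referer"]
    if referer in ("", "-"):
        # Weak evidence on its own: privacy tools strip the header, as the reply above says.
        score += 1
        reasons.append("no referer")
    else:
        r = urlsplit(referer)
        if r.netloc != SITE_HOST or r.path != FORM_PATH:
            score += 2
            reasons.append("referer is not the form page")
    return m["ip"], score, reasons


def flagged_ips(lines):
    """IPs whose score reaches FLAG_AT; a site might rate-limit or queue those for review."""
    out = {}
    for line in lines:
        r = score_request(line)
        if r and r[1] >= FLAG_AT:
            out[r[0]] = r
    return out


# Constructed sample: one tool-style post, one normal browser post, one browser with the
# header stripped, one post arriving from the site's front page, and one GET to ignore.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Nov/2006:10:12:01 +0000] "POST http://www.example.com/comment.php HTTP/1.0" '
    '200 512 "-" "Mozilla/4.0 (compatible)"',
    '198.51.100.4 - - [06/Nov/2006:10:12:05 +0000] "POST /comment.php HTTP/1.1" '
    '200 512 "http://www.example.com/comment.php" "Mozilla/5.0 (constructed)"',
    '198.51.100.9 - - [06/Nov/2006:10:12:09 +0000] "POST /comment.php HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (constructed)"',
    '203.0.113.8 - - [06/Nov/2006:10:12:12 +0000] "POST /comment.php HTTP/1.1" '
    '200 512 "http://www.example.com/" "Mozilla/4.0 (compatible)"',
    '198.51.100.4 - - [06/Nov/2006:10:12:20 +0000] "GET /comment.php HTTP/1.1" '
    '200 2048 "http://www.example.com/" "Mozilla/5.0 (constructed)"',
]
```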

Re:Lame ideas from a tiny site (1)

schon (31600) | more than 7 years ago | (#16722751)

what happens if I bookmark your comment page to come write an insightful comment later?

How does that affect the referer header of the submitted page? Are you suggesting that your web browser will allow you to click "submit", but not actually submit the page (maybe presenting you to a placeholder, so you can bookmark it?), and then somehow submit it later with all of the text you entered?

If you bookmark a form, then come back to it, enter text, and submit, then the referer header will be correct.

Re:Lame ideas from a tiny site (1)

GrumpySimon (707671) | more than 7 years ago | (#16730171)

Oops, yes - of course. Not sure what I was thinking. However, my point that referers are not reliable still stands.

The never-ending battle (1)

mabu (178417) | more than 7 years ago | (#16705949)

I've been battling this for years now. Ironically, the best way to stop spambot attacks is to homebrew your own CGI stuff. If you can't do that, rename all the scripts to non-standard names so that the common URLs are not found.

I've been using keyword blacklists. They have proven to be very effective. If you don't allow people to input names of common drugs or strings like ".php?" or ".asp?" you can knock out a lot of the affiliate/redirect spam.

The biggest problems have been with the popular messageboard apps. We've simply stopped putting up messageboards, or set them to require registration and manual approval to post. It's really disgusting how if you leave a forum unlocked, it'll take about a week before it's full of ads for online drugs and sex sites.

Re:The never-ending battle (1)

IL-CSIXTY4 (801087) | more than 7 years ago | (#16711957)

Unless, of course, your commenters really do want to talk about Viagra or Cialis... :)

Re:The never-ending battle (1)

mabu (178417) | more than 7 years ago | (#16725727)

Fortunately I do not run any forums dedicated to Humvee vehicles or the NRA, so it's not an issue.


user24 (854467) | more than 7 years ago | (#16705951)

I've had to deal with spam attacks on both my personal site and a forum I use. In both cases, we tried to ban IP addresses, then tried invisible methods of stopping spam (eg hidden required fields populated by javascript), and nothing worked.
In the end in both cases, we've just had to use a CAPTCHA system. Spammers tend to use multiple IP addresses (and I do mean in the hundreds, a lot of them proxies or botnet-controlled boxes) so banning simply doesn't work.
I've tried doing things like only requiring a CAPTCHA if the comment includes "http" or similar techniques. It doesn't work, I've had spam that simply consists of "Hi, great site" posted 30 times.
I don't know why, but spammers don't seem to care whether their spam even has the potential to turn into revenue for them or not..
CAPTCHA is the only viable method, IMHO.
For those worried about accessibility; offer a non-CAPTCHA'ed form and manually review it; most users will be able to post perfectly well and for the few that can't enter the CAPTCHA, they can still post to the site, but with a delay as you check it for spam.


user24 (854467) | more than 7 years ago | (#16705981)

On the forum, we set the CAPTCHA up so that once entered, you wouldn't have to re-enter it for 24 hours. This way it annoys users less.


Tripster (23407) | more than 7 years ago | (#16707857)

I have been tinkering with the methods in this PDF ..

http://www.ngssoftware.com/papers/StoppingAutomatedAttackTools.pdf [ngssoftware.com]

Specifically I have been testing out the Token Appending method, it looks like it might be a good method to try.

I've set it so that the token is a SHA1 hash of todays date, client browser string and a text string of my choosing, so basically this token will change daily for recurring visitors and be fairly unique to each visitor (you can just throw more unique qualifiers at it if needed).

It does rely on javascript in the client browser but most have that enabled anyway and it is an easier method for the end user than the Captcha method. Of course you could use both and really help keep the bots away.

Approve once, post always (1)

rueger (210566) | more than 7 years ago | (#16706035)

On Wordpress [wordpress.org] you have the option of requiring moderation only the first time an individual posts. Once you have approved one post by them they no longer are moderated.

Sure, it still involves trolling through moderated spam to find the genuine posts, but if you don't have massive traffic it works fine.

Use an email verification (0)

Anonymous Coward | more than 7 years ago | (#16706131)

There's no need to make people register accounts, just have them enter an email address whenever they post. The first time any one email address is entered, a message is sent to that address and the post is delayed until they click a link in that email. You need never display the email address anywhere and don't even have to save it at all (a hash of it works just as well).

It also has the added benefit of being more friendly to visually-impaired people than CAPTCHAs would be.

Re:Use an email verification (1)

slartibart (669913) | more than 7 years ago | (#16706471)

Won't your database get full of posts that were never verified? I suppose you could auto-expire them.

Re:Use an email verification (1)

GrumpySimon (707671) | more than 7 years ago | (#16709171)

so? this will only become a problem once you get well into hundreds of millions of records on any non-trivial database. If you're just storing some key and an email address, then it's not much lifting for the database server at all.

Need an HTTP greylist similar to OpenBSD's spamd (1)

psydeshow (154300) | more than 7 years ago | (#16706827)

After seeing this presentation on OpenBSD's spamd [ualberta.ca], which profiles and greylists SMTP connections coming from botnets, I'm convinced of the need for HTTP POST greylisting.

The point is twofold: slow the bots down (or stop the dumb ones altogether) and block obvious botnets completely.

SMTP has the handy retry message. For HTTP, we would need to store the original POST request, and return a response with a 10-20 second meta-refresh to a confirmation URL. Anonymous posters won't mind the wait, and the time window gives us time to watch for additional POSTs from the same IP, and blacklist them outright if they match a spammy profile.
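A minimal version of the POST greylist described above, written as an added example (not code from the post or from spamd). It holds each submission behind a confirmation token, rejects confirmations that come back before the refresh delay has elapsed, and blacklists an IP that bursts more than a few POSTs inside the watch window; the delay, window and threshold values are constructed for illustration.

```python
import secrets
from collections import defaultdict

# Illustrative tuning values (assumed, not from the original post).
DELAY = 15       # seconds the client must wait before confirming
WINDOW = 60      # seconds over which POSTs from one IP are counted
MAX_POSTS = 3    # more than this many POSTs in WINDOW => blacklist


class PostGreylist:
    """Greylists HTTP POSTs per client IP: the first submission is stored and
    deferred; a burst of further POSTs from the same IP marks it as a bot."""

    def __init__(self, delay=DELAY, window=WINDOW, max_posts=MAX_POSTS):
        self.delay = delay
        self.window = window
        self.max_posts = max_posts
        self.pending = {}                   # token -> (ip, ready_at, body)
        self.history = defaultdict(list)    # ip -> timestamps of recent POSTs
        self.blacklist = set()

    def submit(self, ip, body, now):
        """Store the POST; return ('blocked', None) or ('deferred', token)."""
        if ip in self.blacklist:
            return "blocked", None
        stamps = [t for t in self.history[ip] if now - t < self.window]
        stamps.append(now)
        self.history[ip] = stamps
        if len(stamps) > self.max_posts:
            self.blacklist.add(ip)
            # Drop anything the IP still has waiting in the queue.
            self.pending = {k: v for k, v in self.pending.items() if v[0] != ip}
            return "blocked", None
        token = secrets.token_urlsafe(16)   # unguessable confirmation URL key
        self.pending[token] = (ip, now + self.delay, body)
        return "deferred", token

    def confirm(self, token, ip, now):
        """Called when the meta-refresh hits the confirmation URL.
        Returns the stored body to publish, or None to reject."""
        entry = self.pending.get(token)
        if entry is None or entry[0] != ip or ip in self.blacklist:
            return None
        if now < entry[1]:
            return None   # came back too early: not a browser honouring the refresh
        del self.pending[token]
        return entry[2]
```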

This is an easy one... (1)

LuckyStarr (12445) | more than 7 years ago | (#16707775)

Check your users against DNSBLs [wikipedia.org]. Originally intended to block out malicious mailservers via their IP addresses, they are applicable on webservers as well. Via sorbs [sorbs.net] you can check for open HTTP and SOCKS proxies (interesting for you), open SMTP servers (not very interesting for you), webservers with unpatched vulnerabilities, hijacked IP netblocks and malicious (in bed with spammers) network service providers. Other lists include the recently mentioned Spamhaus [spamhaus.org.uk] list, and various DULs (dial up user lists). See the Wikipedia article for some of them.

I used DNSBLs at my former employer to block users coming through open proxies from registering domains. We saw that every phisher who bought a domain name came through an open HTTP proxy and used a stolen credit card. So using DNSBLs was the only viable option then.

One way I block spam... (1)

jafo (11982) | more than 7 years ago | (#16707827)

I have successfully blocked comment spam by rejecting messages with "http://" in them. Most of the spam contains links, so this can be extremely effective. Maybe on the site in question, reject anonymous posts that have http links in them, and if you have a site you need to post, you have to get an account.


Spambots (1)

charlesTheLurker (33915) | more than 7 years ago | (#16708889)

I've had good success with grep(1), using a file filled with various words culled from spam. I also recycle known spam through the search software, so it automagically updates itself. Seems to work well, and the best part is that as your anti-spam technology improves, the people behind the spam robots tend to give up on your site.

Spammers are dirty creatures (1)

Badmovies (182275) | more than 7 years ago | (#16710035)

I dealt with this same issue on a message board. For years it did not require registration to post and with a small cadre of level-headed moderators we had a lot of fun. It was good for everybody, from regulars to one time guests who just wanted to ask a question.

Then, about two years ago (I think), the message board spammers began to get exponentially worse. Poker spammers were most of it, but I also saw a number of porn site spammers and some guerrilla marketing campaigns that were awful. The evening that the one "documentary" on M. Night Shyamalan played on SciFi, a huge number of posts and threads from "people who watched the film and wanted to talk about it" appeared. Obviously a bot network, because there were easily a hundred posts and the IP addresses were checking out as valid.

I tried everything to avoid registration. Banning IPs was useless, because they were bot networks. I made rules to discard posts that matched known spams - new, different ones came in. I discarded multiple posts or duplicate posts - the bots made posts that were different. I made rules to discard posts with certain URLs - no good, way too many URLs were rolling in. I changed the name of post function files in the Phorum message board - the bots adapted or were adapted. I made rules to prevent multiple posts within a certain period by the same host - the bots slowed down their posting. They posted with http code, they posted with bbs code, they posted plain text. In the end, after about two months of too much effort, I enforced registration. The problem has been solved ever since.

As a result of the registration I am certain my message board is not as robust as it once was. The simple fact is that registration drives away people who could become good members of the community. Another simple fact is that I have seen a number of boards turned into useless crap by spambots.

I dislike CAPTCHA, so registration was the lesser of two evils. However, if there is a mod so that Phorum can enforce CAPTCHA for guests, thus allowing them to post without registration, maybe I should check it out.

Ours works just fine. (1)

Roadkills-R-Us (122219) | more than 7 years ago | (#16710583)

I've been active for quite some time on a site dedicated to DIY tube guitar amps (ax84.com). We have a lounge area where anything goes, but the posting policy is quite loose, with all sorts of fun stuff occurring within [otherwise] on-topic threads as well.

After getting hit with several posts by auto-spammers, the maintainer instituted new rules.

You can register, which requires nothing more than a valid email address, handle and password (AFAIK, I registered when he was first testing logins). But we also have people who don't want to register for a variety of reasons-- from wanting to stay off the grid to just not caring. These people get a temporary login if they answer a question that is easy for humans, less easy for a bot. It could just as easily be a "pick the number from the image" thing or whatever.

At any rate this has been in place for a month or so, and I don't see any difference at all in the community. It's still a free-wheeling, fun place, but no spam. A win-win from where I sit. It's possible the non-registerers are unhappy, but since Chris included them in the discussions of how to handle things, and they are still there, I have to assume they're "happy enough". I am.

You fucking stupid moron... (1)

siyavash (677724) | more than 7 years ago | (#16711567)

You fucking stupid moron... just put a simple question "2+2=?" and they answer "4".. and poof, u got rid of the SPAM bots. Stupid fuck... !"#@£$...

Random numbers and hashcodes..... (0)

Anonymous Coward | more than 7 years ago | (#16719753)

I had a ton of these on my message board.

My solution:
1) Generate a random number with "today's" date interleaved into it and put this as a parm on the input form.
2) When they post the message, check the referrer string for a valid "datecode" from the referrer URL.
3) I still was getting some slipping through, but only for 1 day since they will not go once the date has changed. So then I check if the message has 3 or more links, and if so don't allow it.

Now I only get 3 or 4 a week, probably entered by hand.

If it became a real big problem, what I would do is change the code above to instead of encoding the date into the random number, encode the actual server time within the random number and only allow a post that is within 5 minutes. That way if they entered a message manually, copied the URLs and then tried doing it over and over again it would only work for 5 minutes.
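A form token that covers both the daily token Tripster describes earlier in the thread (date plus browser string plus a server secret) and the 5-minute variant proposed here, as an added example that is neither poster's code. It swaps the bare SHA1 of a concatenation for an HMAC-SHA256 keyed with the server secret, so the token cannot be forged without the key, and carries the issue time in clear so the server verifies it statelessly; the secret and User-Agent values are constructed. It only proves that whoever posts fetched the form recently with that browser string, so, as the post above notes, a bot that fetches the form and posts within the window still gets through.

```python
import hashlib
import hmac

# Constructed for this example; in practice load a long random value from config.
SECRET = b"replace-with-a-long-random-secret"

DAILY = 86400       # Tripster's daily token
FIVE_MINUTES = 300  # the 5-minute window proposed in the post


def make_token(user_agent, issued_at, secret=SECRET):
    """Return 'issued_at:mac'. The MAC binds the issue time and the client's
    User-Agent to the server secret, so nothing has to be stored per visitor."""
    msg = f"{issued_at}|{user_agent}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}:{mac}"


def check_token(token, user_agent, now, max_age, secret=SECRET):
    """True if the token is genuine, was issued for this User-Agent and is
    no older than max_age seconds (DAILY or FIVE_MINUTES)."""
    try:
        issued_str, _mac = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False                      # malformed or missing token
    if issued_at > now or now - issued_at > max_age:
        return False                      # from the future, or expired
    expected = make_token(user_agent, issued_at, secret)
    # Constant-time comparison so a forger learns nothing from response timing.
    return hmac.compare_digest(expected, token)
```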

What?! - Anonymous posting works just fine! (0)

Anonymous Coward | more than 7 years ago | (#16722859)

Buy V1AGR/\ Now!

Naked sluts waiting to chomp your butt for Free!

CEEAlLLiS, only $19.95 a pack. Act now!!

Use HTTP BasicAuth (0)

Anonymous Coward | more than 7 years ago | (#16728113)

Use HTTP BasicAuth, and give a simple username/password (e.g. "forum"/"forum") in the instruction message that BasicAuth allows you to send to the user in the dialog box. It's nice and quick, well supported, and Spambots don't seem to be able to cope with this just yet; but it won't be long :-/