What Ways Can Sites Handle Spambot Attacks?
Amazing Quantum Man asks: "I'm a member of a site devoted to nitpicking TV shows and movies. It has always had an open posting policy — no registration required, and you could use any name you wanted. This policy was instituted way back in 1998, and led to some quite fun, freewheeling threads on various boards. Recently, we have come under spambot attack, with spambots posting links to gambling and porn sites on every single discussion board on the site. The admins have been trying to block IPs, but it's useless against a botnet. As a defense, it looks like the site is going to require registration, and disable anonymous posting. Many regulars, while they understand the need, are concerned that the freewheeling character of the site will be lost. Let me continue by saying that I'm not a site admin, merely a member there. Also, if it helps, the site in question is running Discus. Has anyone here been in a similar situation? How did you handle it, and what did it do to the 'culture' of your site?"
Nothing is perfect (Score:1)
Re: (Score:2)
A forum I administer has a CAPTCHA which asks "what is six plus one" in plain text. Since the spammers do not have the time to manually solve the CAPTCHA for a small site such as mine, the bots fail to get through. So if you inserted a small customized CAPTCHA on your site then it might do the trick.
Re: (Score:2)
When registering, you can fill out your *entire* profile (It was a phpBB forum - poor design to begin with but I was in no position to change that) - so the spam bots would fill in the homepage URL and e-mail fields. Even if their accounts were never activated/verified, their profile would still be viewable and be enough of an advert.
So I modified the registration code a bit and added a message telling anyone who registered to leave the homepage fiel
Re: (Score:2)
Re: (Score:1)
=Smidge=
Re: (Score:2)
Re: (Score:1)
That, or the spammer manually targeted the forum.
Either way, by making the post data NON-standard, the bot was effectively defeated.
=Smidge=
Re: (Score:2)
Re:Nothing is perfect (Score:4, Informative)
First, when I identified what the spambots read, then I figured out how to fool them.
They read the form data; what the form posts to and what the form names are.
They populate the form names and posts to the action.
I removed all javascript validation. It's useless. Do 100% server side validation, verify email addresses are valid, links are valid, dates are valid, word count for submission, check for duplicate data for multiple form elements, etc...
I added session ID checks and this cut down on 75% of spamming where the sessionID is in a hidden field and if the request doesn't match the sessionID, it doesn't post.
I then separated the form from the page by using iframes.
On the initial load of the form, the proper HTTP REFERER is committed in a session. If the form doesn't have the allowed referer, the form doesn't load and that form is blocked for the session with the IP address noted.
99% of the IP addresses are from China, Latin America, Russia, The Netherlands, and Africa.
Of the 25% of spam still coming through, I had to figure out the next step to stop it without compromising user functionality as in CAPTCHAS. There is no way I was going to use those nor use a `click the kitten` method either.
I rewrote the form code to change the form elements names for every load.
It was pretty much a hack but it worked.
I had a random 6 character word generated every load.
I dismantled that word every 2 characters and put 2 characters in every other character for the form element names that had been base64 encoded.
I had an empty hidden element that had to remain empty as well.
Bots tend to take every element and give it a value.
That seemed to get rid of the other 20%. After a while, the spam would continue at nowhere near the level it once was but we noticed that the timing was 5 minutes between replies instead of seconds meaning that the elements had to be filled out semi mechanically instead of automatically.
After copying that format for a number of forms, the spams that were coming through were from the same pool of networks.
After data crunching and some time, I realized that the obfuscating of element names really didn't deter much as much as sessionID and allowed referring pages did.
I started to actually have a single form for all like forms and use that one form for multiple sites so that updates can happen across all sites at the same time instead of updating 80 or so forms across sites.
I also am in the practice of banning IP address blocks for form access. If they really have something to say to us, they can contact us via email.
Email you say is probably the bane of existence for us that receive spam.
There are tons of javascript mail obfuscators and as long as you have a single email for mail contact, obfuscate it and only use that for mailto links.
I can seriously attest that for the past 13 months, I've never received a penis enlargement mail at that address or any other stock tip.
My forms are hosted at a single location and have strict referer checking. Any attempt to `figure it out` by looking at the iframe source is banned.
If I get a form with non-relevant data, that IP is banned and all my sites and forms benefit.
I've gone from 300-400 form requests a day to the legitimate 10 valid responses a day.
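The session-bound hidden token, honeypot field and per-load element names described above (and the per-visitor daily token from the later "Token Appending" comment) combined into one server-side form check. This is an added illustration, not the poster's code; the host name, secret and field names are constructed, and it uses an HMAC-SHA256 over session id, browser string, form name and date instead of a bare SHA1:

```python
import datetime
import hashlib
import hmac

# Constructed placeholder: a real deployment loads a long random secret from config.
SERVER_SECRET = b"example-only-not-a-real-secret"
ALLOWED_REFERER_PREFIX = "https://forum.example.test/"   # assumed forum host
LOGICAL_FIELDS = ("name", "body")                         # the real inputs
HONEYPOT = "url"                                          # hidden, must stay empty

def form_token(session_id, user_agent, form_name, day=None):
    """Per-session, per-day token: changes daily and differs per visitor."""
    day = day or datetime.date.today().isoformat()
    msg = "|".join((session_id, user_agent, form_name, day)).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def field_names(token):
    """Derive element names from the token so they change on every form load."""
    names = {}
    for logical in LOGICAL_FIELDS + (HONEYPOT,):
        digest = hashlib.sha256((token + ":" + logical).encode()).hexdigest()
        names[logical] = "f_" + digest[:10]
    return names

def render_form(session_id, user_agent, form_name, day=None):
    """What the page embeds: the token in a hidden field plus the obfuscated names."""
    token = form_token(session_id, user_agent, form_name, day)
    return {"token": token, "fields": field_names(token)}

def validate_post(post, session_id, user_agent, form_name, referer, day=None):
    """Return (accepted, reason, data). Everything is recomputed server-side."""
    if not referer.startswith(ALLOWED_REFERER_PREFIX):
        return False, "bad referer", None
    expected = form_token(session_id, user_agent, form_name, day)
    if not hmac.compare_digest(post.get("token", ""), expected):
        return False, "token mismatch", None      # replayed or foreign session
    names = field_names(expected)
    if post.get(names[HONEYPOT], "") != "":
        return False, "honeypot filled", None     # bots tend to fill every element
    data = {logical: post.get(names[logical], "") for logical in LOGICAL_FIELDS}
    if not data["body"].strip():
        return False, "empty body", None          # standard names were posted instead
    return True, "ok", data
```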
Re: (Score:1)
Thanks --
Stephan
Re: (Score:1)
What is this site about? B _ _ _ _ _ _ (fill in the missing letters)
The spam bots have already beaten phpbb captchas, plus they sometimes even use a real email-address so email validation is no use either!
Fixing CAPTCHA (Score:2)
I run a small old-school weblog on my own content management system. Middling PageRank (6 or so), a couple of hundred readers. I just had the spambots discover my Wiki, but in the process of cleaning up that mess I was shocked and amazed by the emergent behavior I'm seeing in spambots. Every form on my site that could get random info plugged into it,
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
It's also easily breakable [zoy.org] - there are scripts out there that can decode the common CAPTCHAs with >90% success.
This doesn't even include social engineering CAPTCHA breakers which are also known to exist e.g. spammer sets up a (say) fake porn site, hotlinks the CAPTCHA image of the site they want to spam. When someone comes along to fake porn site, it tells the user to en
Re: (Score:2)
My ideal forum: Anonymous, semi-anonymous, or "open" posts like the summary describes are run through some bayes or otherwise learning filter. If it's clean, it gets posted, if not, then to the trash. Through some mechanism not requiring a unique website login (e.g. a browser extension that made PGP signatures as easy as a click; why doesn't this exist?), a "verified" post could be made by the semi-anonymous PGP ID. Once enough trust is gained by refraining from making posts flagged as spam, or simply b
Re: (Score:2)
It never ceases to amaze me how in over 4 years of reading Slashdot, I've never seen a spam message. Well, excluding Slashvertisements and Beatles-Beatles type stuff. This is one of the top sites on the internet, with full anonymous posting supported. By all rights, this site should be inundated with all kinds of spambot messages.
Perhaps the spammers fear the retaliation of the collective Slashmind?
Turing Test (Score:2)
- Verified email accounts - this is what I tend to use. User signs up, email with password gets sent. Some people don't like giving out their email for fear of SPAM and such.
You could give your users choice. Either enter your email address (which will be used to send you a verification code), or solve this riddle. The riddle could be a captcha, but I prefer al
Idea (Score:1)
Just log in and later post with whatever nick you want. Just don't trace it or anything. You can even prepare some kind of statistics for users (how many post they posted). And of course implement some captcha.
Re: (Score:2)
Register if you want, if you don't then deal with the captcha. And still let them use any nick as they see fit for each post (possibly autofill the nick field with a name they pick, but allow changes).
Re: (Score:1)
But should the process of registering necessarily require paying a sighted person to deal with the captcha for you?
Re: (Score:2)
Re: (Score:1)
But do most sites that have a visual captcha also have an audio captcha installed? Slashdot does not.
No Registration Required (Score:2)
Re: (Score:2)
1) ForumBan was created and subscribed to: http://www.sugapablo.com/forumban/index.php [sugapablo.com]
2) Math was added to all pages to post. Simple arithmetic.
These two things cut spam by 90+%.
Re: (Score:2)
Re: (Score:2)
It could be a lot more helpful to people if we share these ban lists.
Re: (Score:2)
Why lock down membership? (Score:2)
There's no reason why that should change. Just add CAPTCHAs of some sort or another to the posting system. No more bots posting crap (although the CAPTCHA system might need to be changed every now and then depending on the strength of those chosen).
Re: (Score:2)
Detect the incoming OS type (Score:2)
Re: (Score:2)
Akismet (Score:1)
Akismet [miphp.net] is a very good antispam. It blocks 99% of spam on my forum.
CAPTCHA doesn't work, many spambots can solve CAPTCHAs.
Captchas (Score:2)
I would suggest maybe putting in Captchas [wikipedia.org] for every spot you might submit a post, etc. This way, bots cannot or have more difficulty making posts. Here are more links I had on these, but I haven't looked at them in a while...
Re: (Score:2)
Also, there's some note somewhere about Captchas containing questions instead of codes. So, your captcha might have 2 + 2 = and the answer to validate would be 4. This way, it's a double-edged effect. The computer would have to recognize the images and the 'question' so to speak. But your users would also have to be smart enough. =P
Of course, you can extend this to be multi-level. Place multiple Captcha images for the Q/A. Such as...
[ image 1 - code 1]
...
[ image 2 - code 2]
[ image 3 - code 3]
And t
links (Score:1)
Re: (Score:1)
It blocks about 95% of spam, but some spam messages don't have any links or the links are obfuscated (h* *p :/ / www . example . com).
Re: (Score:1)
Re: (Score:2)
But as the story poster, I have to say that part of the problem is the site software. It's running Discus, which doesn't have a "log in once" thing. I don't even know if it's possible to add captchas, though that would probably be the best solution. I also like the "Banana" solution below.
The best solution, which would retain the site flavor would be require registration, but allow pseudonymous posting.
For exam
Simpler than Captchas (Score:1)
Re: (Score:2)
Re: (Score:1)
Lame ideas from a tiny site (Score:2)
That cut out a lot of the spam. The rest has been gone since I added another, required field "What is my first name?" It is like a captcha but much easier. No one wi
Re: (Score:2)
Since the spammers can't seem to figure out how to send a proper http_referer, it works rather well. They seem to always use the http://host.domain.tld/ [domain.tld].
Of course, I'm not doing this on forum posting, but it is a form that can be used to send me an email. Th
Re: (Score:2)
Whilst I agree that checking for referers is a good thing (90% of the spam I've seen doesn't have them - they find the comment page, work out the form structure then hammer it using some app.), automatically DENY'ing users without referers may
Re: (Score:2)
How does that affect the referer header of the submitted page? Are you suggesting that your web browser will allow you to click "submit", but not actually submit the page (maybe presenting you to a placeholder, so you can bookmark it?), and then somehow submit it later with all of the text you entered?
If you bookmark a form, then come back to it, enter text, and submit, then the referer header will be correct.
Re: (Score:2)
Use mod-security and Bad-Behaviour (Score:2)
These two work perfect for me.
The never-ending battle (Score:2)
I've been using keyword blacklists. They have proven to be very effective. If you don't allow people to input names of common drugs or strings like ".php?" or ".asp?" you can knock out a lot of the affiliate/redirect spam.
The biggest problems have been with the popular messageboar
Re: (Score:1)
Re: (Score:2)
CAPTCHA (Score:2)
In the end in both cases, we've just had to use a CAPTCHA system. Spammers tend to use multiple IP addresses (and I do mean in the hundreds, a lot of them proxies or botnet-controlled boxes) so banning simply doesn't work.
I've tried doing things like only requiring a CA
Re: (Score:2)
Re: (Score:2)
http://www.ngssoftware.com/papers/StoppingAutomatedAttackTools.pdf [ngssoftware.com]
Specifically I have been testing out the Token Appending method, it looks like it might be a good method to try.
I've set it so that the token is a SHA1 hash of today's date, client browser string and a text string of my choosing, so basically this token will change daily for recurring visitors and be fairly unique to each visitor (you can just throw more unique qualifiers at it if needed).
I
Approve once, post always (Score:2)
Sure it still involves trolling through moderated spam to find the genuine posts, but if you don't have massive traffic it works fine.
Re: (Score:1)
Re: (Score:2)
Need an HTTP greylist similar to OpenBSD's spamd (Score:1)
Point is twofold: slow the bots down (or stop the dumb ones altogether) and block obvious botnets completely.
SMTP has the handy retry message. For HTTP, we would need to store the original POST request, and return a response with a 10-20 second meta-refresh to a confirmation url. Anonymous posters won't mind the wait, and the time window gi
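The HTTP greylist sketched above, as an added example that is not part of the original comment: the first POST is parked, the browser gets a meta-refresh to a confirmation URL after a short delay, and only a confirmation from the same address inside the window releases the stored post. Delay, expiry, blocked address prefixes and the confirmation path are all constructed values:

```python
import secrets
import time

class HttpGreylist:
    """Greylist for form POSTs, in the spirit of spamd's tempfail-and-retry.

    submit() parks the request and tells the client to come back after `delay`
    seconds; confirm() releases it only inside [delay, expiry]. A bot that does
    not honour the meta-refresh never confirms, and one that hurries fails too."""

    def __init__(self, delay=15, expiry=600, blocked_prefixes=()):
        self.delay, self.expiry = delay, expiry
        self.blocked = tuple(blocked_prefixes)   # constructed, e.g. ("203.0.113.",)
        self.pending = {}                        # token -> (ip, body, parked_at)

    def submit(self, ip, body, now=None):
        """Park the POST. Returns (status, token); status is 'blocked' or 'wait'."""
        now = time.time() if now is None else now
        if self.blocked and ip.startswith(self.blocked):
            return "blocked", None               # obvious botnet: refuse outright
        token = secrets.token_urlsafe(16)
        self.pending[token] = (ip, body, now)
        return "wait", token

    def confirm(self, token, ip, now=None):
        """Release the parked POST. Returns (status, body)."""
        now = time.time() if now is None else now
        entry = self.pending.get(token)
        if entry is None:
            return "unknown", None
        parked_ip, body, parked_at = entry
        if ip != parked_ip:
            return "ip mismatch", None
        if now - parked_at < self.delay:
            return "too early", None             # faster than the refresh allows
        if now - parked_at > self.expiry:
            del self.pending[token]
            return "expired", None
        del self.pending[token]                  # one-shot: no replay of the token
        return "accepted", body

    def meta_refresh(self, token):
        """Interstitial page body a real browser receives while it waits."""
        return ('<meta http-equiv="refresh" content="%d;url=/confirm?t=%s">'
                % (self.delay, token))
```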
how about- (Score:2)
This is an easy one... (Score:2)
One way I block spam... (Score:2)
Sean
Re: (Score:2)
Spambots (Score:1)
I also recycle known spam through the search software, so it automagically updates itself. Seems to work well, and the
best part is that as your anti-spam technology improves, the people behind the spam robots tend to give up on your site.
Spammers are dirty creatures (Score:2)
Then, about two years ago (I think), the message board spammers began to get exponentially worse. Poker spammers were most of it, but I also saw a number of porn site spammers and some guerrilla marketing campaigns that were awful. The evening t
Ours works just fine. (Score:2)
After getting hit with several posts by auto-spammers, the maintainer instituted new rules.
You can register, which requires nothing more than a valid email address, handle and password (AFAIK, I registered when he was first testing logins). But we also h