Hello,
I've come here looking for a bit of help or advice regarding a dilemma that I am currently having for my website.
I host an auto-responder that doesn't require a double opt-in. Anybody can come and create an account and they will start receiving our series of emails.
The problem is that I am being attacked by a persistent group of hackers/spammers that are installing bogus accounts and using proxies to do their work.
Although I've filtered all their IP addresses and eliminated the bogus email accounts, they still come at me every day! I've thought about using a CAPTCHA, but that will only slow them down, it won't stop them, so my question is:
Is there some way that I can stop this attack, other than using a double opt-in???
I thank you for your help and look forward to your input.
Help: Spammers Flooding My Autoresponder.
Started by benseclawney, Jun 30 2011 11:55 AM
6 replies to this topic
#1
Posted 30 June 2011 - 11:55 AM
#2
Posted 30 June 2011 - 12:50 PM
Even the double opt-in won't stop them all as there are low-budget account creation businesses running out of Asia that just sit around creating accounts all day long.
You have to block the IP addresses of the proxy services. Fortunately, some of them use multiple IP addresses within the same C-class blocks so you can block at that level.
You can also block by geographic region if you're not trying to service the entire world.
Another option would be to whitelist only known domains -- this cuts out a lot of little players but you can set up an option for people to request that their email domains be whitelisted. Unfortunately if you include Gmail, Hotmail, and Yahoo! you'll be spammed heavily -- but if you exclude them you'll block many legitimate users.
There is no simple solution to the problem.
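One way to apply the block-level filtering described in the reply above, as an added example that is not part of the original thread: group the source addresses of signups already judged bogus by /24 (the "C-class" block) and deny a whole block only when several distinct addresses in it were involved. The threshold, function names and sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: source IPs of signups already identified as bogus.
BOGUS_SIGNUP_IPS = [
    "203.0.113.10", "203.0.113.57", "203.0.113.200",  # three hosts, one /24
    "198.51.100.4", "198.51.100.4",                   # one host seen twice
    "192.0.2.77",
    "2001:db8::1",                                    # IPv6, skipped below
]


def blocks_to_deny(ips, min_distinct=3):
    """Return the /24 networks where at least min_distinct different
    addresses created bogus accounts (min_distinct is an assumed threshold)."""
    seen = defaultdict(set)
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            continue  # /24 grouping applies to IPv4 only
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        seen[net].add(addr)
    return sorted(net for net, addrs in seen.items() if len(addrs) >= min_distinct)


def is_blocked(ip, deny_nets, single_ips=()):
    """True if ip is individually listed or falls inside a denied /24."""
    addr = ipaddress.ip_address(ip)
    return str(addr) in single_ips or any(addr in net for net in deny_nets)
```

Counting distinct addresses rather than raw signups keeps one noisy host from getting its 255 neighbours blocked; that host goes on the single-address list instead.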
#3
Posted 30 June 2011 - 01:12 PM
#4
Posted 30 June 2011 - 02:32 PM
Actually, only the bots would see that field. I have seen variations on this technique in the past. They won't stop the human spammers and some robots may now be aware of the trick (simply because the botwriters often see these tips being passed around in forums and newsletters -- it's hard to stay ahead of the curve).
#5
Posted 30 June 2011 - 03:30 PM
I saw the Stop Forum Spam site (stopforumspam.com) mentioned on this forum at one point, and integrated their API in my contact form scripts. It does not catch all spammers, but it has greatly reduced the amount of spam that makes it to my Inbox.
Anyone who trips the filter has the full message logged to a text file on the server, is given a fake thank you, thinks the form submitted, and moves on.
As I recall, the API has some great example scripts you can use - if not, I can provide the one I set up, if you're interested and need it.
There are also plug-ins for WordPress and various other systems.
In addition, I also use a hidden field trick similar to what Jill mentioned, and a regular expression match against common phrases used in spam messages.
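The layered filter described in the reply above (hidden field, phrase match, logging, and an identical thank-you for everyone), sketched as an added example that is not the poster's script. The field name `website`, the phrase list and the log path are assumptions, and the blocklist lookup itself (for instance against the Stop Forum Spam API) is left to the caller and passed in as `reputation_hit`.

```python
import json
import re
import time

HONEYPOT_FIELD = "website"  # hypothetical name of the CSS-hidden input
THANK_YOU = "Thanks, your request has been received."
# Assumed phrase list (constructed); build yours from the spam you log.
SPAM_PHRASES = re.compile(r"\b(?:viagra|payday\s+loans?|cheap\s+pills)\b", re.I)


def screen_submission(form, reputation_hit=False,
                      log_path="rejected_submissions.log"):
    """Screen one form post; the visitor gets the same reply either way.

    reputation_hit is the caller's result from a blocklist lookup;
    the lookup is not shown here.
    """
    reasons = []
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot")  # field is hidden from human visitors
    if SPAM_PHRASES.search(form.get("message", "")):
        reasons.append("phrase")
    if reputation_hit:
        reasons.append("blocklist")
    if reasons:
        # json.dumps escapes newlines, so a submission cannot forge
        # extra lines in the log file.
        record = {"ts": int(time.time()), "reasons": reasons, "form": form}
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
    return {"accepted": not reasons, "reasons": reasons, "response": THANK_YOU}
```

Only subscribe the address when `accepted` is true; always show `response`, so a rejected submitter gets no signal to adapt to.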
#6
Posted 30 June 2011 - 04:23 PM
Thanks for the replies everybody, much appreciated.
We are relatively sure that these spammers are actually people and not bots, so I'm not sure the "hidden field" trick will work, but I must say it's a very clever method to catch them red-handed.
We've come to realize that it would be impossible to completely get rid of them, so our plan is to minimize the amount of unwanted spam, and make their work that much harder.
Thanks very much for the suggestions.
#7
Posted 30 June 2011 - 04:26 PM
There is also a WordPress plugin that connects to the StopForumSpam, Project Honeypot, and BotScout anti-spam services that I have been testing. It seems to help cut down on spam or at least flag it.
It's imaginatively called the "Stop Spammer Registrations Plugin" by Keith Graham. There may be other plugins worth trying as well.