Developers September 15, 2020

What's your anti-spam playbook?

alchemist

Over the past hour and a half, someone has created hundreds of garbage accounts on my site. The reason it came to my attention was emails from SES reporting bounces on welcome emails sent out to them.

As Alchemist Camp is relatively small, my spam prevention efforts have been modest. I'm using a full-fledged web framework with security basics like CSRF tokens for forms. Additionally, I keep a ban list for certain email addresses, and also ban IP addresses associated with significant bad behavior.

I have some ideas, but I'd like to hear what others who have been through this do. What are the next steps you would take?

  1. 3

    I had the same problem when I launched my SaaS: automated signups from stolen emails originating from residential IP addresses (probably breached IoT devices).

    I hate Google's captcha, so I wanted to try something different first.

    I ended up using a Ruby gem called invisible captcha, which uses heuristics such as honeypot fields and time-sensitive submissions.

    Roughly speaking, if someone (1) fills an invisible form field (with a random name so that it won't be populated by password managers) OR (2) submits a form too quickly (let's say within 4 seconds of opening a page), they're probably a bot.

    So far it's been working great - not a single bogus signup after I implemented it. It won't fly if bots are using headless browsers, but most bots (and their operators) aren't sophisticated enough to pull that off.

    1. 2

      This is great! I suspect just adding timing checks to the existing form should cut out a good portion of the junk and it's trivial to implement.

      1. 2

        I think so.

        I don't keep logs for long enough to check it, but I remember a good portion of bots were caught by this timing check (they usually submit a form within 1 or 2 seconds of opening a page). This won't work if someone sends a POST request directly to the endpoint without opening a page first.

        Also, don't forget to return a 4xx or 5xx HTTP status code upon catching them. I noticed that bots use 2xx as a signal that whatever they're doing works.

  2. 3

    Edit: The onslaught seems to be over for now, due to the IP-based blocking I've set up.

    1. 2

      Can you please explain that? i'm also facing this issue right now.

      Are you using Laravel as well?

      1. 1

        I'm using Phoenix, which has some similar characteristics to Laravel but is a much newer and smaller ecosystem.

        I ran tail -f on my access logs and grepped for POST events and watched them come into the terminal. If you're using nginx as a reverse proxy, which is likely if you're on Laravel, the command would be tail -f /var/log/nginx/access.log | grep POST.

        Almost immediately I saw requests coming in from the same IP address that were POSTing to /users/new. I added a line to my server configuration to block them. If you're using nginx, this would be deny 123.34.567.89; (or whatever IP address) in your server block.

        Not long after, I saw another address (owned by the same ISP) doing the same thing, so I blocked it. After that, I set up some application logic to catch any address creating multiple accounts within a short period of time. I suppose my next step would be watching and blocking user-agents in a similar way.

    2. 1

      How did you set it up?

      I'm having the exact same problem.

      Do you manually clear out the bogus accounts?

      1. 1

        Details in the sibling thread. As for clearing out the accounts, I just removed all the accounts created during that time period that hadn't visited tutorials on the site.

  3. 2

    Over the past hour and a half, someone has created hundreds of garbage accounts on my site.

    Holy shit, that's happening to me right now.

    I have a confirmation email system going on, but damn these are very annoying.

    1. 1

      I wonder if someone is targeting IH users specifically...

    2. 1

      Happening with me as well right now. :(

  4. 2

    It's quite a common problem, so you will find a lot of resources online. Here are some small tips which shouldn't cost you too much:

    • Confirmation email so that the user can validate their email address
    • Honeypot field. A fake field that a normal user won't see but that a bot will fill.
    • Captcha (though it's a pain for the user sometimes)
    1. 1

      Thanks for the suggestions and they are indeed familiar!

      Since these are transactional welcome emails, they get sent on signup. I could lock-down account features until a user confirms them, but I'm not sure that fixes anything here. It would stop users who actually wanted to use the service using fake emails, but these signups look scripted. Even if I lock the accounts until they confirm, the initial account creation emails have still gone out.

      I'm really hoping captchas won't be necessary, but I if this happens often I might go that route.

      1. 2

        but these signups look scripted

        What technology do you use? Phoenix I would imagine? Do you have a CSRF token?

        I'm asking because while CSRF tokens won't completely protect you against spammers, it will make it harder for them to spam you. Your business being small, spammers will probably be too lazy to make a bot which picks up the token. Also, it makes things safer for your users.

        1. 2

          Yes, CSRF tokens and other framework basics are built-in.

          FWIW, I don't see any business benefit whatsoever for someone to create lots of accounts in this case. Their account pages aren't visible to outside users, so even if their username is PadayLoansNOW or similar, nobody else sees it.

      2. 1

        I agree with these. I would try 1 and 2 before captcha.
        Also, I can't remember where I saw this but some sites not only lock account features, they go a step further and won't even let you log in until you verified.

        So the signup process goes like this:

        1. Sign up for account
        2. Next page says "check your email to verify your account" but does not let you into the app.
        3. User has to go to email and click verify which then opens up the website and logs you in.

        Yes this a slight annoyance but I think for most people it's totally fine, and probably better than captcha.

        1. 2

          Next page says "check your email to verify your account"

          The issue is, at this point an email has already been sent. I don't have a problem (so far) with people using the site with an unverified email. The problem is hundreds of transactional welcome emails being sent to bogus addresses.

          1. 2

            I can see how that would be frustrating. transactional emails should be pretty cheap and hopefully not affect your business too much. Hopefully the honey pot works so you don’t need to use captcha. Good luck!

            1. 2

              Yes, they're very cheap. The main concern is how this might impact deliverability.

              1. 2

                Interesting ... I hadn’t thought about that. I think you’re in good hands with all the other suggestions on this post.

  5. 1

    We had the same problem at Personalli.com. What was worse is that after the fake signups, confirmation emails went to the email addresses and the real people behind these emails marked emails from us as spam! And as a result, our hosting provider wouldn't send emails from our domain! So it's an even bigger problem.

    We implemented the honey pot idea recently and the spam seem to have stopped for now. Its a very quick and efficient way.

    Good luck!

  6. 1

    "Answer this question: What does 3 + eight equal to?"
    or "5 + two"
    etc.
    during the registration process! or a captcha, would be much better!

  7. 1

    You could also add a captcha/recaptcha
    http://www.captcha.net/

Recommended Posts