How can I stop human captcha solvers?

Romestar

Member
Aug 20, 2006
I recently noticed that I've been getting bombarded with spam signups on one of my sites (running custom software). They're filling out public user profiles with keywords (like in "About me") and a link and linking to those profiles with hundreds of really spammy links. It's not too much of a problem since I've always been blocking profiles with robots.txt, but I'm really curious how this can be stopped.

  • I switched from reCaptcha to Solve Media.
  • I removed the "website" field from the edit profile page and made it so that accounts would get deleted if "website" was sent via POST. (I'm assuming a bot is filling this part out.)
Spam accounts are still being created (the usernames give it away), but the profiles aren't getting filled out (not sure why). This has to be humans solving the captchas, right? Do you know how I can tweak my POST trick to get it to work?

Thanks.
 




Change the registration path. Lol sorry.
 
If changing reg url doesn't work, use one of them bullshit dragging image captchas. They're gay as fuck but the chances are they are automating this and sending the captcha image to a third party to solve, so that would solve it.
 
There's no simple, black & white solution. Changing your registration URL is pointless. Might work for a few days, but the bots are going to find your new reg url. OCR is getting quite advanced these days, and most captchas out there have been broken now. Plus as said above, there are also services where humans enter the captchas as well.

There's a laundry list of things you can do to help, but none will completely prevent bots:


  • Add CSRF checks to your form.
  • Create a session upon visiting the reg form, with the value of HTTP_USER_AGENT plus a unique session ID appended to it. Check for this session variable upon submission, to ensure they actually viewed the reg form.
  • Require addl security questions / answers on your reg form. Then sporadically throw up elements requesting captcha and/or answer to security question depending on different metrics. For example, if someone registers from Australia, then logs in from Belgium a couple hours later, bug them with captchas, etc. Or if someone logs in, then submits the update profile form 0.034 seconds later, same thing.
  • Get a proxy check, and deny proxies from registering.
  • Check and ensure the domain name provided on the e-mail address actually resolves somewhere.
  • Require e-mail activation of all accounts (ie. click on link within e-mail to access member area)
  • Get some username verification going (eg. the username zidja8742lasdjg can probably be denied registration).


And the list goes on. Again, no clear cut solution, but there's a laundry list of little things like above you can do to help. None of them stop it completely, but the more layers you add in, the more difficult it becomes for bots, hence the less bots you have to deal with.
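As an added illustration of several layers from the list above (it is example code written for this thread, not the poster's or the site's own software): a per-session CSRF token bound to the user agent that viewed the form, a fill-time check so a POST that arrives a fraction of a second after the GET is rejected, the "zidja8742lasdjg"-style username heuristic, and a check that the e-mail domain resolves. The in-memory session store, the thresholds (3 s minimum, 1 h maximum, consonant-run and digit-block patterns) and the injectable `resolve` callback are assumptions chosen for this example; the default resolver does a live `socket.gethostbyname` lookup.

```python
import hmac
import re
import secrets
import socket

# In-memory stand-in for a server-side session store (constructed for this example).
SESSIONS = {}


def start_registration(session_id, user_agent, now):
    """Called when the registration form is rendered.

    Records which user agent viewed the form and when, and returns a
    per-session CSRF token to embed in a hidden form field.
    """
    token = secrets.token_hex(16)
    SESSIONS[session_id] = {"ua": user_agent, "token": token, "issued": now}
    return token


def check_form_submission(session_id, user_agent, token, now,
                          min_seconds=3.0, max_seconds=3600.0):
    """Return 'ok' or a reason string for rejecting the POST.

    A client that never loaded the form has no session; a client that
    changed user agent between GET and POST, or that submits faster than
    a person could type, is treated as automated.
    """
    sess = SESSIONS.get(session_id)
    if sess is None:
        return "form never viewed"
    if sess["ua"] != user_agent:
        return "user agent changed between view and submit"
    if not hmac.compare_digest(sess["token"], token):
        return "csrf token mismatch"
    elapsed = now - sess["issued"]
    if elapsed < min_seconds:
        return "submitted too fast"
    if elapsed > max_seconds:
        return "form token expired"
    return "ok"


CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")   # e.g. "sdjg"
DIGITS_INSIDE = re.compile(r"[a-z]\d{3,}[a-z]")              # digit block wedged between letters


def username_looks_random(name):
    """Heuristic for machine-generated names; thresholds are assumptions."""
    lower = name.lower()
    if len(re.sub(r"[^a-z]", "", lower)) < 3:
        return True
    if CONSONANT_RUN.search(lower):
        return True
    if DIGITS_INSIDE.search(lower):
        return True
    return False


def email_domain_resolves(email, resolve=None):
    """Check that the address's domain resolves somewhere.

    `resolve(domain) -> bool` can be injected (used in tests); the
    default performs a live DNS lookup.
    """
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].strip().lower()
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", domain):
        return False
    if resolve is None:
        def resolve(d):
            try:
                socket.gethostbyname(d)
                return True
            except OSError:
                return False
    return resolve(domain)


def evaluate_registration(session_id, user_agent, token, now, username, email, resolve=None):
    """Run every layer; returns the list of rejection reasons (empty means accept)."""
    reasons = []
    verdict = check_form_submission(session_id, user_agent, token, now)
    if verdict != "ok":
        reasons.append(verdict)
    if username_looks_random(username):
        reasons.append("username looks machine-generated")
    if not email_domain_resolves(email, resolve):
        reasons.append("e-mail domain does not resolve")
    return reasons


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed)"
    tok = start_registration("sess-1", ua, now=1000.0)
    # A person who loaded the form 45 s earlier, with a plausible name and domain.
    print(evaluate_registration("sess-1", ua, tok, 1045.0, "john_smith",
                                "john@example.com", resolve=lambda d: d == "example.com"))
    # A bot posting straight to the handler without ever viewing the form.
    print(evaluate_registration("sess-bot", ua, "", 2000.0, "zidja8742lasdjg",
                                "x@nonexistent.invalid", resolve=lambda d: False))
```

Each check returns a reason rather than a bare boolean so the rejections can be logged and counted; watching which layer fires most is how you find out whether the traffic is scripted (no session, sub-second fills) or human-assisted (everything passes except the username and domain heuristics).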
 
Instead of focusing on the front door, focus on minimizing the spammability of your platform altogether.

For example, forums usually prohibit users from posting links until they've made their Nth post.
 
You will never be able to stop it 100%. You can only just slow down the reg process and make it more costly for spammers.

Set extreme IP and time based rate limits. It will force them to use more proxies. more proxies = more $$$ they have to spend. Eventually, they will give up or move to another website.
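An added example (written for this thread, not code from any poster) of the two ideas in the last replies: a sliding-window rate limiter that, once a client exceeds its registration budget, blocks it for a cooldown so every extra attempt costs the spammer another proxy, and the forum-style rule that a user may not post links until their Nth post. Keying the limiter by /24 subnet instead of by single address is an assumption added here so that rotating through addresses inside one proxy range still shares a budget; the limits, cooldown and post threshold are likewise example values, and the IPs are from documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict, deque


class IpRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per key per `window`
    seconds; going over blocks the key for `cooldown` seconds."""

    def __init__(self, limit, window, cooldown):
        self.limit = limit
        self.window = window
        self.cooldown = cooldown
        self.hits = defaultdict(deque)   # key -> timestamps of allowed attempts
        self.blocked_until = {}          # key -> time at which the block expires

    def allow(self, key, now):
        until = self.blocked_until.get(key)
        if until is not None:
            if now < until:
                return False             # still in cooldown
            del self.blocked_until[key]
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()                  # drop attempts that fell out of the window
        if len(q) >= self.limit:
            self.blocked_until[key] = now + self.cooldown
            return False
        q.append(now)
        return True


def subnet_key(ip, prefix=24):
    """Bucket IPv4 clients by /24 (assumption) so one proxy range shares a budget."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


def may_post(body, prior_posts, min_posts_for_links=10):
    """Forum-style rule: links are refused until the user has made N prior posts."""
    if URL_RE.search(body) and prior_posts < min_posts_for_links:
        return False
    return True


if __name__ == "__main__":
    limiter = IpRateLimiter(limit=2, window=600, cooldown=3600)
    for t, ip in [(0, "203.0.113.45"), (1, "203.0.113.200"), (2, "203.0.113.7"), (3700, "203.0.113.9")]:
        print(t, ip, "allowed" if limiter.allow(subnet_key(ip), t) else "refused")
    print(may_post("check out http://spam.example", prior_posts=0))   # constructed post body
    print(may_post("check out http://spam.example", prior_posts=12))
```

The limiter deliberately counts only allowed attempts toward the window; the refusal is enforced by the cooldown, which is what makes repeated hammering from the same range expensive rather than merely slow.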