Fighting Forum Spambots
Ready-made solutions (e.g. WordPress), where there is a risk that forum spambots could take part in filling out forms (discussion, registration, etc.), have provisions for this built in; in solutions built from scratch, this kind of protection must be thought through by the developer.
A forum spambot, similarly to an email spambot, sends unsolicited commercial messages in a direct or indirect way. The result, if it is a discussion form, is a large number of varied messages with links to other pages or content unrelated to the topic.
Essentially, a forum spambot is a small program that has somehow determined that there is a fillable form on the page and starts exploiting it by inserting various kinds of text. What makes the situation non-trivial is that such sending can happen (and usually does) through infected computers. The result is perfectly legitimate IP addresses sending completely crazy messages, and those addresses are not really suitable for banning.
Some myths
- Someone is deliberately (and manually) pasting various rubbish.
- The spambot has deliberately chosen your page specifically.
- Spambots possess logic - i.e. spambots understand how and what to fill in the form.
- You can unsubscribe from spambots by opening one of the links provided.
Some truths
- Few spambots execute JavaScript, Java, ActiveX or Flash.
- Spambots usually don't "speak" Latvian, but they may speak Russian :(
- Some spambots can recognise image codes (CAPTCHA).
- The spambot's actual IP address is usually not determinable.
- In most cases, spambots fill in all form fields.
Fighting spambots (forums, comments)
1. Only one message can be added per session (or from one IP).
2. Image code (CAPTCHA).
3. Textual validation - ask a question that the user must answer.
4. Graphic validation - show an image and require selecting one of the options depicted.
5. Third-party tools, for example Akismet (http://akismet.com/). Here I want to draw attention to the fact that DNSBL will not work: if the victim's computer is infected, it is most likely already on a blacklist, so its email sending is blocked (which is logical) - but why should such a user be prevented from filling out a form?
6. Prior registration. Given that this is also a form, there is also a risk of active spambot participation here.
7. Using unified registration (e.g. openID).
8. Keyword checking (url, sex, porn, viagra, etc.).
9. Using JavaScript to intercept the submit button click: the script asks "are you a bot?" and, if the answer is positive, writes a value into a hidden field. If the value is missing or incorrect, the form is not processed.
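As an added example (not code from the original post), the following Node.js module combines three of the measures listed above for a comment form: one message per IP within a time window (measure 1), keyword checking (measure 8), and the hidden field filled in by a browser script (measure 9). The field name `not_a_bot`, the expected value, the one-minute window and the word list are assumptions chosen for the example; the browser-side handler is written over a plain object and an `ask` callback standing in for `window.prompt`, so the whole thing runs offline. The security point it makes is the one from the "truths" list: a spambot that never executes JavaScript never sets the hidden field, so its submission is rejected before the rate limit or word list are even consulted.

```javascript
// Added example: server-side acceptance check for a comment form plus the
// browser-side handler that fills in the hidden field. All names are assumed.
const HIDDEN_FIELD = "not_a_bot";   // assumed name of the hidden <input>
const EXPECTED_VALUE = "human-ok";  // assumed value the browser script writes
const EXPECTED_ANSWER = "no";       // assumed answer to "are you a bot?"
const WINDOW_MS = 60 * 1000;        // one message per IP per minute (assumed)
// Keyword list from the post ("url, sex, porn, viagra") with URL schemes
// standing in for "url"; a real list would be longer and tuned per site.
const BLOCKED_WORDS = ["viagra", "porn", "sex", "http://", "https://"];

// In-memory record of the last accepted post per IP (a real site would use
// the session store or a shared cache instead).
const lastPostByIp = new Map();

function hasBlockedKeyword(text) {
  const lower = text.toLowerCase();
  return BLOCKED_WORDS.some((w) => lower.includes(w));
}

// Server side: decide whether a submitted comment is processed.
// `fields` is the parsed form body, `ip` the client address.
function acceptComment(fields, ip, now = Date.now()) {
  // Measure 9: spambots that don't run JavaScript never set the hidden field.
  if (fields[HIDDEN_FIELD] !== EXPECTED_VALUE) {
    return { accepted: false, reason: "hidden field missing or wrong" };
  }
  // Measure 8: keyword check on the message text.
  if (hasBlockedKeyword(fields.message || "")) {
    return { accepted: false, reason: "blocked keyword" };
  }
  // Measure 1: only one message per IP inside the window. Checked last so a
  // rejected submission does not consume the sender's slot.
  const last = lastPostByIp.get(ip);
  if (last !== undefined && now - last < WINDOW_MS) {
    return { accepted: false, reason: "rate limited" };
  }
  lastPostByIp.set(ip, now);
  return { accepted: true, reason: "ok" };
}

// Browser side of measure 9: intercept the submit click, ask the question and
// write the value into the hidden field only when the expected answer is
// given. `ask` stands in for window.prompt so this runs without a DOM.
function onSubmit(fields, ask) {
  const answer = String(ask("Are you a bot?") || "").trim().toLowerCase();
  if (answer === EXPECTED_ANSWER) {
    fields[HIDDEN_FIELD] = EXPECTED_VALUE;
  }
  return fields;
}

module.exports = { acceptComment, onSubmit, hasBlockedKeyword };
```

The keyword check is the weakest of the three and is deliberately placed after the hidden-field check: a word list only filters what it knows, while the JavaScript requirement filters every bot from the "few spambots execute JavaScript" class regardless of what it posts.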
Fighting spambots (registration)
1. Multi-step registration.
2. Image code (CAPTCHA).
3. Restriction by country (e.g. LV only).
4. Graphic validation.
5. Textual validation.
6. DNSBL and email validation.
7. Registration confirmation (sending an email with an activation link).