How to deal with botnets and automated submissions

Story: I have a web application that offers a big incentive to participate. As a result, we are heavily targeted by scripters and bots. Based on the IP addresses the submissions come from (1000+ and growing, with no pattern), I am inclined to believe the entries are created by a botnet. Even worse, whoever is running the automated submissions is actively watching: every time we make changes, they catch up within a few hours.

Some of the measures we have already tried are:

  • Captcha, both third-party and homegrown, with varying degrees of readability
  • Anti-forgery token sent via a cookie and a hidden field, compared on submit
  • Hidden empty honeypot field that causes the submission to fail if the field contains data
  • Hidden honeypot field that contains default data and causes the submission to fail if a piece of JavaScript has not run to clear the field value
  • Limiting submissions per IP address for a certain period of time
  • Blocking email domains known to be used by automated scripts
  • Blocking hosts based on simultaneous connections or connections per minute at the firewall
  • Blocking the most egregious IP addresses at the firewall
  • Using an external address verification service to verify incoming addresses

Even with all these measures, the submissions have not only continued but have apparently increased in frequency to about 100,000+ per day.

The fake entries now use fully valid first and last names and apparently rely on a directory list to make sure that the addresses they use (which seem completely random and totally inconsistent, by the way) are really valid U.S. Postal addresses. In addition, I logged the input form values to the debug log and confirmed that they really do contain valid captcha codes, which indicates they have OCR good enough to decode the images (the code itself is never sent to the client, only a GUID referencing the code stored elsewhere on the back end).

In fact, the only way we can even identify the entries is by the email addresses and domains they submit. We tried blocking entries from the most active domains, but the spammers simply create or find new domains from which to generate one-time email addresses and carry on.

I'm pretty exhausted at the moment, but I'm sure there must be something that I haven't tried. Does anyone have any bright ideas?

+6
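As an added illustration (not code from the original question), here is a server-side validator that combines several of the checks listed above: the cookie/hidden-field anti-forgery token, the empty honeypot, the JavaScript-cleared honeypot, and a per-IP sliding-window limit. Field names, the default honeypot value and the limits are assumptions chosen for the example.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed example values (assumptions, not from the original post).
HONEYPOT_DEFAULT = "do-not-change"   # value the page's JavaScript is expected to clear
IP_WINDOW_SECONDS = 600              # sliding window for the per-IP limit
IP_MAX_SUBMISSIONS = 3               # submissions allowed per IP per window
_submissions = defaultdict(list)     # ip -> submission timestamps (in-memory for the example)


def issue_token() -> str:
    """Anti-forgery token: the same value is set in a cookie and in a hidden field."""
    return secrets.token_urlsafe(32)


def check_submission(cookies: dict, form: dict, client_ip: str, now: float) -> list:
    """Return the list of failed checks; an empty list means the entry is accepted."""
    failures = []

    # 1. Token in the cookie must match the token in the hidden field (constant-time compare).
    cookie_tok = cookies.get("af_token", "")
    form_tok = form.get("af_token", "")
    if not cookie_tok or not hmac.compare_digest(cookie_tok.encode(), form_tok.encode()):
        failures.append("token_mismatch")

    # 2. Empty honeypot: a human never sees the field, so any data means a script filled it.
    if form.get("website", ""):
        failures.append("honeypot_filled")

    # 3. Prefilled honeypot: the page's JavaScript clears it; the default still present
    #    means the form was posted without executing the page.
    if form.get("confirm_code", HONEYPOT_DEFAULT) == HONEYPOT_DEFAULT:
        failures.append("js_not_executed")

    # 4. Per-IP rate limit over a sliding window.
    recent = [t for t in _submissions[client_ip] if now - t < IP_WINDOW_SECONDS]
    if len(recent) >= IP_MAX_SUBMISSIONS:
        failures.append("ip_rate_limited")
    recent.append(now)
    _submissions[client_ip] = recent

    return failures
```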
3 answers

The problem is that, through "registration" on your site, the user immediately gets too many rights. The user is trusted "too fast".

Look at stackoverflow - you can register, but you get almost no rights at the beginning. The user's rights increase over time, because trust in the user grows based on what the user does and on other users accepting it.

I would focus on making user "trust" a kind of resource that has to be "built up", where other users need to confirm the "level of authority" of a particular user. Then automated registration of users would make no sense - they cannot do anything.

I don't know what your site is about - this probably makes my suggestion unsuitable ... But I hope I moved your thinking forward :)

+3

What about a picture where you have a photograph of, for example, a cup, with C _ _ underneath? You would need to spend a lot of time creating tons of images to implement it, but it really tests their determination to spend all that time manually identifying 1000 images. Of course, I don't know how good your prizes are; it may be worth it to them.

+2

I'm not sure whether you are still looking for an answer to your question, but have you thought about checking the information the user submits together? For example, if you require them to provide their name, physical address, phone number and email address, check a telephone directory or address database to make sure all the entered information is consistent. That way you verify not just well-formed data but an actual person.

Another thing you might consider is sending a text message to the user informing them that they won, instead of emailing them.

Not sure how appropriate this is for your case, but it might help.

+1

Source: https://habr.com/ru/post/893998/
