CMS
MaxUp, 2012-06-05 08:16:46

What methods are there to protect against spam registrations?

I came to the conclusion that captcha as a protection against spam has long outlived its usefulness. Pictures are becoming more and more difficult for ordinary people to read, but spam programs successfully pass this protection - in some cases programmatically, in others through services like anti-gate.
Now I am working on protection that, on the one hand, would be transparent for ordinary users, and on the other hand, cut off spammers.
1. step 1 — checking email (activation link sent by email) after registration
2. step 2 — checking against spam databases (stopforumspam.com, Akismet, TypePad AntiSpam) during email validation.
3. step 3 — checking by filters. The bottom line is that the user is evaluated by different factors, each of which has a certain weight:
a. email (postal, the presence of numbers)
b. the site address entered during registration (as statistics show - 99% of spambots fill in, against 10-15 percent of ordinary users)
d. domain mismatch in the site address and email
e. the presence of links in text
fields 24 hours
for numbers in the username
Based on the filter results, various additional verification methods are possible - reCAPTCHA, verification by phone, a form for sending an email to the admin, etc., up to an automatic ban and submission to the spam database.
4. periodic repetition of steps 2 & 3 - by cron and when changing the user profile.
That's all for now.
Question - can anyone else suggest any methods? The main requirement is the most transparent method for ordinary users. Methods like “picture a picture” or “solve this problem” are not suitable.
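
The weighted filter from step 3 of the question, as an added example that is not part of the original post: each factor that fires adds its weight, and the total decides between letting the user in, asking for an additional check (reCAPTCHA, phone) and an automatic ban. The weights, thresholds, field names and the sample registration are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Weights and thresholds are assumed values for illustration; tune them on real data.
WEIGHTS = {
    "site_filled": 3,         # site address entered during registration
    "domain_mismatch": 2,     # site domain differs from the email domain
    "links_in_text": 3,       # links in free-text fields
    "digits_in_email": 1,     # digits in the email local part
    "digits_in_username": 1,  # digits in the username
}
CHALLENGE_AT, BAN_AT = 4, 8   # assumed score thresholds
LINK_RE = re.compile(r"https?://|www\.", re.I)

def site_host(url):
    """Lowercased host of a site address, without a leading 'www.'."""
    try:
        host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    except ValueError:  # malformed address, e.g. unbalanced IPv6 brackets
        host = ""
    return host[4:] if host.startswith("www.") else host

def triggered_factors(reg):
    """Names of the filters that fire for one registration (a dict)."""
    local, _, email_domain = reg.get("email", "").lower().rpartition("@")
    site = reg.get("site", "").strip()
    hits = []
    if site:
        hits.append("site_filled")
        host = site_host(site)
        if host != email_domain and not host.endswith("." + email_domain):
            hits.append("domain_mismatch")
    if any(LINK_RE.search(v) for v in reg.get("text_fields", [])):
        hits.append("links_in_text")
    if re.search(r"\d", local):
        hits.append("digits_in_email")
    if re.search(r"\d", reg.get("username", "")):
        hits.append("digits_in_username")
    return hits

def evaluate(reg):
    """Score a registration and map it to allow / challenge / ban."""
    hits = triggered_factors(reg)
    score = sum(WEIGHTS[h] for h in hits)
    action = "ban" if score >= BAN_AT else "challenge" if score >= CHALLENGE_AT else "allow"
    return score, action, hits

SAMPLE = {"username": "seo2012", "email": "promo77@mail.example",  # constructed sample
          "site": "http://cheap-pills.example/buy", "text_fields": ["see www.cheap-pills.example"]}
```

Returning the list of triggered factors alongside the score lets the periodic re-check from step 4 log why an account was challenged or banned.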


9 answer(s)
Mikhail R, 2012-06-05
@russum

1 - annoying, it is not always possible to get to the email
2 - already better, but can slip through if the email is generated on the fly
3 - left hidden fields that are not visible to the user, but "natural" for the bot - already good, but many bots can track.
I did this, everyone who wants to register, comments can be written on the fifth day, the fields during registration are not visible anywhere else, except for the profile and for registered users, after five days the comments from the user are checked for the presence of http (all other users receive a warning when trying to send a link). If an entry is found, then the user himself and all his comments are deleted, but not by IP, as it may just be infected. Cron works once an hour with such a check, it is reasonable if there are no more than 10 thousand users, then you need to think about something.
Back when search engine spam reports were working fine, once a month emails were generated with links from comments and search engine results as confirmation of spam, spammer sites eventually flew out of the index, now they don’t react as much as we would like ...

ZloiZmei, 2012-06-05
@ZloiZmei

You can add a field to the form that does not need to be filled in, with a standard name like mail. Whoever fills it in is a robot. Hide it with styles.
I successfully demand to enter “3 letters of our university” on the university website. It seems that there were no people who did not pass yet, and robots that would pass :) Unless if you do not know the Russian language, there may be a problem, even if there is no Russian layout, no one bothers to copy the abbreviation from the same page.

VeMax, 2012-06-05
@VeMax

If the audience allows, can you register via SMS to your phone? Activate with code.

Michael, 2012-06-08
@1099511627776

d. numbers in the username
But this item confuses me sooooooooo much

egorinsk, 2012-06-05
@egorinsk

Methods that do not interfere with the user: analysis of the request IP, checking against blacklists (registrations from anonymous proxies and Tor we block; from countries like China or data-center IPs we let through, but mark as suspicious). It is especially worth paying attention to mobile IPs and Opera's IPs from Norway - they just do not need to be banned.
Checking for JS and Flash support on the client (if not, it's most likely a bot).
Analysis of links between accounts (login to different accounts from the same IP with the same cookie, or at a similar time for example). Analysis of the number of registrations over time. Analysis of user behavior after registration.
Bots are also good to catch on filling trap fields.
You also need to understand that bots are different, there are those that stupidly go to all sites and send all the forms found on them (these are easily cut off), and there are the best representatives of dark hats specially designed for your site, it is more difficult with them.
The methods you suggested are either useless or interfere with the user, but are easily bypassed by spammers, or generally represent epic nonsense (about the numbers in the name).
In general, start with the question of what threatens your project with "left" registrations. Why are they made. Maybe you need to log in to the site where you can do without it? Comments can be left without registration.
If you make a blog management system and are afraid of spam links, make a reputation system: an unverified user cannot leave links, a verified one (actively commenting or approved by the blog author can). Check link domains against databases like akismet.
If the project is a social network and you are afraid of mass registration for spam, everything is much worse. Only linking to phones really helped the VKontakte level project, all other methods were easily bypassed by spammers. However, you can fight spam by introducing a reputation system, as well as limiting interaction between non-friend users.
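
The account-link and registration-rate analysis mentioned in this answer, as an added example that is not part of the original post: it groups accounts seen with the same IP and cookie, and flags IPs that register too many accounts inside a sliding window. The record layout, the per-IP grouping, the 10-minute window, the limit of 3 and the sample data are assumptions; the result is a list of suspects to review, not a ban list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def linked_accounts(logins):
    """Group accounts that logged in with the same (IP, cookie) pair."""
    seen = defaultdict(set)
    for ev in logins:
        seen[(ev["ip"], ev["cookie"])].add(ev["user"])
    return {key: sorted(users) for key, users in seen.items() if len(users) > 1}

def registration_bursts(registrations, window=timedelta(minutes=10), limit=3):
    """Map each IP to its peak registration count if it exceeds `limit` in any window."""
    by_ip = defaultdict(list)
    for reg in registrations:
        by_ip[reg["ip"]].append(reg["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Shrink the window from the left until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > limit:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

# Constructed sample data (documentation IP ranges, made-up users).
T0 = datetime(2012, 6, 5, 8, 0)
SAMPLE_LOGINS = [
    {"user": "alice", "ip": "192.0.2.10", "cookie": "c1"},
    {"user": "bot_a", "ip": "198.51.100.7", "cookie": "c9"},
    {"user": "bot_b", "ip": "198.51.100.7", "cookie": "c9"},
    {"user": "bob", "ip": "198.51.100.7", "cookie": "c2"},  # same IP, different cookie
]
SAMPLE_REGS = (
    [{"ip": "198.51.100.7", "time": T0 + timedelta(minutes=m)} for m in (0, 1, 2, 3)]
    + [{"ip": "192.0.2.10", "time": T0 + timedelta(hours=h)} for h in (0, 1, 2, 3)]
)
```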

EndUser, 2012-06-05
@EndUser

If the resource is thematic, then the contextual issue kills Chinese-Indian outsourcers to overcome captcha.
If not thematic, but general purpose, then ... We must think.
The rule proposed above should be written only for 2-3-N days, and a ban for the impatient - well, few people read the signs.
Although if it's a red banner, it might work. After all, you don’t really need impatient and intolerant users, do you?
If a store, then you can load a person for two bucks and return them back with the first purchase.

digdream, 2012-06-06
@digdream

Not for the purpose of advertising, I will say that after I put a graphic captcha from Keycaptcha on my sites, I no longer saw a single bot, whereas before that there were ten left registrations a day.

MaxUp, 2012-06-08
@MaxUp

Another pattern for finding spammers is repeated passwords.

Michael, 2012-06-08
@1099511627776

a. email (mail, the presence of numbers)
Well, this one, too.
You can also record user verification by phone number, and in 2 ways.
1 - please indicate the phone number and enter the code that will come via SMS (very wasteful)
2 - generate a code and ask him to send it by SMS for activation (you can get some money back)
