Flutterby™! : spammers strike


spammers strike

2006-11-02 02:40:04.883339+00 by Dan Lyke 8 comments

Wow. The link spammers discovered the Flutterby wiki a few days ago. I've deleted a boatload of stuff and disabled posting to it.

A new rule on any web services stuff: Any new content has to be scanned by humans, often. Yuck.

[ related topics: Web development ]

comments in ascending chronological order:

#Comment Re: made: 2006-11-02 04:08:04.357785+00 by: meuon

I've put a few bogus forms online, just to collect the dreck.

It's -bad- out there. And as the 3rd world has gotten connected, it's as cheap to pay humans to go through user validation procedures and post dreck, as it is to attempt to automate it.

I'm writing a new "everything" CMS, Blocg. Shopping Cart, Calendar, etc.. and half the frigging logic is to stop the B.S. inputs. My Cybrmall merchants are seeing 10 times as many bogus robots and humans create bogus orders for 'free ringtones' or 'Invest in XXXX' as the name and address, as real orders.

One stupid thing I've learned is to use unintuitive variable names in form inputs, i.e. name='firstname' becomes name='6969fn'. It's a real pain, but it seems to make the robot posters less likely to post.

#Comment Re: made: 2006-11-02 08:05:24.206305+00 by: Brian

How much effort do the bot-coders put into their scripts? If you had the comment form inputs protected with a simple ".. and type 'please' into this box before hitting 'comment'", would they actually bother to adapt to that?

#Comment Re: made: 2006-11-02 13:11:02.667336+00 by: meuon

If your scripts become 'famous' like Matt's formail.pl, they'll create -anything-, especially if they can trick it into sending e-mail. My gl-formmail.php is being used in a few dozen places, and attracts a lot of mime content insertion attempts and other oddball techniques where I am not sure -what- they were trying to do. I have logged and seen a lot of humans attempt to handcraft a script for it... as well as automated ones: try these 12 methods to 12 collection/feedback e-mail addresses; if we don't get an e-mail back.. go find another form to abuse.

The other form attacks seem more directed at putting a link to some bogus website promoting 'free ringtones' or 'stock tips' or other dreck. Several people want comments in their blog (à la Flutterby and everyone else), and so 'widget', my new base web system, will have comments, and the ability for people to create a login/password and add a comment. I think I'm going to regret this feature.

#Comment Re: made: 2006-11-02 14:23:11.345347+00 by: Dan Lyke

I think that the scripts are actually starting to get very smart. We've now got some 4k+ user accounts here, and as I look down them chronologically a good number were made by random insertion into fields, we've got a lot of mime types and starts of spam headers, and then they start to evolve into "get your ringtones", and then they become almost human looking names.

Since some of that would have to have been done specifically for Flutterby, at least there at the end, I'm guessing that any fixed response such as "please" would get discovered fairly quickly. And I hate CAPTCHA, although I could probably accept a "which ones are kittens?" variant.

I'm thinking that my next system will have two variants: OpenID with some sort of validation that you're human, and one that emails you a link that logs you in. New users will have to jump through some basic hoops ("which ones are kittens?"), and I foresee some sort of reputation sharing, so that other sites with such users can use something like FOAF or whatever to say "yes, we've checked that this user is willing to participate in the community".

#Comment Re: made: 2006-11-02 20:44:57.726712+00 by: Dan Lyke

In fact I noticed some wackiness with longstanding processes after the switchover, and the bots are doing things like stuffing long post strings into the search box here in the hopes that it'll show up somewhere eventually.

#Comment Re: made: 2006-11-03 01:15:14.464867+00 by: DaveP

I added a (hidden) field to the submission form on my site so you actually had to load the form in order to submit it (it hashed a magic cookie with the submitting IP address).

It didn't even slow 'em down, even though the only way something from that form makes it onto my website is when I hand-move it from the submission queue into a posting. I was still getting over 100 spams a day (I was seeing maybe double that before changing the form).

I finally just stuck a password field on the form. They still hit the form and try to submit, but if the password isn't set correctly, the data just goes to /dev/null so at least I don't have to sort it out from the valid posts.
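The two defensive tricks described in this thread (meuon's unintuitive field names and bogus "honeypot" forms, and DaveP's hidden field that hashes a secret with the submitting IP so the form has to be loaded before it can be posted) can be combined in one server-side check. The following is an added example written for this page, not code from Flutterby, DaveP or meuon; the field names `tok` and `website_url`, the secret, the one-hour lifetime and the sample submissions are all constructed for the example. The token is an HMAC over an issue time, a random nonce and the client IP, verified with a constant-time compare; the honeypot is a field a human never sees (hidden with CSS) and so never fills.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed example secret: a real deployment loads this from configuration,
# never from source, and rotates it if it leaks.
SECRET_KEY = b"constructed-example-secret-change-me"
TOKEN_TTL_SECONDS = 3600  # a form rendered more than an hour ago is stale

# Hypothetical field names. The honeypot field is hidden from humans with CSS;
# a script that fills every input it finds will populate it.
TOKEN_FIELD = "tok"
HONEYPOT_FIELD = "website_url"


def _mac(issued_at: str, nonce: str, client_ip: str) -> str:
    """HMAC-SHA256 binding issue time, nonce and the IP the form was served to."""
    msg = f"{issued_at}|{nonce}|{client_ip}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_form_token(client_ip: str, now: Optional[float] = None) -> str:
    """Value for the hidden field when the form is rendered.

    Format: "<issued_at>.<nonce>.<mac>". The nonce makes every render unique,
    so one captured token cannot be replayed as a generic form-wide password.
    """
    issued_at = str(int(time.time() if now is None else now))
    nonce = os.urandom(8).hex()
    return f"{issued_at}.{nonce}.{_mac(issued_at, nonce, client_ip)}"


def verify_form_token(token: str, client_ip: str, now: Optional[float] = None) -> bool:
    """True only if the token was minted for this IP within TOKEN_TTL_SECONDS."""
    try:
        issued_at, nonce, mac = token.split(".")
        age = (time.time() if now is None else now) - int(issued_at)
    except ValueError:  # wrong number of parts, or issue time not an integer
        return False
    if age < 0 or age > TOKEN_TTL_SECONDS:
        return False
    # Constant-time compare so a forged MAC cannot be refined byte by byte.
    return hmac.compare_digest(_mac(issued_at, nonce, client_ip), mac)


def classify_submission(fields: dict, client_ip: str, now: Optional[float] = None) -> str:
    """Return 'accept', or a short reason the post is dropped unseen."""
    if fields.get(HONEYPOT_FIELD, ""):
        return "drop: honeypot filled"
    if not verify_form_token(fields.get(TOKEN_FIELD, ""), client_ip, now):
        return "drop: bad or stale token"
    return "accept"


if __name__ == "__main__":
    # Constructed sample traffic: one honest render-then-post, one blind POST
    # that never loaded the form, and one script that filled every field.
    ip = "203.0.113.5"
    token = issue_form_token(ip)
    samples = [
        ({"comment": "nice post", TOKEN_FIELD: token}, ip),
        ({"comment": "free ringtones"}, "198.51.100.7"),
        ({"comment": "stock tips", TOKEN_FIELD: token, HONEYPOT_FIELD: "http://example.invalid"}, ip),
    ]
    for fields, src in samples:
        print(f"{src:15} {classify_submission(fields, src)}")
```

Note what this does and does not buy you, which matches DaveP's experience: the token only proves that whoever posted also fetched the form from the same address, so it stops blind POSTs and replays from other hosts, not a bot that fetches first. The honeypot catches the other common case, a script that fills every input it sees. Neither is a test of humanity, which is why the submissions that pass still belong in a moderation queue rather than on the page.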

#Comment Re: made: 2006-11-09 16:34:38.127938+00 by: baylink

Meuon: Why aren't you just extending WebGUI? :-)

#Comment Re: made: 2006-11-10 01:53:47.100801+00 by: meuon

Baylink, 'cause I can't make a living modifying other people's code to do the weirder things I get paid well to do that are beyond the generic web apps that I can share publicly. I also code PHP that looks unlike anyone else's stuff. Proof: GAS, or the Pseudo-CMS version of it that runs things like Chatc.org.