Spam Attack Update

In a previous post, I described a spam attack the syslog forum was under. The attack intensified pretty dramatically after that post. This time, though, it was a focused attack by a bot-net registering dozens of accounts per hour. I had read that the CAPTCHA system in SMF, even at the highest setting, had been programmatically defeated and registration bot scripts that can decipher the CAPTCHAs are readily available, so I installed the reCAPTCHA package, which has worked well on other sites. Interestingly, the rate of bot-originated spam registrations increased after switching to reCAPTCHA. It would seem that reCAPTCHA is also broken. I found an anti-bot registration puzzle package on the SMF mod site and gave it a shot this morning.

Since installing the puzzle package I have not had a single spam registration. It’s only been a few hours since implementing it, but that has saved me from deleting about a hundred accounts. As I watch the web logs, I can see the bots still diligently trying to create accounts, but they are very fortunately not being successful.

I am concerned for a few reasons:

  • I am probably pissing off the owner of a bot-net, which could end up with my site being DDoS’d. Hopefully, he will instead lose interest and pick on another site.
  • The anti-bot puzzle package uses colors as one of its tests. This makes the site inaccessible for those who are blind or color blind. Hopefully this is a manageable problem because reloading the registration page will likely present them with a different question that can be answered by the visually impaired.
  • I suspect that this new obstacle is only going to be effective temporarily, until the scripts can be updated to handle the puzzles. If a script can be made to decipher CAPTCHAs, one can certainly be made to break the relatively trivial anti-bot puzzles.

Other interesting observations:

The bot-net was not simply executing scripts. The spam wave appeared to be controlled by a scripted interface to normal browsers running on owned PCs. All of the hosts reported being either IE 6 or IE 7, running on various versions of Windows and reporting different tool-bar plugins, leading me to believe that it was indeed actual browsers being scripted. Another indication is that the bots were also viewing AdSense ads on the forum site, which incremented the viewed ad count (sadly, that didn’t result in any extra income). Most of the hosts were using generic ISP IP addresses from all over the world.
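As an added illustration, not code from the original post, of how a burst like the one described above shows up in the web logs: a Python check over constructed Apache combined-format access-log lines that flags any hour with an abnormal number of registration submissions and reports how many distinct IPs and browser strings were behind them. The log format, the SMF registration path (`index.php?action=register` / `register2`) and the per-hour threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# SMF serves the form at action=register and takes the POST at action=register2
# (assumed); the substring matches both.
REGISTER_PATH = "action=register"

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def registration_bursts(lines, per_hour_threshold=10):
    """Group registration POSTs by hour; return only hours at/over the threshold,
    with the distinct source IPs and User-Agent strings seen in that hour."""
    hours = defaultdict(lambda: {"attempts": 0, "ips": set(), "user_agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or REGISTER_PATH not in rec["path"]:
            continue
        bucket = hours[rec["ts"].strftime("%Y-%m-%d %H:00")]
        bucket["attempts"] += 1
        bucket["ips"].add(rec["ip"])
        bucket["user_agents"].add(rec["ua"])
    return {h: b for h, b in hours.items() if b["attempts"] >= per_hour_threshold}

def constructed_sample():
    """Constructed log lines: 12 register POSTs from 12 IPs with IE 6/7 UAs in one
    hour (the bot-net pattern), then a single ordinary registration an hour later."""
    uas = ["Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
           "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB5)",
           "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 2.0.50727)"]
    lines = [f'198.51.100.{i + 1} - - [10/Jun/2009:14:{i * 4:02d}:07 +0000] '
             f'"POST /forum/index.php?action=register2 HTTP/1.1" 302 0 '
             f'"http://example.org/forum/index.php?action=register" "{uas[i % 3]}"'
             for i in range(12)]
    lines.append('203.0.113.9 - - [10/Jun/2009:15:40:00 +0000] '
                 '"POST /forum/index.php?action=register2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines
```

Feed real log lines in place of `constructed_sample()` and lower the threshold to whatever a normal hour on the forum looks like; a flagged hour with many distinct IPs but only a handful of repeated browser strings is the signature the post describes.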