[support] Many false applications for accounts

MBR mbr at arlsoft.com
Sat Apr 5 17:10:14 UTC 2014


Good thinking, Jamie.  I hope you can find something else unique besides 
the Firefox versions that Tor is built on.  While it's certainly true 
that the bad guys like the anonymity that Tor provides, there are also 
legitimate reasons why people might want anonymity.  And I don't think 
any of us would want to lock out of our websites all users who are 
browsing with the same version of Firefox that the bad guys are using.

Let us know if you find any other characteristics unique to the bogus 
registrants.

    Mark Rosenthal
    mbr at arlsoft.com

On 4/5/14 12:48 PM, Jamie Holly wrote:
> One thing I have done is a simple module to capture all the $_POST and 
> $_SERVER variables, along with the new $user object and log them on a 
> user registration submit. Just did it to a simple text file located in 
> a directory that isn't in the web root. That gives a lot of good 
> information to look through and determine certain signatures of 
> spammers. One of the big ones is the presence of Firefox 24, 17 or 8. 
> Those are Firefox versions that Tor is built on, and spammers seem to 
> love Tor.
>
> It seems tedious, but actually it's kind of fun, making you feel like 
> you're playing detective.
>
> Jamie Holly
> http://hollyit.net
> On 4/5/2014 12:30 PM, MBR wrote:
>> It's been reported that the bad guys have set up CAPTCHA-breaking 
>> networks that distribute the CAPTCHA to people in third-world 
>> countries who get paid a small amount for each CAPTCHA they solve. 
>> It's looking like CAPTCHA is no longer effective.
>>
>> I had to solve this problem for a site that was getting hit by about 
>> 15 bogus account-registrations per hour, even though CAPTCHA was 
>> enabled. The most effective approach I know of at present is to 
>> install a module that does reverse-CAPTCHA - i.e. instead of asking 
>> the human to prove he's human, it tricks the malware that's trying to 
>> pretend to be a human into demonstrating behavior that proves it's 
>> just a dumb piece of software. It does this by adding additional 
>> <input> tags to every <form> and making them invisible with CSS.  A 
>> human won't fill in these fields because they won't be displayed. But 
>> software that's just parsing HTML will find these fields and fill 
>> them in, thus allowing the code on your server to distinguish between 
>> responses from humans and responses from machines.
>>
>> Among the modules that implement this approach are Honeypot, Botcha, 
>> and Spamicide. I tried Botcha, but I ran into installation problems.  
>> I didn't try Spamicide because it had a critical bug report claiming 
>> that the installation erased the default/files directory.  Honeypot 
>> installed without problems and instantly cut the rate of bogus 
>> registrations dramatically.  It didn't cut it all the way to 0 as I'd 
>> hoped it would, but the rate dropped from about 15/hr. to about 3/day.
>>
>>     Mark Rosenthal
>>     mbr at arlsoft.com
>>
>> On 4/5/14 8:51 AM, Walt Daniels wrote:
>>> I get them too, but it is not Mollom's fault. They are actually 
>>> registering and typing the captcha just like a legitimate user. In 
>>> our case they even have to use a legitimate email as they cannot do 
>>> anything more than an anonymous user until they verify their email. I 
>>> don't see any pattern I could apply to the user names that would 
>>> distinguish them from our valid users who have some pretty weird 
>>> usernames. You could find or write a module that enforced using 
>>> "real names", i.e. John Doe. But I even got some like that that turn 
>>> out to be spammers.
>>>
>>>
>>> On Sat, Apr 5, 2014 at 8:13 AM, Linda Romey <lromey at gmail.com> wrote:
>>>
>>>     I am having the same issue. Have you contacted Mollom? That's on
>>>     my to-do list. I'm not sure of the value of the monthly fee if I
>>>     still have to continually monitor my site and delete spam
>>>     accounts manually.
>>>
>>>
>>>     On Sat, Apr 5, 2014 at 8:09 AM, James Rome <jamesrome at gmail.com> wrote:
>>>
>>>         I have Mollom installed, but yet a handful of account
>>>         applications escape their captcha/analysis each day. The
>>>         problem is that the only obviously wrong field is the
>>>         username, which is not listed as a field in the Mollom
>>>         configuration. I get names such as: qropspension_5362
>>>
>>>         Is there any other way to get rid of these would-be spammers?
>>>
>>>         --
>>>         James A. Rome
>>>
>>>         http://jamesrome.net
>>>
>>>         --
>>>         [ Drupal support list | http://lists.drupal.org/ ]
>
>
>
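
The two signals discussed in this thread, combined into one server-side check. This is an added example, not part of any post above and not code from the Honeypot module: the hidden-field name `homepage_url`, the `classify`/`triage` helpers and the sample submissions are all assumptions made for illustration. A filled hidden field is treated as proof of automation, while the Firefox version is only a flag for manual review, since it also matches legitimate users.

```python
import re

# Hypothetical name for the CSS-hidden honeypot input; a human never sees it.
HONEYPOT_FIELD = "homepage_url"
# Firefox major versions named in the thread as the ones Tor is built on.
TOR_BASE_FIREFOX = {"24", "17", "8"}
FIREFOX_RE = re.compile(r"\bFirefox/(\d+)\.")

def classify(post, server):
    """Return (verdict, reasons) for one registration submit.

    verdict is 'reject' when the hidden field was filled in, 'review' when
    only the weaker User-Agent signal matches, and 'accept' otherwise.
    """
    reasons = []
    # Hidden field filled in: software parsed the HTML and completed every input.
    if post.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot field filled")
    m = FIREFOX_RE.search(server.get("HTTP_USER_AGENT", ""))
    if m and m.group(1) in TOR_BASE_FIREFOX:
        reasons.append("Firefox %s user agent" % m.group(1))
    if "honeypot field filled" in reasons:
        return "reject", reasons
    # The browser version alone also matches legitimate users, so never block on it.
    return ("review" if reasons else "accept"), reasons

# Constructed sample submissions (not real log data).
SAMPLES = [
    ({"name": "qropspension_5362", "mail": "a@example.com", "homepage_url": "http://x.example"},
     {"HTTP_USER_AGENT": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"}),
    ({"name": "jdoe", "mail": "j@example.org", "homepage_url": ""},
     {"HTTP_USER_AGENT": "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"}),
    ({"name": "walt", "mail": "w@example.net", "homepage_url": ""},
     {"HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"}),
]

def triage(samples):
    """Classify every (post, server) pair and return (name, verdict, reasons) rows."""
    return [(post["name"],) + classify(post, server) for post, server in samples]

if __name__ == "__main__":
    for name, verdict, reasons in triage(SAMPLES):
        print(name, verdict, "; ".join(reasons) or "-")
```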
