Sunday, July 19, 2009

Defeating Spam Bots with country selection

Every membership-based web site has to deal with spam bots registering accounts in order to spam the site. Requiring registration is itself often a measure against spam, and as a first line of defense it does eliminate a handful of bots. However, as we all know, spam bots are getting pretty good at auto-registering on sites before spamming them.

One solution is CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which usually takes the form of an obscured word that is difficult for an algorithm to recognize but easier for a human to read. There are other types of CAPTCHAs, such as math tests and images of animals in which you have to click on the odd animal out.

One form of CAPTCHA that I have not seen (yet) that might be effective is making the registering user select the country that they are registering from. Using the user's IP address you can find the country (most of the time) from an online service or from a table in your database if you've downloaded (bought) this information. (I know that Melissa Data provides this.) You then present the user with a radio button list of (say) 10 countries and ask them to select their country. You'd also probably have to throw in a "Not Listed" option for when you haven't been able to find the country. I would suggest including the "Not Listed" option every time, because if you only include it when you can't find the country then spam bots will quickly be tuned to look for it.
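The country challenge described above, as an added Python example that is not code from the original post. The lookup table, country pool, `session` dict and function names are assumptions made for illustration, and the sample networks are constructed documentation ranges.

```python
import ipaddress
import random

# Constructed sample data: documentation-only networks mapped to countries.
# A real site would query its own GeoIP table or service here instead.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "Canada",
    ipaddress.ip_network("198.51.100.0/24"): "Brazil",
}
COUNTRIES = ["Australia", "Brazil", "Canada", "France", "Germany", "India",
             "Japan", "Mexico", "Norway", "Spain", "Turkey", "Vietnam"]
NOT_LISTED = "Not Listed"


def lookup_country(ip):
    """Return the country for ip, or None when the lookup fails."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


def build_challenge(ip, session, choices=10, rng=random):
    """Return the radio-button labels and remember the answer server-side.

    The list always holds `choices` countries plus "Not Listed", so the form
    looks the same whether or not the lookup succeeded.
    """
    country = lookup_country(ip)
    decoys = [c for c in COUNTRIES if c != country]
    if country is None:
        options, answer = rng.sample(decoys, choices), NOT_LISTED
    else:
        options, answer = rng.sample(decoys, choices - 1) + [country], country
    rng.shuffle(options)
    session["country_answer"] = answer  # never sent to the browser
    return options + [NOT_LISTED]


def verify(session, selected):
    """Allow one guess per challenge: the stored answer is consumed here."""
    expected = session.pop("country_answer", None)
    return expected is not None and selected == expected
```

Keeping the expected answer in the server-side session, and consuming it on the first submission, means a bot cannot read the answer from the form or retry the same challenge with every option.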

The reason this may work is that spam bots frequently run on zombie machines in many different countries. This is why banning an IP address doesn't prevent a bot from re-registering on your site from another zombie machine at another IP address. For the zombie bots to detect which country they are coming from, they'd need an IP address lookup table, which they are unlikely to have.

Another enhancement to the presentation of country names that would still be easy for a real user to navigate and difficult for a spam bot would be to present the country name as an obscured image (like words are currently obscured in standard CAPTCHAs), or present the country's flag, or an outline (map) of the border of the country, or the country's national colors, or one of the country's national animals such as its bird. You would need to make sure that you coded for ambiguity in some of these examples where two countries share the same characteristic.
