Monday, August 3, 2009

Defeating Spam Bot with email names

I recently changed the registration process on one of my sites' forums. I rewrote it from classic ASP to use ASP.NET MVC in C#. One of the side effects of this rewrite was a complete cessation in registration from spam bots.

At first I thought that this was just because I'd changed the location of the URL where registration took place and had deliberately not forwarded the old location. When I move most pages I forward from the old to the new location, but I could not think of any reason to do this with a registration page because it's not a page that anyone would ever bookmark and should always be discovered by a human clicking a link. Of course another site could point to it but that is unlikely.

When looking at the logs I discovered that spam registration bots were still finding the registration page but the reason that they were failing is because they search for all <input> tags with email as part of their name and fill in an email address. One of the tags that I have is called AllowEmails which is a drop down. This needs to be assigned a number value as I do a Convert.ToInt32 on the server. When the spam bots filled in this <input> tag's value as an email address instead of a numeric value it was causing an exception on the server and this I was logging with all the form values so I could see what was happening.

This has led me to the idea that all <input> tags should have names with the word email in them. So FirstNameEmail and LastNameEmail for example. This would cause the spam bots to fill all the values on your form with their email address.

I have also employed the technique of leaving a hidden <input> tag on the page with its name set to email. I remember that this used to work but I see that spam bots are wise to this now and are ignoring the hidden input tags because they know that they are honey pots to trap them with.

Another idea that I've been considering is the naming of each <input> tag with a unique random value and then storing that collection in a Session variable on the server to map the randomly generated names to the real names. I haven't put any effort into that (yet) because I know that if someone took a careful look at this registration page they could just set up a spam bot to iterate through the inputs in order to find the right values to fill in. But then I could start sticking in random <inputs>, or shuffling them around on the screen. What fun I could have... But I won't do that until the bots have got past their current failure...
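
The random-name idea from the paragraph above, combined with the numeric check on AllowEmails, as an added example (not code from the original site). `FieldMap`, the decoy count and the FirstName/LastName/Email field list are assumptions; one instance would be kept in Session between rendering the form and handling the post.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Added example: per-session random field names plus decoy fields.
// FieldMap, RealFields and the decoy count are hypothetical choices.
public class FieldMap
{
    // AllowEmails is the drop down from the post and must parse as an integer.
    static readonly string[] RealFields = { "FirstName", "LastName", "Email", "AllowEmails" };

    // random name -> real name, or null for a decoy that no human should fill in
    public Dictionary<string, string> Names { get; } = new Dictionary<string, string>();

    public FieldMap(int decoys = 3)
    {
        foreach (var real in RealFields) Names[RandomName()] = real;
        for (int i = 0; i < decoys; i++) Names[RandomName()] = null;
    }

    static string RandomName()
    {
        var buf = new byte[8];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return "f" + BitConverter.ToString(buf).Replace("-", "");
    }

    // Order to render the inputs in: shuffled so position gives nothing away.
    public IEnumerable<string> RenderOrder() => Names.Keys.OrderBy(_ => Guid.NewGuid());

    // Returns posted values keyed by real name, or null if the post looks automated.
    public Dictionary<string, string> Resolve(IDictionary<string, string> posted)
    {
        var result = new Dictionary<string, string>();
        foreach (var kv in posted)
        {
            if (!Names.TryGetValue(kv.Key, out var real)) return null;   // unknown field name
            if (real == null)                                            // decoy field
            {
                if (!string.IsNullOrEmpty(kv.Value)) return null;        // decoy was filled in
                continue;
            }
            result[real] = kv.Value;
        }
        if (result.Count != RealFields.Length) return null;              // a real field is missing
        // TryParse instead of Convert.ToInt32: bad input is a rejection, not an exception.
        return int.TryParse(result["AllowEmails"], out _) ? result : null;
    }
}
```

A null from `Resolve` is worth logging together with the posted form values, since it separates bots that fill the decoys from bots that fail the numeric check.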

2 comments:

  1. Hi,
    I am facing the spam bot problem in one of our websites developed in MVC. Could you please send me some idea/logic that is working in MVC to protect against spam?

  2. @Mazhar - Try Stop Forum Spam. I wrote about them here:
    guyellisrocks.com/.../stop-forum-spam
