A little over a year ago, I posted CAPTCHA-less Security in which I outline several methods of thwarting illegitimate users of websites using methods that don’t rely on CAPTCHA. As I mentioned then, CAPTCHA solutions are inaccessible and, ultimately, not as reliable as one might think. In practice, CAPTCHA systems do often work at thwarting bad guys as long as the effort necessary to circumvent the CAPTCHA is greater than the perceived reward by the bad guy. In that original post, I discuss methods such as honeypots, temporary tokens, referer verification, confirmation emails, and confirmation screens. Another method I touched on was validating the user’s information against internal and external services. I recently chose to eat my own dog food, as it were, by setting up one of those external services myself. I call it BotSmasher.

In terms of actual successful spam on my sites, the primary success factors have been:

  • On this site, all users have to have at least one approved comment before any other comments get automatically approved.
  • On sites developed with my own code, such as A11yBuzz, users must click a link in a confirmation email and then I must confirm them.

I also use a combination of the other approaches I’ve listed as well, but the final answer, for a long time, had been requiring human confirmation.

But that didn’t actually stop the bad guys in their tracks:

Fraudulent registrations on A11yBuzz

As the image above shows, because the registration form on A11yBuzz had no other automated means of stopping bots, they kept coming by and submitting bad registrations. The image shows 1137 users, of which only about 130 were legitimate. Although they successfully submitted the form, they weren’t successful at anything else because they never actually clicked the confirmation link. But it still irritated me that they were coming by to submit the form. Recently things with A11yBuzz got even more interesting as some particularly nasty characters decided they wanted to try SQL injection on all the comment pages. The end result was essentially a Denial-of-Service (DoS) on the site, causing frequent downtime. Enough was enough, and thus BotSmasher was created.

Using BotSmasher, you can check the submitted name and email address as well as the IP address of the user – and any combinations of the three. Successful submission of your request will return a JSON string you can parse. You can then use that information to determine what action to take.

{
    "response": {
        "summary": {
            "badguys": "true",
            "requesttype": "check",
            "code": "success",
            "description": "Your request was successful - "
        },
        "request": {
            "email": {
                "submitted": "userblog718@gmail.com",
                "flaggedbyyou": "false",
                "found": "true",
                "count": "0",
                "lastseen": "2013-08-06 19:13:58"
            },
            "ip": {
                "submitted": "188.92.73.170",
                "flaggedbyyou": "false",
                "found": "true",
                "count": "1",
                "lastseen": "2013-08-07 12:03:34"
            },
            "name": {
                "submitted": "cicyamibibe",
                "flaggedbyyou": "false",
                "found": "true",
                "count": "1",
                "lastseen": "2013-08-07 12:03:34"
            }
        }
    }
}

In the example above, you submitted a request to check an email, name, and IP, and BotSmasher determined that this was a bad guy. There’s also another thing we tell you: whether or not this bad guy was flagged by you. This is because you can also manage your own blacklist by performing a submit action. When you submit a bad guy, it becomes part of your own personal blacklist. If multiple API users submit the same bad guy, it goes into the general database of bad guys. If you decide you made a mistake, you can also clear the bad guy from your blacklist.
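As an added example (not code from the post or from the BotSmasher project), here is how a site might parse the check response shown above and decide what to do with a registration. The evaluate_check function and its "allow"/"hold" actions are my own assumptions; note that the API encodes booleans as the strings "true"/"false", so they must be compared as text rather than truth-tested.

```python
import json

# Check response reproduced from the post above (same values, compacted).
SAMPLE_RESPONSE = json.dumps({"response": {
    "summary": {"badguys": "true", "requesttype": "check", "code": "success",
                "description": "Your request was successful - "},
    "request": {
        "email": {"submitted": "userblog718@gmail.com", "flaggedbyyou": "false",
                  "found": "true", "count": "0", "lastseen": "2013-08-06 19:13:58"},
        "ip": {"submitted": "188.92.73.170", "flaggedbyyou": "false",
               "found": "true", "count": "1", "lastseen": "2013-08-07 12:03:34"},
        "name": {"submitted": "cicyamibibe", "flaggedbyyou": "false",
                 "found": "true", "count": "1", "lastseen": "2013-08-07 12:03:34"}}}})


def _flag(value):
    """BotSmasher encodes booleans as the strings "true"/"false".
    bool("false") is True in Python, so compare the text explicitly."""
    return str(value).strip().lower() == "true"


def evaluate_check(raw):
    """Parse a BotSmasher 'check' response (hypothetical helper) and decide
    what to do with the submission. Returns the action, a reason, and the
    fields that matched a known bad guy."""
    data = json.loads(raw).get("response", {})
    summary = data.get("summary", {})
    if summary.get("code") != "success":
        # API error: fall back to your existing defenses (confirmation email,
        # manual approval) rather than locking out legitimate users.
        return {"action": "allow", "reason": "api-error", "matches": []}
    matches = []
    for field, info in data.get("request", {}).items():
        if _flag(info.get("found")):
            matches.append({"field": field, "value": info.get("submitted"),
                            "flaggedbyyou": _flag(info.get("flaggedbyyou")),
                            "lastseen": info.get("lastseen")})
    if not _flag(summary.get("badguys")):
        return {"action": "allow", "reason": "clean", "matches": matches}
    # Known bad guy: hold the registration for review instead of creating
    # the account; distinguish your own blacklist from the shared database.
    own = any(m["flaggedbyyou"] for m in matches)
    return {"action": "hold", "matches": matches,
            "reason": "own-blacklist" if own else "shared-blacklist"}
```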

BotSmasher doesn’t rely only on its own users for submissions; it also aggregates data from five other sources. Throughout the day, the BotSmasher site grabs recent data from these sources and adds it to its own list of bad guys. Finally, when a user submits a “check” request and BotSmasher doesn’t find a bad guy, it checks two other sources to make sure you’re covered.

The BotSmasher website, located at https://www.botsmasher.com/ has more information and API Documentation. I also have a public repo on Bitbucket for BotSmasher API Tutorials and Examples. Finally, if you run a WordPress site, Joe Dolson is currently testing a WordPress plugin for BotSmasher. Register for BotSmasher and confirm your registration. Then contact Joe Dolson to help test his plugin.

Update: Joe Dolson’s BotSmasher for WordPress

BotSmasher for WordPress filters website registrations and comments, and includes a basic contact form that’s filtered through BotSmasher. You can easily submit spammers to the BotSmasher database if something is missed, or clear previously flagged users if you decide they’re OK. BotSmasher for WordPress can easily be tapped into by any contact form plugin to take advantage of BotSmasher’s spam filtering for your custom application. Download it at http://wordpress.org/plugins/botsmasher/