New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
How to prevent registration spammers on register form?
I have a Perl-based custom web CMS script and it has a registration form with Google reCAPTCHA. But it seems even Google captcha doesn't work against registration spammers.
These registration spammers register with automated, fake email addresses and fake usernames, 10 users a day. The programmer who wrote this script doesn't help.
What are the best ways to prevent them?
Comments
Good way to shave a bunch off the top is to block rambler.ru addresses. I'm not seeing recent log evidence that the mail service has any current use case other than registration spam.
With the large uptick recently it's either apparent that recaptcha has been fully circumvented or that there is a new, very large registration farm using humans instead of bots. It might be worth logging how many recaptcha turns away to see if it holds any value at all beyond adding latency to the final result.
Reviewing IPs may yield solid data, data I don't have as my role in this trend is only to process the emails. Perhaps there are subnets which are of no value to your website but may demolish the registration spam if blocked.
None as perfect as a working captcha but if we can't rely on recaptcha right now I'm just not certain there will be a viable alternative in the short term.
Had similar issues before.
Google captcha is working so far since I have enabled it.
I agree with @jar . Start removing IPs based on geography and get rid of any coming from known spammer countries.
Hi, have a look at Project Honey Pot. It's free but a little work is needed to help make the project even better. All you do is set up a DNS record to donate an email subdomain to them. You then benefit from all the other honeypots that already exist.
It has stopped thousands of spam registrations for me in the past.
As they say on their site,
It blocked spam that nothing else I found would block. A good initiative, worth supporting!
A good place to start would be to check if reCAPTCHA is configured correctly on your website, that is, if it can simply be bypassed by passing an invalid or empty g-recaptcha-response. Also, look at blocking disposable email addresses from the various lists that exist on GitHub.
Fighting registration spam is an ongoing process. Apart from what @stevewatson301 said, you may change your registration layout, required fields etc. Maybe make it a multi-step process and so on. Best one is this, if you can implement it in your registration, it will save up to 90% of spam registrations.
The issue you'll face is that in some cases, a lot of spammers are humans now, which can of course bypass most protection. People hire humans in countries where labour is cheap and get them to do the spamming.
One thing I've found very successful to block automated spam in the past is adding a fake form field and hiding it with CSS. Don't do display: none; just move it off the page like with position: absolute; top: -999px; left: -999px; and add aria-hidden="true" to hide it from screen readers. Bots will usually still 'see' it this way. If the field is filled in, reject the form submission.
Perl???
That's just a lazy step and doesn't help with motivated spammers. It's annoying when I see people giving 403 based on IP geolocation.
Verify reCAPTCHA is actually working as Steve mentioned above and fiddle with its sensitivity in Google's console.
One other thing you could do is to track submissions per IP and throttle the submissions (5 per hour etc.) but it is more work and has the downside of possibly throttling visitors behind NAT.
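Added example, not part of the thread and not the poster's CMS code: a server-side gate that combines three checks suggested above (reject a missing or empty g-recaptcha-response before trusting anything else, reject a filled-in decoy field, and throttle to 5 submissions per IP per hour) and tallies outcomes so you can see how much each check actually turns away. The field name "website", the class and function names, and the stub verifier are assumptions; the siteverify URL and its secret/response/remoteip parameters are Google's documented reCAPTCHA verification API.

```python
import json
import time
import urllib.parse
import urllib.request
from collections import Counter, defaultdict, deque

HONEYPOT_FIELD = "website"   # hypothetical name of the off-screen decoy input
LIMIT, WINDOW = 5, 3600      # 5 submissions per IP per hour, as suggested in the thread

def siteverify(secret, token, remote_ip):
    """Ask Google whether the token is valid; only success == true passes."""
    body = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}).encode()
    url = "https://www.google.com/recaptcha/api/siteverify"
    with urllib.request.urlopen(url, body, timeout=5) as resp:
        return json.load(resp).get("success") is True

class RegistrationGate:
    def __init__(self, verify_token):
        self.verify_token = verify_token      # callable(token, ip) -> bool
        self.recent = defaultdict(deque)      # ip -> timestamps of counted submissions
        self.stats = Counter()                # outcome -> count, for later review

    def check(self, form, ip, now=None):
        outcome = self._decide(form, ip, time.time() if now is None else now)
        self.stats[outcome] += 1
        return outcome

    def _decide(self, form, ip, now):
        seen = self.recent[ip]
        while seen and now - seen[0] >= WINDOW:   # drop entries older than the window
            seen.popleft()
        if len(seen) >= LIMIT:
            return "throttled"
        seen.append(now)
        if form.get(HONEYPOT_FIELD, "").strip():  # humans never see this field
            return "honeypot"
        token = form.get("g-recaptcha-response", "").strip()
        if not token:                             # missing or empty token is a failure
            return "captcha_missing"
        if not self.verify_token(token, ip):
            return "captcha_failed"
        return "ok"

if __name__ == "__main__":
    gate = RegistrationGate(lambda token, ip: token == "good-token")  # stub verifier
    print(gate.check({"g-recaptcha-response": ""}, "198.51.100.7"))   # constructed input
```

In a live handler the verifier would be something like lambda t, ip: siteverify(SECRET, t, ip), and only an "ok" outcome should ever reach account creation.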
I can confirm, this is the most innovative, simple and effective solution. Have used a slight variation of this technique. If you get it implemented, it will save you from lots of trouble.
On the other hand, IP based filtering is inefficient.
Lastly, changing your registration URL every now and then also helps.
We switched from reCaptcha to hCaptcha and turned everything up to the MAX, stopped 99% of bots registering
This. Also making the real username & password inputs have the name value something not "username" "password"
It's a problem that requires multiple solutions and ongoing evaluation of those solutions (false positives, missed negatives).
In addition to what's mentioned, i.e. reCaptcha, hCaptcha, StopForumSpam.com, hidden input, here are some other methods I've used/seen:
Most of those obviously aren't going to fit most use cases. In fact, I wouldn't recommend most of them to most people. But there are cases where it makes sense. You know your audience and business/website best.
@Daniel15 - Thanks for the tip above.
--
Most folks probably do not know that ..
And if you use it for more than an hour every day, you will go straight to Heaven.
In honor of Larry A. Wall.
I can recommend https://cleantalk.org. It works really great.
It can be used for known CMS systems like WordPress or use their Anti-Spam API library for your own CMS.