[CentOS-devel] URGENT: Website and fora at risk due to automated spammer account creation

Thu Sep 15 00:05:35 UTC 2011
Nataraj <incoming-centos at rjl.com>

On 09/14/2011 08:44 AM, Phil Schaffner wrote:
> http://bugs.centos.org/view.php?id=5105
>
> Forum moderators have been battling spammers creating bogus accounts by 
> the thousands using automated "bots".  The only way moderators currently 
> have to attack the problem is by a laborious process of searching for 
> such accounts and selecting them for deletion.  This has been working, 
> although at the cost of considerable time to perform the operations; 
> however, such accounts are currently being created at a rate of 
> thousands per day making deletion of 50 at a time via the web interface 
> a practical impossibility.
>
> Our approach has been to delete all "Inactive" accounts more than 7 days 
> old (these are being created at a rate of about 1 per minute) and 
> "Active" accounts with no posts and either no logins, or with no logins 
> in the last 30 days.  The latter are the rapidly growing problem, and 
> more than 40,000 accounts with zero posts created between 7 and 30 days 
> ago currently exist.  Account creation at this rate will likely bring 
> the site down if the situation is not dealt with soon.
>
> Proposed approach:
>
> 1. Implement some automated way of deleting accounts as described above.
> 2. Implement captcha or some other mechanism in the account creation 
> process to foil the bots.
>
> Phil
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> http://lists.centos.org/mailman/listinfo/centos-devel
While I don't know exactly what these particular attacks look like, I'm
wondering if you could use iptables ability to block ip's that have
excessive incoming connection rates.  You might also look at fail2ban.

One other useful thing to look at, which would of course require you to
implement for the forums website is the postscreen technology in the
postfix smtp implementation.  postscreen receives the incoming smtp
connection and then has its own algorithms for determining if the
connection is legitimate and then hands of legitimate connections to the
actual smtp agent retransmitting the data that it has already received
on the connection.  I'm not sure how useful it would be here or if
something like that would introduce too many delays for a website, but
it is a potentially interesting and effective technology which could
have relevance here.

Nataraj