[CentOS-devel] URGENT: Website and fora at risk due to automated spammer account creation

Thu Sep 15 03:19:43 UTC 2011
Nataraj <incoming-centos at rjl.com>

On 09/14/2011 05:05 PM, Nataraj wrote:
> On 09/14/2011 08:44 AM, Phil Schaffner wrote:
>> http://bugs.centos.org/view.php?id=5105
>>
>> Forum moderators have been battling spammers creating bogus accounts by 
>> the thousands using automated "bots".  The only way moderators currently 
>> have to attack the problem is by a laborious process of searching for 
>> such accounts and selecting them for deletion.  This has been working, 
>> although at the cost of considerable time to perform the operations; 
>> however, such accounts are currently being created at a rate of 
>> thousands per day making deletion of 50 at a time via the web interface 
>> a practical impossibility.
>>
>> Our approach has been to delete all "Inactive" accounts more than 7 days 
>> old (these are being created at a rate of about 1 per minute) and 
>> "Active" accounts with no posts and either no logins, or with no logins 
>> in the last 30 days.  The latter are the rapidly growing problem, and 
>> more than 40,000 accounts with zero posts created between 7 and 30 days 
>> ago currently exist.  Account creation at this rate will likely bring 
>> the site down if the situation is not dealt with soon.
>>
>> Proposed approach:
>>
>> 1. Implement some automated way of deleting accounts as described above.
>> 2. Implement captcha or some other mechanism in the account creation 
>> process to foil the bots.
>>
>> Phil
>> _______________________________________________
>> CentOS-devel mailing list
>> CentOS-devel at centos.org
>> http://lists.centos.org/mailman/listinfo/centos-devel
> While I don't know exactly what these particular attacks look like, I'm
> wondering if you could use iptables ability to block ip's that have
> excessive incoming connection rates.  You might also look at fail2ban.
>
> One other useful thing to look at, which would of course require you to
> implement for the forums website is the postscreen technology in the
> postfix smtp implementation.  postscreen receives the incoming smtp
> connection and then has its own algorithms for determining if the
> connection is legitimate and then hands of legitimate connections to the
> actual smtp agent retransmitting the data that it has already received
> on the connection.  I'm not sure how useful it would be here or if
> something like that would introduce too many delays for a website, but
> it is a potentially interesting and effective technology which could
> have relevance here.
>
> Nataraj
>
> _______________________________________________
> CentOS-devel mailing list
> CentOS-devel at centos.org
> http://lists.centos.org/mailman/listinfo/centos-devel

One further idea that I just ran across is to require that posters have
a confirmed email address on file.  The first time they post, or if they
haven't posted for some time, send a confirmation request to the email
address on file and delay the post until it is confirmed.  If necessary
the confirmation could require reading a character string from a graphic
image and entering it on the website.

Nataraj