Human Spammers
In a word, “uh oh.”
My Checkbox Challenge MOD has so far proven to be remarkably effective at combatting spam. On boards with low new member rates it is blocking upwards of 90% of the registration attempts. On my biggest board where I get 10-15 new legitimate users per day, it’s still blocking about 45% of the registration attempts. So imagine my surprise the other day when I logged in to my board and found this post:
Thank you!
I’ll do it as you say!I think it’s useful!
Thanks again!
iphone accessories
And of course that last line was a link.
How did this happen?
The email address used to register this account was from China. Hm. I get some legitimate users from China, but not that many. When I reviewed the log entries from the Checkbox Challenge for this user here is what I found:
+---------------------+--------------------------+
| log_time            | log_email                |
+---------------------+--------------------------+
| 2007-08-27 01:15:26 | yingjun_2009@163.com     |
| 2007-08-27 01:16:53 | yingjun_2009@163.com     |
| 2007-08-27 01:17:12 | yingjun2009@yahoo.com.cn |
+---------------------+--------------------------+
The first registration attempt was made with a 163.com email address. I have banned that email domain as a known favorite of spammers. A minute and a half later they tried again with the same result. Then finally they switched email accounts to what you see above. This is not bot behavior, this is human behavior. In all three cases they got the checkbox challenge correct.
They posted their spam comment on my board at 4:24:29 AM two days later. A search for their email address found this post on another site:
Correct
I must agree, things have got rather large
i have to say looks very good …ipod converter
And of course, those are spam links. I found them on two other sites with the yahoo.com.cn address as well.
Here’s the next case.
+---------------------+-------------------------+--------------+-----------------+
| log_time            | log_email               | log_username | log_result_code |
+---------------------+-------------------------+--------------+-----------------+
| 2007-08-28 01:08:22 | yoba_0_0_0              | yoma101010   |               2 |
| 2007-08-28 01:08:54 | yoba_0_0_0@yahoo.com.hk | yoma101010   |               2 |
| 2007-08-28 01:09:33 | yoba_0_0_0@yahoo.com.hk | yoma101010   |               0 |
+---------------------+-------------------------+--------------+-----------------+
In this case the spammer used an invalid email, and they failed the checkbox challenge. About thirty seconds later they got the email address correct but still failed the checkbox challenge. Notice the email domain? The .hk top-level domain is from Hong Kong. I am wondering if they had to take a break and go find someone that spoke (or at least read) English in order to be able to pass the test. If they did, it went quickly, because the next registration attempt was made about thirty seconds later. This is not bot behavior. This is the behavior of a confused human who probably does not speak English.
In this second example, the spammer got rejected because this particular board admin uses admin activation for all of their new members. So I don’t know if this person would have come back in a few days and spammed. If they had, I have a feeling I know what they would have put, as a google for this username turned up a variety of links (very few, actually) that seemed to be in a foreign language character set but referenced pornography.
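One way to surface this retry pattern from the registration log, as an added example that is not part of the Checkbox Challenge MOD: the script groups attempts by a normalized email local part and flags sessions where the input changed between retries spaced seconds apart. The five-minute window, the ten-second minimum gap, and the bot-like and single-attempt rows are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)    # assumed: max gap between retries in one session
MIN_GAP = timedelta(seconds=10)  # assumed: retries faster than this look scripted

# (log_time, log_email). The first six rows are from the log excerpts above;
# the example.com / example.org rows are constructed for contrast.
ROWS = [
    ("2007-08-27 01:15:26", "yingjun_2009@163.com"),
    ("2007-08-27 01:16:53", "yingjun_2009@163.com"),
    ("2007-08-27 01:17:12", "yingjun2009@yahoo.com.cn"),
    ("2007-08-28 01:08:22", "yoba_0_0_0"),
    ("2007-08-28 01:08:54", "yoba_0_0_0@yahoo.com.hk"),
    ("2007-08-28 01:09:33", "yoba_0_0_0@yahoo.com.hk"),
    ("2007-08-28 02:00:00", "bot123@example.com"),
    ("2007-08-28 02:00:01", "bot123@example.com"),
    ("2007-08-28 03:30:00", "alice@example.org"),
]

def identity_key(email):
    """Lower-cased local part without punctuation, so small edits still group."""
    local = email.split("@", 1)[0].lower()
    return "".join(ch for ch in local if ch.isalnum())

def sessions(rows):
    """Group attempts by identity key, splitting when a gap exceeds WINDOW."""
    by_key = defaultdict(list)
    for ts, email in rows:
        by_key[identity_key(email)].append((datetime.fromisoformat(ts), email))
    for key, attempts in by_key.items():
        attempts.sort()
        current = [attempts[0]]
        for prev, cur in zip(attempts, attempts[1:]):
            if cur[0] - prev[0] > WINDOW:
                yield key, current
                current = []
            current.append(cur)
        yield key, current

def human_like(rows):
    """Keys of sessions where the input was corrected between paced retries."""
    flagged = []
    for key, s in sessions(rows):
        gaps = [b[0] - a[0] for a, b in zip(s, s[1:])]
        changed = len({email for _, email in s}) > 1
        if gaps and changed and min(gaps) >= MIN_GAP:
            flagged.append(key)
    return flagged
```

Flagged keys are candidates for manual review or post approval, not proof of spam: a legitimate user who mistypes an address produces the same pattern.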
I am very concerned.
It’s one thing to outsmart / outwit / outplay someone’s bot code. I think there are any number of documented tactics that work well for that. But when the spammers start employing humans to defeat our anti-bot tactics, what are we to do?
Summary
A long time back I wrote a blog post about combatting spam. I said that as I saw it, there were three techniques that have to be applied. First, keep spammers from registering. Second, if spammers do register, keep them from posting. Third, if they do post, make it easy to clean up. I have written code for all three aspects of this battle. It looks like I am going to have to use them all.
Related Links
- Checkbox Challenge Posts
This is my best MOD for keeping spammers from registering.
- Post Approval MOD
This MOD keeps posts from new users hidden until they are approved.
- Spammer Hammer Introduction
This MOD allows a moderator to click one button that removes all traces of a spammer’s posts, removes all active sessions (if any), deactivates their account, and marks their activation key invalid. One click to hammer the spammer.
Note: I have applied both the Checkbox Challenge and the Spammer Hammer MODs on my largest board. I have not (yet) had to install the Post Approval MOD. I am now strongly considering that. On my lower traffic boards where I don’t go every day I feel like the Post Approval MOD has now become mandatory rather than optional, even with the other measures in place.
That’s too bad.


I hope the danger is overestimated. Manual spam is too expensive. It can’t become a massive disaster.
// By the way, you are welcome to my new blog http://bbspam.com/
Comment by Oleg — September 1, 2007 @ 2:50 am
I am not so sure. As you yourself noted in your blog there are folks out there willing to work for next to nothing. If someone is willing to work for $75 for an entire week (the mind boggles, but that’s another story) and they can get through the registration process on the order of 1 every three minutes and they work an 8 hour day, a five day week, then they can register on 20 * 8 * 5 or 800 boards a week. That might not sound like much at the moment, but read on.
Once the spammer has a database of registrations, they can either a) sell it, or b) use it, or c) do both. What I have seen over the past year or so is that all of our (board owners) attempts have been focused on keeping the bots from registering. Very little effort has been put into parts 2 and 3 of what I listed in my blog post. Let’s say that out of those 800 boards they get registered on they now turn loose a posting bot, as opposed to a registration bot. They are able to post on 80% of those boards. The number is high because as I said very few boards implement a CAPTCHA or other mechanism for posting, only for registration. 80% of 800 is 640 boards.
Suppose each board has about 100 members that are active and see the links, and suppose they get 0.5% click-thru rates on whatever links they spam. 640 boards * 100 users * 0.005 is 320 people. If they earn $0.50 per click they’ve earned $160. It cost them $75 per 800 boards.
If you take those numbers and extrapolate to the tens of thousands of boards on the web, it’s easy to see where the incentive is. Using the $0.50 CPC as a baseline, what is the break-even point? With 100 members on 640 boards that’s 64,000 potential clickers. How many clicks do I need to make my $75 investment back? I need 150 clicks. 150 clicks from 64,000 people is 0.23%. That means 2.3 out of one thousand people have to click my spam links and I break even.
Let’s say there’s half a million boards out there, each with 100 members, and the click rates are at my original number which was a half a percent (0.005). That’s a quarter million clickers, and $125,000 in revenue for me. Even if the click rate is a quarter of a percent (0.0025) then I still get $62,500 in click revenue.
The only way to truly stop spam is to make it unprofitable. The only way to make it unprofitable is to increase their cost or reduce their revenue. Adding anti-spam measures to a board is one way to increase their cost. But the only true way to affect the spammer’s bottom line is to reduce their revenues. And I am afraid that we don’t have any control over that.
Comment by Dave Rathbun — September 1, 2007 @ 8:39 am
I just got word the final solution has been found
http://blog.phpbb.cc/2007/09/05/the-final-solution-to-comment-spam/
Comment by damnian — September 5, 2007 @ 3:44 pm
How… interesting. I think I will stick with my own techniques, thank-you-very-much.
For those that don’t click through to damnian’s blog post, he has been contacted by someone that “knows a lot of spammers” and in return for putting a small link on his (damnian’s) site this person will “talk to them, and get them to stop” or at least reduce their activities. It’s the old shakedown for protection money scam, reborn for the blogosphere. I think I will pass.
Comment by Dave Rathbun — September 6, 2007 @ 9:10 am