Spammers Randomate and Captchas
Spammers can crack any captcha on any site now in a matter of seconds. There are even sites like http://www.captchakiller.com which allow you to break captchas using APIs. I was able to break all of americansingles' captchas in a matter of seconds, my own and every other dating site's I could find. Now a lot of losers like Art Harrison at Randodate are using automated programs to break captchas on my site and attempt to create thousands of fake profiles and spam their site all over. But the most annoying are by far the Russians and other spam groups, which are really stepping up their attacks lately.
Does anyone have one of these automated spam bots? I’d love to get my hands on one so I can test and figure out how they work. Post a link below or send me an email if anyone knows of any.
April 7, 2008 at 8:43 pm
Here’s one guy I’ve seen around for auto spam on websites like myspace, yahoo, craigslist, etc.
http://www.adsoncraigs.com/index.php
April 7, 2008 at 8:45 pm
Captchakiller.com is using humans to solve captchas … there is no fighting that …
April 7, 2008 at 10:27 pm
Markus,
I’m a Vancouver local and may be able to offer you some insight/advice.
You have my email. Feel free to get in touch.
April 8, 2008 at 1:18 am
I haven’t tried anything against forms with a captcha, but I’ve done comment spammers for blogs and ripping data off of sites. I’ll have to check out captchakiller to see if they have something I can use!
April 8, 2008 at 4:38 am
Hey Markus, sorry to hear about the spam bots. I have a moderately busy forum and have spent a few years fighting them and spammers and con artists in general. I’ve never used captchas, but on the registration page I force the user to select year, month and day of a birthday before they register. The 2nd and 3rd drop-downs only appear after the first one has been selected. This makes it a bit trickier for the bots to control.
I also maintain a spam domain list and a spam IP list but as you know they aren’t that helpful.
There is one thing that I haven’t tried and that’s alternating between captchas, general knowledge quizzes, math questions, and other types of interrogation that might reduce the onslaught.
Finally, have you read this blog post by Jeff Atwood?
http://www.codinghorror.com/blog/archives/001067.html
Towards the end he names some interesting captcha-esque techniques, including ASCII art and “Solve failed OCR inputs”.
Feel free to drop me a line if you want to brainstorm some of this further.
April 8, 2008 at 10:40 am
phpBB has been hit by automated spammers all over the world. The one thing which seems to keep them out is a math question during registration. Assuming you have a large enough pool of questions and answers (the questions could be something other than math), in theory that should keep them at bay, as the questions require understanding the logic of the question.
There is also the reCAPTCHA project at Carnegie Mellon University http://recaptcha.net/ which is interesting in itself, and may well help block the spammers too.
April 8, 2008 at 12:30 pm
A couple of solutions I’ve considered for the problem are as mentioned above. Questions instead of captchas, questions which would be difficult for a computer to process automatically. Simple logic and linguistic questions would seem to me to be more secure than math problems. Parsing a math problem and calculating a response should be fairly trivial for a computer; it’s what they’re good at by design, after all.
Fundamentally the answer is going to be to remove any benefits gained from spamming by burying or flagging content created from questionable sources for review. Some ideas we’ve considered implementing are:
1) Check the authenticity of the users’ registration details and weigh accordingly
1a) confirm the email address, this is elementary and most sites do it
1b) location of the IP against the country the user has specified when signing up.
2) As posters above mention, maintain black or grey lists of IPs and domains, both those used for email confirmation and those used for signups, to add further weight. I agree that they won’t solve all your problems, but they can be effective to add weight to the scores.
3) Using the logic question, or captcha and not providing feedback. Allow the account to be created and use the results to add further weight to your review or burying process.
4) Spam controls on the actual content: content similar to spam content should be flagged and weighted, as spam controls for email have been doing for years.
5) Batch cleanup of profiles and accounts that are inactive and over a certain spam threshold, mark the accounts as inactive and heavily weigh or exclude them from the results. Again, spam or no spam accounts this would only serve to improve the usefulness for users.
6) Use your users’ passion for your service, provide a mechanism to allow them to flag inappropriate content as spam and use the results when weighing the visibility.
The big problem I have with captchas is you’re taking part in an arms race with the spammers and giving them instant feedback on how well they’re doing. The primary concern should be to provide higher quality content, results or matches to users, and adding a spam score to a result can drastically affect its visibility and thus its usefulness to an attacker.
Focus on improving results and visibility for genuine content users have an interest in, and try to give as little feedback to spammers as possible. I’m not advocating security through obscurity, but don’t give them the blueprints to the vault either.
You don’t have to run faster than the bear, just faster than the guy behind you. Make it more difficult to game your site and piggyback on your success than to build and publicise a competing service.
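As an added example, not code from the commenter or from the site, here is the weighted-scoring idea from items 1 to 6 above in working Python: each signal adds weight, the challenge result is recorded silently rather than shown to the user, and the total picks a visibility tier. The weights, thresholds, blacklist entries and spam phrases are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed weights: higher = more spam-like. Tune these from real review data.
WEIGHTS = {
    "email_unconfirmed": 2.0,    # 1a: email never confirmed
    "ip_country_mismatch": 1.5,  # 1b: IP geolocation vs. country entered at signup
    "listed_ip": 2.0,            # 2: IP on a black/grey list
    "listed_email_domain": 2.0,  # 2: email domain on a black/grey list
    "challenge_failed": 3.0,     # 3: logic question/captcha failed, no feedback given
    "spammy_content": 2.5,       # 4: profile text resembles known spam
}
FLAG_WEIGHT = 0.5                # 6: per community "this is spam" report
REVIEW_AT, BURY_AT = 3.0, 6.0    # constructed tier thresholds (5: bury/exclude)

SPAM_PHRASES = ("visit my site", "free pics", "click here")  # constructed sample list
IP_BLACKLIST = {"198.51.100.7"}                              # constructed (TEST-NET-2)
DOMAIN_BLACKLIST = {"spam-example.test"}                     # constructed

@dataclass
class Profile:
    email: str
    email_confirmed: bool
    ip: str
    ip_country: str        # from a geolocation lookup, assumed done elsewhere
    stated_country: str    # what the user typed at signup
    challenge_passed: bool
    about_me: str
    flags: int = 0         # number of community reports (6)

def spam_score(p: Profile) -> float:
    """Sum the weights of every signal that fires; the account is still created (3)."""
    s = 0.0
    if not p.email_confirmed:
        s += WEIGHTS["email_unconfirmed"]
    if p.ip_country != p.stated_country:
        s += WEIGHTS["ip_country_mismatch"]
    if p.ip in IP_BLACKLIST:
        s += WEIGHTS["listed_ip"]
    if p.email.rsplit("@", 1)[-1].lower() in DOMAIN_BLACKLIST:
        s += WEIGHTS["listed_email_domain"]
    if not p.challenge_passed:
        s += WEIGHTS["challenge_failed"]
    if any(phrase in p.about_me.lower() for phrase in SPAM_PHRASES):
        s += WEIGHTS["spammy_content"]
    return s + FLAG_WEIGHT * p.flags

def visibility(p: Profile) -> str:
    """Map the score to a tier: shown normally, queued for review, or buried."""
    s = spam_score(p)
    return "buried" if s >= BURY_AT else "review" if s >= REVIEW_AT else "visible"
```

The spammer never sees which signal pushed the profile into the review or buried tier, which is the "no feedback" point the comment makes.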
April 8, 2008 at 12:36 pm
Markus,
Great blog and congrats on your success. I was trying to reach you to ask you a question but couldn’t find your email. I used to have an Adsense banner ad 728X90 on plentyoffish last year and then it stopped running on your site for some reason. I tried to find out why but couldn’t get an answer. Please contact me if you have a chance, you have my email.
Thanks,
Aaron
April 8, 2008 at 7:08 pm
Markus,
The software they are probably using is XRumer 4. This software bypasses captchas and submits to guestbooks, forums, etc. I’m sure it is some variation of that.
Regards,
Michael Francis
P.S. I liked your post about free chat lines. We just started one and we are monetizing it through different means but not paid for. The way we are moving, we will have a huge chunk of Lavalife, LiveLinks, and other paid chat line competitors’ market share very soon. We have a lot of ways to monetize, just like free conferencing on the backend and audio advertising on the actual call. Great business; I’m surprised how big it’s growing how quickly.
Best wishes to your continued success Markus…
April 9, 2008 at 1:07 am
I have a question for Markus or anybody else who could fill me in =P I’ve read about the initial start of plentyoffish (great site by the way). And I read about a “viral” marketing approach to get the site up and going. When Markus refers to “viral”, does anybody know what he means or examples of viral marketing. Thanks so much everybody!
Jenny
April 9, 2008 at 1:08 pm
@Jenny,
I presume he used word of mouth between his coworkers and friends; one friend told another and it spread like wildfire in Canada.
Use word of mouth to friends and coworkers, use cheap flyers, learn how to use Yahoo Publishing Network for starters (get their $100 voucher), and later, when you are profitable, start advertising with Google AdWords (visit uberaffiliate.com to understand how to advertise on AdWords, but don’t jump right on AdWords; start with YPN).
Just use your creative thinking how to get new visitors.
Best of luck Jenny!
April 10, 2008 at 7:12 am
Markus, we use a random simple question/answer to stop the bot spammers. Human spammers are still a problem but we at least stopped the bots with this. We have five random questions like: spell the word red, what is 2 plus 2, etc. You can see these examples at ezdate123 on our sign up page; just hit refresh to see the random questions. Also Markus, I have been on your site and it is really good and I have never encountered any spam. I did have a plug on my profile about ezdate123 but out of respect for you and your website I did take it out. The best to you, Mike/ezdate123
April 15, 2008 at 4:57 pm
Mike, the problem is when your site becomes really popular they just sit there and try and break whatever you put up. It definitely happens to all the top dating sites… There are legions of hackers selling myspace break-in tools.
April 16, 2008 at 12:53 am
Hey Markus, what makes you think you can do something but anyone else does it and they’re losers? I think you’re a loser too. Anyone that can allow their members to commit defamation on their site and allow them to get away with it is a loser and not much of a man. As long as you feel you don’t have to give a damn about American laws, why don’t you get the heck out of here.
April 17, 2008 at 6:41 pm
I run a site http://www.gojuryu.net and http://www.budomall.com
My solution is BotSlap. Dig around a little for which version is best for your needs.
April 22, 2008 at 12:03 pm
It’s a cat and mouse game–there’s no end in sight. And the harder your Turing tests, the less accessible your site becomes.
The only reliable way to combat spam is using Bayesian filtering as it uses statistical modeling to find outliers. Anything else would be broken in due time.
Short of using statistical analysis to find spammers, the next best thing is to use the collective power of your community. You’d need a weighted algorithm so that older users get more weight on their vote vs. new users, etc. If 100 users report a user as a spammer, you can block their account and put them on probation.
I am afraid, going any other route will just make your life harder as you alone combat the collective will of spammers–a very determined adversary.
April 29, 2008 at 3:39 pm
You know, if we just made it a crime to spam and started executing these fuckers, I am willing to bet the rate of spam will drop dramatically.
May 2, 2008 at 3:26 pm
Some spam fighting methods:
* Turing tests such as Captcha or whichever ones you can think of. You can change them frequently enough so bots cannot get you.
* Since humans can spam (and labor is too cheap in some countries) you can add some rules to reduce it. You can give full permissions only after a validated email was given and some time + logins + normal pageviews have passed (say only after 10 logins, 7 different days on the site and views of different pages).
* Simply block what it is that they’re trying to achieve. If somebody’s out to publish their website, simply block this expression and put the user on a mode that would require further authentication.
Truth is that since you’re fighting with other humans, it’s simply an ongoing battle. Good luck.
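The two ideas that survive the arms race in the April 22 and May 2 comments above, weighted community reports and earning permissions through activity, as an added example (not the commenters’ code, nor the site’s). The thresholds follow the comments (10 logins, 7 distinct days, 100 reports); the page-diversity count and the age-to-weight curve are constructed assumptions.

```python
from datetime import date

# Constructed thresholds: the comment's "10 logins, 7 different days" plus a validated
# email; MIN_DISTINCT_PAGES is an assumed value for "views of different pages".
MIN_LOGINS, MIN_DAYS, MIN_DISTINCT_PAGES = 10, 7, 5
REPORT_THRESHOLD = 100.0   # "if 100 users report", as a weighted total

def full_permissions(email_validated: bool, logins: list, pages_viewed: set) -> bool:
    """Grant posting/messaging only once real-looking activity has accrued."""
    distinct_days = len(set(logins))          # logins is a list of date objects
    return (email_validated
            and len(logins) >= MIN_LOGINS
            and distinct_days >= MIN_DAYS
            and len(pages_viewed) >= MIN_DISTINCT_PAGES)

def report_weight(reporter_joined: date, today: date) -> float:
    """Older accounts carry more weight, so a batch of fresh sock puppets counts little.
    Assumed curve: 10% of a vote on day one, a full vote after a year."""
    age_days = (today - reporter_joined).days
    return min(1.0, max(0.1, age_days / 365))

def weighted_reports(reporter_join_dates: list, today: date) -> float:
    """Sum the weights of every account that reported the suspect."""
    return sum(report_weight(joined, today) for joined in reporter_join_dates)

def should_probate(reporter_join_dates: list, today: date) -> bool:
    """Put the reported account on probation once weighted reports reach the threshold."""
    return weighted_reports(reporter_join_dates, today) >= REPORT_THRESHOLD
```

With these weights, 100 reports from accounts created this week add up to only 10 votes, while 100 reports from year-old accounts cross the line, which is the point of weighting by account age.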
May 3, 2008 at 7:53 pm
Your captchas are very poor; that is why they can get into yours. Your captchas can be broken in less than 1 second by programs that go for less than $200 (there are many)… Try not using words and scramble them, also make it less easy to distinguish between text and background. You should maybe use multi-colour captchas and backgrounds that randomate between colors, also lines through the text or making each letter a different font…
One thing I have not seen anyone do is a flash captcha; I know this would be almost impossible to read if you have some movement in it.
May 7, 2008 at 1:48 pm
For a US-specific solution, TXT-messaging is compelling. User signs up, enters their number to get TXT’d a code to, enters the code in the website and on they go. A lot of the spammers breaking those CAPTCHAs are outside the US, so you’d massively narrow their options. Facebook seemed to do this for a while.
Another more severe approach is the SomethingAwful approach. You’re allowed to browse for free, but searching and posting require a one-time fee (say, $5 - although I think SomethingAwful is 10 + 10 now). By doing this you off-load the scammer problem to the major credit card companies. You also make it scarier to scam your site (You’ve got their credit card info, useful for legal purposes), and expensive (if they create 100 false accounts it costs them $500 instead of $0). As SomethingAwful clearly noticed, you also make a little bit of cash.
But you’ll force out most of the younger audience (under 1
out there - which may actually be good for a dating site - and you’ll scare off those who are skittish about associating their real identity with a dating website. That might scare off the skeezy cheater types though. Maybe one-time membership fees are workable for PoF.