Anyone have any success in stopping one of these attacks?
The site I administer must have got on one of those sites where people can complete CAPTCHAS to get paid or see porn. I've been reading about these all day since it's the first I have heard about them having never been nabbed by one in the past few years.
Spam user accounts are being created at a rate of about 30 per hour. Then each account manages to create about 5-10 spam blog posts per hour. This site is already using a free Mollom account as a spam and quality control service, but Mollom isn't blocking the user creation very well and they are real people behind the keys anyway.
The IP addresses are from all over, like India, Estonia, France, the Philippines, Brunei Darussalam, and the US, so it doesn't make any sense to block specific geographic IP addresses. The spam email addresses being used have no rhythm that I can predict, so I can't successfully block them that way.
Manually moderating user submissions doesn't make any sense for this community website, since the admins would never find the real users amid the hundreds of CAPTCHA-porn user accounts. For now, I have stopped all public registration on the site. I've had registration switched off for three days; when I set it back to our normal public registration, the waves of spam picked right up where they left off.
CAPTCHA.net seems to think it's a pretty small threat, but it doesn't make it any less annoying to admins trying to keep the site content at a high quality:
It is sometimes rumored that spammers are using pornographic sites to solve CAPTCHAs: the CAPTCHA images are sent to a porn site, and the porn site users are asked to solve the CAPTCHA before being able to see a pornographic image. This is not a security concern for CAPTCHAs. While it might be the case that some spammers use porn sites to attack CAPTCHAs, the amount of damage this can inflict is tiny (so tiny that we haven't even noticed a dent!). Whereas it is trivial to write a bot that abuses an unprotected site millions of times a day, redirecting CAPTCHAs to be solved by humans viewing pornography would only allow spammers to abuse systems a few thousand times per day. The economics of this attack just don't add up: every time a porn site shows a CAPTCHA before a porn image, they risk losing a customer to another site that doesn't do this.
That's fine insight, but I'm still being porn attacked. Anyone have any tactic I can deploy to stop this madness?
Comments
Followup
Follow up on this with the issue in Mollom's tracker:
http://drupal.org/node/632288
I'll assume these are bots,
I'll assume these are bots, and not actual human spammers.
Do you currently require users to validate their email in combination with Captcha? I don't know if that route would work for your site. Sometimes admins are reluctant to add this step as it does add an extra step to the registration process.
Also, try changing your Captcha settings to a math question and see if that works.
Edit: Sorry, I missed this part in your original post.
Is there any performance
Is there any performance difference in stopping this based on Free vs Pay options?
Or is it strictly a volume thing in the difference between Mollom accounts?
The problem is that real
The problem is that real people are completing the CAPTCHAs through some sort of porn or pay service, Mollom can't do anything about that whether I have the free or premium service from them.
All emails are being validated at registration. They even have the gall to email me from Estonia to ask why they can't log in after they create their accounts. "I am not log on. Please to help me?"
What about creating a spam
What about creating a spam list? So even if the CAPTCHA is triggered, can't it still look at the content and guess about the spamminess?
So CAPTCHA is not a carte blanche if it is their first xx posts.
Surely even with an account they will not keep posting things if it is not going on the site. They will move on...
Can Mollom pass it off to the SPAM module every time it triggers and use both together?
you could set up a
you could set up a Non-authenticated role and use login toboggan to force them to verify their email address.
The Non-authenticated user would not be able to post without verifying their email and maybe add another captcha box for good measure.
Just a thought.
Latte/
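The two suggestions above (no posting until the email address is verified, and treating a new account's first xx posts as probation that still goes through the content filter) can be combined into one posting gate. The following is an added example, not code from this thread, from Drupal, or from Mollom; the thresholds, the per-account hourly cap and the toy spam scorer that stands in for Mollom are all assumptions:

```python
from collections import defaultdict
from dataclasses import dataclass, field

PROBATION_POSTS = 5      # assumed: first N approved posts of a new account are held for review
MAX_POSTS_PER_HOUR = 3   # assumed cap; the thread reports spam accounts posting 5-10 per hour
SPAM_THRESHOLD = 0.5     # assumed: scores at or above this are treated as spam


def toy_spam_score(text):
    """Constructed stand-in for a real classifier: share of tokens that are links or pitch words."""
    words = text.lower().split()
    hits = sum(w.startswith("http") or w in {"cheap", "pills", "casino"} for w in words)
    return hits / max(len(words), 1)


@dataclass
class Account:
    email_verified: bool = False
    approved_posts: int = 0
    post_times: list = field(default_factory=list)   # timestamps (seconds) of recent submissions


class PostingGate:
    def __init__(self, spam_scorer):
        self.accounts = defaultdict(Account)
        self.spam_scorer = spam_scorer

    def verify_email(self, user):
        self.accounts[user].email_verified = True

    def approve(self, user):
        """A moderator approved one held post; counts toward leaving probation."""
        self.accounts[user].approved_posts += 1

    def submit_post(self, user, text, ts):
        """Returns a decision string for one submission at time ts."""
        acct = self.accounts[user]
        if not acct.email_verified:                      # role without posting rights until verified
            return "reject:unverified"
        acct.post_times = [t for t in acct.post_times if ts - t < 3600]
        if len(acct.post_times) >= MAX_POSTS_PER_HOUR:  # per-account rate limit, CAPTCHA or not
            return "reject:rate"
        acct.post_times.append(ts)
        spammy = self.spam_scorer(text) >= SPAM_THRESHOLD
        if acct.approved_posts < PROBATION_POSTS:       # the "first xx posts" probation
            return "reject:spam" if spammy else "hold:probation"
        return "hold:spam" if spammy else "publish"
```

Posts that are held never reach the public site, so a human-solved CAPTCHA alone no longer buys the account anything until a moderator has approved its first few contributions.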