The Forum has been Updated
The code has been upgraded to the latest .NET core version. Please check instructions in the Community Announcements about migrating your account.
I have a personal website that gets no real traffic, but has become an interesting test bed for fighting spam bots. The game began soon after adding an email form and a basic tag board to the site. It didn't take long before the spam began arriving.
I solved the contact form spam by simply removing any recognizable email header terms from the form values, changing them instead to nondescript values; value1, value2, etc. No need for CAPTCHA or other deterrents if the bots can't even find the form. I haven't had a single spam email in 6 weeks!
But the tag board/guestbook is making me nuts. It also has nondescript form values, and even a CAPTCHA and keyword filter. But a German spammer keeps getting thru. His bot posts in spurts, seconds apart, trying to making it appear as if many posters are carrying on a conversation.
I finally added his IP address to my blocking script, but it doesn't work. The script works in testing, but not on this bot. His IP is detected and added to the database by the guestbook. But if I try to direct that IP away from my site or manipulate his posts, there is no effect.
I even separated the form and the processing functions into separate files to be sure the bot couldn't bypass my counter measures, but still no luck. My understanding of how these bots actually function is limited, so I'm hoping someone can help.
My basic IP block script is this:
I solved the contact form spam by simply removing any recognizable email header terms from the form values, changing them instead to nondescript values; value1, value2, etc. No need for CAPTCHA or other deterrents if the bots can't even find the form. I haven't had a single spam email in 6 weeks!
But the tag board/guestbook is making me nuts. It also has nondescript form values, and even a CAPTCHA and keyword filter. But a German spammer keeps getting thru. His bot posts in spurts, seconds apart, trying to making it appear as if many posters are carrying on a conversation.
I finally added his IP address to my blocking script, but it doesn't work. The script works in testing, but not on this bot. His IP is detected and added to the database by the guestbook. But if I try to direct that IP away from my site or manipulate his posts, there is no effect.
I even separated the form and the processing functions into separate files to be sure the bot couldn't bypass my counter measures, but still no luck. My understanding of how these bots actually function is limited, so I'm hoping someone can help.
My basic IP block script is this:
Code:
'Ban Problem IP Addresses
Dim sIP
Dim sIParray(1)
'assign our blocked IP addresses to our array
sIParray(0) = "78.46.98.3"
sIParray(1) = "83.233.30.101"
'retrieve the visitors IP address
sIP = Request.ServerVariables("REMOTE_ADDR")
'loop through the banned IPs using the UBound function
For i = 0 to UBound(sIParray)
'check if IP address matches any of the blocked IPs
If sIP = sIParray(i) Then
response.redirect "http://www.yahoo.com"
End If
Next
Posted
Change this portion of your routine and see if it doesn't help.
Code:
strsIP = cStr(Request.ServerVariables("REMOTE_ADDR"))
For i = 0 to UBound(sIParray)
If strsIP = sIParray(i) Then
response.redirect "http://www.yahoo.com"
End If
Next
Posted
I'm not sure how popular your guestbook is, but you could try to create a separate flood control for it and apply the time limit between entries to all users (guests and members) not just one.
Meanwhile, you could record all attempts to post messages (during the flood timeout period) in a separate table where you can collect the ip addresses (and the messages) of the automated post attempts. The values would be inserted into the table just before each flood control message is displayed.
If you wanted to create code that restricted an ip address based upon the amount of failed tries within a certain flood timeout period, you could then block that ip address and present a message stating that the poster will have to come back again tomorrow or next week or whenever to try to post again.
These things might help you slow this person down or even discourage him. If the guy has a routine that posts messages one after the other using an automated script, it will most likely make his posts look out of order resulting in an unintelligible conversation. If he is actually posting these messages live, then he will probably get upset with your countermeasure.
Just some thoughts ...
Meanwhile, you could record all attempts to post messages (during the flood timeout period) in a separate table where you can collect the ip addresses (and the messages) of the automated post attempts. The values would be inserted into the table just before each flood control message is displayed.
If you wanted to create code that restricted an ip address based upon the amount of failed tries within a certain flood timeout period, you could then block that ip address and present a message stating that the poster will have to come back again tomorrow or next week or whenever to try to post again.
These things might help you slow this person down or even discourage him. If the guy has a routine that posts messages one after the other using an automated script, it will most likely make his posts look out of order resulting in an unintelligible conversation. If he is actually posting these messages live, then he will probably get upset with your countermeasure.
Just some thoughts ...
Posted
Originally posted by ShaggyThe spam comes in floods, with as many as 40 or 50 entries in a session with the individual posts often just seconds apart. And my manual tests are easily thwarted by the IP block, but these spam posts get thru.
What makes you so certain it's a bot and not a manual spammer?
Etymon: My guestbook isn't popular. I could remove it entirely and not miss it. My attempts to block the spam are mostly for educational purposes, although with this spammer it's starting to feel personal.
The flood control is a good idea. I may try that.
Regarding recording spam attempts, my guestbook records IPs, so I tried letting the bot post but having the IP block script change the entries to inactive (they are entered into the database but not displayed). Both methods work great during testing but aren't stopping this bot.
Like I said, this is not an urgent issue. It's academic at this point, but it's an interesting opportunity to test different methods.
Posted
Okay, I'm an idiot. 
The more I thought about this, the more I KNEW any one of my antispam measures SHOULD be stopping this bot. Last night, while again wondering why my traps were just totally bypassed, a thought occurred to me, "It's as if the bot is using a cached version or something."
Duh!
I looked again, and sure enough, there was an early version of my guestbook, with the same database connection, still on the server. I'd duplicated and renamed the folder, but failed to remove the original, and that's what the spammer has been using this whole time.
Boy, do I ever feel stupid.
The more I thought about this, the more I KNEW any one of my antispam measures SHOULD be stopping this bot. Last night, while again wondering why my traps were just totally bypassed, a thought occurred to me, "It's as if the bot is using a cached version or something."
Duh!
I looked again, and sure enough, there was an early version of my guestbook, with the same database connection, still on the server. I'd duplicated and renamed the folder, but failed to remove the original, and that's what the spammer has been using this whole time.
Boy, do I ever feel stupid.
