Stopping spammers from creating accounts (reCaptcha not doing the trick)

4

5

Hi, we have just noticed a bunch of Nigerian spam accounts in our email system. Now, we do have a reCaptcha in the signup form but apparently they circumvent it, manually or otherwise. It seems like a semi-manual circumvention since the accounts aren't created in bulk but instead as a steady stream with a few minutes in between.

Since most of the spam accounts were created by IP addresses from Nigeria, we have just set up some simple IP filters over a couple of pretty broad IP ranges and that seems to be working for now. However we would like to make a more permanent solution to this problem.

The most reasonable improvement we are thinking about is to change from using reCaptcha to use a textcaptcha in Danish. This might make it hard for a Nigerian to manually enter the answer since he would have to learn Danish or search the web for an answer. However, I would like to know if you have a better suggestion or maybe just alternative or additional screening methods we could implement.

Zena answered 14/7, 2010 at 15:1 Comment(0)
4

The best approach that I know of is requiring verification via SMS. It's very easy for you to detect that the same phone number is being tried more than once, and it's reasonably difficult to have a large number of SMS-capable phones.

Hokkaido answered 14/7, 2010 at 15:12 Comment(4)
Yeah, we've considered that possibility as well. Know any good SMS services that work in Denmark & Greenland? - Zena
Finding a reliable SMS gateway is hard and then you have to pay good money to send each SMS. It's an old technology that continues to make a lot of profits for the mobile operators. - Instinct
@zaf: Yeah, the prices on SMS gateways are unbelievable. - Zena
Bear in mind that some people don't have mobile plans by choice (have you seen the prices here in Canada?) and others (myself included) wouldn't give a site their SMS number regardless because it's become the targeted advertisers' holy grail for cutting through people's attempts to maintain multiple separate identities online. - Nucleonics
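
The duplicate-number check this answer describes, as an added example that is not part of the original answer or the asker's system. The function names, the in-memory dicts standing in for a database, the default country code, and the limits are all assumptions made for the sketch; the returned code would be handed to whatever SMS gateway is in use.

```python
import hashlib
import hmac
import re
import secrets
import time

# Assumed for this sketch: dicts stand in for a database; PEPPER is a constructed secret.
PEPPER = b"constructed-demo-secret"
DEFAULT_CC = "45"               # assumed default country code (Denmark)
CODE_TTL, MAX_SENDS = 600, 3    # code lifetime in seconds; SMS sends per number per 24 h
verified, pending, sends = {}, {}, {}  # all keyed by phone fingerprint


def fingerprint(raw):
    """Normalize "+45 12 34 56 78", "0045 12345678" and "12345678" to one
    value, then HMAC it so the table never stores raw phone numbers."""
    s = re.sub(r"[^0-9+]", "", raw)
    s = re.sub(r"^00", "+", s)
    digits = s[1:] if s.startswith("+") else DEFAULT_CC + s
    if not digits.isdigit() or not 8 <= len(digits) <= 15:
        raise ValueError("not a plausible phone number")
    return hmac.new(PEPPER, digits.encode(), hashlib.sha256).hexdigest()


def request_code(account, raw_phone, now=None):
    """Return the code to send by SMS; refuse reused or hammered numbers."""
    now = time.time() if now is None else now
    fp = fingerprint(raw_phone)
    if fp in verified:
        raise PermissionError("number already tied to an account")
    recent = [t for t in sends.get(fp, []) if now - t < 86400]
    if len(recent) >= MAX_SENDS:
        raise PermissionError("too many codes requested for this number")
    sends[fp] = recent + [now]
    code = f"{secrets.randbelow(10**6):06d}"
    pending[fp] = (code, now + CODE_TTL, account)
    return code


def confirm(account, raw_phone, code, now=None):
    """Bind the number to the account if the code matches and has not expired."""
    now = time.time() if now is None else now
    fp = fingerprint(raw_phone)
    stored, expiry, owner = pending.get(fp, ("", 0, None))
    if owner != account or now > expiry or not hmac.compare_digest(stored.encode(), code.encode()):
        return False
    del pending[fp]
    verified[fp] = account
    return True
```

A deployed version would also cap the number of wrong guesses per pending code, since a six-digit code can otherwise be brute-forced within its lifetime.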
3

Having thought about this for a little more, I think I do have a solution, though not necessarily one you will like:

From what I understand of your question, you are giving out email accounts to people who

  • don't pay you money;
  • you don't know personally; and
  • you have no contract with.

It could be argued that organizations doing what you are doing are part of the problem.

Unless your primary business is being a provider of free email (and that's surely a thankless business), I don't see a need to hand out email accounts to people. If you want them to be able to communicate with you or with other of your users, let them use their own, already owned private email accounts. If you only need communication with you, a Web feedback form will do. If you want them to communicate among each other and it's some kind of social site, provide messaging capability between accounts. But don't give strangers access to your worldwide-connected email server! This is the equivalent of operating an open relay.

Anybody can get an email account from Google (or Yahoo, or...) for free. Let those companies worry about spammers, they make more money than you do.

Mcdonough answered 14/7, 2010 at 15:16 Comment(1)
Hi Carl, thank you for your answer. It is an interesting perspective and I agree that we are a part of the problem if we can't keep out the spammers (which is a hard problem to solve). While we don't make money like Google or MS, we do actually make some money by providing a free email service so I don't suspect the decision makers will look kindly on a suggestion to terminate the service. I just have to deal with the problems that come along. ;) - Zena
0

You could set up a hidden field in the form with a name like "email" or something that's not used; real humans wouldn't fill it in, but a robot would, since they usually read the code, not look at the page.

Incoming answered 14/7, 2010 at 15:6 Comment(3)
Yes, that might help a little. But it is extremely easy to circumvent and the spammers are pretty crafty, so I don't think that will slow them down for more than a day (max). - Zena
And it doesn't necessarily sound like these guys are using bots. - Septuplicate
The question in Danish makes the most sense, maybe a question about the Danish language? Then they couldn't just translate it, a simple grammar question, like if we were talking English "what character comes after a sentence" (that might be a bit too generic between languages though...) - Incoming
0

Thoughts from our Glorious Leaders on combating spammers who are prepared to solve captchas:

https://blog.stackoverflow.com/2009/02/new-question-answer-rate-limits/

Catima answered 14/7, 2010 at 15:15 Comment(1)
Thank you. The post anti-spam protection Jeff uses (peer-review, anti-bot measures and post throttling based on "points") wouldn't work very well for our purpose. We deal with email account abuse where a spammer creates a new account and starts sending spam mails almost certainly by handling the anti-bot stuff (reCaptcha and other measures) manually. We need the system to be better at thwarting Nigerian spammers from creating accounts. - Zena
