Detecting registration bots

[kjkoster]

Dear All,

I have noticed recently that the automated spammer registrations use fairly predictable patterns. I am wondering if anyone has used such patterns to kill their tools?

First is that their tools only request the precise pages they need. The style sheets and images are not requested at all.

Second is that one of their tools always use the date jan 1st 1980 as their date of birth.

1) Are there any mods that use this information to poop the spamtools?

2) What would you think of a mod that checks that certain images are actually downloaded before the user can register to the site?

Kees Jan

[Lynne]

They are also very quick to register - faster than any human can do so. Is Bot will check how fast they register and if it's faster than xx seconds, they can't register.

[kjkoster]

Dear Lynne,

Here is a sample that I lifted from my access log. The times between the first and second request are indeed quite fast, but the third request tool human-like time.

Code:

121.231.14.208 - - [18/Apr/2009:07:45:13 +0200] "GET /forum/register.php?do=signup HTTP/1.1" 200 12749 126819 "http://java-monitor.com/forum" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
121.231.14.208 - - [18/Apr/2009:07:45:14 +0200] "POST /forum/register.php?do=register HTTP/1.1" 200 19209 39837 "http://java-monitor.com/forum/register.php?do=signup" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
121.231.14.208 - - [18/Apr/2009:07:47:13 +0200] "POST /forum/register.php?do=addmember HTTP/1.1" 200 10887 893786 "http://java-monitor.com/forum/register.php?do=register" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

[foroalfaromeo]

These are the IPs and mail domains I blocked in my VB

194.8.75.109
194.8.75.191
194.8.75.192
195.2.240.126
195.2.241.162
200.126.238.235
217.116.138.185
24.12.148.237
62.43.160.66
66.197.231.213
72.232.61.165
87.118.102.57
87.152.131.102
87.152.143.240
87.248.169.14
88.198.157.210
89.105.228.141
89.248.160.195
91.124.60.190
91.124.61.15
91.206.15.66
94.125.179.5
87.118.120.6
194.8.74.37

@getasiansex.com
@islandaccommodation.info
@lovecasino.net
@mail.ru
@mainru.com
@onllinevideo.cn
@yandex.ru
@megapochta.cn

We can build a black list with info..... what do you think?
If everyone cooperates.

[kjkoster]

Dear foroalfaromeo,

You are aware of http://www.stopforumspam.com/ and its vb plugin: https://vborg.vbsupport.ru/showthread.php?t=176481 are you?

Let's not duplicate efforts. I was trying to find some *additional* tools to throw at the spammers.

[kermit2]

I use a few lines of code to moderate any first posts which contain a URL. Since the user's post count isn't incremented, if they then make a second post containing a URL, that too is moderated. Sometimes there are false positives, but approving those gives my mods something to do. Obviously the spammers could easily get round it, but the majority just move on to another forum.

Suppose you could do something similar to automatically moderate users with a birth date of 1st Jan 1980, and accept that there are going to be some false positives. Presumably this is only the signature of one particular spammer though.

Or you could just firewall off China