Welcome, Guest!!
follow us on... rss

Author Topic: Bots that just register not being caught?  (Read 9789 times)

dzerkle

  • Newbie
  • *
  • Posts: 3
    • View Profile
Bots that just register not being caught?
« on: March 14, 2013, 02:15:53 PM »
I am running a Drupal site.  Drupal has forums built-in, but I don't have them enabled.

The site is getting a steady stream of bots attempting to register accounts.  They go to the 'user/register' URI and attempt to create an account.  I eventually turned off self-registration (buying a product gets you an account).  There are now no links to this registration page, so these aren't spiders.  Before I turned off registration, these bots attempted to add content to the site, so they're definitely link spammers.

Many of the IP addresses of these bots are NOT showing up in the Botscout database.  I suspect that they're being used only to create accounts, so they're not triggering the honeypots.  The botters presumably use other bots to attempt to create the spam.

Some samples of these registration bots:  113.212.71.10, 86.178.209.126, 188.126.69.148 (in DB), 66.249.73.237, 198.167.239.164, 188.142.16.131 (in DB), 108.20.177.249. 192.95.38.127.

As you can see, only a quarter of the bots are in the Botscout database.  This isn't going to stop the spammers from clogging my user database with their crap.  Any idea what's going on here?  Is a honeypot based on user registrations a good idea?

Is reporting the IP addresses at http://www.botscout.com/bot_submitter.htm a good idea?  I tried entering some IP addresses there (no e-mail or name is available), but there is no acknowledgement after I submit the form, so it's hard to tell if that does anything.

dzerkle

  • Newbie
  • *
  • Posts: 3
    • View Profile
Re: Bots that just register not being caught?
« Reply #1 on: March 14, 2013, 02:59:22 PM »
 66.249.73.237 is Google, presumably following an archived link from before I disabled it.

Mike

  • Administrator
  • Sr. Member
  • *****
  • Posts: 300
    • View Profile
Re: Bots that just register not being caught?
« Reply #2 on: March 14, 2013, 05:40:18 PM »
Many of the IP addresses of these bots are NOT showing up in the Botscout database.

That's because new IPs are constantly being used and discarded; it's literally impossible for anyone or any service to keep up with it 100% because there is no way to predict in advance what IP or IP range the spammers will use next.


I suspect that they're being used only to create accounts, so they're not triggering the honeypots.  The botters presumably use other bots to attempt to create the spam.

That's also possible.

Some samples of these registration bots:  113.212.71.10, 86.178.209.126, 188.126.69.148 (in DB), 66.249.73.237, 198.167.239.164, 188.142.16.131 (in DB), 108.20.177.249. 192.95.38.127.

As you can see, only a quarter of the bots are in the Botscout database.

Yes, please see above. As new IPs are caught they're added, but there will always be a lag regardless of how you do it or what service you use. It's simply not always possible to tell if a given registration event is from a bot or a real person (who may in fact be a spammer).


This isn't going to stop the spammers from clogging my user database with their crap.  Any idea what's going on here?  Is a honeypot based on user registrations a good idea?

Nothing will prevent all bots or humans acting in concert with bots. You may want to add some additional layers of spam or bot protection (hidden fields, time-gating, stronger CAPTCHAs, etc). But nothing will completely stop spam registrations, the best you can hope to do is reduce it radically. In some cases manual validation of registrations may be necessary.



Is reporting the IP addresses at http://www.botscout.com/bot_submitter.htm a good idea?  I tried entering some IP addresses there (no e-mail or name is available), but there is no acknowledgement after I submit the form, so it's hard to tell if that does anything.

You need all 3 items (IP, e-mail, and name) for a valid entry.
Please don't PM me for assistance- post your questions in the forum where others can see them.

dzerkle

  • Newbie
  • *
  • Posts: 3
    • View Profile
Re: Bots that just register not being caught?
« Reply #3 on: March 15, 2013, 07:43:25 AM »
I'm thinking there could be some "registration honeypots".  Heck, all I would have to do is to turn on self-registration on my site and disable all links to that page, and that's a honeypot.

Basically, set up something that looks like a real site but real people have no reason to register an account there.  The bots have profiles of every kind of site that can handle posts or comments, so they'll find the registration page and do their thing.  So, every single registration is a bot.

In fact, I'm a little surprised this sort of thing doesn't already exist.  The registrations alone from those bots are a problem, even if they can't post spam.

Mike

  • Administrator
  • Sr. Member
  • *****
  • Posts: 300
    • View Profile
Re: Bots that just register not being caught?
« Reply #4 on: March 13, 2014, 07:05:55 AM »
We already do this. :)

I'm thinking there could be some "registration honeypots".  Heck, all I would have to do is to turn on self-registration on my site and disable all links to that page, and that's a honeypot.

Basically, set up something that looks like a real site but real people have no reason to register an account there.  The bots have profiles of every kind of site that can handle posts or comments, so they'll find the registration page and do their thing.  So, every single registration is a bot.

In fact, I'm a little surprised this sort of thing doesn't already exist.  The registrations alone from those bots are a problem, even if they can't post spam.
Please don't PM me for assistance- post your questions in the forum where others can see them.