On Tue, Jun 11, 2024 at 10:41:33PM +0000, Martin wrote:
> I already do some rate limiting with stateful tracking options for PF,
> which works really great for the stuff I use it for.
>
> I also use block lists of known bad IP addresses etc.
>
> But what useful methods exist that prevent spamming an HTML signup form
> from stuffing the database with useless signups?
>
> Naturally the accounts that haven't been validated one way or another
> get deleted, but the initial signup is a problem as thousands upon
> thousands of requests are stored before deletion.
>
> I have tried blocking by IP, but this is difficult as the IP changes
> faster than it can be blocked.
>
> The User Agent is spoofed with random garbage.
>
> Honey pot empty hidden fields get detected and ignored.
>
> Randomly generated form IDs that get submitted and validated using a
> session cookie also don't work as the cookie is just stored and then
> sent along.
>
> A simple CAPTCHA reduces some of the irrelevant noise, but the more
> sophisticated bots solve the CAPTCHA.
>
> Using Cloudflare's or Google's CAPTCHA is frowned upon by the real
> users, which I fully understand.
>
> So I was wondering, if some other clever method can reduce the noise?
>
It's not perfect, but I have a long list of regexes that I know are spam
that I have my Perl code that processes the form block.
Trying to block from a log is not very helpful. It can let through
thousands of the same spam attempts before the log catches up to the
attempts reaching the log, which is a pretty long time.

--
Regards,
Chris Bennett

"Who controls the past controls the future.
 Who controls the present controls the past."
 George Orwell - 1984
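
Added example, not part of the message above and not Chris Bennett's code: one way to do the regex screening he describes inside the form handler itself, so a match is rejected before anything is written to the database. The rule names, patterns and sample submissions are constructed for illustration, and the fields are assumed to be already decoded into Perl character strings.

```perl
#!/usr/bin/perl
# Added example: screen signup fields against known-spam regexes in the
# request path, before any database write. Not code from the thread.
use strict;
use warnings;
use Unicode::Normalize qw(NFKC);

# Constructed sample rules; a real list grows from spam actually received.
my @SPAM_RULES = (
    [ 'url-in-field'  => qr{https?://|www\.}i ],
    [ 'bbcode-link'   => qr{\[url=}i ],
    [ 'pharma-words'  => qr{\b(?:viagra|cialis)\b}i ],
    [ 'throwaway-tld' => qr{\@[^\s\@]+\.(?:example-spam|invalid)\z}i ],
);

# Fold compatibility forms (e.g. fullwidth letters) and whitespace so that
# trivial obfuscation does not slip past the patterns.
sub normalize {
    my ($value) = @_;
    $value = NFKC($value // '');
    $value =~ s/\s+/ /g;
    $value =~ s/^ | $//g;
    return $value;
}

# Returns "field:rule" for the first match, or undef if the form is clean.
sub spam_rule_hit {
    my (%field) = @_;
    for my $name (sort keys %field) {
        my $value = normalize($field{$name});
        for my $rule (@SPAM_RULES) {
            my ($label, $re) = @$rule;
            return "$name:$label" if $value =~ $re;
        }
    }
    return;
}

# Constructed submissions standing in for parsed POST parameters.
my @submissions = (
    { name => 'Alice Example', email => 'alice@example.org' },
    { name => 'Buy now http://spam.example/', email => 'x@example.org' },
    { name => 'Bob', email => 'bot@mail.example-spam' },
);

for my $form (@submissions) {
    my $hit = spam_rule_hit(%$form);
    # Only the clean branch would go on to INSERT the pending account.
    print defined $hit ? "REJECT ($hit)\n" : "ACCEPT $form->{email}\n";
}
```

Because the check runs before the insert, a rejected submission never occupies a row, which avoids the lag of blocking from logs after the fact.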