
I am struggling these days to prevent spam from my signup form. I do not want just to prevent it from bots (with honeypots etc.) but also when a real human writes a script designed for my website to fill my database with dummy registrations (I do not want to use captcha). I have the following things in my mind to implement about it:

  1. Check if email addresses exist (not only valid). I have read that you may be banned if there are lots of requests. Moreover, it is possible that the script can contain valid email addresses (for instance when a university provides students with emails that are slightly different).

  2. The other solution is to make a comparison between IP/Time_of_request and, in case the same IP gives lots of requests for signup, consider the user a spammer. For this you can set a threshold above which you consider a signup request as spam. The problem here is that the script may find the threshold (e.g. 1 second) and send a request every 1.1 seconds. Moreover, someone may use onion routing (?) and I will not be able to ban him.

  3. What do you think about random input names?

So what practices here are considered to be good enough to come through this situation?

Thanks!

UPDATE

I send an email with a confirmation link for activation, but I give users the ability to use the site for about 4 days without activating their accounts! I do not want my database to have spam accounts in the first step!

SOLUTION

For everyone interested, I used honeypots combined with a temporary database! It seems to work fine! Thanks!

Themis Beris
  • add captcha to the registration form? – Ashalynd Aug 04 '14 at 11:59
  • @Ashalynd I hate them as a user, so I do not want them in my signup form! :) – Themis Beris Aug 04 '14 at 12:00
  • possible duplicate of [Blocking comment spam without using captcha](http://stackoverflow.com/questions/1577918/blocking-comment-spam-without-using-captcha) – ClmentM Aug 04 '14 at 12:06
  • @ThemisBeris Are you creating new email addresses here or validating existing ones? – Trick Aug 04 '14 at 12:08
  • @ThemisBeris I'd do what the comment below suggests (http://stackoverflow.com/a/25118357/3763023), and require them to get an email with a validation link in it. Were you looking for help with coding or just the idea? – Trick Aug 05 '14 at 00:28
  • @Trick just the idea! I am trying to implement some pseudo-random input name fields! I think that I should not worry about spam if the bot/human is given different input names for the registration form – Themis Beris Aug 05 '14 at 07:53

3 Answers


One more thing: you can create a temporary registration database, and if someone verifies their email within 24 hours of registration, his/her data will be moved to the main registration database, and every entry will be deleted after 24 hours if the email is not verified by the user.

GoalDone
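The temporary-database idea above, combined with the honeypot field the question's author settled on, as an added example that is not code from the question or this answer. It assumes a hidden form field named `website` as the honeypot and uses in-memory dicts in place of the two database tables; the 24-hour expiry is the one this answer proposes.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

VERIFY_TTL = 24 * 3600  # pending rows expire after 24 hours, as the answer proposes


@dataclass
class RegistrationStore:
    """Stand-in for the temporary (pending) and main registration tables."""
    pending: dict = field(default_factory=dict)  # sha256(token) -> (email, created_at)
    main: dict = field(default_factory=dict)     # email -> verified_at (the real table)

    def signup(self, form: dict, now: float) -> Optional[str]:
        # Honeypot: the hidden 'website' field (assumed name) is invisible to a real
        # user, so anything filling it is a script. Drop it before touching any table.
        if form.get("website"):
            return None
        email = form["email"].strip().lower()
        if email in self.main:
            return None
        # The raw token goes into the confirmation link; only its hash is stored,
        # so a leaked pending table cannot be used to activate accounts.
        token = secrets.token_urlsafe(32)
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = (email, now)
        return token

    def verify(self, token: str, now: float) -> bool:
        """Promote a pending row to the main table; tokens are single-use."""
        key = hashlib.sha256(token.encode()).hexdigest()
        row = self.pending.pop(key, None)
        if row is None:
            return False
        email, created = row
        if now - created > VERIFY_TTL:
            return False  # expired: treated as if the signup never happened
        self.main[email] = now
        return True

    def purge_expired(self, now: float) -> int:
        """Cron-style cleanup of unverified rows older than VERIFY_TTL."""
        stale = [k for k, (_, t) in self.pending.items() if now - t > VERIFY_TTL]
        for k in stale:
            del self.pending[k]
        return len(stale)
```

Scripted signups that skip the email step never reach the main table, which is what the question's update is asking for.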

To validate the email address you could send a confirmation email with a validation link, and the user should click on that link to confirm that it is his email address and that he is not a bot.

Laur

In response to OP's update: If you need to give users the option of using the site without clicking the activation link for X days, perhaps you could also send a set of two 4-digit (or just 6, but not secure) PIN numbers in the email (or separately) and have them use that as their temporary password until the account is activated via the original email link. In your database you'd notice if the PIN was used or not, indicating whether it was a spam account. It could even be a one-time-use PIN.

Trick
  • I do not want users to open their email in the first place, just sign in immediately! And I do not want the database to get spammed in the first place. – Themis Beris Aug 05 '14 at 07:57
  • What about the same idea, only have them click a link that will either **a)** give them some method of logging in _(a PIN?)_, or **b)** use JavaScript on the second page (or even the sign-up page, if you're careful) that performs several checks to see if it's really a human typing. Check for keypresses that are **validated server-side**, check for mouse clicks, etc. This isn't bulletproof, but it should cut down significantly on any spam you do get. – Trick Aug 05 '14 at 13:43
  • Yep! This is what I ended up doing and it seems to work fine! Thank you Trick! – Themis Beris Aug 05 '14 at 13:54
  • I'm glad it was helpful. I'd be interested in your particular implementation of this solution, _Please feel free to send me a message @ trick.developer@gmail.com to discuss further._ – Trick Aug 05 '14 at 14:07