[thelist] tracking spammers

Bob Meetin bobm at dottedi.biz
Sat Jul 9 10:16:23 CDT 2011

On 07/06/2011 07:33 AM, Renoir Boulanger wrote:
> Tracking spammers
> Here is my take on what I would start searching from. My experience is mostly PHP application development, Email server management and Linux System administration. BTW, in Montreal we have good technical conferences: ReCon (in a few weeks), Hack.us in eastern townships and ConFoo.ca (I'm part of the organizers).
> What I wrote for:
> == My opinion ==
> I tend to say that using the password as an element to detect a registrant as a spammer is unreliable. First, ethical issue, then, we, tech-savvy people, teach [non tech-savvy] friends and family to have better passwords. I don't know where your research went so far but here are some places I might look into:
> == Patterns ==
> - Run a dictionary check on username; it doesn't happen often, when user has right to decide username, to pick something non-human
> - Keep track of IP and check if IP did not try already some time ago
> - Use MX check on user email domain provider then try to send email to it and require user email confirmation from a generated URL (obvious but good filter I think)
> - Use Facebook connect. If there is a session opened and the username doesn't fit at all with user, remove validity points
> == Open source utilities ==
> - SpamAssassin
> They provide a suite of testing tools and scoring system. I think you could be able to use the engine as a filter and pass your registration fields through it like we do with mail servers; there is lots of documentation.
> == Webservices ==
> - Get API access to Relay Black Lists; they could give some hint on spammer networks. Do not use as hard evidence because it's SMTP IP addresses and not actual users
> - Try to see what WordPress has done with their Akismet; they provide professional API and they work well on comments on blogs
> - ReCaptcha is a captcha provider. Could be useful. Why re-create a captcha system?
> == ConFoo ==
> A web techno conference from the PHP, Ruby, Java, JavaScript usergroup communities, happening in Montreal in Feb-March.
> We are about to open call for speakers; if you are interested, send a mail to board at confoo.ca
> Cheers Guys
> devLABmtl.org/
> ConFoo.ca/
> evocatio.com/
> (sent from my phone)
Update thelist time...

A little more background - all my new websites run Joomla CMS. Joomla comes with a registration component, but I've implemented a licensed commercial ajaxy component called Ajax Registration. It comes with options to enable recaptcha and a cool-ish drag/drop captcha. Neither is much of a deterrent. I contacted the component developer a while back and he was cordial enough to give me some insight into some minimal registration form options. This was good.

I added a visible admin_only field which is being totally ignored (just wanted to see), then added URL (per Meshack) and some date captures. The hidden URL field has been active, is key. Yesterday on a hunch I added 2 more fields, website and link.  One of the spammers found both.  Pat on the back, thank you.

The dates are meaningful, about 2 seconds, but not enough info to act on yet.  The registration component already does some email/domain checking.  I as well am recording IP addresses in a table and this gets checked before submission. Facebook Connect is on the drawing board.

Akismet - that is a part of the WordPress component for Joomla. I think there is something called "Bad Behavior" for Joomla, perhaps similar theory.

Locally, on my Linux desktop, just for "kicks", I check flagged IPs by doing: % lynx http://www.projecthoneypot.org/ip_$ip_addr . If I had a simple way of doing this and looking for specific honeypot output like 'this is a known spammer' and including this in the check, it might be a nice add.

Bottom line - adding URL made a world of difference.  All the ideas are great.
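
The three signals described in this message (hidden form fields, render-to-submit time, and a table of recorded IPs) combined into one score, as an added example that is not part of the original post and is not code from Joomla or Ajax Registration. The field names, weights, thresholds and sample addresses are assumptions chosen so that a filled hidden field rejects on its own while timing alone does not.

```python
# Added example: score one registration POST with the three signals from the post.
from dataclasses import dataclass, field

# Assumed names: the post mentions hidden "URL", "website" and "link" fields.
HONEYPOT_FIELDS = ("url", "website", "link")
MIN_FILL_SECONDS = 2.0  # assumption, from the "about 2 seconds" observation


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def score_registration(form, rendered_at, submitted_at, remote_ip, flagged_ips):
    """Return a Verdict; a higher score means more bot-like.

    rendered_at must come from server-side state (e.g. the session), never
    from a form field, or the client can simply forge it.
    """
    v = Verdict()
    # Honeypot: the inputs are hidden from people, so a non-blank value
    # means something filled in every field it found in the markup.
    filled = [n for n in HONEYPOT_FIELDS if str(form.get(n, "")).strip()]
    if filled:
        v.add(10, "honeypot filled: " + ",".join(filled))
    # Timing: weak on its own, so it only nudges the score.
    elapsed = submitted_at - rendered_at
    if elapsed < 0:
        v.add(5, "submit time precedes render time")
    elif elapsed < MIN_FILL_SECONDS:
        v.add(3, f"form completed in {elapsed:.1f}s")
    # IP table: an address recorded from an earlier flagged attempt.
    if remote_ip in flagged_ips:
        v.add(5, "ip previously flagged")
    return v


def decide(verdict, reject_at=10, review_at=5):
    """Map a score to an action; the thresholds are assumptions."""
    if verdict.score >= reject_at:
        return "reject"
    if verdict.score >= review_at:
        return "review"
    return "accept"
```
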

