Nick Swinford

October 02 2017

Spam accounts

I got my first spammer today. They created 3 accounts and about 1,200 groups on my site.

https://www.getanahita.com/photos/162831

Any recommendation on how to stop these guys?

Rastin Mehr
October 02 2017
Oh wow, any idea how they got in? Was it a single author who created all the groups? Do you think Google reCAPTCHA will stop them?
Nick Swinford
October 02 2017
It was three user accounts. Whenever we closed one, they registered a new one. I think it was a real person creating the accounts because they didn't make a ton of those. Then they used a bot to auto-create the groups, so I disabled group creation.

Idk, I can try implementing it on the registration form, but not sure if it's a real person registering.
Rastin Mehr
October 02 2017
We never had such a scenario until now!

Google reCAPTCHA seems to be quite efficient in stopping bots from registering or logging in. Once they log in, they can use a bot or Chrome app to make REST calls and create new groups.

Also, are you using Cloudflare? They filter out a lot of bot traffic before it can reach your website.

I'd start with putting in Google reCAPTCHA on both registration and login forms: https://developers.google.com/recaptcha/docs/invisible
https://developers.google.com/recaptcha/docs/verify
Rastin Mehr
October 03 2017
You can also build an app that puts a limit on the number of POST requests one can do per day or hour.
Greg Willson
October 03 2017
Also, could the three users be associated with a certain IP range, browser configuration, etc.? You could filter against such a pattern, if one existed, in the signup form procedure.
Rastin Mehr
October 03 2017
Also try limiting your server's Access-Control-Allow-Origin to all the requests coming from your domain only.
Rastin Mehr
October 03 2017
Another approach is only allowing members who meet certain criteria to create groups. For example, those who have gained some followers on their profiles as well as comments and likes on their posts.
Nick Swinford
October 04 2017
We currently have an SPA that connects to the Anahita API and requires access-control-allow-origin to be set pretty widely. I might be able to make it a bit stricter.

That second option is a possibility. Would be an interesting application for #gamification.
Rastin Mehr
October 05 2017
You can also allow only verified accounts to create groups. That's a good way too.
Rastin Mehr
October 07 2017
For those who are following this topic, the implementation of reCaptcha is happening here: https://www.getanahita.com/topics/162886-developing-a-google-recaptcha-plugin
Rastin Mehr
October 21 2017
Update on this topic. We have implemented a Google reCAPTCHA plugin which protects your Anahita installation from bot attacks. It uses the invisible reCAPTCHA, which is the more subtle and advanced version. https://github.com/anahitasocial/anahita/tree/master/packages/reCaptcha

You need to sign up for the reCAPTCHA service and obtain a key and secret code for the plugin to work: https://www.google.com/recaptcha/intro/

The plugin protects the registration, login, and add group forms.
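
Added example, not part of the thread and not Anahita code: a sketch of the per-hour POST limit suggested above, keyed by account and also by source network, so that registering a replacement account from the same address range does not reset the budget. The class and function names, the limits (5 per account, 10 per /24 per hour) and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

class PostLimiter:
    """Sliding-window limit on POST requests, keyed by account and by source network."""
    def __init__(self, per_account=5, per_network=10, window=3600, prefix=24):
        self.per_account = per_account   # assumed limit: POSTs per account per window
        self.per_network = per_network   # assumed limit: POSTs per network per window
        self.window = window             # window length in seconds (one hour)
        self.prefix = prefix             # IPv4 prefix length used to group addresses
        self.hits = defaultdict(deque)   # key -> timestamps of accepted requests

    def _network(self, ip):
        addr = ipaddress.ip_address(ip)
        prefix = self.prefix if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def _count(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # drop hits older than the window
            q.popleft()
        return len(q)

    def allow(self, account_id, ip, now):
        keys = [(("acct", account_id), self.per_account),
                (("net", self._network(ip)), self.per_network)]
        if any(self._count(k, now) >= limit for k, limit in keys):
            return False                 # rejected requests are not recorded
        for k, _ in keys:
            self.hits[k].append(now)
        return True

def replay(limiter, requests):
    """Return how many requests from each account were accepted."""
    accepted = defaultdict(int)
    for account_id, ip, ts in requests:
        if limiter.allow(account_id, ip, ts):
            accepted[account_id] += 1
    return dict(accepted)

# Constructed sample: three accounts on one /24 sending 1,200 group-creation
# POSTs within an hour (the case in this thread), then one ordinary member.
SAMPLE = [(f"spam{i % 3}", f"203.0.113.{10 + i % 3}", i * 2) for i in range(1200)]
SAMPLE.append(("member", "198.51.100.7", 2400))
```

Replaying `SAMPLE` through `PostLimiter()` accepts 10 of the 1,200 bot requests in total, because the network budget is shared across the three accounts, while the unrelated member is unaffected.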
