OzBargain under Spam Bot Attack

scotty on 29/04/2013 at 2:33 pm, filed under OzBargain

Here are some reports from the developers :) OzBargain has been under a spam bot attack over the last couple of weeks. We first discovered the attack around mid-April, and through our new account creation logs, we found:

  • Lots of new accounts were created with weird-sounding names and strange-looking @hotmail addresses, originating from all over the world.
  • Most newly created accounts never logged in. However, for the few that did manage to come back, the first thing they did was update their user profile to include a link to their spammy website (or sites loaded with malware, which I didn’t dare to try).
  • Going through our webserver logs reveals that they are hitting only the pages and none of the other assets (JavaScript, CSS, images, etc.). That pretty much confirms that these are “bots”.

We do utilise Google’s reCAPTCHA on the user registration page to stop the bots, but our incident makes it obvious that reCAPTCHA is broken or can be easily defeated. The spam bots, however, aren’t very smart either. All of them use “Firefox/13.0”, a 10-month-old browser, as their user-agent. So I ended up just blocking all Firefox 13 at the web server level and was done with it. That stopped the spam account creation pretty much straight away, although it also caused some false positives.
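A minimal version of the log check described in the list above (clients that request pages but never any assets), with the user-agents of the flagged clients tallied. This is an added example, not OzBargain's own detection code; the "combined" log format, the paths such as `/user/register`, the IP addresses and the `min_pages` threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in "combined" access-log format (not real OzBargain logs).
FF13 = "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0"
FF20 = "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0"
SAMPLE_LOG = "\n".join(
    f'{ip} - - [20/Apr/2013:10:00:{i:02d} +1000] "{req} HTTP/1.1" 200 512 "-" "{ua}"'
    for i, (ip, req, ua) in enumerate([
        ("203.0.113.7", "GET /user/register", FF13),    # pages only
        ("203.0.113.7", "POST /user/register", FF13),
        ("198.51.100.23", "GET /user/register", FF13),  # pages only
        ("198.51.100.23", "POST /user/register", FF13),
        ("192.0.2.50", "GET /user/register", FF20),     # page plus its assets
        ("192.0.2.50", "GET /misc/site.css", FF20),
        ("192.0.2.50", "GET /misc/jquery.js?v=1", FF20),
        ("192.0.2.50", "POST /user/register", FF20),
    ])
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# File extensions treated as static assets (assumed list; adjust to the site).
ASSET_RE = re.compile(r'\.(?:js|css|png|jpe?g|gif|ico|svg|woff2?)(?:\?.*)?$', re.I)

def pages_only_clients(log_text, min_pages=2):
    """Return {ip: [user-agents]} for clients with page hits but zero asset hits."""
    pages, assets = Counter(), Counter()
    agents = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ip = m["ip"]
        agents[ip].add(m["ua"])
        if ASSET_RE.search(m["path"]):
            assets[ip] += 1
        else:
            pages[ip] += 1
    return {ip: sorted(agents[ip]) for ip, n in pages.items()
            if n >= min_pages and assets[ip] == 0}

def shared_agents(flagged):
    """Count how many flagged clients present each user-agent string."""
    return Counter(ua for uas in flagged.values() for ua in uas).most_common()

if __name__ == "__main__":
    flagged = pages_only_clients(SAMPLE_LOG)
    print(flagged)
    print(shared_agents(flagged))
```

A returning visitor with cached assets, or a site that serves its assets from another host, will also show page hits without asset hits, so this signal is best combined with others (such as the registration path and a shared user-agent) before blocking.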

Fast forward two weeks and on inspection of our new account creation logs, spam bot accounts are back again! It’s pretty much the same pattern, except they have smartened up and changed the user-agent to the latest Chrome! Well, due to similar behaviour, they are still easy to spot and block. We have been running some new spambot detection code on the user registration page for the last 3 days, and here are some of the stats that we have collected:

Average number of account creation attempts per hour — **320**. That’s 5.3 account creation attempts by spam bots every minute.

Three biggest offending countries — Ukraine, United States and China. Mostly from residential broadband addresses so most likely part of some spambot network.

Going forward, we’ll continue to monitor new accounts for abnormal activities.
