OzBargain under Spam Bot Attack

scotty on 29/04/2013 at 2:33 pm, filed under OzBargain

Here are some reports from the developers :) OzBargain has been under spam bot attack over the last couple of weeks. We first discovered the attack around mid-April, and through our new account creation logs, we found:

  • Lots of new accounts were created with weird-sounding names and strange-looking @hotmail addresses, originating from all over the world.
  • Most newly created accounts never logged in. However, for the few that did manage to come back, the first thing they did was to update their user profile to include a link to their spammy website (or sites loaded with malware, which I didn’t dare to try).
  • Going through our webserver logs reveals that they are hitting only the pages and none of the other assets (JavaScript, CSS, images, etc). That pretty much concludes that these are “bots”.

We do utilise Google’s reCAPTCHA on the user registration page to stop the bots, but from our incident obviously reCAPTCHA is broken or can be easily defeated. The spam bots, however, aren’t very smart either. All of them are using “Firefox/13.0”, a 10-month-old browser, as their user-agent. So I ended up just blocking all Firefox 13 at the web server level and was done with it. That stopped the spam account creation pretty much straight away, although it also caused some false positives.

Fast forward two weeks and on inspection of our new account creation logs, spam bot accounts are back again! It’s pretty much the same pattern, except they have smartened up and changed the user-agent to the latest Chrome! Well, due to similar behaviour, they are still easy to spot and block. We have been running some new spambot detection code on the user registration page for the last 3 days, and here are some of the stats that we have collected:

Average number of account creation attempts per hour — **320**. That’s 5.3 account creation attempts by spam bot every minute.

Three biggest offending countries — Ukraine, United States and China. Mostly from residential broadband addresses so most likely part of some spambot network.

Going forward, we’ll continue to monitor new accounts for abnormal activities.
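The two log signals described above (clients that request pages but never any assets, and one user-agent shared across them) can be checked together. The following is an added example, not OzBargain's detection code; the registration path, the combined log format, the asset extensions and all sample traffic are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

REGISTER_PATH = "/user/register"  # assumed registration URL, not from the post
FF13 = "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0"
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"
def entry(ip, method, path, ua):  # builds one constructed combined-log line
    return f'{ip} - - [26/Apr/2013:10:00:00 +1000] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample traffic (documentation IP ranges), not real OzBargain logs.
SAMPLE_LOG = "\n".join([
    entry("203.0.113.5", "GET", REGISTER_PATH, FF13),    # bot: pages only
    entry("203.0.113.5", "POST", REGISTER_PATH, FF13),
    entry("198.51.100.23", "GET", REGISTER_PATH, FF13),  # bot: pages only
    entry("192.0.2.10", "GET", REGISTER_PATH, CHROME),   # browser: loads assets
    entry("192.0.2.10", "GET", "/misc/jquery.js?v=1.4", CHROME),
    entry("192.0.2.44", "GET", REGISTER_PATH, FF13),     # real user on old Firefox
    entry("192.0.2.44", "GET", "/themes/site/style.css", FF13),
])

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                     r'(?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
ASSET_RE = re.compile(r"\.(?:js|css|png|jpe?g|gif|ico|svg|woff2?)$", re.I)

def summarise(log_text):
    """Per client IP: page hits, asset hits, registration hits, user-agents seen."""
    clients = defaultdict(lambda: {"pages": 0, "assets": 0, "register": 0, "ua": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        path = m["path"].split("?", 1)[0]
        c = clients[m["ip"]]
        c["ua"].add(m["ua"])
        if ASSET_RE.search(path):
            c["assets"] += 1
        else:
            c["pages"] += 1
            c["register"] += path == REGISTER_PATH
    return clients

def suspects(log_text):
    """IPs that requested the registration page but never fetched any asset."""
    return sorted(ip for ip, c in summarise(log_text).items() if c["register"] and not c["assets"])

def suspect_user_agents(log_text):
    """Tally user-agents across suspect IPs; one dominant value is a fingerprint."""
    clients = summarise(log_text)
    return Counter(ua for ip in suspects(log_text) for ua in clients[ip]["ua"])
```

In the sample, the Firefox 13 visitor at 192.0.2.44 loads a stylesheet and is not flagged, whereas a blanket user-agent block would have caught it as a false positive. Clients with fully cached assets or with asset loading disabled can still trip the no-assets check, so treat it as one signal among several.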

5 Comments

  1. cdg:

    Seems like quite a bit of this is happening recently

    ala

    http://mashable.com/2013/04/26/ddos-attack-visualized/

    30/04/2013 @ 8:37 pm
    • Not really DDoS — more like spammers trying to spam OzBargain with their dodgy links. Although with a real DDoS OzBargain won’t stand a chance…

      01/05/2013 @ 11:31 am
  2. Davo1111:

    Nice one scotty. Have you considered posting your own captcha? say a blurry photo of parliament house (can’t be reverse image searched), or even completing a sentence?

    You also might want to check the IPs with the tor or known proxy networks. See if you can block it that way

    17/05/2013 @ 1:39 pm
    • I am doing security by obscurity at the moment :)

      In this case it’s probably a botnet as there’s a large variety of countries. But yeah, proxy servers have always been an issue, with spammers logging in through Australian proxy servers to bypass some of our checks.

      17/05/2013 @ 2:09 pm
  3. I agree. My site experienced the same traffic explosion about a month ago…It appears they were coming through proxy servers also.

    20/06/2013 @ 10:53 am
