1. Howdy! Welcome to our community of more than 125.000 members devoted to web hosting. This is a great place to get special offers from web hosts and post your own requests or ads. To start posting sign up here. Cheers! /Peo, FreeWebSpace.net
    Dismiss Notice
  2. Add your web host to our brand new web hosting directory (beta).
    Dismiss Notice

That was fast for the first day listed

Discussion in 'Free hosting discussions' started by ttb62, Nov 8, 2011.

  1. ttb62

    ttb62 New Member

    The first day listed on freewebspace.net and the sign ups start. I used a simple contact form for sign up. some sent two or three duplicate request. Mostly from China. Most requested hosting for a sub domain. Then I realized they might be live spammers. So that's not going to work. I am getting traffic, but I moved the sign up to a forum. Maybe I can weed out the ones who actually want hosting for there domain. The package is so small a user will have to know how to use it. A script like wordpress is just to big for it. But I got traffic already.

  2. Seraphim

    Seraphim Active Member

    Welcome to FWS.

    I noticed this too, every time I make a hosting offer for a few days after that I get 2-3 signups a day originating from Chinese and Russian address space with bot-like info. Unfortunately enough hosts use automatic activation and these bots actually do succeed in getting live accounts.

    Not sure though if there is anything that can be done about it here at FWS, but filtering the signups is relatively effective if time consuming.
  3. wswd

    wswd Premium Premium Member

    I get these all the time, at least 20-30 per day. It's just a matter of thorough checking by your staff. Many are attempting to get smart and are using US addresses and American names...even US proxies. Just have to be really careful and use due dilligence.
  4. Trel

    Trel Zen NLC

    There are a number of different things you can do to help filter your new signups.

    - MaxMind MinFraud checking - http://www.maxmind.com/app/ccfd_promo?promo=WHMCS4562

    1000 basic queries per month are free and additional queries are as little as $0.005 per query for standard.

    - Use GeoIP blocking to protect your signup page. You can simply block all Russian, Chinese, etc IPs from every reaching your signup page without blocking them server wide.

    - Use two or more separate captcha tests that will be difficult for robots to bypass.

    http://www.recaptcha.net/ and custom questions such as "What is the third word in second paragraph on our Terms of Service page?" might be a good start.

    - Check the signup IP against DNSBL of known problem and proxy IPs and block access to the page to any known bad IPs.
  5. Peo

    Peo Administrator Staff Member Admin

    Some good advice there. But I wouldn't make it too hard to sign up as people are kind of tired of all the forms and captcha they have to enter for everything. Out of curiousity, anyone tried requiring signup using facebook connect? I imagine that would reduce spam bots? And it would make it easy to sign up.
  6. Trel

    Trel Zen NLC

    MaxMind checking is offloaded to the billing software (WHMCS, Hostbill, Blesta, etc), GeoIP/DNSBL blocking is handled via Apache extensions such as mod_security and mod_httpbl, and the two captcha tests are only shown on one form one time at signup taking an extra 5 - 10 seconds while they read the Terms of Service and Forum Rules. 90% of it is transparent to the user.

    Leaving aside Facebook's extremely poor track record on privacy, Facebook's own signup form uses recapthca.net and email address verification. Beyond that there is no additional confirmation at signup. I don't consider the methods mentioned above to be very difficult from a user perspective. Compared to SMS verification for many Google services, copy and pasting a confirmation code from a linked page is simple.
  7. Peo

    Peo Administrator Staff Member Admin

    Ok, but if you already have a Facebook account you don't have to enter captcha or verify your email.
  8. TaoPhoenix

    TaoPhoenix Well-Known Member NLC

    Trel's post sounds like it has a lot of info though. I tried to mod him but "have to spread more"
  9. Seraphim

    Seraphim Active Member

    Incidentally since I posted this, they appear to be coming more frequently. I'm up to 5 a day now, with more and more of them having japanese IPs.
  10. ttb62

    ttb62 New Member

    I do not think its bots signing up any more I think it live people. I was getting five of the same sign up put in some java to clear the form fields and some anti spam and the sign ups went way down. blocked some IP's also.
  11. sander k

    sander k Well-Known Member NLC

    What software are you guys using? I don't have any problems with WHMCS, but then I am not a free host.
  12. Seraphim

    Seraphim Active Member

    I wrote my own software for this. Going to be giving it another security shakedown soon, since they seem to have found a way into it again.

    But I also have my eye on some new coding techniques that I was perfecting over the weekend, so it's possible that I have another solution to this problem.
  13. ttb62

    ttb62 New Member

    Just a php contact form. no where near as bad since I clear the form fields on page load. I think they were just hitting the back button and resubmitting.
  14. cassiejmiller

    cassiejmiller New Member

    That could be one. Not a secure site for me.
  15. ttb62

    ttb62 New Member

    what do you mean the php contact form is not a secure site?
  16. Seraphim

    Seraphim Active Member

    Even if you are sending it via HTTPS, spambots will figure out what values to put in for the fields of a http post or http get, and will blindly post data to it once it is figured out how to make it accept data.

    Many of these will even use any sort of activation email that you try to send in order to further their goals.

    Not only that, but if you leave any kind of vulnerability such as MySQL injection or XSS based exploits, they will eventually discover and begin to use them.

    On mine I use a HTTPS post and email activation, and even with input filtration to prevent a SQL injection I still get a bunch of obviously spam signups every day. The only really foolproof way to stop them is to actually talk to the client before accepting their registration, that way you can get a feel for what to expect from them and they know you are paying attention to your equipment.
  17. ttb62

    ttb62 New Member

    Its just a simple form to mail. no database with trim() stripslashes() htmlspecialchars(), a simple anti spam and a hidden anti spam feature. there is no security issues and no spam any more. so I still wonder what was meant by "not a secure site". There is never a request for finical information or personal. sure would like to hear his/her reasoning behind the statement.
    Last edited: Dec 9, 2011
  18. vServer Center

    vServer Center New Member

    WOW the spam bots have gotten really advanced when they know to check the e-mail address and click the link. I guess this is why I see so many of those type the letters from this image tests.
  19. Trel

    Trel Zen NLC

    That is very true. I have started to look at this again and it seems to be a valid way to increase signups. Implementing Facebook Connect, Google/Yahoo OAUTH, and a few others for European users should reduce the barrier to entry considerably. I still think that having a secondary confirmation layer for hosting account signups will be required. Google and Facebook have already pioneered SMS confirmation for their services so that seems like a reasonable course to take.
  20. Expo

    Expo New Member

    Just a random idea I just came up with:

    How about you guys try this to prevent spam bots, "An E-mail Image Captcha", isn't it brilliant ? :D

    So, my idea is, to generate a random code with PHP and use some somewhat distorted font to do it, to prevent OCR and still keep it within the limits of human readability, save that text to MySQL/whatever database you use, and then generate a random, unique file name send the image in an email along with the link to the activation code for that email, which in turn will check against the MySQL data for a match in the codes, tell me what you think. :wave:

Share This Page