Tuesday, June 11, 2024

Re: Rate limit the httpd web server for signup requests

On 2024-06-11 15:41, Martin wrote:
> I already do some rate limiting with stateful tracking options for PF,
> which works really great for the stuff I use it for.
>
> I also use block lists of known bad IP addresses etc.
>
> But what useful methods exist that prevent spamming an HTML signup form
> from stuffing the database with useless signups?
>
> Naturally the accounts that haven't been validated one way or another
> get deleted, but the initial signup is a problem as thousands upon
> thousands of requests are stored before deletion.
>
> I have tried blocking by IP, but this is difficult as the IP changes
> faster than it can be blocked.
>
> The User Agent is spoofed with random garbage.
>
> Honey pot empty hidden fields get detected and ignored.
>
> Randomly generated form IDs that get submitted and validated using a
> session cookie also don't work as the cookie is just stored and then
> sent along.
>
> A simple CAPTCHA reduces some of the irrelevant noise, but the more
> sophisticated bots solve the CAPTCHA.
>
> Using Cloudflare's or Google's CAPTCHA is frowned upon by the real
> users, which I fully understand.
>
> So I was wondering, if some other clever method can reduce the noise?

I haven't tried it and I'm not sure how useful it is in your case, but
mCaptcha uses proof of work.

https://mcaptcha.org/

Paul
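To make the proof-of-work idea concrete, here is an added example of a stateless signup challenge in Python. It is not code from the thread and not mCaptcha's implementation: the server embeds an HMAC-signed challenge in the form, the browser must find a nonce whose SHA-256 hash with that challenge has a given number of leading zero bits, and the server verifies the signature, expiry, replay and work before it touches the database. The key, difficulty, lifetime, the binding of the challenge to the client IP and the in-memory replay set are all assumptions made for the example.

```python
"""Stateless proof-of-work challenge for a signup form (added example, not from
the thread or from mCaptcha). Assumed design: the server signs a challenge,
the client brute-forces a nonce, the server verifies cheaply.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

SERVER_SECRET = os.urandom(32)      # assumption: per-process key; rotate it in a real deployment
DIFFICULTY_BITS = 16                # assumption: ~2^16 hashes on average per signup
CHALLENGE_TTL = 300                 # assumption: seconds a challenge stays valid
_used_challenges: set = set()       # replay protection; a shared store with TTL expiry in practice


def issue_challenge(client_ip: str, now: Optional[float] = None) -> str:
    """Return 'ts:salt:mac'. The MAC binds the salt to issue time and client IP,
    so the server keeps no state per issued challenge."""
    ts = int(now if now is not None else time.time())
    salt = os.urandom(16).hex()
    mac = hmac.new(SERVER_SECRET, f"{ts}:{salt}:{client_ip}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{ts}:{salt}:{mac}"


def _leading_zero_bits(digest: bytes) -> int:
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def meets_difficulty(challenge: str, nonce: int, difficulty: int = DIFFICULTY_BITS) -> bool:
    """True if sha256(challenge:nonce) starts with at least `difficulty` zero bits."""
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return _leading_zero_bits(digest) >= difficulty


def solve_challenge(challenge: str, difficulty: int = DIFFICULTY_BITS) -> int:
    """Client side: linear search for a valid nonce. This is the cost every
    submitter, human browser or bot, pays before the form is accepted."""
    nonce = 0
    while not meets_difficulty(challenge, nonce, difficulty):
        nonce += 1
    return nonce


def verify_submission(challenge: str, nonce: int, client_ip: str,
                      now: Optional[float] = None,
                      difficulty: int = DIFFICULTY_BITS) -> bool:
    """Server side: one HMAC and one SHA-256, rejecting forged, expired,
    replayed or unsolved challenges before any database write."""
    try:
        ts_str, salt, mac = challenge.split(":")
        ts = int(ts_str)
    except ValueError:
        return False                                  # malformed challenge
    expected = hmac.new(SERVER_SECRET, f"{ts}:{salt}:{client_ip}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False                                  # forged, or issued to another IP
    current = now if now is not None else time.time()
    if not (ts <= current <= ts + CHALLENGE_TTL):
        return False                                  # expired (or clock skew)
    if challenge in _used_challenges:
        return False                                  # solution replayed
    if not meets_difficulty(challenge, nonce, difficulty):
        return False                                  # work not done
    _used_challenges.add(challenge)                   # burn it only after all checks pass
    return True


if __name__ == "__main__":
    ip = "203.0.113.7"                                # constructed sample client
    c = issue_challenge(ip)
    n = solve_challenge(c)
    print("nonce", n, "accepted:", verify_submission(c, n, ip))
    print("replay accepted:", verify_submission(c, n, ip))
```

The point of the design is asymmetry: the server does two hash operations per submission and stores nothing until the work is shown, while the client must average 2^DIFFICULTY_BITS hashes. That does not stop a determined bot, it only makes each useless signup cost CPU time, so the difficulty should be raised under load and the replay set has to expire entries after CHALLENGE_TTL or it grows without bound.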
