Scammers and spammers

Posted on 2010-01-08 14:14

Some of the sites I run are database-driven and allow a lot of user interaction. For users to participate on these sites at some elevated level, with rights to create, modify, or delete content, I usually set the system to require email authentication. Since most of my sites are fairly low traffic, dealing with new applications for user accounts hasn't been too taxing, but even with CAPTCHA in place (which makes you type in the funky letters you see) there are still plenty of obviously bogus applications.

For instance, one of my sites is set up for a local group of re-enactors. This site is obviously about history and of interest mainly to a group of people who live local to each other, but I continually get applications from people in Eastern Europe or with obviously bogus or completely unrelated information. The instructions for what to fill in on the application are pretty clear, so when I see fields filled out listing an applicant's interest in sports or fast cars as the reason for joining the site, or with what looks to be a lot of random characters, it's obvious that it's just a script running which is filling in the fields automatically. If I were to allow the application, the scammer's thinking is that they would then have gained permissions on the site and the next step would be either to:

  • post a lot of comments with links to web-based viruses or their real or scam advertising businesses, which make fractions of a cent for each "impression" (page load) from Google or Yahoo or some other service
  • or it's possible that the fake user would then attempt to attack the site directly by making posts on the site which try to exploit vulnerabilities in the code of the website. When you run popular blogging software like WordPress the likelihood of this increases, and updates are constantly released to combat this, but they take time and scammers know that not all the sites will be updated immediately.

As a result, I'm fairly paranoid about approving any application at all until I know for sure that I'm dealing with a real person who isn't just going to turn the account into a platform to launch attacks.

The interesting thing here to me is that even with all the technology involved, it's still fairly easy for a human to spot this kind of thing. This could be evidence of poor coding skills on the part of the scammer, since it doesn't seem like it would be all that hard to write a script that doesn't suck and auto-applies for an account on hundreds of sites at a time. A lot of this stuff has been done by kids, sometimes referred to as script kiddies, with remedial English abilities, since a lot of them are launching their attacks from Eastern Europe. It may just be easy to spot due to the fact that they're trying to cast a wide net with a program and aren't phishing sites one by one. If someone really wanted an account on any of my sites and took 5 minutes to figure out what was actually relevant information to the site, it would probably be easy to fool me. Of course they'd be banned at the first evidence of a non-relevant post, but they'd have gotten their foot in the door.