Ask HN: I have so many 'bots' signing up to my site. Why?

4 points by nirkalimi 2 years ago · 6 comments · 1 min read


Hello HN,

Was wondering if anyone else has seen this type of activity on any of the projects they have worked on, and/or know what is going on.

My friends and I have a small community site for content creators to discuss news (think of it like hn but for content creators specifically)[0].

Recently, I have seen a ton of accounts being registered with our email and pw option (the only option). This was very strange considering we are a really small community, and most of our registrations are high quality people at a slow rate through word of mouth. After looking into it, I noticed that all the accounts had usernames like "jDwJeVTQEaP" with a variety of @gmail and @yahoo emails associated with them. There have been 100s of them registered over the course of a week.

These accounts have no activity, mostly because they cannot log in due to needing to be verified via email first. So these accounts are pretty much just shells.

So I am trying to understand what the point of all this is for the account creation spammer? What would you do in my situation to mitigate this?

[0] https://www.cbx.gg/

PaulHoule 2 years ago

A long time ago I was into what I called "aggressive content syndication" and I wrote a script that (over the course of two months) made several thousand users on an active developer's forum that didn't require email verification to make an account.

I made a lot of effort to make believable profiles for the users, they had first and last names randomly chosen out of a database and profile pics too, though I made no effort to match the pics with the name of the user (e.g. nationality, gender, etc.)

I had the users randomly upvote stories so if you looked at the upvote profile of the users it would look pretty normal. However when I finished a blog post I would have the system choose maybe 20-50 users to upvote my post and my post would go right to the top and usually get a large number of what I called "volunteer" upvotes.

I lost the database that had the users in a hard drive crash so that was the end of that project.

Note adding users at a high rate (usually many per second) is one of the more efficient ways to crash a web site because the users table in the database is frequently very active.

----

Generally people like to spam links into forums and any place where it is possible to insert links and personally I don't believe it matters much if the links are "nofollow" or not.

Note it is more of a hassle to do this on a site that supports email verification, I used to set up highly interactive qmail servers that could do things like that but all the sign up emails would be on a limited number of domains that would stick out. I think the pro spammers have methods of creating large numbers of accounts at places like Google and Yahoo which are a great choice if you don't want your email addresses to stick out too much.

  • nirkalimiOP 2 years ago

    Thanks for the write up, that makes sense.

    I would have thought these 'spammers' would have given up because of verification, but it seems to continue despite many of the accounts not being verified yet. Perhaps they think they can verify later (which makes me think a TTL on verification emails is important), or that was an oversight completely on their end.

pestatije 2 years ago

They're trying to flag your domain as a spam source... once your emails are received they flag them as spam... with enough of those your domain will be in the blacklist.

  • nirkalimiOP 2 years ago

    Any recommendation to stop this? Perhaps only offer social sign on?

    • LinuxBender 2 years ago

      One possible option I have seen is to reverse the flow. Give people a code and have them email you that code to a dedicated MX end-point using a dedicated inbound-only email domain that only processes codes, discards attachments, discards anything else beyond a string + 16-digit code, and does not send bounces; also block outbound connections from this thing. Invalidate and prune the code after an hour or less to keep the clutter out of Redis or your DB in the event of bot-flooding-signups. Format the code in a way that cell phone users can easily copy/paste into email, or perhaps use javascript for that.

    • pestatije 2 years ago

      I'd try using a captcha, not perfect but they might give up... also worth trying to control the IP where those requests come from: duplicates would be suspicious, triplicates or more worth human attention.
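As an added example (not code from anyone in this thread), a small Python triage that implements two of the mitigations raised above: the per-IP rule from the comment just above (one sign-up is normal, a duplicate is suspicious, three or more go to a human) and the TTL on unverified sign-ups that the OP mentioned. The sign-up records are constructed for the example; the usernames follow the random-looking pattern the OP described.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample sign-up records: (username, email, source IP, ISO timestamp, verified).
# These are made up for the example, not real traffic from the site in the thread.
SIGNUPS = [
    ("jDwJeVTQEaP", "a1@gmail.com", "203.0.113.5", "2024-03-01T10:00:00", False),
    ("kQzRtYuWpLm", "b2@yahoo.com", "203.0.113.5", "2024-03-01T10:00:04", False),
    ("xHgVbNmQwEr", "c3@gmail.com", "203.0.113.5", "2024-03-01T10:00:09", False),
    ("oPlMkNjIuHb", "d4@gmail.com", "198.51.100.7", "2024-03-01T10:02:00", False),
    ("aSdFgHjKlQw", "e5@yahoo.com", "198.51.100.7", "2024-03-01T10:02:03", False),
    ("creator_jane", "jane@example.org", "192.0.2.44", "2024-03-01T11:30:00", True),
]


def triage_by_ip(signups):
    """Apply the per-IP rule from the thread: one sign-up per IP is normal,
    a duplicate is suspicious, three or more are queued for human review."""
    counts = Counter(rec[2] for rec in signups)
    levels = {}
    for ip, n in counts.items():
        if n >= 3:
            levels[ip] = "human_review"
        elif n == 2:
            levels[ip] = "suspicious"
        else:
            levels[ip] = "ok"
    return levels


def prune_expired(signups, now, ttl=timedelta(hours=1)):
    """Split records into (kept, pruned). An unverified sign-up older than the
    TTL is pruned, so shell accounts cannot be verified later and stop piling
    up in the DB. Verified accounts are never pruned here."""
    cutoff = now - ttl
    kept, pruned = [], []
    for rec in signups:
        created = datetime.fromisoformat(rec[3])
        expired = (not rec[4]) and created < cutoff
        (pruned if expired else kept).append(rec)
    return kept, pruned


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-01T11:45:00")
    print(triage_by_ip(SIGNUPS))
    kept, pruned = prune_expired(SIGNUPS, now)
    print(len(kept), "kept,", len(pruned), "pruned as expired unverified")
```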
