Reputation: 6117
I noticed that this email address [email protected] compromised my site and sent a message (not an email; it used the site's messaging app) to every member on the site. It registered and activated its membership through email. I ran a Google search on the email, and all the results on the first page showed other websites where the same email address had sent exactly the same message that it sent to members on my site.
Please, has anyone encountered this attack before? And what are the ways I could use to prevent further similar attacks on my sites? Thank you.
My website was developed with PHP and MySQL.
Upvotes: 2
Views: 369
Reputation: 9736
Use Google captcha. Even humans sometimes are not able to understand it ;) http://www.google.com/recaptcha
Also, it is good practice nowadays to confirm registration by SMS. Some services provide this for free! (They add little ads in the text.) Works perfectly.
After this step you can implement a ban system, and it will be much harder to create fake accounts to do bad things on your website.
Upvotes: 8
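An added example of the captcha part of the answer above (this is not code from the answer or from Google): the reCAPTCHA widget on its own proves nothing, the form handler has to POST the submitted token to Google's siteverify endpoint and act on the JSON verdict. The endpoint and the `success`, `hostname` and `challenge_ts` fields are Google's documented API; the hostname `www.example.com`, the secret placeholder and the constructed verdict in the demo are assumptions. The HTTP transport is passed in as a callable so the file runs offline; in production pass the real `postForm()`.

```php
<?php
// Added example, not code from the original answer or from Google.
// Server-side check of a reCAPTCHA token. The transport is injected so this
// runs offline against a constructed verdict; pass postForm() in production.

declare(strict_types=1);

const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
const OUR_HOSTNAME = 'www.example.com';   // assumed; the domain the site key is registered for

/** Real transport: form-encoded POST, returns the raw response body ('' on failure). */
function postForm(string $url, array $fields): string {
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
        'timeout' => 5,
    ]]);
    $body = file_get_contents($url, false, $ctx);
    return $body === false ? '' : $body;
}

/**
 * True only if Google reports success AND the challenge was solved on our
 * hostname AND the solve is recent. Any malformed response fails closed.
 */
function recaptchaPassed(string $secret, string $token, string $remoteIp,
                         callable $transport, int $now, int $maxAgeSeconds = 120): bool {
    if ($token === '') {
        return false;                       // widget not completed at all
    }
    $raw = $transport(RECAPTCHA_VERIFY_URL, [
        'secret'   => $secret,
        'response' => $token,               // value of the g-recaptcha-response form field
        'remoteip' => $remoteIp,
    ]);
    $verdict = json_decode($raw, true);
    if (!is_array($verdict) || ($verdict['success'] ?? false) !== true) {
        return false;
    }
    // A token solved on another site's page (or replayed from one) is rejected.
    if (strcasecmp((string)($verdict['hostname'] ?? ''), OUR_HOSTNAME) !== 0) {
        return false;
    }
    // challenge_ts is ISO 8601; do not accept an old solve indefinitely.
    $solvedAt = strtotime((string)($verdict['challenge_ts'] ?? ''));
    if ($solvedAt === false || $now - $solvedAt > $maxAgeSeconds) {
        return false;
    }
    return true;
}

// Demo: a constructed verdict standing in for Google's response (not a real reply).
$fakeTransport = function (string $url, array $fields): string {
    return json_encode([
        'success'      => true,
        'challenge_ts' => '2024-01-01T12:00:00Z',
        'hostname'     => 'www.example.com',
    ]);
};
$now = strtotime('2024-01-01T12:00:30Z');
$ok = recaptchaPassed('SECRET_KEY_PLACEHOLDER', 'token-from-g-recaptcha-response',
                      '203.0.113.5', $fakeTransport, $now);
echo $ok ? "captcha accepted\n" : "captcha rejected\n";
```

The hostname and freshness checks are what stop a bot farm from solving captchas on its own page and replaying the tokens against your form; a handler that only looks at `success` misses both. The SMS step in the answer is a third-party service call and is not shown here.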
Reputation: 9427
Captcha is one thing among many others, but one that, added to captcha, will mostly keep them away: register in the database the unix time of each message sent for that user, set a value for $timeBetweenMessages, for example 60 (seconds), and each time someone wants to send a message, if $timeBetweenMessages has not passed then they need to wait. Usually all "hackers" look for a way to do things fast and leave; no sane "hacker" will stay on your website to send messages at every $timeBetweenMessages interval.
Upvotes: 2
Reputation: 139
You can try some things:
a. Check the referrer on form posts, and deny posts from other URLs (to tell whether the form was posted from your website or from a remote script).
b. Use captcha images (I really don't like them).
c. Limit posts per account per day or per minute.
Hope this helps you.
Upvotes: 2