Paul Dessert

Reputation: 6389

Sending SPAM bots to a blackhole

I have a few forms on my site that have been getting hammered by SPAM bots lately. I've finally got it under control (without the use of a captcha).

Basically, I'm checking the form for various flags. If detected, I simply redirect their request to Google.

Is there a way to redirect the bot either back to its IP address, or some kind of infinite loop that will possibly slow it down, or at least cause a minor headache for the person behind it?

CLARIFICATION:

I am already blocking the SPAM, I'm looking for a clever way to irritate the spammer once I redirect them.

Upvotes: 7

Views: 8134

Answers (5)

marcus

Reputation: 730

This is what worked for me from one day to another:

I set this invisible form field that bots fill out with gibberish and if it was filled, I didn't process the form and just returned a success page.

But the posting to this particular form grew on a daily basis. It started with 2 POST requests a day and at the end there were 20+ requests.

So TL;DR I send a 404 Not Found HTTP header on this particular page now. Humans and browsers don't see the difference, but as far as I observed, the bot checked the availability of the page first (HEAD request) - so the form was still there but how can the bot know when he gets a 404 back?

This turned the POST action of bots completely down so far. I know this solution doesn't work for pages that have to be visible for good bots (google etc) - but for a contact form or Login form it works fine.

Maybe one can whitelist "good" bots and send 404 for everyone?

Upvotes: -1

FlavorScape

Reputation: 14299

No.

Spam bots look for obvious email and comment forms. They won't do anything with a redirect. You could set up some server that is a spider trap full of email forms that don't work.

So, you would want auto URL generation mechanisms to define a site tree, with each new URL having another email form. You'd probably want to do this on a dedicated server.

But in the end NO. Think about it: how is your tiny little PHP server ever going to wear out zombies or a 64-core spam server in Russia?

I don't think you understand what a redirect even does. It sets a response code and says content moved 'here'. A spam bot won't care and probably won't do anything if there's no email form there.

If you really want to avoid spam, read this. You can trap them, but if you're dealing with zombies it's ultimately not going to matter. http://www.neilgunton.com/doc/?doc_id=8580

Upvotes: -2

powder

Reputation: 1173

Once one of my teachers told us that they developed a sort of anti-spambot honeypot. It was pretty simple, it redirected bots to a dynamically generated page which contained an infinite loop of fake addresses. The aims were two: keep them busy and fill their DB with unusable email addresses, damaging the spammers. This was just an idea, I don't know if it fits your needs but... it's worth the shot ^^ Of course, it's easier to simply drop spambot-related requests if you are able to identify them.

Upvotes: 3

PenguinCoder

Reputation: 4367

Technically it is still a captcha, but what about using a static 'general' question with your form.

What is the value of two plus two?

Check that field in your PHP script to ensure the answer is in fact correct. If it is not, stop processing!

Failing that, and if you have control over your firewall (and proper logging), start dropping requests from the most abusive IP addresses. Be warned though, this approach might make legit users unable to access your site!

Upvotes: 1
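The invisible form field from marcus's answer and the static question from this one can be checked together on the server. The following is an added example, not code from any answer on this page; the field names `website` (honeypot) and `human_check` (question) and the response texts are assumptions.

```php
<?php
// Added example. Field names "website" and "human_check" are assumptions.

// Return a trimmed string field, or null if missing or not a string
// (e.g. website[]=x arrives as an array).
function field(array $post, string $key): ?string
{
    $v = $post[$key] ?? null;
    return is_string($v) ? trim($v) : null;
}

// Classify a submission as 'accept', 'bot' or 'retry'.
function classify_submission(array $post): string
{
    // Honeypot: hidden with CSS, so a browser submits it as an empty
    // string. Filled, missing or non-string values are all flagged.
    if (field($post, 'website') !== '') {
        return 'bot';
    }
    // Static question: "What is the value of two plus two?"
    $answer = strtolower(field($post, 'human_check') ?? '');
    if (!in_array($answer, ['4', 'four'], true)) {
        return 'retry'; // may be a human typo, so ask again
    }
    return 'accept';
}

// Map a verdict to [HTTP status, body]. A flagged request gets the same
// success page as a real one, but the caller must not process it.
function respond(string $verdict): array
{
    if ($verdict === 'retry') {
        return [422, 'Please answer the question and submit again.'];
    }
    return [200, 'Thank you, your message has been sent.'];
}

// Constructed sample submissions (not real traffic).
$samples = [
    'human'         => ['website' => '', 'human_check' => ' Four '],
    'bot fills all' => ['website' => 'http://example.test', 'human_check' => '4'],
    'array payload' => ['website' => ['x'], 'human_check' => '4'],
    'wrong answer'  => ['website' => '', 'human_check' => '5'],
];
foreach ($samples as $label => $post) {
    $verdict = classify_submission($post);
    [$status] = respond($verdict);
    printf("%-14s verdict=%-6s status=%d process=%s\n",
        $label, $verdict, $status, $verdict === 'accept' ? 'yes' : 'no');
}
```

In a real handler, pass `$_POST` to `classify_submission()` and send mail or write to the database only on `accept`.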

FlavorScape

Reputation: 14299

You should be blocking these requests if you can identify them. Block their IP addresses on the server side.

Also, this thread is related to DOS attacks, but might be useful to you.

BOT/Spider Trap Ideas

Upvotes: 2
