When offering to create a profile (for example, login+pwd) for a web service, what are the best practices one should implement to avoid mass spamming/creation of fake profiles? I am thinking about email confirmation, captchas, etc... any other ideas that work in practice?
-
Have the user pay money to register :P – CodesInChaos Mar 03 '13 at 22:41
-
lol, ok, I mean for a free service – Jérôme Verstrynge Mar 03 '13 at 22:42
-
I'd suggest going to the WordPress plugin site and pick apart the various anti-spam plugins (my favorite is the Growmap one). Even if you aren't coding in PHP, you can pick up some good ideas from them. Most are a lot like Sunyatasattva's idea with little twists to break common auto-spammers. Of course, paid manual spamming will get through most of these traps, especially when not linked to an IP blacklist or the like. – jfrankcarr Mar 04 '13 at 03:46
-
As far as captchas go, http://areyouahuman.com/ are worth looking at; they (believably) claim to be harder for bots but easier & less frustrating for humans. – vaughandroid Mar 04 '13 at 16:39
3 Answers
A very good idea to avoid mass profile making without adding a captcha (let's admit it, even when you know they are for the good, captchas can be just annoying) is to make a hidden `<input>` element.
You check if this element is filled in: if it is, it usually means it was a bot; in this case you give the bot a false success message and just throw the data in the bin. In case it was not filled in (because no human would go look in your source code for hidden inputs), you process the data and register the user.

-
Sure that fools a stupid bot. However any decent hacker could still just look at a working registration and write a bot around that. – Tom Squires Mar 03 '13 at 22:48
-
clever! I like it. It would be tricky, but if you named this field `username`, and your actual username field something completely different, like `robert`, that would probably add an extra layer of tricky. Of course it doesn't stop someone who's simply automating the *browser*... – Wayne Werner Mar 03 '13 at 22:48
-
Also would screw over anyone using a screen reader. Not sure if that's important in your use case. – Tom Squires Mar 03 '13 at 22:49
-
@TomSquires — Most screen readers [**actually honour both `visibility: hidden` and `display:none`**](http://css-discuss.incutio.com/wiki/Screenreader_Visibility). – Sunyatasattva Mar 03 '13 at 22:58
-
And yes, of course, any really determined hacker could easily get around that. But that's why I suggested to add a fake *success response*, so that it would add another level of protection. This is not the best way to defend yourself, as I pointed out, but it is a method that doesn't hinder user experience: in a lot of free services, you just don't want to lose time in *yet another registration form*. – Sunyatasattva Mar 03 '13 at 23:03
-
Since username is common, would it be affected by the autofill features of some browsers or do those fields have to be visible? – JeffO Mar 04 '13 at 00:23
-
@TomSquires - I think he'd have to be a reasonably big target before any human attention was paid to him, wouldn't he? This trick would at least cut off the first layer of knuckleheads, keeping the spam accounts down to a more manageable amount. – Michael Kohne Mar 04 '13 at 02:27
-
@JeffO Perhaps he could do something like "usern@me". I'm not sure if that's legal (I bet it's not), the point is still there. Another option is perhaps to hot swap the field names before submission with some JS. Certainly you could use some kind of pseudorandom algorithm that would slow down a lot of hackers. – Ryan Amos Mar 04 '13 at 04:20
-
Messing with the field names will nail users who use form fillers. Just because a bot filled the form doesn't mean it's not a human trying to use it. – Loren Pechtel Mar 04 '13 at 04:27
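An added example (not code from the answer or its commenters) showing the honeypot field with the fake success response described above, while keeping the trap out of screen readers and browser form fillers as the comments discuss; the field name `website` and the response texts are assumptions.

```python
# Added example: honeypot input + server-side check with a fake success reply.
from dataclasses import dataclass

HONEYPOT_FIELD = "website"  # assumed trap name; bots tend to fill generic fields


def honeypot_input_html(field: str = HONEYPOT_FIELD) -> str:
    """Markup for the trap field. display:none keeps it out of most screen
    readers (see the css-discuss link in the comments); autocomplete="off"
    and tabindex="-1" keep browser form fillers and keyboard focus away."""
    return (
        f'<div style="display:none" aria-hidden="true">'
        f'<label for="{field}">Leave this field empty</label>'
        f'<input type="text" id="{field}" name="{field}" '
        f'autocomplete="off" tabindex="-1"></div>'
    )


@dataclass
class Decision:
    register: bool  # whether to actually create the account
    status: int     # HTTP status to send back
    message: str    # body shown to the client


SUCCESS_MSG = "Thanks! Check your email to confirm your account."  # assumed


def handle_signup(form: dict, field: str = HONEYPOT_FIELD) -> Decision:
    """If the trap is filled, answer exactly like a real success and discard
    the submission; otherwise validate and register as normal."""
    if form.get(field, "").strip():
        return Decision(register=False, status=200, message=SUCCESS_MSG)
    if not form.get("username") or not form.get("password"):
        return Decision(register=False, status=400,
                        message="username and password are required")
    return Decision(register=True, status=200, message=SUCCESS_MSG)
```

The bot and the genuine user receive byte-identical responses, so the trap cannot be detected from the reply alone.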
I think you should consider using an SMS or email verification method in addition to a CAPTCHA. You should also consider logging IP addresses who create accounts and if someone attempts to register another account within a time window you should deny it or ask for further verification.
Another approach you could take would be to have moderators and make sure there are no spam-type accounts.
You could also watch the user behaviour to identify spam accounts:

- Is the form filled in very quickly for signup
- Does any interaction appear to be preprogrammed
You need to find the right mix of preventative measures to prevent legitimate users from being harmed.

-
The IP thing isn't very hard to get around. I've written proxy-list trawlers that can identify hundreds of proxies with ease and switch between them. Some of the higher-end proxy websites will only provide images of the ports to avoid this problem, but not all of them do... and that's all it takes. – Ryan Amos Mar 04 '13 at 04:24
-
-
Exactly. You can't rely on it, but if you see a single IP address registering multiple times, it should instantly throw up a flag. – Ryan Amos Mar 04 '13 at 04:29
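An added example (not the answer's own code) of the two checks this answer and its comments describe: counting registrations per IP in a sliding time window, treating repeats as a flag for further verification rather than a hard block, and rejecting forms submitted faster than a human could fill them. The window, thresholds and the three outcome labels are assumptions.

```python
# Added example: per-IP registration window plus a form-timing signal.
from collections import defaultdict, deque
from typing import Deque, Dict

WINDOW_SECONDS = 3600      # assumed window: one hour
MAX_PER_WINDOW = 2         # assumed: more signups than this from one IP is flagged
MIN_FORM_SECONDS = 3.0     # assumed: no human completes the form faster than this


class SignupGuard:
    def __init__(self) -> None:
        # ip -> timestamps of recent signup attempts, oldest first
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def _recent(self, ip: str, now: float) -> Deque[float]:
        """Drop attempts older than the window and return what remains."""
        q = self._seen[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, ip: str, form_rendered_at: float, submitted_at: float) -> str:
        """Returns 'allow', 'verify' (ask for extra verification) or 'deny'.
        form_rendered_at is recorded server-side when the form was served."""
        q = self._recent(ip, submitted_at)
        q.append(submitted_at)
        # Preprogrammed submissions arrive almost instantly after the page load.
        if submitted_at - form_rendered_at < MIN_FORM_SECONDS:
            return "deny"
        # A single IP registering repeatedly is a flag, not proof (proxies,
        # NAT), so escalate to further verification instead of a hard deny.
        if len(q) > MAX_PER_WINDOW:
            return "verify"
        return "allow"
```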
Some services require you to enter a verification code sent to your phone by text. It's quite effective at stopping bots but does take some effort on your part to set up though.

-
That would probably stop a lot of humans too who aren't willing to give out their phone number, or don't have mobile phones. – Mar 03 '13 at 23:18
-
If I saw that, it would freak me out, because every other service that does that sells your phone number and charges you $10 a month for the rest of your life. – Ryan Amos Mar 04 '13 at 04:21
-
What most people forget is that you can send a text to a regular phone, and it will be read to you. So if you go this way, make sure you make this clear on your website. – pritaeas Mar 04 '13 at 09:11