
That was fast for the first day listed

ttb62

New Member
The first day listed on freewebspace.net and the sign ups start. I used a simple contact form for sign up. Some sent two or three duplicate requests. Mostly from China. Most requested hosting for a sub domain. Then I realized they might be live spammers. So that's not going to work. I am getting traffic, but I moved the sign up to a forum. Maybe I can weed out the ones who actually want hosting for their domain. The package is so small a user will have to know how to use it. A script like WordPress is just too big for it. But I got traffic already.

ttb
 

Welcome to FWS.

I noticed this too. Every time I make a hosting offer, for a few days after that I get 2-3 signups a day originating from Chinese and Russian address space with bot-like info. Unfortunately, enough hosts use automatic activation and these bots actually do succeed in getting live accounts.

Not sure though if there is anything that can be done about it here at FWS, but filtering the signups is relatively effective if time consuming.
 
I get these all the time, at least 20-30 per day. It's just a matter of thorough checking by your staff. Many are attempting to get smart and are using US addresses and American names... even US proxies. Just have to be really careful and use due diligence.
 
There are a number of different things you can do to help filter your new signups.

- MaxMind MinFraud checking - http://www.maxmind.com/app/ccfd_promo?promo=WHMCS4562

1000 basic queries per month are free and additional queries are as little as $0.005 per query for standard.

- Use GeoIP blocking to protect your signup page. You can simply block all Russian, Chinese, etc. IPs from ever reaching your signup page without blocking them server wide.

- Use two or more separate captcha tests that will be difficult for robots to bypass.

http://www.recaptcha.net/ and custom questions such as "What is the third word in second paragraph on our Terms of Service page?" might be a good start.

- Check the signup IP against DNSBL of known problem and proxy IPs and block access to the page to any known bad IPs.
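
The DNSBL check from the last item, as an added example that is not part of the original post: a DNSBL is queried by reversing the address labels, appending the list's zone, and treating an answer inside 127.0.0.0/8 as a listing. The zone `dnsbl.example.org` is a placeholder, and the function names are hypothetical.

```python
import ipaddress
import socket

# Assumption: placeholder zone; substitute the DNSBL you actually subscribe to.
DNSBL_ZONES = ["dnsbl.example.org"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed address labels + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        # IPv6 lists use one label per hex nibble, in reverse order.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def system_resolver(name: str):
    """Return the A record for name, or None if the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_signup_ip(ip, zones=DNSBL_ZONES, resolve=system_resolver):
    """Return (listed, hits) for the address a signup request came from."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return True, ["unparseable address"]  # fail closed on garbage input
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # An answer outside 127/8 means a wildcarded or parked zone, not a listing.
        if answer and answer.startswith("127."):
            hits.append(f"{zone} -> {answer}")
    return bool(hits), hits
```

Pass the connecting address as seen by the web server, not a client-supplied header, and cache results so a burst of signups does not turn into a burst of DNS queries.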
 
Some good advice there. But I wouldn't make it too hard to sign up as people are kind of tired of all the forms and captcha they have to enter for everything. Out of curiosity, anyone tried requiring signup using facebook connect? I imagine that would reduce spam bots? And it would make it easy to sign up.
 
> Some good advice there. But I wouldn't make it too hard to sign up as people are kind of tired of all the forms and captcha they have to enter for everything.

MaxMind checking is offloaded to the billing software (WHMCS, Hostbill, Blesta, etc), GeoIP/DNSBL blocking is handled via Apache extensions such as mod_security and mod_httpbl, and the two captcha tests are only shown on one form one time at signup taking an extra 5 - 10 seconds while they read the Terms of Service and Forum Rules. 90% of it is transparent to the user.

> Out of curiosity, anyone tried requiring signup using facebook connect? I imagine that would reduce spam bots? And it would make it easy to sign up.

Leaving aside Facebook's extremely poor track record on privacy, Facebook's own signup form uses recaptcha.net and email address verification. Beyond that there is no additional confirmation at signup. I don't consider the methods mentioned above to be very difficult from a user perspective. Compared to SMS verification for many Google services, copy and pasting a confirmation code from a linked page is simple.
 
Ok, but if you already have a Facebook account you don't have to enter captcha or verify your email.
 
Incidentally, since I posted this, they appear to be coming more frequently. I'm up to 5 a day now, with more and more of them having Japanese IPs.
 
I do not think it's bots signing up any more; I think it's live people. I was getting five of the same sign up. Put in some java to clear the form fields and some anti spam and the sign ups went way down. Blocked some IPs also.
 
What software are you guys using? I don't have any problems with WHMCS, but then I am not a free host.
 
> What software are you guys using? I don't have any problems with WHMCS, but then I am not a free host.

I wrote my own software for this. Going to be giving it another security shakedown soon, since they seem to have found a way into it again.

But I also have my eye on some new coding techniques that I was perfecting over the weekend, so it's possible that I have another solution to this problem.
 
Just a PHP contact form. Nowhere near as bad since I clear the form fields on page load. I think they were just hitting the back button and resubmitting.
 
what do you mean the php contact form is not a secure site?

Even if you are sending it via HTTPS, spambots will figure out what values to put in for the fields of a http post or http get, and will blindly post data to it once it is figured out how to make it accept data.

Many of these will even use any sort of activation email that you try to send in order to further their goals.

Not only that, but if you leave any kind of vulnerability such as MySQL injection or XSS based exploits, they will eventually discover and begin to use them.

On mine I use a HTTPS post and email activation, and even with input filtration to prevent a SQL injection I still get a bunch of obviously spam signups every day. The only really foolproof way to stop them is to actually talk to the client before accepting their registration, that way you can get a feel for what to expect from them and they know you are paying attention to your equipment.
 
> Even if you are sending it via HTTPS, spambots will figure out what values to put in for the fields of a http post or http get, and will blindly post data to it once it is figured out how to make it accept data.

It's just a simple form to mail. No database, with trim() stripslashes() htmlspecialchars(), a simple anti spam and a hidden anti spam feature. There are no security issues and no spam any more. So I still wonder what was meant by "not a secure site". There is never a request for financial information or personal. Sure would like to hear his/her reasoning behind the statement.
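
An added example, not code from any poster in this thread, showing one way to handle the two problems discussed above: blind POSTs that never loaded the form, and duplicates from the back button. It combines a hidden honeypot field with a signed, single-use, time-stamped form token; the field names `website` and `token`, the thresholds, and the in-memory nonce set are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-deployment key, never sent to the client
MIN_FILL_SECONDS = 3              # assumption: a person needs at least this long
MAX_AGE_SECONDS = 3600            # assumption: forms older than this are stale
_used_nonces = set()              # assumption: in-memory; use a shared store in production


def _sign(ts: str, nonce: str) -> str:
    return hmac.new(SECRET, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Value for the hidden 'token' field, generated each time the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_sign(ts, nonce)}"


def screen_submission(form: dict, now=None):
    """Return (accepted, reason) for a posted form."""
    now = time.time() if now is None else now
    # Honeypot: a field hidden by CSS that people leave empty and bots fill in.
    if form.get("website", "").strip():
        return False, "honeypot filled"
    parts = form.get("token", "").split(".")
    if len(parts) != 3:
        return False, "missing token"          # blind POST that never loaded the form
    ts, nonce, mac = parts
    if not hmac.compare_digest(mac.encode(), _sign(ts, nonce).encode()):
        return False, "forged token"
    age = now - int(ts)                        # ts is trusted only after the MAC check
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_AGE_SECONDS:
        return False, "token expired"
    if nonce in _used_nonces:
        return False, "duplicate submission"   # back button + resubmit, or a replay
    _used_nonces.add(nonce)
    return True, "ok"
```

A client that loads the form, waits, and submits once still passes, which is why the posters above pair this kind of check with IP screening and manual review.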
 
WOW, the spam bots have gotten really advanced when they know to check the e-mail address and click the link. I guess this is why I see so many of those "type the letters from this image" tests.
 
> Ok, but if you already have a Facebook account you don't have to enter captcha or verify your email.

That is very true. I have started to look at this again and it seems to be a valid way to increase signups. Implementing Facebook Connect, Google/Yahoo OAUTH, and a few others for European users should reduce the barrier to entry considerably. I still think that having a secondary confirmation layer for hosting account signups will be required. Google and Facebook have already pioneered SMS confirmation for their services so that seems like a reasonable course to take.
 
Just a random idea I just came up with:

How about you guys try this to prevent spam bots, "An E-mail Image Captcha", isn't it brilliant? :D

So, my idea is to generate a random code with PHP and use some somewhat distorted font to do it, to prevent OCR and still keep it within the limits of human readability, save that text to MySQL/whatever database you use, and then generate a random, unique file name and send the image in an email along with the link to the activation code for that email, which in turn will check against the MySQL data for a match in the codes. Tell me what you think. :wave:
 