TOS violations

Posted: Tue Dec 07, 2004 9:15 pm
by info
A few spamgourmet users have been violating the terms of service by using the service "in a way that consumes resources in a manner grossly disproportionate to that of other users of the service, including, but not limited to the use of scripting or other automated means to create large numbers of accounts or addresses over a short period of time." This has caused some performance problems as the servers struggle to keep up. I'm going through and finding the patterns that indicate this condition, and disabling the relevant accounts and clearing the queues. This helps some, but we'll have to find a better long-term solution.

Posted: Mon Dec 13, 2004 5:46 pm
by Prognathous
Many websites overcome automated scripts by employing image-based verification. This way, only humans can complete the registration process.

Have you considered this method?

Prog.

Edit: Another option, require new users to donate a dollar as part of every registration, just like freeshell.org does.

Posted: Mon Dec 13, 2004 6:34 pm
by SysKoll
We employ the image verification technique already.

Posted: Mon Dec 13, 2004 6:49 pm
by Prognathous
I wonder if OCR software has become so good that it can now overcome such verifications? I don't know how many false registrations you've had, but if it's a relatively low number then perhaps it wasn't automated after all.

Anyway, the "freeshell.org method" should be good enough and should deter anyone who tries to abuse the system.

Prog.

Posted: Mon Jan 10, 2005 9:10 am
by Guest
You could add a little problem solving to the registration process, such as:

Mr. Ed Norton lives in New York. This winter, oil heat is so much per gallon, gas heat is so much per cubic foot. What should he do?
A. Use oil
B. Use gas
C. Pack up and move to Florida

[ -- From the Honeymooners, Norton's answer was 'C']

All kidding aside, a problem with a little arithmetic and spelled-out numbers should fox the spammers.

Posted: Mon Jan 10, 2005 4:17 pm
by josh
The problem we have is not with automated sg user registrations -- rather, it's with automated signups on other sites. The scripts in question hit some other site repeatedly, using a slightly different disposable address each time.

Posted: Mon Jan 10, 2005 11:06 pm
by lwc
Do you mean it's just a few spamgourmet users, but they try to open unlimited disposable addresses?

Posted: Wed Jan 12, 2005 2:18 pm
by Guest
I know what to do:

Limit the rate at which new disposables can be created by INCOMING mail. Some number per day, or perhaps per hour.

Per hour makes sense, since only scripts (the "automated signups on [the] other sites" mentioned by josh) would cause the coincidence of MANY NEW ADDRESSES, ALL FROM THE SAME ORIGINATING site, all within a few minutes. Even if a user gets lots of new spam, it would not all come from the same place WITH ONE NEW ADDRESS EACH. This would be the signature of this form of abuse.

Make the limit reasonably large, to give the user time to recover if a spammer or prankster actually DOES attack the spamgourmet address creation concept itself [other threads have postulated this possibility; replies in those threads say this has NOT happened yet]. If ever attacked, of course, the user would begin using or change his watchword[s] or prefix.

Of course, this limitation would make spamgourmet vulnerable to a new form of denial of service attack: Create lots of addresses for a victim and they go dead. But this is also unlikely.

I think this is it. I can't think of any difficulty this protocol would create for a legitimate user.

Anyone have any ideas?
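
The per-hour limit proposed in the post above, as an added example that is not part of the thread and is not spamgourmet's code: a sliding-window counter of new disposables per account and originating site. The class and function names, the limit of 3, the use of the sender domain as the "originating site" and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class NewAddressLimiter:
    """Caps disposables created by incoming mail per (account, origin)."""

    def __init__(self, limit, window=3600):
        self.limit = limit      # assumed cap; the post only says "reasonably large"
        self.window = window    # seconds; one hour, as the post suggests
        self.known = set()      # (user, address) pairs that already exist
        self.recent = defaultdict(deque)  # (user, origin) -> creation times

    def allow(self, ts, user, address, origin):
        """Return True if mail to this address should be accepted."""
        if (user, address) in self.known:
            return True         # existing address: the limit never applies
        times = self.recent[(user, origin)]
        while times and ts - times[0] >= self.window:
            times.popleft()     # forget creations older than the window
        if len(times) >= self.limit:
            return False        # many new addresses from one origin: refuse
        times.append(ts)
        self.known.add((user, address))
        return True

def replay(events, limit=3, window=3600):
    """Feed (ts, user, address, origin) events through; return refused ones."""
    limiter = NewAddressLimiter(limit, window)
    return [(user, addr) for ts, user, addr, origin in events
            if not limiter.allow(ts, user, addr, origin)]

# Constructed sample events: (seconds, account, disposable, originating domain)
SAMPLE = [
    (0,    "alice", "news1", "shop.example"),
    (10,   "alice", "a1",    "forum.example"),
    (20,   "alice", "a2",    "forum.example"),
    (30,   "alice", "a3",    "forum.example"),
    (40,   "alice", "a4",    "forum.example"),  # 4th new one within the hour
    (50,   "alice", "a1",    "forum.example"),  # existing address still works
    (60,   "alice", "news2", "list.example"),   # other origin unaffected
    (70,   "bob",   "b1",    "forum.example"),  # other account unaffected
    (3700, "alice", "a5",    "forum.example"),  # window has rolled over
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

In this sketch only the creation of new addresses is refused: mail to addresses the account already has, and new addresses arriving from other origins, are accepted regardless of the counter.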