<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>rails rack-attack spammers captcha on random thoughts</title><link>https://awesomeprogrammer.com/categories/rails-rack-attack-spammers-captcha/</link><description>Recent content in rails rack-attack spammers captcha on random thoughts</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Wed, 25 Jun 2014 00:00:00 +0000</lastBuildDate><atom:link href="https://awesomeprogrammer.com/categories/rails-rack-attack-spammers-captcha/index.xml" rel="self" type="application/rss+xml"/><item><title>How to protect your website against spammers</title><link>https://awesomeprogrammer.com/blog/2014/06/25/how-to-protect-your-website-against-spammers/</link><pubDate>Wed, 25 Jun 2014 00:00:00 +0000</pubDate><guid>https://awesomeprogrammer.com/blog/2014/06/25/how-to-protect-your-website-against-spammers/</guid><description><![CDATA[<p>-&gt; <img src="/images/spam.png" alt="Spam" title="We don't want your spam"> &lt;-</p>
<p>When you&rsquo;re running community-driven website sooner or later you will have to fight back spammers. There can be different kind of spammers, but the main question here is - how do we stop them from flooding your precious site?</p>
<p>Few days ago I noticed huge spike in users registration count, apparently some &lsquo;seo&rsquo; agency (quote indented) decided that website I&rsquo;m running is a great place for new backlinks directory ;-).</p>
<p>I&rsquo;m running devise with obligatory email confirmation, so that&rsquo;s the first gate you have to pass. Let&rsquo;s say you don&rsquo;t have to confirm your account, what are the other options here? Obviously captcha comes to mind. You can go and try good (?) old <a href="https://github.com/ambethia/recaptcha/">reCAPTCHA</a>, but personally I&rsquo;m not a big fan of it. You can get some great results with something similar to <a href="https://github.com/subwindow/negative-captcha">Negative Captcha</a> that is 100% transparent to the user.</p>
<p>If that won&rsquo;t help I recommend using some heavy artillery - <a href="https://github.com/kickstarter/rack-attack">rack-attack</a>. It&rsquo;s a rack middleware that can be a great help in those situations. Let&rsquo;s go over few common cases here:</p>
<ul>
<li>spam is coming from few IP addresses, maybe a IP range or something, it&rsquo;s should be quite easy to block with this formula (first see <a href="https://github.com/kickstarter/rack-attack#usage">usage notes</a>):</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ruby" data-lang="ruby"><span style="display:flex;"><span><span style="color:#66d9ef">Rack</span><span style="color:#f92672">::</span><span style="color:#66d9ef">Attack</span><span style="color:#f92672">.</span>blacklist(<span style="color:#e6db74">&#39;block spammers&#39;</span>) <span style="color:#66d9ef">do</span> <span style="color:#f92672">|</span>req<span style="color:#f92672">|</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">[</span><span style="color:#e6db74">&#34;1.2.3.4&#34;</span>, <span style="color:#e6db74">&#34;5.6.7.9&#34;</span>, <span style="color:#e6db74">&#34;and-so-on&#34;</span><span style="color:#f92672">].</span>include?(req<span style="color:#f92672">.</span>ip)
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span>
</span></span></code></pre></div><ul>
<li>you can&rsquo;t filter traffic based on IP, but spammers are hitting your sign up page pretty hard - let&rsquo;s blacklist too many sign up attempts</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ruby" data-lang="ruby"><span style="display:flex;"><span><span style="color:#66d9ef">Rack</span><span style="color:#f92672">::</span><span style="color:#66d9ef">Attack</span><span style="color:#f92672">.</span>blacklist(<span style="color:#e6db74">&#39;allow2ban signup attempts&#39;</span>) <span style="color:#66d9ef">do</span> <span style="color:#f92672">|</span>req<span style="color:#f92672">|</span>
</span></span><span style="display:flex;"><span>  <span style="color:#75715e"># After 5 requests in 6 hours, block all requests from that IP for 24 hours</span>
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">Rack</span><span style="color:#f92672">::</span><span style="color:#66d9ef">Attack</span><span style="color:#f92672">::</span><span style="color:#66d9ef">Allow2Ban</span><span style="color:#f92672">.</span>filter(req<span style="color:#f92672">.</span>ip, <span style="color:#e6db74">maxretry</span>: <span style="color:#ae81ff">5</span>, <span style="color:#e6db74">findtime</span>: <span style="color:#ae81ff">6</span><span style="color:#f92672">.</span>hours, <span style="color:#e6db74">bantime</span>: <span style="color:#ae81ff">24</span><span style="color:#f92672">.</span>hours) <span style="color:#66d9ef">do</span>
</span></span><span style="display:flex;"><span>    req<span style="color:#f92672">.</span>post? <span style="color:#f92672">&amp;&amp;</span> req<span style="color:#f92672">.</span>path <span style="color:#f92672">=~</span> <span style="color:#e6db74">/sign_up/</span> <span style="color:#75715e"># POST request pointed to your sign_up url</span>
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">end</span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span>
</span></span></code></pre></div><ul>
<li>still not good? Try limiting requests per seconds - just be sure to set this accordingly to your app (traffic you&rsquo;re getting, amount of ajax requests etc.)</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ruby" data-lang="ruby"><span style="display:flex;"><span><span style="color:#75715e"># Throttle requests to 5 requests per second per ip</span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">Rack</span><span style="color:#f92672">::</span><span style="color:#66d9ef">Attack</span><span style="color:#f92672">.</span>throttle(<span style="color:#e6db74">&#34;throttle req per ip&#34;</span>, <span style="color:#e6db74">limit</span>: <span style="color:#ae81ff">5</span>, <span style="color:#e6db74">period</span>: <span style="color:#ae81ff">1</span><span style="color:#f92672">.</span>second) <span style="color:#66d9ef">do</span> <span style="color:#f92672">|</span>req<span style="color:#f92672">|</span>
</span></span><span style="display:flex;"><span>  req<span style="color:#f92672">.</span>ip
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span>
</span></span></code></pre></div><p>Good luck and may the Force be with you ;-).</p>]]></description><content:encoded><![CDATA[<p>-&gt; <img src="/images/spam.png" alt="Spam" title="We don't want your spam"> &lt;-</p>
<p>When you&rsquo;re running community-driven website sooner or later you will have to fight back spammers. There can be different kind of spammers, but the main question here is - how do we stop them from flooding your precious site?</p>
<p>Few days ago I noticed huge spike in users registration count, apparently some &lsquo;seo&rsquo; agency (quote indented) decided that website I&rsquo;m running is a great place for new backlinks directory ;-).</p>
<p>I&rsquo;m running devise with obligatory email confirmation, so that&rsquo;s the first gate you have to pass. Let&rsquo;s say you don&rsquo;t have to confirm your account, what are the other options here? Obviously captcha comes to mind. You can go and try good (?) old <a href="https://github.com/ambethia/recaptcha/">reCAPTCHA</a>, but personally I&rsquo;m not a big fan of it. You can get some great results with something similar to <a href="https://github.com/subwindow/negative-captcha">Negative Captcha</a> that is 100% transparent to the user.</p>
<p>If that won&rsquo;t help I recommend using some heavy artillery - <a href="https://github.com/kickstarter/rack-attack">rack-attack</a>. It&rsquo;s a rack middleware that can be a great help in those situations. Let&rsquo;s go over few common cases here:</p>
<ul>
<li>spam is coming from few IP addresses, maybe a IP range or something, it&rsquo;s should be quite easy to block with this formula (first see <a href="https://github.com/kickstarter/rack-attack#usage">usage notes</a>):</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ruby" data-lang="ruby"><span style="display:flex;"><span><span style="color:#66d9ef">Rack</span><span style="color:#f92672">::</span><span style="color:#66d9ef">Attack</span><span style="color:#f92672">.</span>blacklist(<span style="color:#e6db74">&#39;block spammers&#39;</span>) <span style="color:#66d9ef">do</span> <span style="color:#f92672">|</span>req<span style="color:#f92672">|</span>
</span></span><span style="display:flex;"><span>  <span style="color:#f92672">[</span><span style="color:#e6db74">&#34;1.2.3.4&#34;</span>, <span style="color:#e6db74">&#34;5.6.7.9&#34;</span>, <span style="color:#e6db74">&#34;and-so-on&#34;</span><span style="color:#f92672">].</span>include?(req<span style="color:#f92672">.</span>ip)
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span>
</span></span></code></pre></div><ul>
<li>you can&rsquo;t filter traffic based on IP, but spammers are hitting your sign up page pretty hard - let&rsquo;s blacklist too many sign up attempts</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ruby" data-lang="ruby"><span style="display:flex;"><span><span style="color:#66d9ef">Rack</span><span style="color:#f92672">::</span><span style="color:#66d9ef">Attack</span><span style="color:#f92672">.</span>blacklist(<span style="color:#e6db74">&#39;allow2ban signup attempts&#39;</span>) <span style="color:#66d9ef">do</span> <span style="color:#f92672">|</span>req<span style="color:#f92672">|</span>
</span></span><span style="display:flex;"><span>  <span style="color:#75715e"># After 5 requests in 6 hours, block all requests from that IP for 24 hours</span>
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">Rack</span><span style="color:#f92672">::</span><span style="color:#66d9ef">Attack</span><span style="color:#f92672">::</span><span style="color:#66d9ef">Allow2Ban</span><span style="color:#f92672">.</span>filter(req<span style="color:#f92672">.</span>ip, <span style="color:#e6db74">maxretry</span>: <span style="color:#ae81ff">5</span>, <span style="color:#e6db74">findtime</span>: <span style="color:#ae81ff">6</span><span style="color:#f92672">.</span>hours, <span style="color:#e6db74">bantime</span>: <span style="color:#ae81ff">24</span><span style="color:#f92672">.</span>hours) <span style="color:#66d9ef">do</span>
</span></span><span style="display:flex;"><span>    req<span style="color:#f92672">.</span>post? <span style="color:#f92672">&amp;&amp;</span> req<span style="color:#f92672">.</span>path <span style="color:#f92672">=~</span> <span style="color:#e6db74">/sign_up/</span> <span style="color:#75715e"># POST request pointed to your sign_up url</span>
</span></span><span style="display:flex;"><span>  <span style="color:#66d9ef">end</span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span>
</span></span></code></pre></div><ul>
<li>still not good? Try limiting requests per seconds - just be sure to set this accordingly to your app (traffic you&rsquo;re getting, amount of ajax requests etc.)</li>
</ul>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-ruby" data-lang="ruby"><span style="display:flex;"><span><span style="color:#75715e"># Throttle requests to 5 requests per second per ip</span>
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">Rack</span><span style="color:#f92672">::</span><span style="color:#66d9ef">Attack</span><span style="color:#f92672">.</span>throttle(<span style="color:#e6db74">&#34;throttle req per ip&#34;</span>, <span style="color:#e6db74">limit</span>: <span style="color:#ae81ff">5</span>, <span style="color:#e6db74">period</span>: <span style="color:#ae81ff">1</span><span style="color:#f92672">.</span>second) <span style="color:#66d9ef">do</span> <span style="color:#f92672">|</span>req<span style="color:#f92672">|</span>
</span></span><span style="display:flex;"><span>  req<span style="color:#f92672">.</span>ip
</span></span><span style="display:flex;"><span><span style="color:#66d9ef">end</span>
</span></span></code></pre></div><p>Good luck and may the Force be with you ;-).</p>]]></content:encoded></item></channel></rss>