The below is what you get after creating awareness of your project on Reddit
and there are thousands more.
After sharing my project on r/php, the following day I started getting so many Mail Delivery System errors, bounces and all sorts of gibberish:
This is the result of automated bot registrations. Unfortunately, as this is a work-in-progress project, a lot of things are not in place yet, and one of them is prevention of simple spam such as in this case.
The Implementation
I needed a way to do something simple, and only as complex as it needs to be, to prevent this nonsense.
I came up with the idea of chaining several spam protection mechanisms. For example, Mechanism A checks whether the request is spam; if it is not, it passes the request to Mechanism B, and so on, until one of them detects spam and rejects the registration. If no spam is detected, that's fine, we allow the registration.
As this is an open-source project, it should also be expandable and hookable; this way, developers can add their own mechanisms.
The below are the ones I have:
Honey Trap
This is where we have a decoy input to lure automated bots into interacting with hidden fields or traps.
Global Variable Check
This is simple, but you can make it complex if you want. Here we not only check a request header and its value; the mechanism also has an option of checking the input data, and as such it can replicate the honey trap. Here are examples (SERVER can be swapped with POST):
// if there is no user agent, we mark as spam
[SERVER keyNot='HTTP_USER_AGENT' spam='1']
// if there is user agent and the value contains bot, we mark as spam
[SERVER key='HTTP_USER_AGENT' valueContains='bot' spam='1']
// reject all email that ends with .ru
[POST key='email' valueEndsWith='.ru' spam='1']
// the value can be value|valueStartsWith|valueEndsWith|valueContains
// negate value with valueNot e.g. valueNotStartsWith, valueNotContains, etc.
// you can check if value is not empty with: valueEmpty='0' OR valueEmpty='1' for empty value
If the key, or the combination of key and value, matches, you mark it with spam='1' (or spam='0' for not spam), so there are lots of things you can do here, e.g. flagging IPs, only accepting specific request headers, and so on.
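As an added example (not Tonics' own code), here is a small evaluator for the bracket rules above. It assumes PHP 8, a class name of my choosing (GlobalVariableRule), and that SERVER and POST map to $_SERVER-like and $_POST-like arrays passed in by the caller; the rule syntax itself is exactly the one shown in the post.

```php
<?php
declare(strict_types=1);

// Added example: evaluates rules such as
//   [SERVER key='HTTP_USER_AGENT' valueContains='bot' spam='1']
// Class name and the isSpam() contract are assumptions, not the project's API.
final class GlobalVariableRule
{
    /** Parse one rule string into ['source' => 'SERVER'|'POST', 'attrs' => [...]]. */
    public static function parse(string $rule): array
    {
        if (!preg_match('/^\[\s*(SERVER|POST)\s+(.*?)\s*\]$/', trim($rule), $m)) {
            throw new InvalidArgumentException("Malformed rule: $rule");
        }
        $attrs = [];
        // name='value' pairs; this simple grammar does not allow quotes inside values
        preg_match_all("/(\\w+)='([^']*)'/", $m[2], $pairs, PREG_SET_ORDER);
        foreach ($pairs as $p) {
            $attrs[$p[1]] = $p[2];
        }
        return ['source' => $m[1], 'attrs' => $attrs];
    }

    /** True when every check in the rule holds for the given request data. */
    public static function matches(array $rule, array $server, array $post): bool
    {
        $data = $rule['source'] === 'SERVER' ? $server : $post;
        $a = $rule['attrs'];

        // keyNot: the rule matches only when the key is absent entirely
        if (isset($a['keyNot'])) {
            return !array_key_exists($a['keyNot'], $data);
        }
        if (!isset($a['key']) || !array_key_exists($a['key'], $data)) {
            return false;
        }
        $value = (string) $data[$a['key']];

        foreach ($a as $name => $expected) {
            if ($name === 'key' || $name === 'spam') {
                continue;
            }
            // valueNotContains -> negated valueContains, valueNot -> negated value, etc.
            $negate = str_starts_with($name, 'valueNot');
            $op = $negate ? 'value' . substr($name, 8) : $name;
            $result = match ($op) {
                'value'           => $value === $expected,
                'valueStartsWith' => str_starts_with($value, $expected),
                'valueEndsWith'   => str_ends_with($value, $expected),
                'valueContains'   => str_contains($value, $expected),
                // valueEmpty='1' matches an empty value, valueEmpty='0' a non-empty one
                'valueEmpty'      => ($value === '') === ($expected === '1'),
                default => throw new InvalidArgumentException("Unknown check: $name"),
            };
            if ($negate) {
                $result = !$result;
            }
            if (!$result) {
                return false;
            }
        }
        return true;
    }

    /**
     * Applies the rules in order; the first matching rule decides.
     * Returns true (spam), false (explicitly not spam) or null (no rule matched,
     * so the next mechanism in the chain gets to decide).
     */
    public static function isSpam(array $rules, array $server, array $post): ?bool
    {
        foreach ($rules as $raw) {
            $rule = self::parse($raw);
            if (self::matches($rule, $server, $post)) {
                return ($rule['attrs']['spam'] ?? '1') === '1';
            }
        }
        return null;
    }
}

// Constructed sample request data, not taken from real traffic.
$rules = [
    "[SERVER keyNot='HTTP_USER_AGENT' spam='1']",
    "[SERVER key='HTTP_USER_AGENT' valueContains='bot' spam='1']",
    "[POST key='email' valueEndsWith='.ru' spam='1']",
];
$server = ['HTTP_USER_AGENT' => 'Mozilla/5.0'];
$post   = ['email' => 'someone@example.ru'];

var_dump(GlobalVariableRule::isSpam($rules, $server, $post));
```

The string checks are case-sensitive here, so a rule with valueContains='bot' does not catch "Bot"; lowercasing both sides before comparing is a one-line change if that is the behaviour you want. Returning null when nothing matched is what lets this sit in a chain: a mechanism that has no opinion should hand the request on rather than silently allow it.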
Prevent Disposable Emails
This is simple: we filter out disposable email addresses using a predefined list. I currently have over 3k of them by default, and you can add your own custom list as well if the mechanism is not catching something. Spammers use disposable domains a lot.
Result
After pushing the update, the bot registrations went silent, I mean 100% silent.
None of the implementation is novel, so it is a simple implementation; however, I really like the fact that it can be expanded, and the global variable thing looks cool.
The below is what the implementation looks like:
You can always get in touch with me at olayemi@tonics.app or devsrealmer@gmail.com