Hi we have just noticed a bunch of Nigerian spam accounts in our email system. Now, we do have a reCaptcha in the signup form but apparently they circumvent it, manually or otherwise. It seems like a semi-manual circumvention since the accounts aren't created in bulk but instead as a steady stream with a few minutes in between.
Since most of the spam accounts were created by IP addresses from Nigeria, we have just set up some simple IP filters over a couple of pretty broad IP ranges and that seems to be working for now. However we would like to make a more permanent solution to this problem.
The most reasonable improvement we are thinking about is to change from using reCaptcha to use a textcaptcha in danish. This might make it hard for a Nigerian to manually enter the answer since he would have to learn Danish or search the web for an answer. However, I would like to know if you have a better suggestion or maybe just alternative or additional screening methods we could implement.
The best approach that I know of is requiring verification via SMS. It's very easy for you to detect that the same phone number is being tried more than once, and it's reasonably difficult to have a large number of SMS-capable phones.
Having thought about this for a little more, I think I do have a solution, though not necessarily one you will like:
From what I understand of your question, you are giving out email accounts to people who
- don't pay you money;
- you don't know personally; and
- you have no contract with.
It could be argued that organizations doing what you are doing are part of the problem.
Unless your primary business is being a provider of free email (and that's surely a thankless business), I don't see a need to hand out email accounts to people. If you want them to be able to communicate with you or with other of your users, let them use their own, already owned private email accounts. If you only need communication with you, a Web feedback form will do. If you want them to communicate among each other and it's some kind of social site, provide messaging capability between accounts. But don't give strangers access to your worldwide-connected email server! This is the equivalent of operating an open relay.
Anybody can get an email account from Google (or Yahoo, or...) for free. Let those companies worry about spammers, they make more money than you do.
You could set up a hidden field in the form with a name like "email" or something thats not used, real humans wouldn't fill it in, but a robot would since they usually read the code, not look at the page.
Thoughts from our Glorious Leaders on combating spammers who are prepared to solve captchas:
http://blog.stackoverflow.com/2009/02/new-question-answer-rate-limits/
来源:https://stackoverflow.com/questions/3247478/stopping-spammers-from-creating-accounts-recaptcha-not-doing-the-trick