Welcome to Software Development on Codidact!
Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.
Is it a bad idea to block proxies/vpns for interacting with my app?
I run a small website and Im considering blocking proxies and vpns with ipquery to cut back on spam. I keep having bots autofill the contact us even though im using recaptcha. Does anyone have any solutions or recommendations for dealing with platform spam? Im worried that if I block proxies/vpns Ill also stop real users. (Tech stack php, wordpress, etc)
2 answers
You are accessing this answer with a direct link, so it's being shown above all other answers regardless of its score. You can return to the normal view.
For contact form spam specifically, there is a more direct solution. If you use a form service like formspree.io it will already have built in spam filtering features. This isn't based around trying to detect bot access behavior, but a much simpler and more effective method of looking at the data entered into the forms. You can configure custom rules as well, and it is trivial to implement things like hidden/honeypot inputs ("please leave this field blank to show you're not a bot"). Usually the responses classed as spam don't count towards your quota on these services.
If you do want to build your own solution, an easy way is to have a simple custom question like the other answer describes. Most contact form bots seem to be built generically, so that the operator can have the one bot spam millions of sites. They are not trying to go after your website specifically, because building a bot just for you would not be worth it unless your site is very popular. Economically it's only worth it if they can use the same bot for many sites without custom solutions, and if there's any sites that use non-standard captcha it's better to just skip them and move on.
Using a well-known VPN as a spammer is a rookie way to do it. Most sites already do block them. A real spammer would either find an obscure VPN/exit IP that's not in the blocklists you use, or they would proxy it through some "clean" IP so that you never see the VPN IP. Meanwhile a lot of legitimate users use VPNs depending on how technically sophisticated/privacy conscious your userbase is. Especially if you block popular VPNs, you will have a high false positive rate. It might also send a message to your users that you are hostile to net privacy.
A lot of bots also come from cloud services like Microsoft or Alibaba cloud. I would consider banning those before VPNs. There will be fewer false positives, although some people do use machines from these clouds as a personal proxy. In any case, you should analyze which IPs are sending you spam first. Maybe you have done this and found out it's mostly VPNs, but you haven't said so in the question.
0 comment threads
If you block proxies and VPNs it will stop real users.
reCAPTCHA also stops real users, often blocks proxies and VPNs, and isn't very good at stopping bots.
You can try a custom CAPTCHA. It can be a simple question. For example, if your site is about LEGO, you can ask how many studs are on the most common type of rectangular brick (it's 8). It doesn't have to be something that requires specific knowledge - as long as it's different from most other sites, like "how many letters are in 'the pizza'?" bots that generically search the internet for "contact us" forms won't get it. Bots developed for your site specifically can be programmed to enter 8, but... why would someone develop a bot for your site specifically?
You can also try hCaptcha.
0 comment threads
2 comment threads