At this point we've not had any of the "bamwar" spam for around 18 hours. I don't think it's safe to assume that we've seen the end of the problem yet. I am hopeful that in the future the impact of such a flood would be less than we've seen in the past week. I think this is a good point to let you know what we saw, what we've done and some of what we're going to do shortly.
Until just over 2 years ago, to sign up for an account you needed to own a piece of mbed hardware which had a signup code. We started getting occasional spam items on the site after we removed that restriction. This low level of spam perhaps made us complacent to the potential problem.
From the morning of the 7th of May the spam flood started by attacking the questions pages. Later, when we fixed a bug that was preventing posting in the forums, they were also attacked.
Above you can see a chart of our signups; each bar represents one hour. You can see a clear spike in signups on the 7th. The rise shows the start of the attack, and the reduction came when we added captchas to the signup forms. That did reduce the signup rate, but the volume of spam was still enough to make the questions pages and the forums almost unusable. I don't have full figures, but we've removed hundreds, maybe even thousands, of spam users and tens of thousands of spam posts.
It's hard to know for certain, but I suspect that the attack was part manual and part scripted. Either way the captchas alone did not solve the problem.
I had heard that captchas are no longer effective. A bit of searching revealed that it is even possible to pay to have captchas solved for you. There are APIs selling captcha solutions. Artificial intelligence can solve many of them. For the rest there are marketplaces with prices that fluctuate with supply and demand where people solve them by hand. I saw prices as low as $1.39 for 1000 solutions.
It seemed worth trying Google's latest version of the captcha. You can read a more detailed comparison on Google's security blog; it's meant to be much easier for humans and much harder for robots, which is great, as I'm sure we've all had the experience of captchas being hard to solve. I can see that since we replaced our captchas about 30% of people only have to click on the checkbox to verify.
After we replaced the captcha system we added them to the forms for creating new questions and forum posts. This should at least slow down the spammers or make it more expensive for them to post.
We now prevent signups from IP addresses that spammers have used. We have started adding rate limits on how fast users can post new content to further reduce the spammers' impact.
To further improve our spam protection we want to
- continue adding and refining rate limits,
- use external services to check if signups are coming from known spammers,
- use external services to determine if new content is spam before it is published.
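The two controls mentioned above, per-user rate limits on new posts and blocking signups from IP addresses already seen sending spam, are small enough to show end to end. The block below is an added example written for this page, not Mbed's code; the class names, the limit of 3 posts per 60 seconds, and the sample post timeline and block list (TEST-NET addresses) are all constructed for illustration.

```python
"""
Added example (not Mbed's code): a sliding-window rate limiter for post
creation plus a signup gate that rejects IP addresses or networks already
recorded as spam sources. Names, limits and the sample data below are
assumptions constructed for illustration.
"""
from collections import defaultdict, deque
import ipaddress


class PostRateLimiter:
    """Allow at most `max_posts` per user within any `window_seconds` span."""

    def __init__(self, max_posts, window_seconds):
        self.max_posts = max_posts
        self.window = window_seconds
        # user -> timestamps of posts that were accepted (oldest first)
        self._events = defaultdict(deque)

    def allow(self, user, now):
        q = self._events[user]
        # Discard accepted posts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_posts:
            return False          # over the limit: reject, do not record
        q.append(now)
        return True


class SignupGate:
    """Reject signups from IP addresses (or whole networks) on the block list."""

    def __init__(self, blocked):
        self._blocked = [ipaddress.ip_network(b, strict=False) for b in blocked]

    def allow(self, ip):
        addr = ipaddress.ip_address(ip)
        return not any(addr in net for net in self._blocked)


def simulate(events, limiter):
    """Feed (user, timestamp) post attempts through the limiter; return decisions."""
    return [(user, ts, limiter.allow(user, ts)) for user, ts in events]


# Constructed sample: one account burst-posting, one posting at a normal pace.
SAMPLE_POSTS = [
    ("spammer", 0), ("spammer", 1), ("spammer", 2), ("spammer", 3),
    ("alice", 5), ("spammer", 30), ("spammer", 61), ("alice", 70),
]
# Constructed block list using documentation (TEST-NET) ranges.
SAMPLE_BLOCKLIST = ["203.0.113.0/24", "198.51.100.7"]

if __name__ == "__main__":
    limiter = PostRateLimiter(max_posts=3, window_seconds=60)
    for user, ts, ok in simulate(SAMPLE_POSTS, limiter):
        print(f"{ts:>3}s {user:8} {'accepted' if ok else 'rate limited'}")
    gate = SignupGate(SAMPLE_BLOCKLIST)
    for ip in ["203.0.113.44", "198.51.100.7", "192.0.2.10"]:
        print(ip, "allowed" if gate.allow(ip) else "blocked")
```

With the sample timeline the fourth burst post at 3s and the one at 30s are refused, while the post at 61s is accepted again because the first two have aged out of the 60-second window; the limiter only records posts it accepted, so a rejected burst cannot extend its own penalty. The signup gate matches against networks rather than single addresses so that a spammer rotating through one hosting block is still caught.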
I'm new to Mbed and have some questions regarding the platform; however, this apparent forum hack is getting in the way of that.
Any ETA on stopping it?