Another day, another crypto/pharma/work from home comment spam invasion

One of our clients is getting hit from all sides — they’ve got an actual bad actor trying to get into critical systems… and then there’s a spam bot who just keeps knocking on the door, trying to get them to invest in crypto or buy viagra from overseas or whatever.

(Aside: you know this new movie, Heretic, with Hugh Grant? It’s a horror movie where two young evangelical women knock on his door and then I guess he does horrible things to them, and is explicitly the villain? My pet theory is that this movie was written by someone who got real real tired of people knocking on their door and it’s actually a revenge fantasy, but I digress.)

Anyway:

A few thoughts about the spam bot arms race

  • The bots can get around reCAPTCHA v2. Upgrade to v3, like now.
  • Don’t take it personally. They are almost never actually after your stuff. It’s less like a car thief really wanting your car, and more like a car thief walking around a parking lot with a fob trying to see which car it might match to.
    • Actually, it’s more like a car thief attaching the fob to one of those new Roombas that have arms and just setting it loose in a parking lot.
    • And then they’re not even really after your car, just the airbags or the catalytic converter or something.
  • Brute force protection is your (occasionally misguided) friend. The bot that’s trying to get into your site will always use spoofed IPs. Block Russia if it makes you feel better, but none of the bad traffic is going to look like it’s coming from there. Brute force protection that works by IP will be fooled into blocking the spoofed IPs. The end result is that you make it so no one can view your website from Navy Pier. (Yes, this happened to me.) But brute force protection can take the pressure off your site for a bit.
  • Leverage a spam service on your website’s contact forms and mailers — don’t try to roll your own.
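To make the reCAPTCHA v3 and contact-form points concrete, here is an added example (not code from the post, and not a WordPress or Gravity Forms plugin) of the server-side gate a form handler should run: a honeypot check plus verification of the v3 token against Google’s siteverify endpoint. The hidden field name `website_url`, the form action name `contact` and the 0.5 score threshold are assumptions.

```python
"""Server-side spam gate for a contact form: honeypot + reCAPTCHA v3 score.
Added example, not code from the post. Assumes the form posts a hidden
honeypot field (here named "website_url") and the v3 token as
"g-recaptcha-response"; field names and the 0.5 threshold are assumptions.
"""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
HONEYPOT_FIELD = "website_url"        # hidden field; humans leave it empty
SCORE_THRESHOLD = 0.5                 # v3 scores run 0.0 (bot) .. 1.0 (human)


def siteverify(secret, token, remote_ip=None, opener=urllib.request.urlopen):
    """Call Google's siteverify endpoint and return the parsed JSON.
    `opener` is injectable so the decision logic can be tested offline."""
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    body = urllib.parse.urlencode(data).encode()
    with opener(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def classify_submission(form, verification, expected_action="contact",
                        expected_hostname=None):
    """Return (accepted: bool, reason: str) for one form submission.
    `form` is the POSTed field dict; `verification` is the siteverify JSON."""
    # 1. Honeypot: bots auto-fill every field, humans never see this one.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    # 2. Token must verify; a missing or replayed token fails here.
    if not verification.get("success"):
        return False, "token invalid: " + ",".join(verification.get("error-codes", []))
    # 3. Bind the token to this form's action and, if known, to our hostname,
    #    so a token minted on another page or site cannot be reused here.
    if verification.get("action") != expected_action:
        return False, "action mismatch"
    if expected_hostname and verification.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    # 4. Finally apply the v3 score threshold.
    score = float(verification.get("score", 0.0))
    if score < SCORE_THRESHOLD:
        return False, f"score {score:.2f} below threshold"
    return True, "ok"
```

Log the rejection reason rather than showing it to the submitter, so the score and the honeypot stay invisible to whatever is filling the form.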

In our particular case, we found this stack worked pretty well:

  • WordPress (stay up to date)
  • Akismet
  • Gravity Forms
    • Akismet add-on
    • Honeypot enabled
    • reCAPTCHA 3 add-on enabled
  • SolidWP’s Solid Security
    • Brute force enabled
    • Hard passwords enabled
    • Hide the backend enabled (I’m torn on this one; it feels like hiding your spare key in a planter instead of under the doormat, but whatever)

Finally, have a robust backup schedule in place. I like to keep the last seven daily backups, the last three weekly backups, and the last three monthly backups.
