Looking for the best solution to this problem (almost all social networking sites encounter this issue).
I have a small social networking website for our community. One of the features is that a user can send emails to users in the system (just like Facebook).
A couple of days ago one of the users sent a spam email to all the users using macros or some other automated system. The whole process hardly took 3 minutes and everyone received that email. I deleted that user and added a captcha to prevent any other user from spamming in this way. But I am sure this is not the best solution.
So I am thinking about:
- Only allow a user to send at most one email every 2 minutes
- A user can send a maximum of 100 messages per day
- If he reaches the maximum of 100, block that user
And the same applies to comments, posting on a wall, sending add-as-friend requests and other cases.
I am looking at this link http://nedbatchelder.com/text/stopbots.html and thinking of using a honeypot.
But the spam I explained came from a registered, activated user. Are there any other better ways to prevent him/her?
There are, I think, three considerations:
1. Restricting New Accounts
The first point you’ve already mentioned has been solved (at least temporarily) with a captcha. Facebook and Google have, for a long time, required some other form of verifiable identification, like a cellphone number, in order to create new accounts. Other sites use referral-based signup, and can trace back to the referrer if a user is abusive. And many sites have some sort of throttling on how many new accounts can be created.
2. Feature Protection
What criteria of features require additional protection than just allowing access to registered users?
For instance, anything that exposes someone’s personal information (name, contact information, etc.) should be restricted in some way, whether it’s using hidden e-mails (like Craigslist, SourceForge, and many forum systems), or requiring the user’s approval before that information is shared with someone else (Facebook friends and privacy settings).
Also, how do you protect these features? Throttling? Delayed access to more powerful features, like Stack Overflow? Some sort of machine-learning to analyze behavioral patterns and identify abuse?
3. Proactive Damage Control
Finally, how do users establish that they are not abusive, and what steps do you take to identify these types of users proactively?
For example, you might set a threshold for e-mails, but rather than turning off e-mails if a user sends too many, you might delay them or put them in a moderation queue. If the user sends many identical e-mails or too many e-mails, you might decide to temporarily suspend their account or disable access to certain features.
Another important consideration is, what do you do when a legitimate user’s account is compromised, and what actions do you take to identify, lock down, and ultimately restore those accounts?
Dealing with Attacks
A common first reaction to these events is to do damage control and immediately clean up the mess. Don’t. Make backups of your logs and databases, disable the user rather than delete it, and then do cleanup. Almost all abuse follows a certain type of pattern, and in order to identify, understand, and defend against this pattern, you need to be able to examine the data left behind.
Obviously, you also need to prevent immediate repeat attacks by disabling the offending account or the method of attack (by disabling the e-mail system for instance), but be careful about throwing away data.
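As an added example (not code from the question or the answer), here is a small per-sender guard that combines the question's proposed limits (one e-mail every 2 minutes, 100 per day, block at the cap) with the answer's suggestions of routing repeated identical e-mails to a moderation queue, suspending rather than deleting the account, and keeping an audit trail of every decision. The duplicate threshold, the class and all names are assumptions.

```python
from collections import defaultdict, deque
import hashlib

# Hypothetical guard (not from the question or answer). Limits are the
# question's proposed values; DUPLICATE_THRESHOLD is an assumption.
MIN_INTERVAL_S = 120        # at most one e-mail every 2 minutes
DAILY_LIMIT = 100           # at most 100 e-mails per rolling 24 hours
DAY_S = 24 * 60 * 60
DUPLICATE_THRESHOLD = 3     # identical bodies per day before moderation


class OutboundMailGuard:
    """Per-sender throttle: decide 'send', 'queue' or 'reject:<reason>'."""

    def __init__(self):
        self.sent = defaultdict(deque)       # user -> accepted send timestamps
        self.body_counts = defaultdict(int)  # (user, day, body digest) -> count
        self.suspended = set()               # disabled, not deleted (data kept)
        self.moderation_queue = []           # (timestamp, user, body)
        self.audit = []                      # (timestamp, user, decision)

    def _prune(self, user, now):
        window = self.sent[user]
        while window and now - window[0] >= DAY_S:
            window.popleft()                 # drop sends older than 24 hours

    def check(self, user, body, now):
        """Evaluate one outbound e-mail and record the decision for later review."""
        decision = self._decide(user, body, now)
        self.audit.append((now, user, decision))
        return decision

    def _decide(self, user, body, now):
        if user in self.suspended:
            return "reject:suspended"
        self._prune(user, now)
        window = self.sent[user]
        if window and now - window[-1] < MIN_INTERVAL_S:
            return "reject:too_fast"
        if len(window) >= DAILY_LIMIT:
            # Daily cap reached: disable the account instead of deleting it.
            self.suspended.add(user)
            return "reject:daily_limit"
        key = (user, now // DAY_S, hashlib.sha256(body.encode()).hexdigest())
        self.body_counts[key] += 1
        window.append(now)
        if self.body_counts[key] > DUPLICATE_THRESHOLD:
            # Repeated identical bodies go to a human rather than being dropped.
            self.moderation_queue.append((now, user, body))
            return "queue"
        return "send"
```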