I have admin powers over at Pathfinders Online which I use to vet user registrations. The spambots recently figured out how to get past the captchas, and we were getting 50 spambot registrations per day. We went to a system where each user account has to be manually approved by an admin, and that admin has been me.

With most spambots it’s pretty easy to tell that they’re not human. An email address like asdasdadskjkj@gmail.com is almost certainly a spambot. So is an account with a user name of “Christine McLane” with an email address of “bert_johnson34876@gmail.com”. For those cases that are hard to tell, I check them against Stop Forum Spam which has a series of “honeypots” – forums that appear to be regular old forums, but are really just there to attract spammers. Anyone who registers there is a spammer, and they get added to the database.

Last month I downloaded their list of spambot IP addresses and added them to the banlist at our forum. Spam registrations dropped from 50 per day to 5 per day. Then 6. Then 10. Then 20.

For a while I wouldn’t delete those accounts, but would rather just leave them in limbo. That way they couldn’t reuse the username or email address. But then I decided that it might be better to ban their email addresses and delete the accounts. So over the past three weeks or so I’ve been banning and deleting users.

And then the forum went down. I guess it went down because it was eating up too much processing power. The spammers were still slamming the forum and getting rejected, but every time they did that, the server would have to churn through the banlist, which had 32,000 bad IPs in it. So the ISP shut it down until it could be resolved.

We’re back online again, but with no banlist, we got a dozen registration attempts in about 30 minutes. Wow. So I tried a new tactic. I added a custom field to the registration form. The field is called “I am a human” and the description (which appears on the form) says something like “Type any three letters here to show us that you are a human.” If anything other than exactly three letters is entered, the registration bounces you back to the “try again” screen. Spambots cannot handle this, but people can (I hope). That change has been in place now for eight hours or so, and we haven’t seen one registration during that time.
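Two pieces of this story are worth seeing in code: the banlist that cost a linear scan of 32,000 entries on every rejected attempt, and the “type any three letters” field. The example below is an added illustration, not the forum software’s own code. It stores banned addresses and CIDR ranges in sets keyed by prefix length, so a lookup costs one masked set probe per distinct prefix length rather than a walk over every entry, and it implements the custom-field check as a server-side validation. The banlist entries, the form field name `i_am_a_human`, and the `vet_registration` function are all assumptions made for this example; the addresses are documentation ranges, not real spammer IPs.

```python
import ipaddress

# Constructed sample banlist for this example; the addresses are documentation
# ranges (RFC 5737 / RFC 3849), not real spammer IPs.
SAMPLE_BANLIST = """\
# one entry per line: bare address or CIDR block
203.0.113.7
198.51.100.0/24
2001:db8::/32
"""

# Assumed name of the custom registration field ("I am a human").
HUMAN_FIELD = "i_am_a_human"


class IpBanlist:
    """Banned addresses grouped by (IP version, prefix length).

    A lookup masks the client address once per distinct prefix length and
    does a set membership test, so the cost grows with the number of prefix
    lengths in use (a handful), not with the number of banned entries.
    """

    def __init__(self):
        self._by_prefix = {}  # (version, prefixlen) -> set of network ints

    @classmethod
    def from_text(cls, text):
        banlist = cls()
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and blanks
            if line:
                banlist.add(line)
        return banlist

    def add(self, entry):
        # strict=False lets "198.51.100.5/24" mean the whole /24.
        net = ipaddress.ip_network(entry, strict=False)
        key = (net.version, net.prefixlen)
        self._by_prefix.setdefault(key, set()).add(int(net.network_address))

    def contains(self, ip_str):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            return False  # unparsable remote address: no match, caller decides
        width = ip.max_prefixlen
        addr = int(ip)
        for (version, plen), nets in self._by_prefix.items():
            if version != ip.version:
                continue
            # Keep the top `plen` bits of the address and probe the set.
            mask = ((1 << plen) - 1) << (width - plen)
            if (addr & mask) in nets:
                return True
        return False


def human_check_ok(value):
    """The custom-field rule: exactly three letters, nothing else.

    Surrounding whitespace is stripped (an assumption: browsers and copy-paste
    add it easily), but digits, punctuation, and a fourth character all fail.
    """
    value = value.strip()
    return len(value) == 3 and value.isalpha()


def vet_registration(form, remote_ip, banlist):
    """Return (accepted, reason) for one registration attempt.

    The cheap banlist probe runs first so a banned address never reaches
    the rest of the registration code.
    """
    if banlist.contains(remote_ip):
        return False, "banned ip"
    if not human_check_ok(form.get(HUMAN_FIELD, "")):
        return False, "human check failed"
    return True, "ok"


if __name__ == "__main__":
    bl = IpBanlist.from_text(SAMPLE_BANLIST)
    print(vet_registration({HUMAN_FIELD: "qwe"}, "192.0.2.1", bl))
    print(vet_registration({HUMAN_FIELD: "qwe"}, "198.51.100.200", bl))
    print(vet_registration({HUMAN_FIELD: "qwer"}, "192.0.2.1", bl))
```

One caveat a practitioner would add: the three-letter field works because the bots that hit the forum do not read the form’s instructions, not because it is hard. A bot that is taught this one question will pass it every time, so the check is cheap insurance, not a substitute for watching the registration queue.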

We get maybe one legitimate registration per week, so I’m thinking this is good. It’s way more effective than the banlist, both in preventing spammers and in easing computation requirements. Yay!

I’ll keep an eye on this of course, but I think we have a winner.