How can I prevent spammers from populating my mailing list?

SearchSecurity.com's information security threats expert, Ed Skoudis, explains the workings of a spambot and teaches the strategies you need to counter spammers and clean up your mailing lists.

I'm the administrator of a security mailing list and recently found the comment field of several form submissions populated with pure spam content. Can you suggest a way to find out who or what is spamming our list and what I can do to prevent this scenario from occurring again?
Yes, these spambots that search for Web-based forms and fill them with advertising crud are very annoying. Several of the lists I read have been plagued with them. The business model is this: attackers write an automated Web crawler that surfs from Web site to Web site, searching for forms. When they find one, they fill it with ads and links. The ads are designed to be read by humans, who, as you describe, may read a mailing list associated with the form. The links, however, are meant for other Web crawlers, such as those connected with the popular search engines. If the data submitted by the spammer's crawler is then published on a Web site, search engines will register an additional link to the spammer's site. Thus, the spammer's site will seem more important and appear higher in search engine results. This practice is highly annoying, but clever.

So, if you run a list that allows entry via a Web form, how can you cut down on such problems? There are no sure-fire solutions, but an increasing number of lists are turning to CAPTCHAs, a tortured acronym standing for Completely Automated Public Turing test to tell Computers and Humans Apart. They are those little puzzles that let a human prove that he or she is indeed a human. So, when your user wants to enter data to be sent to your list, they first have to type in some text that has been obscured in an image. This tests the pattern-recognition abilities of humans, which most automated Web crawlers don't have. To use a CAPTCHA associated with the input, you'll have to install CAPTCHA software on your Web site. There are several free CAPTCHA programs available for various Web servers, as described here: http://freshmeat.net/search/?q=captcha. The free phpBB suite also includes a CAPTCHA routine you could use if you are relying on PHP generally and phpBB in particular.

Unfortunately, the bad guys can create automated software to break and bypass the CAPTCHA. Or, at a minimum, some can simply employ low-cost human form-fillers to surf the net, fill in CAPTCHA forms, and then paste in ads. Don't laugh... some aggressive advertisers do just that.

Another option, which may or may not meet your needs, is to create a whitelist of allowed users who can authenticate and then post to your list. Such moves are draconian and require administrative overhead, but they do significantly cut down on the problem of clutter.
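The two controls described above, a CAPTCHA check followed by an optional poster whitelist, can be sketched as one server-side gate. This is an added example, not code from the original answer or from phpBB; the function names, the token format, the five-minute lifetime and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)         # per-deployment signing key (assumption)
TTL = 300                                # seconds a challenge stays valid (assumption)
ALLOWED_POSTERS = {"alice@example.org"}  # constructed whitelist entry
_used_nonces = set()                     # in-memory replay cache; share it across workers in production

def _mac(nonce, expires, answer):
    # Bind the expected answer to this nonce and expiry (answers compared case-insensitively).
    msg = f"{nonce}|{expires}|{str(answer).strip().lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_challenge(answer, now=None):
    """Return the token to place in a hidden form field beside the CAPTCHA image."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)
    expires = int(now) + TTL
    return f"{nonce}.{expires}.{_mac(nonce, expires, answer)}"

def check_submission(token, typed, sender=None, require_whitelist=False, now=None):
    """Return (accepted, reason) for one form submission."""
    now = time.time() if now is None else now
    try:
        nonce, expires_s, mac = token.split(".")
        expires = int(expires_s)
    except (ValueError, AttributeError):
        return False, "malformed token"
    # Constant-time comparison; wrong guesses should also be rate-limited per client.
    if not hmac.compare_digest(mac.encode(), _mac(nonce, expires, typed).encode()):
        return False, "wrong captcha answer"
    if now > expires:
        return False, "challenge expired"
    if nonce in _used_nonces:
        return False, "challenge already used"
    _used_nonces.add(nonce)  # one solved challenge buys exactly one post
    if require_whitelist and (sender or "").lower() not in ALLOWED_POSTERS:
        return False, "sender not on whitelist"
    return True, "accepted"
```

The single-use nonce means a solved puzzle cannot be replayed to submit many posts, but it does nothing against the paid human form-fillers mentioned above; only the whitelist branch addresses those.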

This was last published in September 2006.
