Spambots Revisited

Back at the beginning of April, I killed about a thousand spambot accounts on this blog and added some new defenses against them. Those defenses helped quite a bit; I was still getting about ten attempts a week, but any spambot that gave an invalid e-mail address was blocked, as was any that gave a known blog-spammer address. As a result, in the nine months since then, only twenty or thirty spambots managed to register an account.

That was still more than I liked, so over the last week or two I’ve been playing with a few settings. Using a plug-in called Register Plus Redux, I tried making the “About Yourself” field required. No luck — any spambot smart enough to get past my existing defenses was also programmed to handle such standard fields.

My second attempt was adding a new field to the registration page, one that’s labeled “I am a…” and has two choices, “human” and “spambot”. It’s a required field: you’ve got to choose one or the other or you can’t submit the form.

Since I added that, I haven’t had any new registrations. That’s pretty much what I wanted. I don’t require registration for anything, so there’s no reason for a human to register, but spambots are programmed to register just because some blogs require registration before someone can leave a comment and some anti-spam software is easier on logged-in users.

As a defense, it’s very weak. A human can beat it with less than a second’s thought. A spambot-writer could program his spambot to defeat it with five minutes of work. But it’s unique. No such person is going to bother adding that stuff if it’s only going to work on a single blog with a handful of readers. If enough blogs start using the same sort of defense, and spambots start getting adapted to it, I’ll change it to something else unique, like “how many legs does the average horse have?” or “what part of the human body contains the brain?”

That’s the trick: you just need to make something that is slightly different, just different enough that it would require a little extra work from a spambot-writer, and change it as necessary. It wouldn’t work for a very popular blog, but for most people — myself included — it’s sufficient.
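
An added example, not the author's setup (the post used a plug-in and shows no code): one way to build such a field with WordPress's core `register_form` and `registration_errors` hooks, checked on the server so a bot that posts the form directly is still rejected. The `urc_` function names, the `urc_answer` field name and the error messages are hypothetical.

```php
<?php
/*
 * Plugin Name: Unique Registration Challenge (added example)
 */

// The whole challenge lives here, so it can be swapped for a different
// question as soon as spambots adapt to this one.
function urc_challenge() {
    return array(
        'label'   => 'I am a…',
        'choices' => array( 'human', 'spambot' ),
        'correct' => 'human',
    );
}

// Render the field on the standard registration form. Neither radio button
// is pre-selected, so a form submitted with defaults has no answer at all.
add_action( 'register_form', function () {
    $c = urc_challenge();
    echo '<p>' . esc_html( $c['label'] ) . '<br />';
    foreach ( $c['choices'] as $choice ) {
        printf(
            '<label><input type="radio" name="urc_answer" value="%s" /> %s</label> ',
            esc_attr( $choice ),
            esc_html( $choice )
        );
    }
    echo '</p>';
} );

// Server-side check: a missing or wrong answer adds an error, and WordPress
// does not create the account when $errors is non-empty.
add_filter( 'registration_errors', function ( $errors, $sanitized_user_login, $user_email ) {
    $c      = urc_challenge();
    $raw    = isset( $_POST['urc_answer'] ) ? wp_unslash( $_POST['urc_answer'] ) : '';
    $answer = is_string( $raw ) ? strtolower( sanitize_text_field( $raw ) ) : '';

    if ( '' === $answer ) {
        $errors->add( 'urc_missing', 'Please answer the extra question.' );
    } elseif ( $answer !== $c['correct'] ) {
        $errors->add( 'urc_wrong', 'Registration is not open to spambots.' );
    }
    return $errors;
}, 10, 3 );
```

Logging which error code fired, and for which submitted e-mail address, shows when bots start answering the question correctly and it is time to change it.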


  1. You registered before it was in place. 😉 But even so, you’re a human, not a spambot — I’ve met you, and I guarantee that you’re human. Nobody would make a machine that looks like that. 😉
