DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

Cover image for Tips to prevent spam β˜”οΈ
Yogi
Yogi

Posted on

Tips to prevent spam β˜”οΈ

Hey folks πŸ‘‹,

Hope you all doing good!

As we all know recently dev.to got flooded with spam, read more here.

In this article let us see how to detect and prevent spam automatically in your social platform. Here as an example, I'll show how we fight for spam in Taskord (https://taskord.com).

Detection

What is rate-limiting?

Rate limiting is the control of the number of requests per unit time. It can be applied to ports, IP, routes, users, etc. It can efficiently block out malicious bots.

Throttle Web requests

Taskord is built using Laravel, which has inbuilt throttler for requests.

This snippet is used in routes/web.php

Route::group(['middleware' => ['throttle:30,1']], function () {
  // All Routes
});
Enter fullscreen mode Exit fullscreen mode

throttle:30,1 means it allows 30 requests per minute.

When a user tries to abuse the platform by clicking links back and forth from the same IP address they will hit the limit and it will automatically be redirected to the warning page.

Screenshot (22) (1)

I tried to simulate simple DOS attack by using curl from multiple terminals, this is what I end up with.

image

Throttle API requests

API endpoints are most vulnerable one, most of the attackers target on these. It is very important to rate limit API requests

The same rules can be applied in what we followed in throttling the web requests. In Taskord we use GraphQL API so we have added some additional steps to prevent spam.

For Queries requests, we do simple 30 reqs /Β min throttling. But for Mutations request, we flag the user if they rate-limited twice in a short period of time. (User can ask admins for more requests and we will validate the use case and provide them with additional points).

Prevention

Block disposable emails

Blocking disposable emails is the very first important step to prevent spam. So make sure to implement disposable email blocker.

image (1)

Multiple accounts on the same IP

If multiple users registered or logged with the same IP the system will automatically flag all the users connected with the same IP and it will notify the admins and we review it manually if they violated the terms we will suspend their account if not we will un-flag them.

image (2)

Limit the functionality

Limit users with 3 types

  • Unverified - User can do everything except liking and creating the post.
  • Flagged - User can log in but they can only see other's activities, and the profile is hidden from the public.
  • Suspended - User can do anything, not even log in.

Rate limit based flagging

Count the throttled requests, if the limit is N and the account exceeds N+10 within mentioned time requests, the system will automatically flag the account.

$throttler = Throttle::get(Request::instance(), 20, 5);
$throttler->hit();
if (count($throttler) > 30) {
    Helper::flagAccount(Auth::user());
}
if (! $throttler->check()) {
    return session()->flash('error', 'Your are rate limited, try again later!');
}
Enter fullscreen mode Exit fullscreen mode

Screenshot (23) (1)

Hide entities

You can hide only the particular entities without affecting the user.

Screenshot (24)

You can use the following package to prevent DOS attacks.

For Laravel

GitHub logo GrahamCampbell / Laravel-Throttle

A rate limiter for Laravel

Laravel Throttle

Laravel Throttle was created by, and is maintained by Graham Campbell, and is a rate limiter for Laravel. Feel free to check out the change log, releases, security policy, license, code of conduct, and contribution guidelines.

Banner

Build Status StyleCI Status Software License Packagist Downloads Latest Version

Installation

Laravel Throttle requires PHP 7.2-8.1. This particular version supports Laravel 6-9.

Throttle L5.1 L5.2 L5.3 L5.4 L5.5 L5.6 L5.7 L5.8 L6 L7 L8 L9
4.1 βœ… ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌
5.3 βœ… βœ… βœ… βœ… ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌
6.0 βœ… βœ… βœ… βœ… βœ… ❌ ❌ ❌ ❌ ❌ ❌ ❌
7.5 ❌ ❌ ❌ ❌ βœ… βœ… βœ… βœ… βœ… βœ… ❌ ❌
8.2 ❌ ❌ ❌ ❌ ❌ ❌ ❌ ❌ βœ… βœ… βœ… βœ…

To get the latest version, simply require the project using Composer:

$ composer
…
Enter fullscreen mode Exit fullscreen mode

For Rails

GitHub logo rack / rack-attack

Rack middleware for blocking & throttling

⚠️ You are viewing the development's branch version of README which might contain documentation for unreleased features For the README consistent with the latest released version see https://github.com/rack/rack-attack/blob/6-stable/README.md.

Rack::Attack

Rack middleware for blocking & throttling abusive requests

Protect your Rails and Rack apps from bad clients. Rack::Attack lets you easily decide when to allow, block and throttle based on properties of the request.

See the Backing & Hacking blog post introducing Rack::Attack.

Gem Version build Code Climate Join the chat at https://gitter.im/rack-attack/rack-attack

Table of contents

Getting started

Installing

Add this line to your application's Gemfile:

# In your Gemfile
gem 'rack-attack'
Enter fullscreen mode Exit fullscreen mode

And then execute:

$
…

Thanks ❀

Happy Shipping πŸš€

Top comments (2)

Collapse
moopet profile image
Ben Sinclair

I'm generally against blocking disposable email addresses.
They're perfectly valid, they're just more open to abuse than others.

I mean, for a while I had a catchall on notareal.email so I could sign up with "fakename@notareal.email" or "justtesting@notareal.email" and whatever I used would work.

Disposable emails add a level of privacy some people might want - or need - and they don't have to expire, either.

Collapse
yo profile image
Yogi Author

Disposable emails have both advantage and disadvantages!

  • If a user lost his password there is no way to reset it
  • Cuz it is disposable the email sent from the server will bounce back, providers like AWS SES, Sendgrid hate bounces, if your bounce rate is above 10% they will block the website's email address
  • There is the possibility to steal someone's account if you see anyone can log into someone's email and request for reset password.

🌚 Friends don't let friends browse without dark mode.

Sorry, it's true.