Hey folks 👋,

Hope you all doing good!

As we all know recently dev.to got flooded with spam, read more here.

Spam sucks

Ben Halpern for The DEV Team ・ Oct 6 '20

#meta #security

In this article let us see how to detect and prevent spam automatically in your social platform. Here as an example, I'll show how we fight for spam in Taskord (https://taskord.com).

Detection

What is rate-limiting?

Rate limiting is the control of the number of requests per unit time. It can be applied to ports, IP, routes, users, etc. It can efficiently block out malicious bots.

Throttle Web requests

Taskord is built using Laravel, which has inbuilt throttler for requests.

This snippet is used in routes/web.php

Route::group(['middleware' => ['throttle:30,1']], function () {
  // All Routes
});

throttle:30,1 means it allows 30 requests per minute.

When a user tries to abuse the platform by clicking links back and forth from the same IP address they will hit the limit and it will automatically be redirected to the warning page.

I tried to simulate simple DOS attack by using curl from multiple terminals, this is what I end up with.

Throttle API requests

API endpoints are most vulnerable one, most of the attackers target on these. It is very important to rate limit API requests

The same rules can be applied in what we followed in throttling the web requests. In Taskord we use GraphQL API so we have added some additional steps to prevent spam.

For Queries requests, we do simple 30 reqs / min throttling. But for Mutations request, we flag the user if they rate-limited twice in a short period of time. (User can ask admins for more requests and we will validate the use case and provide them with additional points).

Prevention

Block disposable emails

Blocking disposable emails is the very first important step to prevent spam. So make sure to implement disposable email blocker.

Multiple accounts on the same IP

If multiple users registered or logged with the same IP the system will automatically flag all the users connected with the same IP and it will notify the admins and we review it manually if they violated the terms we will suspend their account if not we will un-flag them.

Limit the functionality

Limit users with 3 types

• Unverified - User can do everything except liking and creating the post.
• Flagged - User can log in but they can only see other's activities, and the profile is hidden from the public.
• Suspended - User can do anything, not even log in.

Rate limit based flagging

Count the throttled requests, if the limit is N and the account exceeds N+10 within mentioned time requests, the system will automatically flag the account.

$throttler = Throttle::get(Request::instance(), 20, 5);
$throttler->hit();
if (count($throttler) > 30) {
    Helper::flagAccount(Auth::user());
}
if (! $throttler->check()) {
    return session()->flash('error', 'Your are rate limited, try again later!');
}

Hide entities

You can hide only the particular entities without affecting the user.

You can use the following package to prevent DOS attacks.

For Laravel

$ composer require "graham-campbell/throttle:^10.0"

For Rails

# In your Gemfile
gem 'rack-attack'

$

Thanks ❤

Happy Shipping 🚀