When offering to create a profile (for example, login+pwd) for a web service, what are the best practices one should implement to avoid mass spamming/creation of fake profiles? I am thinking about email confirmation, captchas, etc. Any other ideas that work in practice?
3 Answers
A very good idea to avoid mass profile making without adding a captcha (let's admit it, even when you know they are for the good, captchas can be just annoying) is to make a hidden <input> element.
You check whether this element is filled in: if it is, that usually means it was a bot. In that case you give the bot a false success message and just throw the data in the bin. If it was not filled in (because no human would go looking in your source code for hidden inputs), you process the data and register the user.
- 440
I think you should consider using an SMS or email verification method in addition to a CAPTCHA. You should also consider logging the IP addresses that create accounts, and if someone attempts to register another account within a time window you should deny it or ask for further verification.
Another approach you could take would be to have moderators and make sure there are no spam-type accounts.
You could also watch the user behaviour to identify spam accounts:
- Is the form filled in very quickly for signup?
- Does any interaction appear to be preprogrammed?
You need to find the right mix of preventative measures to prevent legitimate users from being harmed.
- 6,172
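The honeypot field from the first answer and the per-IP window and "filled in too quickly" checks from the second can be combined into one server-side decision. The following is an added example, not code from either answer; the field name `website`, the thresholds, and the `SignupGuard` class are assumptions, and the form-rendered timestamp is assumed to come from a server-issued, tamper-proof token rather than a client-supplied value.

```python
import time
from collections import defaultdict, deque

# Assumed names and thresholds (not from the original answers).
HONEYPOT_FIELD = "website"   # hidden <input name="website">; humans never see or fill it
MIN_FILL_SECONDS = 3.0       # a submit faster than this is suspicious
IP_WINDOW_SECONDS = 3600     # at most IP_MAX_SIGNUPS per client IP in this window
IP_MAX_SIGNUPS = 1


class SignupGuard:
    """Decide whether a signup is accepted, rejected, or needs extra verification."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock, makes tests deterministic
        self._by_ip = defaultdict(deque)    # client IP -> timestamps of accepted signups

    def evaluate(self, form, client_ip, form_rendered_at):
        """Return (decision, reason); decision is 'accept', 'reject' or 'verify'.

        form_rendered_at must be a server-side timestamp (e.g. from a signed
        token issued when the form was served), never a value the client chose.
        """
        # 1. Honeypot: bots that fill every input trip this. The caller should
        #    answer with a fake success page and discard the submission.
        if form.get(HONEYPOT_FIELD, "").strip():
            return "reject", "honeypot"

        # 2. Timing: a form completed in under MIN_FILL_SECONDS is probably scripted.
        #    Ask for further verification rather than deny outright, to spare
        #    real users with autofill.
        if self.now() - form_rendered_at < MIN_FILL_SECONDS:
            return "verify", "too_fast"

        # 3. Per-IP window: drop old entries, then check the remaining count.
        #    Shared NAT/proxy addresses are why this escalates to 'verify', not 'reject'.
        recent = self._by_ip[client_ip]
        cutoff = self.now() - IP_WINDOW_SECONDS
        while recent and recent[0] < cutoff:
            recent.popleft()
        if len(recent) >= IP_MAX_SIGNUPS:
            return "verify", "ip_rate"

        recent.append(self.now())
        return "accept", "ok"
```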
Some services require you to enter a verification code sent to your phone by text. It's quite effective at stopping bots, but it does take some effort on your part to set up.
- 17,835