To hell with them!
I run a modest forum which has been operating for about four years, more than enough time to be noticed by spammers. However, it wasn’t until early this year they became a problem. With increasing frequency, posts in questionable English appeared, advertising various websites selling MMORPG currency and the sort. I believed these advertisements to be the work of spambots, so I attempted to counter by increasing the difficulty of the CAPTCHA on the registration page. No effect. Even when I made it barely human readable, the spam didn’t subside.
Annoyed, I reduced the CAPTCHA difficulty to a more friendly level, and instead decided to enable account authentication. When the spambots registered an account, they would be unable to post until a link within an email was visited. I didn’t expect the bots to use valid email addresses, let alone have the ability to visit a link within an email. Imagine my surprise when within hours of enabling this authentication method, spam from a new account was spotted. Worse yet, the account had registered with a Gmail address. Certainly Google has measures in place to prevent bots from checking email, right? Either I was dealing with some mighty sophisticated bots, or these weren’t spambots at all, but in fact… humans!
Still annoyed, I disabled the account authentication and turned to the web server’s log. Having recorded the IPs of a few “bots,” I analyzed the logs and determined through access patterns my forum was indeed a victim of human spammers. Assholes.
Curious, I performed a WHOIS on all the IPs and learned they all originated from China. To this day, every spammer who has defiled my forum is in China.
Happily armed with this new information, and very much annoyed, I resolved to… BAN CHINA. Yeah, there are less brutal methods to deal with spammers, but preventing an entire country from accessing a site is overkill, and overkill is neat.
I found a number of Chinese IP lists however, while merciless in my banning, I didn’t wish to inadvertently ban a legitimate user outside of China. So I created my own list starting with the IPs I already recorded, and added to it whenever a spammer from a yet unbanned IP registered. It’s grown to encompass over 5 million IPs, and works very well. Several would-be spammers are blocked daily.
Instead of blocking Chinese visitors outright, I redirect them to a page informing them why they have been denied the ability to register. The notice is in English, as my forum is English speaking. Should an English speaking visitor from China (or a false positive outside of China) see the page, they will understand why they cannot register, and are given the option of contacting me should they desire to do so. This was accomplished with the magic of mod_rewrite.
