One time, I managed to trace one of the IP addresses signing up all these porn accounts to a web development / marketing agency in Malaysia -- tracked down their out of hours emergency number -- and phoned (what I assume was) the founder of the company at 2am his time.
Conversation
I said please can you stop sending us all this porn. We're a 5 person nonprofit organisation just trying to survive. We're not google or facebook, and you're destroying our servers with all these pixelated penises.
He was very apologetic and for a while there was no more porn.
1
1
52
Eventually, though, other people caught on and created more spam sites - and at the start of 2018 we finally decided to validate credit cards in order to start a free trial.
No charge on signup, and no auto-charge at the end of trial. Just validation.
Spam solved! Until 2020
1
40
At the start of this year, the strategy we used to get rid of one type of spammer... attracted a new type. Fuck me.
Now there's people who do a "big hack" of cards stored in plaintext somewhere, then try to sell them on the black market before the breach is up on
1
3
28
But you're a hacker, and you just got 100,000 credit card details from a database somewhere which you now want to sell on. The first question you're going to get to establish market value is... "how many of them work?"
1
31
And so it turns out we inadvertently designed the ultimate credit card testing tool.
A public facing credit card form, which DOES validate a card can be charged, but DOESNT charge it, meaning it's nearly invisible to the victims:
1
7
98
Doesn't show up on printed statements, doesn't show up on internet banking, doesn't show up ANYWHERE except for a temporary "pending transaction" list with some more modern providers.
Best of all! It's from a known merchant (us) with well established reputation/history!
1
47
So these motherfuckers start running big batches of thousands of card tests against our signup page. Spam prevention is now spam magnet.
They do it via a distributed botnet masquerading as real users filling out/submitting the form, so there's basically no way of filtering.
1
2
69
Infrastructure team is trying everything but they're getting through all our honeypots, and we're losing our minds.
I'm going through our firewall logs looking at the requests and spot a couple of signatures which are easy to block. Then, all of a sudden there's a new spike
3
1
35
You can really easily pass CAPTCHAs using services such as 2captcha. Although it may not be always rentable, I guess it would have been the case here.
What about Recaptcha v3 + rate limits on the payment form route?
1
If you lie on your fingerprint + do some IP rotation, I don't feel like reCaptcha v3 will really help
1
Show replies
That's right, you can use 2captcha to recognize captcha!