We run a couple of competition entry pages for various clients - recently we've had issues with some **** spamming the entry pages.
At the moment it's nothing more than an annoyance - the competitions will usually get no more than 1000 or so entries, so when the spammers turn up and automatically drop 10,000 entries in the database, it's pretty noticeable. In addition, there are fairly obvious patterns to the entries:
* They come from about 1500 IP addresses, but all of those are in the same range (someone is running a botnet based on an ISP's subscribers?)*
* They use email addresses at about 15 or so different domains - and it follows a pattern of letters and numbers that would be pretty easy to spot with a regex.
However, I'm stumped as to how I can stop this... nice person... spamming us in future.
* I really don't want to put a captcha on there - it would discourage too many genuine entrants
* I can't rely on genuine information in the referer, or the user agent.
* I could put a timer on there and only let entries from particular IP ranges through every 3 minutes or so. That seems about the best bet at the moment, but it's gonna involve a processing overhead.
* I can ban whole IP ranges - it's a bit overzealous but it'd put a spanner in the works.
* I can - and am - blocking the email domains they're using, but there's nothing stopping them coming back with the same mechanism and a whole bunch of different email addresses.
*Botnets - I don't know much about how these operate and would like to. Anyone? I'm seeing about 1500 distinct IP addresses associated with these spam entries, and they all come from a range controlled by the ISP Deutsche Telekom AG. How is someone doing that? Should I alert Deutsche Telekom? Are they likely to care? Is this just a botnet of compromised machines that share the same ISP?
Any and all advice / knowledge would be gratefully received.
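
The timer idea from the list above (entries from particular IP ranges let through only once every 3 minutes), sketched as an added example that is not part of the original post. The flagged network, the class and function names and the sample entries are all constructed for illustration; the per-entry cost is one address parse, a scan of the few flagged networks and one dictionary lookup.

```python
import ipaddress
import time


class RangeThrottle:
    """Accept at most one entry per flagged network per time window."""

    def __init__(self, flagged_networks, window_seconds=180):
        # Only networks that have shown abuse are throttled; all other
        # addresses pass straight through, so genuine entrants are unaffected.
        self.networks = [ipaddress.ip_network(n) for n in flagged_networks]
        self.window = window_seconds
        self.last_accepted = {}  # network -> time of last accepted entry

    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False  # unparsable client address: reject the entry
        for net in self.networks:
            if addr in net:
                last = self.last_accepted.get(net)
                if last is not None and now - last < self.window:
                    return False  # this range already used its slot
                self.last_accepted[net] = now
                return True
        return True  # address is outside every flagged range


def filter_entries(entries, throttle):
    """Return the entries that may be stored, in arrival order."""
    return [e for e in entries if throttle.allow(e["ip"], e["ts"])]


# Constructed sample: 203.0.113.0/24 stands in for the abusive range,
# "ts" is seconds since the first submission.
SAMPLE = [
    {"ip": "203.0.113.5", "ts": 0},
    {"ip": "203.0.113.77", "ts": 10},
    {"ip": "192.0.2.10", "ts": 20},
    {"ip": "203.0.113.200", "ts": 179},
    {"ip": "203.0.113.9", "ts": 180},
    {"ip": "203.0.113.9", "ts": 200},
]

if __name__ == "__main__":
    for entry in filter_entries(SAMPLE, RangeThrottle(["203.0.113.0/24"])):
        print(entry)
```

State is a single timestamp per flagged network, so memory does not grow with the number of addresses inside the range.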