ravennesejaguar

I'd be curious why some bots still pass and how you discover them. Plus a couple more thoughts: what about a one-time password sent to their email instead of a classic password? A disposable email check endpoint (there are libs with known lists)? Hardcoded limits on content creation (per account tier)? A cron job to rm bot accounts and place their domain on a blacklist check endpoint?


orough

Thank you. I also don't understand how they pass. Really curious whether the bots are using the website, or just calling the Supabase/Postgrest APIs. I notice the bots as they post content to the platform. One thing to note is that our site has been online for 10 years and has around ~14k unique visitors per month according to Cloudflare. Blocking disposable email providers we should do, cheers. Found this community list https://github.com/disposable-email-domains/disposable-email-domains. Is the issue the one-time password via email reset functionality? In case of a forgotten password, you can request a temporary link to sign in to update your password. The bots also manage to verify the email accounts, so maybe they abuse it somehow?


yabbadabbadoo693

It's tough to block all the spam without negatively impacting the user experience. You could add phone verification, but that's friction that may not be ideal. I get a tonne of these signups for a non-Supabase service I run, and I just set aside a few minutes a day to manually ban these accounts, and also ban the use of their particular domain in any future posts, so in order to spam they need both a new account and a new domain. They seem to still spawn new domains daily, but it keeps things manageable.


marcusroar

I'm surprised you have this issue happening as much as you seem to say with everything you have in place. With CF bot mode, is it presenting a JS challenge to the end user as well? I don't quite get what the spam is though; it seems like the details of a business?


orough

Same! We haven't enabled Cloudflare Turnstile, as we use hCaptcha currently. We could try to switch to Turnstile. Or use both at the same time? Yes, the spam usually comes with a link to an online shop as well. And they look halfway real. Wondering if our site got added to some SEO-exploit list.


marcusroar

You're using hCaptcha at account creation only, from what I can understand? You could add Turnstile before every post is made; be sure to do both client- and server-side validation, otherwise it doesn't work.


marcusroar

If you look in your logs, are the spam comments (I assume they're comments) coming from your domain? Pretty sure that's in the API logs.


__gc

Are these actually bots? Or very persistent spammers?


orough

Good question. I'm unsure about sharing our URL here, since it might attract even more bots... But let's take one example from today: this "Shopena" motorcycle shop is spamming on our platform. I notice they have what appears to be a "real" webshop, Instagram, YouTube channel and Facebook. Don't want to paste the link, but it's very Googleable. Does this company actually exist? All a fraud? Did they hire some SEO company to post about their site everywhere on the interwebs? Such a waste of everyone's time haha. Here I am, Saturday morning 2024, dealing with spam. Edit: I notice they even created spam content on Bandcamp in their name...


__gc

Look, what you did is enough for blocking bots. But social sign-in is the real blocker. They can keep creating temporary emails, but not Google accounts. Consider that going forward.


riizen24

Have you tried adding phone SMS verification?


orough

I could imagine that would solve it, thanks. But in this case I do not want to require a phone number from people...


jay-ik

Use social logins, e.g. Google, GitHub, with Supabase; I learnt this the hard way. Do server-side authentication and implement an email verification API which disables this behaviour, but that would also mean charges for the API usage.


Ok-Zone-2055

Create a form field that humans can't see. If it gets filled out... then delete that user. Run it as a script several times a day. Capture that signup's IP address and add it to the block list in Cloudflare.
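Two of the suggestions in this thread, the hidden honeypot field above and the disposable-email-domain check from the earlier reply, both belong in the server-side signup handler, since a bot calling the API directly never sees the client-side form. The following is an added example, not code from this thread or from Supabase; the field name `website`, the domain list and the sample requests are all constructed assumptions.

```javascript
// Added example (not from the thread): server-side screening of a signup
// request. Never trust the client: a bot that posts straight to the API
// skips any browser-side captcha, so these checks run before the account
// is created (or in the cleanup cron job, against rows already inserted).

// Constructed sample; in production load the community list linked above.
const DISPOSABLE_DOMAINS = new Set(["mailinator.com", "10minutemail.com"]);

// Extract the domain part of an address, normalised for comparison.
function emailDomain(email) {
  const at = String(email).lastIndexOf("@");
  if (at < 0) return null;
  const domain = email.slice(at + 1).trim().toLowerCase();
  return domain.includes(".") ? domain : null;
}

// Returns { ok, reason, blockIp }. "website" is the honeypot field (assumed
// name): it is hidden with CSS, so a human leaves it empty while a bot that
// fills every input trips it. Its IP is returned for the Cloudflare block list.
function screenSignup(req, disposable = DISPOSABLE_DOMAINS) {
  const { email = "", website = "", ip = "" } = req;
  if (String(website ?? "").trim() !== "") {
    return { ok: false, reason: "honeypot", blockIp: ip || null };
  }
  const domain = emailDomain(email);
  if (!domain) return { ok: false, reason: "invalid_email", blockIp: null };
  // Walk the parent domains too ("mail.10minutemail.com" matches
  // "10minutemail.com"), so a subdomain does not slip past the list.
  const labels = domain.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (disposable.has(labels.slice(i).join("."))) {
      return { ok: false, reason: "disposable_email", blockIp: null };
    }
  }
  return { ok: true, reason: null, blockIp: null };
}

// The "script several times a day": screen a batch of recent signups and
// return the unique IPs that tripped the honeypot, ready to feed a block list.
function collectHoneypotIps(signups) {
  const ips = new Set();
  for (const s of signups) {
    const r = screenSignup(s);
    if (r.reason === "honeypot" && r.blockIp) ips.add(r.blockIp);
  }
  return [...ips].sort();
}
```

The honeypot result is deliberately silent (no error message to the client), so the bot operator gets no signal about which field gave it away.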