Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I fought an interesting implementation of customized spam on a web app registration form a few months back. Suddenly, every 2-3 seconds, we would get a sign up from a random email address @qq.com (it really clogged our sign up Slack channel). I didn’t want to go full CAPTCHA so I dropped in a simple honeypot and the spam stopped for a good 4-5 hours. Then it picked right back up like normal. I then implemented a randomized honeypot, e.g. <input name=“lastname478482”> and again, it ceased immediately and picked up a few hours later. Finally I just blocked all submissions with emails @qq.com and it stopped completely and hasn’t returned months later.

Sometimes I wonder if there was a real person on the other end writing code to combat the code I was writing at the same time, and finally gave up on the 3rd iteration.



There is someone else on the other end. I had one of them previously get on the forums I worked on and complain about how quick I was to blocked them. I wrote an entire system for learning the patterns and automatically blocking them as they occurred. Eventually I determined that the vast majority of the IP addresses originated from Bangladesh so I just banned the entire country from accessing the web sites. That was the only solution, unfortunately for those legitimate users there, that made the spam stop for good.


I have to ask, why do people do this? What do they get out of it?


I assume SEO targeting and associating phrases with various products. For example, people on Reddit will name and shame by dropping people's names accused of crimes next to the thing they are accused of in a complete sentence. This is an attempt to promote the relevance of those two facts in Google Search to each other.


Doesn't the nofollow attribute [1] work to remove that incentive? IIRC that was the intended purpose of nofollow?

[1] https://en.wikipedia.org/wiki/Nofollow


The automated spam tends to be for financial gain somehow, Either by spaming links thinking someone will click them or SEO stuff. The non automated spam is usually people who find enjoyment in being annoying


I recommend reading the book "Spam Nation" by Brian Krebs(sp?). He goes into the different motives behind spam, the big actors, and how people get paid for creating spam.


i have the same experience, exclusively bangladeshi and indian IPs signing up to enter SEO spam for small businesses in the US (insurance, hair salons, lawyers, house renovation etc etc). Stopforumspam has most of them in their lists.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: