Hey folks,
Hope you are all doing well!
As you may know, dev.to was recently flooded with spam (read more here).
In this article let us see how to detect and prevent spam automatically in your social platform. As an example, I'll show how we fight spam in Taskord (https://taskord.com).
Detection
What is rate-limiting?
Rate limiting is the control of the number of requests per unit of time. It can be applied to ports, IPs, routes, users, etc., and it efficiently blocks out malicious bots.
Throttle Web requests
Taskord is built using Laravel, which has a built-in throttler for requests.
This snippet is used in routes/web.php:
    Route::group(['middleware' => ['throttle:30,1']], function () {
        // All Routes
    });
throttle:30,1 means it allows 30 requests per minute.
When a user tries to abuse the platform by clicking links back and forth from the same IP address, they will hit the limit and will automatically be redirected to the warning page.
I tried to simulate a simple DoS attack by using curl from multiple terminals; this is what I ended up with.
Throttle API requests
API endpoints are the most vulnerable ones, and most attackers target them, so it is very important to rate limit API requests.
The same rules we followed in throttling the web requests can be applied here. In Taskord we use a GraphQL API, so we have added some additional steps to prevent spam.
For query requests, we do simple 30 reqs/min throttling. But for mutation requests, we flag the user if they get rate-limited twice in a short period of time. (Users can ask admins for more requests; we will validate the use case and provide them with additional points.)
Prevention
Block disposable emails
Blocking disposable emails is the first and most important step to prevent spam, so make sure to implement a disposable email blocker.
Multiple accounts on the same IP
If multiple users register or log in from the same IP, the system automatically flags all the users connected with that IP and notifies the admins. We then review it manually: if they violated the terms we suspend their accounts, and if not we un-flag them.
Limit the functionality
Limit users with three states:
- Unverified - Users can do everything except liking and creating posts.
- Flagged - Users can log in, but they can only see others' activities, and their profile is hidden from the public.
- Suspended - Users cannot do anything, not even log in.
Rate limit based flagging
Count the throttled requests: if the limit is N and the account exceeds N+10 requests within the configured time window, the system automatically flags the account.
    use GrahamCampbell\Throttle\Facades\Throttle;
    use Illuminate\Support\Facades\Auth;
    use Illuminate\Support\Facades\Request;

    // Limit N = 20 requests per 5 minutes for the current client
    $throttler = Throttle::get(Request::instance(), 20, 5);
    // Register this request against the counter
    $throttler->hit();
    // More than N+10 hits inside the window: flag the account for admin review
    if (count($throttler) > 30) {
        Helper::flagAccount(Auth::user());
    }
    // Over the limit but not yet flagged: reject the request with a message
    if (! $throttler->check()) {
        return session()->flash('error', 'You are rate limited, try again later!');
    }
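The throttling and flagging rules described so far (the fixed-window throttle used for the web routes, the N+10 flagging rule above, and the mutation rule of flagging a user who is rate-limited twice in a short period), reimplemented as a stand-alone Python example that is not Taskord's or Laravel-Throttle's code. The injectable clock, the grace and repeat_seconds parameters and the result strings are my assumptions.

```python
import time

class Throttler:
    """Fixed-window counter per key (user id or client IP): the same model as
    Laravel's cache-backed throttle:<limit>,<minutes> middleware."""

    def __init__(self, limit, window_seconds, clock=time.time):
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self._windows = {}  # key -> (window_start, hit_count)

    def hit(self, key):
        """Record one request; return (window_start, count) after the hit."""
        now = self.clock()
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.window:  # window expired: start a fresh one
            start, count = now, 0
        self._windows[key] = (start, count + 1)
        return self._windows[key]

    def check(self, key):
        """True while the key is still within its limit for the current window."""
        start, count = self._windows.get(key, (0, 0))
        return self.clock() - start >= self.window or count <= self.limit


class SpamGuard:
    """The post's flagging policy on top of the throttler: flag an account that
    exceeds limit + grace hits in one window (the N+10 rule), or that gets
    rate-limited in two different windows less than repeat_seconds apart."""

    def __init__(self, throttler, grace=10, repeat_seconds=600):
        self.t, self.grace, self.repeat = throttler, grace, repeat_seconds
        self.flagged = set()
        self._limited = {}  # key -> (window_start, time) of the last rate-limit

    def handle(self, key):
        """Return 'ok', 'rate_limited' or 'flagged' for one incoming request."""
        if key in self.flagged:
            return "flagged"
        start, count = self.t.hit(key)
        if count > self.t.limit + self.grace:  # N+10 exceeded in one window
            self.flagged.add(key)
            return "flagged"
        if count > self.t.limit:  # over the limit: remember when, and in which window
            now, prev = self.t.clock(), self._limited.get(key)
            self._limited[key] = (start, now)
            if prev and prev[0] != start and now - prev[1] < self.repeat:
                self.flagged.add(key)  # rate-limited twice in a short period
                return "flagged"
            return "rate_limited"
        return "ok"
```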
Hide entities
You can hide only the particular entities without affecting the user account.
You can use the following packages to throttle requests and prevent DoS attacks.
For Laravel
GrahamCampbell / Laravel-Throttle
A rate limiter for Laravel
Installation
This version requires PHP 7.4-8.3 and supports Laravel 8-11.
To get the latest version, simply require the project using Composer:
$ composer require "graham-campbell/throttle:^10.2"
Once installed, if you are not using automatic package discovery, then you need to register the GrahamCampbell\Throttle\ThrottleServiceProvider service provider in your…
For Rails
rack / rack-attack
Rack middleware for blocking & throttling
Protect your Rails and Rack apps from bad clients. Rack::Attack lets you easily decide when to allow, block and throttle based on properties of the request.
Getting started
Installing
Add this line to your application's Gemfile:
# In your Gemfile
gem 'rack-attack'
Thanks ❤
Happy Shipping!
Top comments (2)
I'm generally against blocking disposable email addresses.
They're perfectly valid, they're just more open to abuse than others.
I mean, for a while I had a catchall on notareal.email so I could sign up with "fakename@notareal.email" or "justtesting@notareal.email" and whatever I used would work.
Disposable emails add a level of privacy some people might want - or need - and they don't have to expire, either.
Disposable emails have both advantages and disadvantages!