1

I have my little web application, with a simple registration strategy - provide email and password and you are done.

Recently bots have started to attack my application, registering a big number of users from non-existent emails using the same passwords.

I want to prevent that. My idea is to extend login verification, but check the existence of the email address. Do you know any web services (preferably WCF) that could do that?

Alexander Beletsky
  • It would require connecting to each domain email server to check the existence of the email address, it seems unlikely. Why don't you use some challenge to leave the bots out (like captcha for example)? – Johann Blais Aug 08 '11 at 08:17

4 Answers

5

This is definitely not the way to solve this problem. Try one of these:

  1. Allow the user to enter only a username and send an auto-generated password to their email.
  2. Send a verification link to the user's email and approve him/her only after verification.
naveen
  • Thanks, but I would like to avoid verification letters as much as possible. I personally hate them, I think my users are the same; – Alexander Beletsky Aug 08 '11 at 08:16
  • 1
    I agree that it is a minor inconvenience, but that's the best method to solve this problem. Plus, if I am a professional spammer (whoever will ever choose this as a profession) I would have tons of *valid* emails :) – naveen Aug 08 '11 at 08:20
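The verification-link option from the answer above, as an added example that is not part of the original post: a stateless, expiring link token signed with HMAC-SHA256, so the account stays unapproved until the address owner presents a token the server itself issued. The secret, the lifetime and all function names are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumptions: constructed demo secret (load a real one from server config)
# and a one-day link lifetime.
SECRET_KEY = b"constructed-demo-key-change-me"
TOKEN_TTL_SECONDS = 24 * 3600


def b64e(data: bytes) -> str:
    """URL-safe base64 without padding, so the token fits in a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_token(email: str, now: Optional[float] = None) -> str:
    """Return 'payload.signature' binding the address to an expiry time."""
    issued = time.time() if now is None else now
    expires = int(issued + TOKEN_TTL_SECONDS)
    payload = f"{expires}:{email.strip().lower()}".encode("utf-8")
    return f"{b64e(payload)}.{b64e(sign(payload))}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the verified email, or None if forged, malformed or expired."""
    try:
        payload_part, sig_part = token.split(".")
        payload, signature = b64d(payload_part), b64d(sig_part)
        expires_text, email = payload.decode("utf-8").split(":", 1)
        expires = int(expires_text)
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison: do not leak how many signature bytes matched.
    if not hmac.compare_digest(signature, sign(payload)):
        return None
    if (time.time() if now is None else now) > expires:
        return None
    return email
```

The registration handler would store the account as unverified, mail a link carrying `make_token(email)`, and approve the account only when `verify_token` returns that same address.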
1

This has been discussed in "How to check if an email address exists without sending an email?". Basically there are ways to verify email addresses, but in practice none of them is reliable. However, you can still check via SMTP, and if the server denies the existence of the expected user, send him an email with a verification link anyway. This does not prevent spammers from setting up fake servers that acknowledge the existence of any user, or using other people's email addresses, but it's probably the closest you can get to your initial requirement of having no verification email.

Malte Clasen
  • Thanks. Taking into account everything said, I think captcha is the best way of stopping spammers in my case; – Alexander Beletsky Aug 08 '11 at 14:26
  • 1
    @alexanderb You might want to consider hidden captchas which try to distinguish bot and human on their own, such as (for WebForms) http://www.asp.net/ajax/ajaxcontroltoolkit/samples/NoBot/NoBot.aspx . – Malte Clasen Aug 08 '11 at 14:54
0

I would recommend you to update your registration form. Try to use something tricky for bots. For example, post the form via AJAX with JSON object wrapper.

0

Try a service like: http://elasticemail.com/

You can use the API to check if the email was delivered. There is also a 'bounce list' you can check.

Lee Smith