I launched my first web app (node/express backend, running on a Heroku server) into production last week, and already I am seeing some strange signup behaviour in the logs.
At first I thought that it was real users, but it's happened enough times with the same pattern for it to be clearly some sort of spam bot.
My website contains a signup form that requires a firstname, lastname, email, password1 and password2 (must match). On submitting the form, users must then click an additional button to select the type of account they wish to register for, and an email is sent to the provided address for validation.
For the past few days I've had a number (around 10) suspicious signups with a browsing pattern like below (two examples from last night):
timestamp  page
04:48:45   viewBlogPage
04:48:47   registerUser
           [ Send email for user to verify ]
04:48:54   sendResetToken
04:48:56   sendResetToken
04:48:58   getBlogPost
04:49:10   getBlogPost
04:49:12   getBlogPost
04:49:15   getBlogPost
04:49:15   getBlogPost

timestamp  page
22:22:32   viewBlogPage
22:22:32   registerUser
           [ Send email for user to verify ]
22:22:38   sendResetToken
22:22:39   sendResetToken
22:22:40   getBlogPost
22:22:41   getBlogPost
22:22:42   getBlogPost
22:22:42   getBlogPost
22:22:43   getBlogPost
In every case, the user has:

- entered form data and submitted the form. In every case, the firstname and lastname are nonsensical, seemingly random character strings (e.g. firstname: 'Iluuxpmv', lastname: 'Yrtkaugn' and firstname: 'Qatocgyp', lastname: 'Hdfurawghgkqs')
- then navigated to the login page and attempted to reset their password twice in quick succession
- then navigated to one particular blog post five times

My first question is: How can I stop this?
More broadly though, I'm interested in why these (presumably) bots are navigating my site in this weird way.
If this is a spam bot, it seems strange that this has only happened around 10 times, and that they are then clicking on non-random pages that don't contain forms.
Is there some explanation for what is going on that might help me prevent against this?
If the question is "How do I stop this?", then the answer is that you may not be able to stop it altogether, but you can add in some additional security or verification. Ideally add security measures on the server side, as it is strongly arguable that that's where security actually happens. Verification can happen client-side also, but it's just that it can be undone, or bypassed more easily.
Some quick wins can be -
Whitelist not blacklist
Don't sit and work through a number of conditions in which your validation should catch an error. This will very quickly become outdated, and you'll have to update it. i.e. Don't blacklist certain values or conditions, and then all others that are uncaught are passed.
Instead, whitelist - so provide a set of conditions by which your verification DOES pass. Then everything that doesn't pass that - fails, and is not submitted. This allows your application to always continue allowing content that you've ensured it's allowed to, and all other changing input / bypass techniques, fail.
Add A Timer To Your Registration Pages
A normal user will take at least a few seconds to input their details and choose a suitable password etc - whereas a bot will not. A bot will execute the script almost immediately. This means you could implement a timer, and on submit on the form check if the timer is less than 3 seconds or so. If it is, prevent the submit and redirect the user.
Rename Your Email Field And Misdirect
Instead of having a single email field, you could have two, but with one being hidden.
<input type="hidden" value="" name="email" id="email" placeholder="Enter your email...">
<input type="email" value="" name="eee" id="eee" placeholder="Enter your email...">
A bot will search for any fields and try to input valid inputs to be successfully submitted. So a bot will find the now fake hidden field "email" and fill it out, however a regular user should not be able to see that field. Therefore, when the form submits, simply check if the hidden field has any value in it, other than an empty string.
Ensure No Inputs Are Equal
A lot of spam bots just input the same values into every input. While this doesn't seem to be the case with your given example, it is a regular occurrence. They might just input iamafakebot@fakeemail.com for the first name, last name, email, AND password - assuming that this will allow successful submission against the fields it expects.
Therefore, you can compare your submitted values, and if they equal one another, you can not submit your form, and even present a message that would be readable to a user.
Conclusion
This may not solve your problem in totality, as security is a massive topic, with many varying opinions and ever updating conditions - however, these will at the very least add some additional security to your application.
Hopefully, one of these is applicable in your scenario, and you start to see fewer bots in your system.
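As an added example (not code from the question or the answer above), here is how the four checks from the answer could sit together in one server-side validator for an Express signup route. It assumes the answer's field naming ("eee" carries the real email, hidden "email" is the honeypot) plus a hypothetical hidden field "formLoadedAt" holding the epoch milliseconds at which the form was rendered, and hypothetical route/redirect paths.

```javascript
// Added example (not from the question or answer): server-side signup
// validation for an Express app applying the answer's four checks.
// Assumed fields: "eee" = real email, hidden "email" = honeypot (as in the
// answer's snippet); "formLoadedAt" is a hypothetical hidden field holding
// the epoch ms when the form was rendered.
const MIN_FILL_MS = 3000; // the answer's "3 seconds or so"
// Whitelist: letters in any script, apostrophe, hyphen, space; 1-50 chars.
const NAME_RE = /^[\p{L}' -]{1,50}$/u;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateSignup(body, now = Date.now()) {
  const { firstname, lastname, email, eee, password1, password2, formLoadedAt } = body;

  // 1. Honeypot: a human never sees the hidden "email" field, so it must stay empty.
  if (typeof email === 'string' && email !== '') return { ok: false, reason: 'honeypot' };

  // 2. Timer: reject submissions faster than a person could plausibly type.
  const loaded = Number(formLoadedAt);
  if (!Number.isFinite(loaded) || now - loaded < MIN_FILL_MS) return { ok: false, reason: 'too_fast' };

  // 3. Whitelist: accept only values matching an explicit allowed pattern.
  if (typeof firstname !== 'string' || !NAME_RE.test(firstname)) return { ok: false, reason: 'firstname' };
  if (typeof lastname !== 'string' || !NAME_RE.test(lastname)) return { ok: false, reason: 'lastname' };
  if (typeof eee !== 'string' || !EMAIL_RE.test(eee)) return { ok: false, reason: 'email' };
  if (typeof password1 !== 'string' || password1.length < 8) return { ok: false, reason: 'password' };
  if (password1 !== password2) return { ok: false, reason: 'password_mismatch' };

  // 4. No two visible inputs equal: many bots stuff one value into every field.
  const visible = [firstname, lastname, eee, password1];
  if (new Set(visible).size !== visible.length) return { ok: false, reason: 'duplicate_values' };

  return { ok: true, user: { firstname, lastname, email: eee } };
}

// Express middleware (hypothetical paths): run before the real registerUser
// handler so a rejected submission never triggers the verification email.
function signupGuard(req, res, next) {
  const result = validateSignup(req.body);
  if (!result.ok) {
    console.warn('signup rejected:', result.reason, req.ip); // log server-side only
    return res.redirect('/register');
  }
  req.signup = result.user;
  next();
}
```

Note that the whitelist in step 3 would still accept names like the random-looking 'Iluuxpmv' from the question; it is the honeypot, timer and duplicate checks that are meant to catch those submissions, and the rejection reason logged per request shows which one fired.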