SaaS founders: you might wanna block Tor

jitbit · January 6, 2017, 9:23pm

Hi.

We just detected a whole network of spamming/abusing bots who use Tor exit nodes to sign up for fake trial accounts - in Saas apps that have some inbound/outbound email functionality (like webmail services, helpdesk apps, email marketing apps etc.)

I’m talking tens of thousands of fake user accounts and trials.

Anyways… Long story short you might want to block Tor exit nodes from accessing your website or at least your landing pages/signup forms. At best they will ruin your metrics. There’are no paying customers there anyway.

If you’re using a CDN - it probably has a a built-in way to do this. If not - you can quickly detect a tor-node IP by running a special DNS query, just google for examples in php/ruby/whatever.

PS. their intent is still unclear to me, seems like they’re building a massive network of fake email addresses, probably used for fake social profiles used n click-fraud. Just my guess…

rbur0425 · January 6, 2017, 9:36pm

Interesting…I bet they are trying to exploit the PHP mail service that was just found to be exploitable. Make sure your servers are upgraded.

mpalmer · January 8, 2017, 11:03pm

Rather than block Tor, you might want to consider making your service less abuseable. Tor is far from the only way that a miscreant can obfuscate their actual IP address, and it isn’t even the easiest to use – there’s (still!) no shortage of open HTTP proxies, and trivially exploitable routers and IoT devices are out there in droves. If your service is abuseable, it will be abused, even if you block Tor, so you’d do better to fix your app than disadvantage people with a legitimate desire to mask their address in a futile attempt to stop abuse.

jitbit · January 8, 2017, 11:49pm

Yeah, yeah…

Banning TOR is like banning China. Of course, instead of banning China you could come up with some really intelligent intrusion prevention system, also find a smart way to qualify your trial accounts so all the “noise” doesn’t distort your metrics, probably use a neural network to find patterns among legit uses so you can quickly detect non-legit uses of your app…

Or you could just ban China.

PS you have a point though

mpalmer · January 9, 2017, 6:15am

That’s actually an excellent comparison: yes, you could block potentially hundreds of millions of potential customers, or you could fix your app to not be trivially abuseable. I encourage all my competitors to block China (and Tor).

rfctr · January 9, 2017, 3:32pm

According to various sources, China is only 6th as the source of web attacks (6%).

First one is US (20%). Let’s ban US.

(Of course, I realize that the attacks are proxied and the source IP hence is not correlating to the real source country of the attack. Even less point in banning China then.)

jitbit · January 9, 2017, 3:54pm

I agree, China was just a (bad) example.

What I meant to say was: In a small company you don’t have time for huge projects that have small impact. In a small company you literally can’t measure a 10% increase.

Instead of hiring 10 developers and 5 sysadmins work for a 2 months to make your app invincible - you can spend your money& resources on… say, doubling your signups or conversion rates - and just ban TOR/China/Morocco/Egypt/[whatever destination you never had your B2B customers coming from] that annoys you

Once I get to the scale of Facebook… (well, ok, not Facebook… lets say… Trello?) then I’ll worry about TOR

rfctr · January 9, 2017, 7:39pm

That is true.

However, as it was mentioned, the “simply ban them” doesn’t actually solve anything, because the problem is not the source of the traffic, but the opportunity to abuse the application in particular way. If that opportunity exists, the abuse traffic will come one way or another.

The “ban them” can only help for a short time, when the attack has already started and you need to buy a time to apply some fix that makes the abuse harder to implement.

But eventually you’ll have to think on how to make it worthless (or at least worth less) for spammers to create an account in your application.

And it doesn’t have to be a large project. Smaller measures may eliminate 99% of abuse. Recently I heard somewhere how a SaaS doesn’t allow to import a list of emails for explicit reason to prevent spamming. Something like this.

Chris · January 11, 2017, 4:50pm

Hmmmm. Not trying to be rude or anything, just want to provide some help here (hopefully i can be successful at this, apologies if I’m not), but…

That is limited thinking.

You’ve already convinced yourself that stopping the abuse on your system takes an insurmountable amount of work + expense ( 10 devs, 5 sysadmins over 2 months ). Sure, sure… it was “just a figure of speech” to convey a point. I get it. But… in the end it’s really not.

This is you setting in stone that there is no other way to stop “the opportunity to abuse the application” as @rfctr put it.

Regardless of what IP ranges you ban, you’ll still have this problem. You really need to “fix your app to not be trivially abuseable” as @mpalmer states.

THAT is the solution to your problem. Take our advise for what it’s worth to you (if anything at all), but at least be open enough to the idea that you have not yet learned what you don’t yet know.

Hope that wasn’t offensive, but instead helpful in some way

jitbit · January 11, 2017, 5:20pm

I agree. And I’m already doing that on the background - limiting the number of users you can add in a trial account, limiting the inbound email rate for trial accounts etc-blah-blah…

But these attacks still ruin my metrics. They distort my conversion rates. They make my AB-tests useless. I need to tell a legitimate user from an abuser at the signup page even before it gets into the app. Otherwise I’m unable to make informed decisions.

This ban is a business decision, not a technical one. Running a business sometimes requires you dump the idealistic shit and make a friggin decision. So I’d rather block TOR/China/Egypt/Morocco/Ukraine/whatever for a month or two and let them abuse my less protected competitors instead and forget about me, then I’ll lift this ban. Probably

And before making that decision I checked the logs and the order history. No one ever buys my software from these locations, and certainly not from TOR. I’m selling b2b enterprise software, where people do the shopping from their corp. networks. Trust me, banning Tor has NO effect on the sales. Zero. Zilch. Nada.)

davedevelopment · January 12, 2017, 1:07pm

Similar boat here, we don’t block outright, but we have background jobs that check each registration and flag those from TOR, known proxies, too many registrations from the same IP in X days etc. At the minute, the flagging restricts access to certain parts of the site but we’re thinking of moving it towards a full shadow ban.

We’ve had very few false positives and it has helped us fight spammers and scammers significantly.

Anderson_Dadario · January 12, 2017, 1:11pm

That’s a problem of your SaaS, not of Tor users.
Automated sign ups can happen inside or outside Tor.

Next time put a captcha in the sign up form.

Chris · January 13, 2017, 4:55pm

So we had something similar not too long ago. Came in one morning and had something like 10k form submissions haha

Basically, our bad. We just did a horrible job on that form and left it abusable.

We made a business decision, too. We fixed the form. Took about 45 minutes or so. We used this: https://github.com/markets/invisible_captcha and it’s 100% fixed the problem ever since.

It is based on the honeypot strategy to provide a better user experience. It also provides a time-sensitive form submission.

Background

The strategy is about adding an input field into the form that:

shouldn’t be visible by the real users
should be left empty by the real users
will most be filled by spam bots

rfctr · January 15, 2017, 7:05pm

Some people are just crazy resourceful. I’m jealous.