Stopping bots from abusing webmail

One of the problems of bots is that they sign up for free webmail accounts (like Hotmail, Yahoo or Gmail) and then use them to send out spam.  These services will throttle their outbound mail, that is, cut off the sender if they exceed a certain number of messages per day.  Unfortunately, spammers have discovered that they can create piles of throwaway accounts and send out 50 messages per account before ditching it.  With the volume spread that thinly across accounts, a per-account throttle is of little use.

I remember about a year ago (slightly less) we had a meeting with the folks who run the CAPTCHA on Hotmail.  Indeed, bots are signing up for these accounts.  They don't break the CAPTCHA 100% of the time, but they do it often enough that if you do it over and over again, you've pretty much succeeded in breaking the security.

But here is the thing -- what's odd about these types of bots is how far they can "stretch".  You might be tempted to think that bots are coming in from all over the Internet, signing up for these accounts.  But in fact, that's not quite true.  The majority of the bots exist in a couple of IP ranges.  Knocking out those ranges would knock out most of the automated sign-ups.

The problem, of course, is that of false positives.  If you ban the bad guys, you run the risk of banning the good guys as well.  So how do we stop the bots?  Maybe some secondary form of human verification is required after the initial success of completing the CAPTCHA if your IP is within these narrow ranges.  An example is sending a unique link for every new email address, asking them to click on it to confirm their identity.  The link would time out and would not be forgeable.
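One way to implement the two pieces just described, the check for a "narrow" suspicious IP range and the expiring, unforgeable confirmation link, as an added example that is not code from the original post.  The IP ranges, the 24-hour lifetime, the URL layout and the server secret are constructed placeholders:

```python
import hashlib
import hmac
import ipaddress
import secrets
import time
from typing import Optional
from urllib.parse import quote

# Constructed placeholders for the post's "narrow ranges" where most bot
# sign-ups originate. Real values would come from sign-up logs, not from here.
SUSPICIOUS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]
SERVER_SECRET = secrets.token_bytes(32)  # stays server-side; never sent to the client
LINK_TTL_SECONDS = 24 * 60 * 60          # assumed lifetime before the link times out


def needs_extra_verification(client_ip: str) -> bool:
    """Only sign-ups from the suspicious ranges get the second step."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in SUSPICIOUS_RANGES)


def make_confirmation_token(email: str, now: Optional[int] = None) -> str:
    """Token bound to the address and an expiry. The HMAC covers both fields,
    so neither can be altered or guessed without SERVER_SECRET."""
    issued = int(time.time()) if now is None else now
    expires = issued + LINK_TTL_SECONDS
    tag = hmac.new(SERVER_SECRET, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{tag}"


def confirmation_link(base_url: str, email: str, now: Optional[int] = None) -> str:
    """The unique link mailed to the new account (URL layout is an assumption)."""
    return f"{base_url}?email={quote(email)}&token={make_confirmation_token(email, now)}"


def verify_confirmation_token(email: str, token: str, now: Optional[int] = None) -> bool:
    """True only for an unexpired token whose tag matches this exact address."""
    try:
        expires_str, tag = token.split(".", 1)
        expires = int(expires_str)
    except ValueError:
        return False  # malformed or hand-built token
    current = int(time.time()) if now is None else now
    if current > expires:
        return False  # link timed out
    expected = hmac.new(SERVER_SECRET, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison
```

A service would additionally record each confirmed token so a link can only be used once.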

To be sure, targeted additional enforcement is probably the strategy that ought to be employed.  We may not be able to block all of the bots, but at least we can narrow it down and make it more difficult for them.  Requiring additional proof when the IP is suspicious makes the bots' job that much more difficult.