« on: February 11, 2016, 10:01:52 AM »
I think I've seen maybe one bot sign up (had a name like vuittonhandbags or something, I can't remember), but I'm pretty sure we just left it because it never posted anything. So far, I have yet to see a spam review. I believe they may be able to find the registration page if they're lucky, but since the website is completely built from scratch, there's no "how to hawk your wares on delfruit" tutorial available for bot writers. So, the bots don't know how to work the site, they fail and they give up.
Bots work by crawling the web, attacking any IP they can get a response from. As soon as they figure out there's a server there, they start checking to see if there's a phpBB or SMF forum installed, or a WordPress blog, or any of the other common web applications you can put on a server. They also scan for pages that look like registration pages, maybe like "/register.php". The goal for the bot owners isn't to break into every site out there, but rather to find as many vulnerable sites as possible - it's a bit like throwing spaghetti at the wall, and waiting to see if any sticks.
This isn't unique to webpages either - on the new server I'm moving delfruit to, I see tens of malicious login attempts over SSH (the server admin interface) on the server every hour. Bots, just scanning the internet for any server that will answer them, and then spamming common passwords hoping one of the thousands of servers they're scanning will open up for them. However, I stopped using passwords and switched to a cryptographic key, and auto-ban any machine that tries to log in to the default admin account instantly, or that fails 3 times to log into a standard admin account. It's a bit like watching moths fly into a bug zapper - pretty amusing!
Anyway, I got sidetracked on a rant, but the point of my post is that delfruit is pretty safe against bots simply because it doesn't fit the website pattern the bots expect. But that doesn't mean it's safe forever - it's only safe because the bot writers don't consider it a high enough profile target to write a custom bot for!
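The SSH ban policy described in the post above, sketched as an added example that is not part of the original post or the site's own tooling: it reads sshd log lines and decides which source addresses to ban. It assumes the "default admin account" is `root` and that the log uses the usual OpenSSH "Failed password/publickey for ..." wording; the function name and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the post's "default admin account" is taken to be root.
INSTANT_BAN_USERS = {"root"}
MAX_FAILURES = 3  # "fails 3 times" in the post

# Matches OpenSSH failure lines such as
#   Failed password for root from 203.0.113.5 port 40112 ssh2
#   Failed publickey for invalid user oracle from 198.51.100.9 port 51234 ssh2
FAILED = re.compile(
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def decide_bans(lines):
    """Return {ip: reason} for every source address the policy would ban."""
    failures = Counter()
    bans = {}
    for line in lines:
        m = FAILED.search(line)
        if not m or m["ip"] in bans:
            continue  # not a failed login, or the address is already banned
        user, ip = m["user"], m["ip"]
        if user in INSTANT_BAN_USERS:
            bans[ip] = f"attempt on {user}"  # one try is enough
            continue
        failures[ip] += 1
        if failures[ip] >= MAX_FAILURES:
            bans[ip] = f"{MAX_FAILURES} failed logins"
    return bans

# Constructed sample log lines using documentation address ranges.
SAMPLE_LOG = """\
Feb 11 09:58:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40112 ssh2
Feb 11 09:58:07 host sshd[1002]: Failed password for invalid user oracle from 198.51.100.9 port 51234 ssh2
Feb 11 09:58:09 host sshd[1003]: Failed password for invalid user test from 198.51.100.9 port 51240 ssh2
Feb 11 09:58:12 host sshd[1004]: Failed publickey for alice from 192.0.2.44 port 60001 ssh2
Feb 11 09:58:15 host sshd[1005]: Accepted publickey for alice from 192.0.2.44 port 60002 ssh2
Feb 11 09:58:20 host sshd[1006]: Failed password for invalid user deploy from 198.51.100.9 port 51251 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, reason in decide_bans(SAMPLE_LOG).items():
        print(f"ban {ip}: {reason}")
```

A legitimate user who mistypes once (192.0.2.44 in the sample) stays under the threshold and is not banned.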