Ask HN: How to stop leachers abusing our site

9 points by colin-de-vries ↗ HN
Hello,

I run a service called BlueMailCentral.com. That allows you to send a letter (snail mail) from your PC to any country in the world. As a marketing instrument the first letter is free of charge, no questions asked, no payment needed. The problem I have now is that a group of people are abusing my system to send out the famous Nigerian scam mail. (I can't believe people still fall for that.)

Besides the fact that it is actually costing me money it also damages BlueMail’s reputation because my logo/url is on the back of the envelope containing the scam letter.

My problem is that I want to stop them while maintaining the low threshold for the real customers.

As far as I can tell they handle the registration process manually, that makes solutions like (re)capcha etc useless.

Any ideas/tips/suggestions ?

9 comments

[ 3.4 ms ] story [ 29.1 ms ] thread
Run a spam filter on the incoming messages, if the filter tags them suspicios, require manual review before postage.

Another option would be to check whether the abusers are coming from a specific IP range, and simply deny access to them.

+1 if they are sending regular SPAM that you get on the internet, then regular SPAM filters (like askimet) will be perfect.
If they use a bayesian filter (for example SpamBayes) they can train it to filter exactly the kind of SPAM they are receiving.

And with a little more of work, it should be possible to filter the words differently if they are in the address of the letter, the submitter or in the main text.

(And they should warn the users that if they use the free try, they might read it.)

Interesting idea. What about the expectation of privacy that a submitter might have though? Sort of creeps me out a bit to think that humans might be reading (and judging) my letters.
Someone, somewhere will read it anyway.

With a carefully calibrated spam filter, one could even make it so that no human interaction is needed: when the filter tags the message as spam, it tells that to the user. He can then contact the site administrator if he feels the software is at fault.

Privacy preserved.

Notify the user of a change in privacy policy and offer a link to a page explaining why.
Ideas:

* One idea is to use the classic "Give us your credit card details first" approach. You allow people to create accounts but, once they go to send their first free letter, you explain that "To protect against spam, we require that you confirm your credit card details. Your card will not be charged for this letter."

It isn't optimal if what you want are signups but it would definitely decrease fraud.

* What about using an IP address filter that prevents people using proxies or IPs from certain countries (Nigeria for example) from using the free service?

* What about pretending to send the letters from Nigerian/certain IPs but not actually doing it? This way would allow you to see patterns: which IPs or IP blocks were abusing the service, which search terms you could automate for blocking, etc. Basically you send back a "Your letter has been sent!" response to the user but you don't actually do it.

* What about requiring telephone confirmation of address info?

Those are actually very good ideas. We tried credit card details but we ended up with a nice database of stolen cards. We have regular customers from Nigeria, blocking the Nigerian ISP's will also block our good customers. But the spam filter approach might work. I'll run the data we have trough askimet to see what the hit ratio is.

Thanks a lot for the suggestions. I really appreciate all your input.