zlacker

33 comments
1. tlampo+(OP)[view] [source] 2018-09-24 19:04:41
Just FYI, I'm one of the maintainers of a mid-size forum regarding open-source virtualization/containers and thus spam is a daily occurrence.

While the fight against it is rather dire and no end will ever be in sight, I'll nonetheless never stop (tool assisted) fighting.

Anyway, @zoho.com addresses used by spammers started to pop up circa a month ago and increased rapidly in occurrence. As we use stopforumspam to report and track spammer info (and surely are not the single forum seeing those @zoho.com domains) you may have got a few flags raised somewhere.

Not sure what caused this sudden (from our POV) attraction of spammers using zoho, you may want to look into some defense against this. While a full solution may not be achievable it's often enough to be faster than other providers, aka the tiger defense ;-)

replies(4): >>krn+og >>rajase+bm >>EB66+Gx >>slv77+3L
2. krn+og[view] [source] 2018-09-24 21:01:40
>>tlampo+(OP)
It sounds like the spammers found a way to automatically create new @zoho.com email accounts, and the single way to stop them might be using a CAPTCHA service from the direct competitor, Google. At least that was the unfortunate case for the privacy focused German email provider Mailbox.org[1]:

> We recently detected activities on our servers where bot nets were used to create hundreds of thousands of e-mail accounts for the sending of spam e-mail. Although we take this as a compliment – somebody out there must be convinced our infrastructure is up for the job – we needed to find a solution to stop this abuse of our service, of course. We subsequently deployed a number of different CAPTCHA systems to help our servers identify bots during registration. However, spammers were able to circumvent all these solutions shortly after they were put in place. [...] We therefore decided to use Google’s CAPTCHA for the time being, because out of the set of solutions we tried thus far, this one seems to work best.

[1] https://userforum-en.mailbox.org/knowledge-base/article/goog...

replies(3): >>lwansb+7l >>glenng+wq >>ajcajc+dW
◧◩
3. lwansb+7l[view] [source] [discussion] 2018-09-24 21:44:03
>>krn+og
I suppose due to the increasing risk of being broken by competing neural networks, recaptcha appears to be moving towards a model based on usage heuristics in v3. This is something that is more easily achievable by a small startup, so I hope to see competition for this type of solution if there isn't some already.
replies(2): >>krn+ym >>amirhi+tq
4. rajase+bm[view] [source] 2018-09-24 21:53:48
>>tlampo+(OP)
Hi, sorry for the issue caused to you. Can you provide a few email addresses to abuse at zoho.com, so we would take appropriate action after investigations? Regards, Rajasekar, Zoho Abuse Monitoring Desk.
◧◩◪
5. krn+ym[view] [source] [discussion] 2018-09-24 21:56:52
>>lwansb+7l
> recaptcha appears to be moving towards a model based on usage heuristics in v3

I always thought that Google has a huge competitive advantage here, because most people browse the web being logged into their Gmail accounts, and, therefore, as with Google Analytics and Google Adsense, Google knows that it's you who is viewing that page. It can then present extremely time-consuming CAPTCHAs to anonymous visitors, most of whom are likely to be bots or the spammers themselves.

replies(1): >>cm2187+Nr
◧◩◪
6. amirhi+tq[view] [source] [discussion] 2018-09-24 22:33:15
>>lwansb+7l
I am working on exactly this at hcaptcha.com
replies(2): >>spking+Ir >>neotek+K61
◧◩
7. glenng+wq[view] [source] [discussion] 2018-09-24 22:33:39
>>krn+og
If you’d like to use a strong captcha approach without using a competitor you might want to check out http://funcaptcha.com (I have no affiliation, have heard good things and been presented it on a couple of sites)
replies(2): >>johndo+NV >>huhten+J11
◧◩◪◨
8. spking+Ir[view] [source] [discussion] 2018-09-24 22:46:19
>>amirhi+tq
This is really neat!
◧◩◪◨
9. cm2187+Nr[view] [source] [discussion] 2018-09-24 22:46:51
>>krn+ym
...or running a logged off browser with cookies restricted to the browser session. I spend my time solving captchas which I am getting sick of. My immediate reaction now when presented a captcha is to browse away.
replies(5): >>ldarby+Kt >>briand+Ex >>Obsole+RF >>dylan6+yG >>mindsl+FV
◧◩◪◨⬒
10. ldarby+Kt[view] [source] [discussion] 2018-09-24 23:07:30
>>cm2187+Nr
That is pretty terrible if the web is being split into "google knows who you are and approves of you visiting this website" vs not being tracked by google and being treated as a second class user.
replies(4): >>rjzzle+fx >>partis+Bz >>joesb+y91 >>stephe+5e1
◧◩◪◨⬒⬓
11. rjzzle+fx[view] [source] [discussion] 2018-09-24 23:50:36
>>ldarby+Kt
I can relate to what the previous poster said. The worst thing is that this happens even for services I pay for. Some of them even do that for logging in.
◧◩◪◨⬒
12. briand+Ex[view] [source] [discussion] 2018-09-24 23:56:40
>>cm2187+Nr
Thank you Cloudflare for contributing to that nonsense.
13. EB66+Gx[view] [source] 2018-09-24 23:57:01
>>tlampo+(OP)
As a network engineer for an ISP, I can tell you that StopForumSpam reports generally don't make it on our radar. Cisco Talos IP reputation, SpamHaus, SpamCop and various other DNSBLs do make it on our radar and are proactively monitored by most responsible ISPs.

That being said, the proper way to report abuse to an ISP is to email the official point of contact for abuse associated with their IP netblock. In the case of Zoho, that contact info can be found here: https://bgp.he.net/AS2639#_whois

ARIN rules require that all IP netblock owners provide a valid point of contact for abuse issues. ARIN validates the points of contact annually. I believe that RIPE, APNIC and LACNIC have similar rules.

If an ISP doesn't act on the abuse after it has been reported to their abuse point of contact, then you have a legitimate complaint against them.

◧◩◪◨⬒⬓
14. partis+Bz[view] [source] [discussion] 2018-09-25 00:24:00
>>ldarby+Kt
Using google with a vpn (PIA) was a non-starter. I usually had to solve 3 or 4 puzzles before I could get to results. Privacy is important to me and it is just as important for them to deny me it.
replies(2): >>gesman+VM >>ac4tw+hQ2
◧◩◪◨⬒
15. Obsole+RF[view] [source] [discussion] 2018-09-25 02:03:54
>>cm2187+Nr
Yeah I'm with you. I like to browse with everything logged out, and I clear all content on browser close.

I'm so bloody sick of helping Google train their self driving cars. I swear I'm going to have PTSD about stop signs and store fronts for the rest of my life.

replies(1): >>stordo+NN
◧◩◪◨⬒
16. dylan6+yG[view] [source] [discussion] 2018-09-25 02:14:01
>>cm2187+Nr
While I too leave sites that are too annoying to use, as a dev, what are other less annoying ways to slow down bots on one's site?
17. slv77+3L[view] [source] 2018-09-25 03:23:03
>>tlampo+(OP)
Second that as we’ve started to see fraud related registration activity from zoho.com around the end of August.
replies(1): >>Rajase+801
◧◩◪◨⬒⬓⬔
18. gesman+VM[view] [source] [discussion] 2018-09-25 03:53:14
>>partis+Bz
Well said
◧◩◪◨⬒⬓
19. stordo+NN[view] [source] [discussion] 2018-09-25 04:06:58
>>Obsole+RF
I've started deliberately getting them wrong - probably won't make a difference, but makes me feel a little better about it (I drew the line when I started getting CAPTCHAs on services I have paid for).
replies(1): >>ardy42+aR
◧◩◪◨⬒⬓⬔
20. ardy42+aR[view] [source] [discussion] 2018-09-25 04:58:05
>>stordo+NN
>> I'm so bloody sick of helping Google train their self driving cars. I swear I'm going to have PTSD about stop signs and store fronts for the rest of my life.

> I've started deliberately getting them wrong - probably won't make a difference, but makes me feel a little better about it

I don't even have to try anymore to get them wrong on a regular basis. Now, I think it's now more like training Google users to make the same recognition errors as its self-driving cars than training the cars to do a better job.

◧◩◪◨⬒
21. mindsl+FV[view] [source] [discussion] 2018-09-25 06:10:51
>>cm2187+Nr
Ditto here. And some of the worst offenders are retailers! You're trying to get someone to spend real money, and you think it's a good idea to make them screw around with 20 picture puzzles in a row before they're able to do that?!

I can only fathom these shops, both management and the webdevs, have no idea how unprofessional their site looks to anyone that isn't using a vanilla ISP connection. And my experience is coming from using a single longstanding VPS address, not even a shared VPN.

A sensible scheme would allow a certain rate of login attempts per any IP before hassling a user, but Google is obviously more interested in getting their training data than making sure you don't lose customers!
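
Added example (not written by any commenter in this thread): the scheme suggested above, where each client address gets a budget of login attempts before it is shown a CAPTCHA, written as a sliding-window counter. The class name, the thresholds and the grouping of IPv6 addresses by /64 are assumptions chosen for illustration.

```python
import ipaddress
import time
from collections import defaultdict, deque


def client_key(ip):
    """Rate-limit key: the IPv4 address itself, or the enclosing /64 for IPv6.

    Assumption: one IPv6 subscriber usually controls a whole /64, so counting
    per address would let a single client rotate through 2**64 sources.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


class ChallengeGate:
    """Allow a budget of attempts per client before asking for a CAPTCHA."""

    def __init__(self, free_attempts=5, window_s=300.0, block_after=50):
        self.free_attempts = free_attempts  # attempts served without a challenge
        self.window_s = window_s            # sliding window length in seconds
        self.block_after = block_after      # above this count, refuse outright
        # maxlen bounds the memory used per client, even under a flood
        self._hits = defaultdict(lambda: deque(maxlen=block_after + 1))

    def decide(self, ip, now=None):
        """Record one attempt and return 'allow', 'challenge' or 'block'."""
        now = time.monotonic() if now is None else now
        hits = self._hits[client_key(ip)]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()                  # drop attempts outside the window
        hits.append(now)
        if len(hits) > self.block_after:
            return "block"
        if len(hits) > self.free_attempts:
            return "challenge"
        return "allow"

    def sweep(self, now=None):
        """Forget clients with no attempt inside the window; return how many."""
        now = time.monotonic() if now is None else now
        stale = [k for k, h in self._hits.items()
                 if not h or now - h[-1] >= self.window_s]
        for k in stale:
            del self._hits[k]
        return len(stale)
```

Behind a reverse proxy, the address passed to `decide` has to be the client address reported by the trusted proxy, not the socket peer, or every visitor shares one budget.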

◧◩◪
22. johndo+NV[view] [source] [discussion] 2018-09-25 06:12:47
>>glenng+wq
The "Book Demo" button and "read white paper" button seem to be broken, which does not inspire much confidence. The first button just takes me to the bottom of the page while the second button does nothing.

Not sure if this is the same, but I once came across a website with a captcha where you had to rotate a dog so it stood upright, but it was lagging so bad that it would skip several frames, making it impossible to time the angle correctly. After several minutes of trying I gave up and went to a different website with an inferior service, but which did not waste my time.

replies(3): >>austin+d11 >>Semaph+v51 >>masoni+C51
◧◩
23. ajcajc+dW[view] [source] [discussion] 2018-09-25 06:19:00
>>krn+og
hCaptcha is definitely a way to go - strong product, not working with competition, etc.
◧◩
24. Rajase+801[view] [source] [discussion] 2018-09-25 07:26:56
>>slv77+3L
Dear Siv,

Thank you for your notification; we will check on this and block those who spam using our system. However, please put up an email to abuse at zoho.com so it would help us provide a clue to our investigations. Regards, Rajasekar, Zoho Abuse Monitoring Desk.

replies(1): >>CodeWr+8z1
◧◩◪◨
25. austin+d11[view] [source] [discussion] 2018-09-25 07:44:43
>>johndo+NV
Both buttons work for me on mobile. Can't be sure, but that page looks like a JavaScript heavy "single page app" type situation, so if your JS is turned off that might explain things.

Incidentally, both links just pop up a sign-up form.

◧◩◪
26. huhten+J11[view] [source] [discussion] 2018-09-25 07:51:25
>>glenng+wq
The link redirects to some other site now.
◧◩◪◨
27. Semaph+v51[view] [source] [discussion] 2018-09-25 08:54:48
>>johndo+NV
The site requires you to whitelist marketo.com which is blocked on uMatrix as it's a marketing company.
◧◩◪◨
28. masoni+C51[view] [source] [discussion] 2018-09-25 08:56:02
>>johndo+NV

> a captcha where you had to rotate a dog so it stood upright

Ticketmaster uses one like this, with various animals.
◧◩◪◨
29. neotek+K61[view] [source] [discussion] 2018-09-25 09:14:24
>>amirhi+tq
Not sure why, but when I try to load your site in Safari or Chrome on iOS, the page displays for a second and then the tab crashes.
◧◩◪◨⬒⬓
30. joesb+y91[view] [source] [discussion] 2018-09-25 09:52:41
>>ldarby+Kt
They are not treating you as a second-class citizen; they are saying they haven't trusted you to be human yet, which is the whole point of a captcha.

You want Google to not know about you. You want to be a stranger to them. And you are complaining that they don't trust a stranger, which you want to be, as much as someone they know?

replies(1): >>ldarby+jw2
◧◩◪◨⬒⬓
31. stephe+5e1[view] [source] [discussion] 2018-09-25 10:45:22
>>ldarby+Kt
s/Google/China
◧◩◪
32. CodeWr+8z1[view] [source] [discussion] 2018-09-25 14:14:57
>>Rajase+801
Did you see this comment? Just passing it along in case it is helpful.

https://news.ycombinator.com/item?id=18064197

◧◩◪◨⬒⬓⬔
33. ldarby+jw2[view] [source] [discussion] 2018-09-25 20:15:56
>>joesb+y91
If it's about using only Google's services, then yes I agree, but the point is if lots of random sites all decide to use Google for captchas.

This has already happened with Tor and Cloudflare, but at least that changed for the better recently (see https://www.zdnet.com/article/cloudflare-ends-captcha-challe...). In that case it was just one CDN using captchas to discriminate against a group of users, so that one change by the CDN could fix the issue. If too many random sites are independently blocking or slowing down anyone not logged into Google, then that'll turn the web into Google's web.

◧◩◪◨⬒⬓⬔
34. ac4tw+hQ2[view] [source] [discussion] 2018-09-25 23:12:23
>>partis+Bz
Interesting--I'm trying Nord right now and while Google has been fine, Amazon blocks me regardless of what I do and I ended up having to add some static routes for Craigslist.