How to block spammers from using my public email api

Question

I am working on a web application which allows users to share stuff on a web-page by clicking on an 'email to friend' link; similar to what extole is doing here http://www.american-giant.com/mens-heavyweight-full-zip-hooded-sweatshirt-product.html

on this page if you click on the email icon near "REFER & GET $15", you will see a pop-up where you can enter your own email and a friends email and can edit the subject of the email. When you click send the data is sent to the backend as json. They are using a plain simple url to do this i.e. http://refer.american-giant.com/v2/share.

The problem for me is that somehow spammers got hold of my url (can't mention here) and now they are using it to spam others by using some sort of a script. What I did is I placed a check in the backend api to block an ip if more than 5 share requests originate from it, but it seems that the spammers have a lots of ips (more than 30,000 from what I counted in my logs) so they are still able to send lots of email. One possible solution is to use a captcha to thwart the spamming script. But I am curious that how extole is doing it. They aren't using any captchas; and they are famous too, so it is unlikely that spammers don't know about their publicly accessible api. Can any one shed some light on this?

Note: 1. I am using a third party email service to send the emails. 2. Users are not required to sign in as this defeats the purpose of sharing on a simple website 3. Users can edit the subject and body, thus these are sent to the api call and this is what allows the spammers to abuse the api with their own stuff.

Answer 1

This is commonly known as a replay attack, when the attacker repeatedly transmits a legitimate message using a script. In this case, there are minor modifications to the message since the spammers change the email parameters in each message.

What you could do to prevent that is to implement a nonce. A nonce is a random string that is unique for every single request. The nonce should be generated in the back end and stored in a database. The nonce can then be embedded in a hidden field in the form. When the form is submitted, you check the nonce against the database. If it is valid, you process the request and remove the nonce from the database. By doing so, any future request using that some nonce will be invalid and thus you would prevent spammers from repeatedly re-issuing the same request.

However, a more sophisticated bot can bypass this system by reloading the page to obtain a new nonce for every replay.

Another method which is more intrusive is to implement a captcha. It will stop most spammers, but as usual, the most determined ones will theoretically still be able to write a script to bypass that as well.

Answer 2

You should react fast before your sending IP/domain gets blacklisted. Additionally all those mails hurt your brand.

Some first steps:

• Look in your server log for the user agent of the abusive senders. A simple spam bot might always use the same one so you could assign a higher likelihood of being spam to "user" with such agents and limit the number of "shares" they can invoke. If you are lucky their user agent is unique and you can block it.
• You can add a hidden form field which gets a value from your server via a javascript request. You have to check it before sending (has it been used before, has this been generated in the last 5 minutes, ...) and this might block simple bots which do not render your page / execute the script. (However, this blocks only script kids)
• Filter the send messages! Do not allow links to any domain, which is not controlled by you. Filter mails and blacklist the IP if it contains typical spam features (names of pharmaceuticals, gambling, ...)
• Captchas are not that bad anymore or at least Google claims that. Have a look at their redisgned re:captcha system. I have not tested it yet, but if it works it is no nuisance for the user.