Where Should I Send Spammers After They Fail The Captcha?

         

limoshawn

12:06 pm on May 22, 2008 (gmt 0)

10+ Year Member



Form spam has gotten so bad on some of my sites that I have set up a simple captcha on my site's forms. If the poster fails the simple captcha (2 + 3 = ?) the site logs their ip for blocking and then sends them off the site.

Any suggestions on where to send them after they fail? I was thinking about sending them to Matt Cutts' blog (sorry Matt) or maybe the spam page in Google's help center.

piatkow

12:56 pm on May 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So a visitor forgets that NumLock is off, presses 5 and gets blown out of your site?

maximillianos

2:27 pm on May 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I like to forward them to "spam.com". It has this great visual audio bit of a guy offering some spam to the viewer...

Seems to drive the point home to the spammer that they are not welcome... Most never come back after that... ;-)

dreamcatcher

3:00 pm on May 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If it's a bot, it's pointless doing anything over the top. Why bother anyway?

dc

LifeinAsia

3:45 pm on May 22, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I redirect to their own IP address.

limoshawn

4:44 pm on May 22, 2008 (gmt 0)

10+ Year Member



Very nice LifeinAsia, I would have never thought of that!

DC- it is pointless except that it makes me feel better without expending too much energy.

piatkow- I don't see that as an issue for the average user, they should see that the number they entered did not show up before submitting. I will watch for it though.

bouncybunny

4:50 pm on May 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Isn't the problem with redirecting to 'their own' IP address that it is more than likely not their IP address, but rather some zombie PC, or at the very least simply a dynamic address used by their ISP?

LifeinAsia

4:57 pm on May 22, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



True, but while the process sits until it gets a timeout, it won't continue on to the next site it's trying to SPAM. So I'm hoping that I'm creating some sort of speed bump for the pests. In the grand scheme of things, it probably has little effect.

I've also thought of the possibility of passing back a 404 error, but I doubt that many (if any) bots are advanced enough to remove the page from its list of pages to SPAM.

bouncybunny

5:00 pm on May 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



A 404 error page with some rudimentary contact details might be useful for false positives though.

jdMorgan

5:37 pm on May 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The proper response [w3.org] for a situation where you deny access is --not surprisingly-- a 403-Forbidden/Access Denied response. This should only be done after multiple consecutive captcha failures (my personal error rate is about 33% on these things, because they are usually too distorted for me to read with old eyes).

In most cases, malicious robots will not follow a redirect, so trying to redirect them is just a waste of your time and internet bandwidth. Just return a 403 response and be done with it.

I'd recommend a custom 403 error page, somewhat apologetic in tone, but factual, explaining that access has been denied, and telling a presumably-innocent reader what he/she can do about it. However, it is not good to provide any information that might actually help a malicious visitor, so do not gloat about how/why access was denied, or the technical basis for denial. Keep in mind that knowledge is power...

Ask them to note the time and their IP address (provide this info on the custom 403 page), and tell them what to do to get access (phone you, e-mail you at a 'special' super-filtered and often-changed e-mail address, send a postcard, etc. with the above information), and thank them for their cooperation and interest. Remember that you *will* catch a few people who just can't read or type.

Of course, the above assumes that your site is fairly unique, and that people are at least somewhat likely to go through the bother of contacting you to get access restored.

Jim
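
The approach described in the post above (403 only after several consecutive captcha failures, with a factual page giving the time and the visitor's IP), as an added example that is not code from the thread. The threshold of 3, the `CaptchaGate` name and the contact address are assumptions for illustration.

```python
import html
from datetime import datetime, timezone

MAX_CONSECUTIVE_FAILURES = 3             # assumed; the post only says "multiple"
CONTACT = "access-help@example.invalid"  # placeholder contact address

FORBIDDEN_PAGE = """<!doctype html>
<title>403 Forbidden</title>
<h1>Access denied</h1>
<p>We're sorry, but access to this form has been denied.</p>
<p>If you believe this is a mistake, please send the details below to {contact}.</p>
<p>Time: {when}<br>Your IP address: {ip}</p>
<p>Thank you for your cooperation and interest.</p>
"""


class CaptchaGate:
    """Counts consecutive captcha failures per client (keyed by IP here)."""

    def __init__(self, limit=MAX_CONSECUTIVE_FAILURES):
        self.limit = limit
        self.failures = {}  # client IP -> consecutive failure count

    def check(self, client_ip, submitted, expected, now=None):
        """Return (status_code, body) for one form submission."""
        now = now or datetime.now(timezone.utc)
        if submitted.strip() == expected:
            # A correct answer clears the streak; no persistent IP block is kept.
            self.failures.pop(client_ip, None)
            return 200, "accepted"
        count = self.failures.get(client_ip, 0) + 1
        self.failures[client_ip] = count
        if count < self.limit:
            # A human who mistyped gets another try: no redirect, no denial yet.
            return 200, "retry"
        # Deny with 403 and a factual page: time and IP only, nothing about
        # which check failed or how the denial was decided.
        body = FORBIDDEN_PAGE.format(
            contact=html.escape(CONTACT),
            when=now.strftime("%Y-%m-%d %H:%M:%S UTC"),
            ip=html.escape(client_ip),
        )
        return 403, body
```
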

bwnbwn

7:28 pm on May 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> the site logs their ip for blocking and then

I used to block IPs but quit that, as one day after blocking some fraud order IPs I got a call to place an order, hit send payment, and got the error: IP has been blocked from purchasing from this domain.

I learned a valuable lesson: most spammers are using a proxy IP address, and blocking them is not affecting them at all and most likely costing you some good customers.

I am with jdMorgan: just send them to a custom 404 page and be done with it without blocking the IP address, as it is possible to block out your traffic to the point it causes you serious problems.

jdMorgan

9:25 pm on May 22, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> I am with jdMorgan just send them to a custom 404 page...

Again, that's a 403 page, not a 404. :)

Jim