How would you tackle bot nets?

Huge networks of fake accounts used for nefarious reasons!

The following article inspired this thread:

3 Likes

For twitter, I would just charge $100 for verified accounts and give end users the tools to filter our non-verified users. That would just destroy the reach of this botnet, no?

3 Likes

Just by reading “How would you tackle bot nets?” I thought about how I’d implement one in Elixir and not about countering one; I had to read the first answer a few times to finally “switch”. There is definitely something wrong with that thinking :wink:

2 Likes

The only possible way to diminish this problem, as far as I know, is to make accounts valuable. This cost can be added by doing something like what @nerdyworm suggests: having ‘verified’/‘premium’ accounts that cost money and therefore are not lucrative to bot builders.
An alternative way is to introduce CAPTCHAs: These (if made correctly) are impossible to solve by a computer. And thus the only way to solve them is to hire a human being to solve them for the computer.
However, CAPTCHAs are also very annoying for non-computers to have to do regularly.
Another way to do this that many large companies including Twitter do nowadays, is to link an account to a unique phone number, with the reasoning that acquiring a phone number costs money. However, it seems that there are ways to (temporarily?) create large batches of phone numbers, as these large groups of bot accounts still exist.

In cases where someone is not looking to create as many accounts as possible, but to create a single account with a certain property, it makes sense to make it computationally hard to create new identities (i.e. to find out the properties of potential new identities). This is the only way to mitigate a Sybil attack (I’ve written about this in more detail in my work-in-progress paper about the Distributed Hash Tree).

2 Likes
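Added example (not code from this thread or from anyone's project): a proof-of-work gate on identity creation in the spirit of the Sybil point above. The identity's property that an attacker might want to pick (here an assumed stand-in: a position in a hash ring) is derived from the same hash the work is done over, so picking a property means repeating the work; the difficulty, key format and function names are assumptions.

```python
import hashlib

DIFFICULTY_BITS = 16  # assumed: leading zero bits required for a valid identity


def identity_digest(pubkey: bytes, nonce: int) -> bytes:
    """Hash that binds the public key to a chosen nonce."""
    return hashlib.sha256(pubkey + nonce.to_bytes(8, "big")).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the proof-of-work measure)."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def mint_identity(pubkey: bytes, difficulty: int = DIFFICULTY_BITS):
    """Search nonces until the digest meets the difficulty.

    Expected cost is about 2**difficulty hash evaluations per identity,
    which is what makes mass creation of identities expensive.
    """
    nonce = 0
    while True:
        digest = identity_digest(pubkey, nonce)
        if leading_zero_bits(digest) >= difficulty:
            return nonce, digest
        nonce += 1


def verify_identity(pubkey: bytes, nonce: int,
                    difficulty: int = DIFFICULTY_BITS) -> bool:
    """Cheap server-side check: one hash, no search."""
    return leading_zero_bits(identity_digest(pubkey, nonce)) >= difficulty


def node_position(digest: bytes, ring_bits: int = 32) -> int:
    """The identity's property (assumed: its slot in a 2**ring_bits ring).

    It is taken from the proof-of-work digest, so an attacker cannot choose
    it independently of the work already spent.
    """
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - ring_bits)


def expected_hashes_for_target(difficulty: int, target_prefix_bits: int) -> int:
    """Expected work to obtain an identity whose position matches a
    chosen prefix of target_prefix_bits: the two costs multiply."""
    return 2 ** (difficulty + target_prefix_bits)
```

Raising `DIFFICULTY_BITS` scales the per-identity cost exponentially while `verify_identity` stays a single hash.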

Linking to the phone number has nothing to do with verification or something, it is just another channel to retrieve the “I lost my password and want to reset it” link. Linking the phone to twitter or vice versa is purely optional and no one can see if I have “verified” my phone or not.

2 Likes

Some great ideas guys!

I’m surprised nobody has mentioned things like checking user-agent or IP addresses. IPs in particular are a great indicator of suspicious activity, particularly when combined with location and whois information. I would definitely think about looking at such data and creating lists based on those.

1 Like

Phone numbers are actually a good way to weigh up the legitimacy of a member - they are too expensive for everyday spammers and also help against multiple personalities. Also great for two factor auth :slight_smile:

1 Like

You (all) are totally right about the value. But the fact that I have or have not linked my account to a phone number is only known to me and twitter. So this phone number thing is not used to recognise spammers.

If I were twitter, I’d probably add some badge for verified and up to date phone numbers in the profile (perhaps re-verify every 3 months?).

2 Likes

Instrument any input methods at the javascript client level and look for the timing differences/errors between humans and bots.

It will only work for a while, but it’s a constant arms race.

2 Likes

Robot beats “I am not a Robot” Captcha

2 Likes

VoIP numbers can be had very cheap. Set up a SIP account and create 10k extensions.

2 Likes

Generally you’d use a mobile phone number for verification (as opposed to a landline one). I’ve never used a VoIP but I guess you get a normal landline number? Can VoIPs accept text messages as well?

1 Like

Depending on where you are in the world, there may be no way of telling whether a number is mobile or landline.

Not all of them but in general: yes.

1 Like