Spambots can easily be stopped with a line or two of javascript in your registration form that counts key presses and sends that count to the server. Spambots don;t press keys, problem solved. The actual key count doesn't matter, just the fact that a key was pressed.

Also, block the ISPs IPs in .htaccess, another simple solution

Thanks. I'm already trapping and blocking them well.

What I'm wondering is how can they be effectively stopped from trying at all, especially from ISPs, as when I do a block, even if temporarily, it can trigger false positives with real human users.

Ideally, I would like for the ISP to quickly see the problem and stop it on their end, so I won't ever have to consider blocking them. What I want is for Comcast especially to wake up and start taking these spambots seriously.

Blocking data centers doesn't block humans unless they're using some proxy hosted there

Blocking and actual ISP serving idential traffic is problematic because you'll always have mized usage and there's no way to presort it, and you'll never find an easy solution for ISPs like Comcast

Here's a thread that might help: [webmasterworld.com...]

On phpBB the first timezone in the drop down list is UTC-12 which conveniently is uninhabitable. The default board timezone is pre-selected for new registrants. Many bots will submit -12, a little bit of modification stops them.

I use layers of tests, you just have to identify what you can do. You might be able to incorporate that into any registration where the first selection in a drop down list no one would pick and pre-select something in the middle of the list.

It's not the stopping them that's the problem. I use various techniques and they work nearly 100% of the time.

I'll try to state the issue again.

On top of stopping them, I block the IP the attack comes from, as many times bots keep trying to break in if you don't block them. From my logs, I know they just keep trying.

However, if a blocked IP belongs to an ISP, I may be blocking a real human user occasionally.

What I'd ideally like to see happen is for ISPs to be more responsive in shutting down such bots in the first place. If ISPs could adopt some kind of SpamCop-like reporting facility that they took seriously, or if they took the reports at StopForumSpam seriously, we wouldn't have to risk having false positives.

I have considered creating a spambot report generator that pulls data from the access log and my tracking table to convince the ISP that my site was attacked from their server, but I wonder also if they would take these seriously. Most of them currently don't seem to take my manually created reports seriously, especially Comcast.

Overall, this isn't really a huge dilemma, but I would like to see some kind of solution at some point.

What I'd ideally like to see happen is for ISPs to be more responsive in shutting down such bots in the first place.

The trouble there is they would have to actively monitor and act on what their clients are doing. Privacy issues creep in as well as false positives where an ISP could potentially fault their customer for something they have not done. I'm sure things have changed considerably and you may see action today but I remember reading an article years ago from Gibson Research about a DOS attack someone launched on their site. They sent the IP addresses of some of the offending machines to the ISP's and they were reluctant to do anything about it.

The place for ISPs to stop spam or spambots is the origin... and that's not going to happen unless really CREEPY invasions of data stream is undertaken. And if any ISP does that, they lose SAFE HARBOR protections, which doubly guarantees they won't do a thing.

On our end (receiving) there will be either a nuke it all, a nuke all but, a nuke only by UA/IP, or no nuke at all.

Most will have to make that decision based on their incoming as to how they respond. In my little world I don't worry about the 8-10% that slip through (too much) because the other 88-90% are not.

The actual key count doesn't matter, just the fact that a key was pressed.

Do mouse-clicks count? For example, I use software to keep track of my passwords, and will generally just copy a particular password from the software and paste it into the login form without pressing a single key (unless I use Ctrl+V, but I don't always do that).