On Tuesday morning, September 1st, 2009, our site went down after being overloaded by spammers who ran multiple automated scripts against it to add thousands of Twitter accounts and hundreds of thousands of spam tweets.
To prevent this from happening again, we implemented reCAPTCHA on the forms that add a new account and add a new scheduled tweet.
That is the only way to effectively block automated scripts from abusing those forms.
We have had requests from users to remove the CAPTCHA from those forms and implement it only on the login form. Unfortunately, that would not help. With a CAPTCHA only on the login form, spammers can still run their scripts: all they have to do is let the script present them with the CAPTCHA at login, and once past it they are off to the races and can let the script run against the other forms as before.
Blocking IP addresses does not work either, because spammers simply hop from one IP address to the next using proxy servers.
We realize this is an inconvenience, but in the end it is just one additional form field to complete, and it adds a few seconds to filling out the form. We trust that folks will understand the necessity.
The benefits are that system performance and uptime are better for everyone, and our service's standing with Twitter is not jeopardized by the gazillions of spam tweets that spammers want to push through our service to Twitter.
Professional users are not presented with the reCAPTCHA challenge on the new tweet form, for two reasons: a) spammers rarely want to reveal their true identities via PayPal payments, and b) professional users have access to the bulk file upload feature, which makes running scripts unnecessary for adding a lot of tweets.
Update – Wednesday, September 2nd, 2009 at 2:30 PM EST: We have listened to you and have modified the CAPTCHA challenge on the new tweet form so that it appears only occasionally. We trust that this strikes a balance between site security and usability.