I think there is a bug in your program. First of all, you need to check where the problem lies.
1. Change the verification code to a more difficult-to-distinguish one with mixed English and numbers. Only send a text message after the graphic verification code is correct and the verification code is detected. Immediately refresh the verification code after entering an error.
2. Check in the background whether the number of interfaces triggered by each IP segment every day is consistent with the limit.
3. Also limit the number of messages sent per mobile phone number per day.
The verification code should be able to prevent a large number of people from losing their money. Could it be that others spend money specifically for image recognition?
Since your company has set a limit on the number of text messages sent from the same IP within a certain period of time, then this has already met the basic limit. Coupled with the verification code, there is basically no problem.
Here is a suggestion: you can try changing the restriction rules so that a maximum of 5 text messages can be sent to the same mobile phone number within half an hour. Of course, this 30-minute, 5-item session is flexible.
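The per-number rule suggested above (at most 5 messages per half hour), combined with the daily per-number and per-IP limits mentioned earlier in the thread, as an added example that is not code from any post. The class name, the in-memory store and both daily cap values are assumptions.

```python
import time
from collections import defaultdict, deque


class SmsSendLimiter:
    """Sliding-window checks to run before an SMS verification code is sent."""

    # (key kind, window in seconds, max sends in that window).
    # Only the 5-per-30-minutes rule comes from the thread; both daily
    # caps are assumed values to be tuned against real traffic.
    RULES = (
        ("phone", 30 * 60, 5),
        ("phone", 24 * 3600, 10),
        ("ip", 24 * 3600, 20),
    )

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the limits can be tested
        self._sent = defaultdict(deque)  # (kind, window, value) -> timestamps

    def allow(self, phone, ip):
        """Return (True, None) and record the send, or (False, reason)."""
        now = self._clock()
        values = {"phone": phone, "ip": ip}
        queues = []
        for kind, window, limit in self.RULES:
            sent = self._sent[(kind, window, values[kind])]
            while sent and sent[0] <= now - window:
                sent.popleft()  # drop sends that have left the window
            if len(sent) >= limit:
                return False, f"{kind} limit: {limit} per {window}s"
            queues.append(sent)
        for sent in queues:  # count the send only if every rule passed
            sent.append(now)
        return True, None


if __name__ == "__main__":
    limiter = SmsSendLimiter()
    for attempt in range(1, 7):
        # Constructed phone number and IP address, for illustration only.
        print(attempt, limiter.allow("13800000000", "203.0.113.7"))
```

The counters live in process memory, so a deployment with several application servers needs a shared store with key expiry for the limits to hold across them.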
This purely numerical verification code is indeed too simple. I have written a crawler in Python before and can recognize this kind of verification code. It is recommended to add English letters.
In addition, think about whether your website has loopholes and whether there is a way to bypass the verification code and directly access the SMS interface.
You can also deny access based on the other party's request header information, for example, when the User-Agent does not come from a browser, but most crawlers can disguise themselves as browsers through this.
In terms of malicious brushing, there are only a few thousand messages, which is not too much. It doesn’t feel like the level of malicious brushing.
But the verification code is really too simple, and it’s all numbers. However, it doesn't make much sense to change to a more complicated verification code. Nowadays, the accuracy of software that recognizes verification codes is very high. Too much complexity will affect the user experience. The scariest thing is that they can choose to manually identify the verification code... Just write a script and create an interface that only displays the verification code and an input box, and then adds some buttons for quick input. All the person has to do is recognize the verification code, and the script does the rest.
Thousands should not be considered a lot.
First of all, how did you know that it was maliciously brushed? Does the website have other vulnerabilities (this is more likely)?
I don’t know what kind of system you have, but here’s what we do:
1: Only when the username and password are entered correctly will the SMS verification code be sent.
2: The same user is limited to a number of times in a day. After exceeding the limit, whether the account will be locked or the SMS verification code will no longer be verified depends on business requirements.
In short, the SMS verification code will not be sent if you can...
Try Alibaba’s JAQ, risk identification, specially designed to block robots
The first priority is to determine the problem. You need to determine whether it is a malicious brush, a program error, or a normal situation. The best way to tell is through logs.
The short message service provider should have a log. If not, you need to write a log yourself. Determine the nature of your problem so that you can find a solution.
If the targets are not repeated and the IP addresses are not repeated, thousands of them cannot be said to be malicious.