Like what? When I last tried to DIY it, weeks of work resulted in maybe a 20% decrease in spam traffic. Then we tried Cloudflare and overnight it pretty much went to zero.
That was like ten years ago though. What are some good alternatives?
You should design your site to be resilient to spam traffic, not try to filter until it's gone. By filtering, you've become unreachable by much of the world, spammers or not.
Well, that sounds easier said than done. Do you have any advice or tutorials on how to do that effectively?
We did try, casually at first over the years, then intensely as a focused effort over several weeks, to little effect. We tried blocklists, fail2ban, firewall rules, heuristics, CDNs, other non-Cloudflare services, etc. It cost us dozens of hours of labor and thousands of dollars of other service provider fees, but the spam didn't abate much. It was causing excessive server load, many credit card authorization attempts (they didn't go through, thankfully), sometimes fake PO orders, screwing up our analytics, etc.
Then out of desperation, we found Cloudflare. It took maybe half an hour to set up, cost $20/mo at the time, and overnight all our spam problems stopped. For a small business, it was a godsend, freeing up our devs to work on actual features instead of fighting bots all the time, and saving us thousands of dollars in hosting fees.
> By filtering, you've become unreachable by much of the world, spammers or not.
But... that's the whole point! We weren't some huge enterprise SaaS trying to advertise to the whole world, just a small US-only business. We had no business in China, Russia, India, etc., where most of the spam was from. We tried in vain to block that traffic on purpose, but couldn't easily do it until Cloudflare.
Then Cloudflare let us flip a toggle... and it all magically worked. Our staff was much happier, our actual customers never noticed (they were all US/Canada based, or rarely Europe), nobody ever complained, and we saved thousands of dollars a year.
It's not just about DDoS (which we did get on occasion, and our host did help us with) but the consistent drive-by bot scraping, pen testing, port scanning, etc.
Cloudflare sometimes gets a lot of hate here, but for small website operators, they are a HUGE lifesaver. I've never actually heard a complaint from a real customer about this, but even if we hypothetically lost a handful, the time and money saved not dealing with spammers is worth it to many businesses.
The internet has long since stopped being the open wonderland where everyone is nice and contributes positively. The overwhelming majority of it is worthless bot traffic, and you could make an entire career out of trying to prevent it... or just give Cloudflare a few dollars and a few minutes. Sorry, I don't see them as evil, just... practical? Useful?