Results 1 to 25 of 57


  1. #1
    bimalpoudel (SitePoint Addict)

    Securing forms without CAPTCHA

    I want to keep the forms short, without the CAPTCHA. And, with some tricks, like checking server headers, I was able to control the spammers.

    Nowadays, I find that spammers are researching my sites. Through several attempts, they have now specialized in cracking the systems. For example, the team at 213(.)5(.)71(.)86 is dedicated to cracking my sites. I just don't like to blacklist their IP because, some day, it could be a legitimate user. And it is not possible to add all spammers' IPs to the blacklist.

    I would like to discuss here some advanced ways to protect the pages without CAPTCHA and pick your ideas to come up with a really strong method.

    My latest model was using js/css/php/html for this.

    • pre-populate the "email" element with some dummy email address. Use a different name to collect the real email address.
    • Hide the element with css.
    • Using a javascript to remove it once the page is loaded.
    • Checking back if $_POST['email'] has some contents.
    • Checking Headers back (This was broken)


    I am safe at the moment now.

    If not they can break this automatically through their crawlers, I am sure any of the spammers team will be researching to crack my websites - because they know - if they are successful in doing so, they can send hundreds of emails within my networks, for free.

    I would like to know your ways.
    Thanks.
    Last edited by bimalpoudel; Jul 12, 2010 at 11:42. Reason: info on spammer's crawlers added
    Bimal Poudel @ Sanjaal Framework over Smarty Template Engine
    ASKING INTERESTING QUESTIONS ON SITEPOINT FORUM

    Hire for coding support - PHP/MySQL

  2. #2
    SitePoint Member
    What some sites do is add a simple question. For example, "what number comes after four?" If the user is a human, they will fill out "five".

  3. #3
    AlexDawson
    Exactly what I would recommend, it's basically a Turing test, you ask a question that only a human would be able to answer (rather than providing a math expression like 4+1 or a "what is this text" CAPTCHA which can be recognised). You could have (for example) a picture of an animal (or several on rotation) and ask people to identify the animal (by writing its name in a box), that's what many CAPTCHAs are leaning towards these days.

  4. #4
    bimalpoudel (SitePoint Addict)
    Guys, Thanks for your interesting matters.

    I would just like to avoid any kinds of captcha and security passes - so the page visitor does not fill answers to them. In fact, there will be no challenge question in any way. But yet, I want to secure the form filling process, if possible.

    I am working on this, and need to collect your ideas.

  5. #5
    Mittineague (Programming Team)
    You could test the user's IP against the Spamhaus blacklist.

    No need to maintain a list of your own, and if the IP becomes "good" again it won't stay on the list.

    And you could block all open proxies.

    And you should look into flood control.
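The blacklist lookup suggested in this post, as an added PHP example that is not code from the thread: it reverses the client's IPv4 octets, queries the combined `zen.spamhaus.org` zone, and keeps Spamhaus's `127.255.255.x` error replies from being read as listings. The `$resolver` parameter and the sample replies are assumptions made so the logic runs offline.

```php
<?php
// Added example, not code from the thread. $resolver is a hypothetical
// injection point so the decision logic can be exercised without DNS.

/** DNSBL query name for an IPv4 address: 192.0.2.1 -> 1.2.0.192.<zone> */
function dnsbl_query_name(string $ip, string $zone = 'zen.spamhaus.org'): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null; // IPv6 uses a nibble-reversed form, not handled here
    }
    return implode('.', array_reverse(explode('.', $ip))) . '.' . $zone;
}

/** Returns 'listed', 'not_listed' or 'unknown' for a client address. */
function dnsbl_status(string $ip, ?callable $resolver = null): string
{
    $name = dnsbl_query_name($ip);
    if ($name === null) {
        return 'unknown';
    }
    // gethostbynamel() returns false for NXDOMAIN and for resolver failure
    // alike; both are treated as not listed so a DNS outage fails open.
    $answers = ($resolver ?? 'gethostbynamel')($name);
    if ($answers === false || $answers === []) {
        return 'not_listed';
    }
    foreach ($answers as $a) {
        // 127.255.255.x are Spamhaus error codes (e.g. query refused),
        // not listings; blocking on them would reject every visitor.
        if (strpos($a, '127.255.255.') === 0) {
            return 'unknown';
        }
    }
    return 'listed';
}

// Constructed offline demo: a fake resolver standing in for real DNS.
$fake = function (string $name) {
    $zone = [
        '2.0.0.127.zen.spamhaus.org'   => ['127.0.0.2'],       // DNSBL test entry
        '9.113.0.203.zen.spamhaus.org' => ['127.255.255.254'], // constructed error reply
    ];
    return $zone[$name] ?? false;
};
foreach (['127.0.0.2', '203.0.113.9', '198.51.100.7'] as $ip) {
    echo $ip, ' => ', dnsbl_status($ip, $fake), PHP_EOL;
}
```

Calling `dnsbl_status($_SERVER['REMOTE_ADDR'])` without a resolver uses real DNS; behind a reverse proxy the address must come from the proxy's trusted header instead.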

  6. #6
    SitePoint Zealot
    I think the most secure method to not receive spam messages is to use some CAPTCHA characteristic. I think it shouldn't be deformed letters and numbers, this is too old and bothersome. The best way is to have to write a word that is given, but written clearly, or something like this. What day comes after Sunday, which is the first month of the year, what number comes after 5...

  7. #7
    Mittineague (Programming Team)
    I was thinking another thing you could do - if your site isn't "global" and if you dare to implement it - is to only have the form available within a limited time frame, e.g. Monday through Friday, 10 AM through 3 PM.

    Kind of like "brick and mortar" reception desk hours. Find out when your legitimate users are most likely to use the form vs. when the SPAM bots are most likely to hit.

  8. #8
    bimalpoudel (SitePoint Addict)
    @Mittineague
    I can check that with Apache's log - and open the form for a particular time frame. Limited but good idea.

    @Alexa12345
    I want to assume everything the user inputs is legal. This means the user has only one chance to fill up the form. So, if the form data is correct, and only the captcha is incorrect, it is not good to ask for the captcha again.

    If I receive more attacks, I must activate captcha again.

  9. #9
    Stomme poes (om nom nom nom)
    What some sites do is add a simple question. For example, "what number comes after four?", if the user is a human, they will fill out "five"
    Spammers who are so interested in a site that they research it will simply move over to a cheap mechanical Turk or the pr0n version (thus getting real humans to answer the questions for the spambots).

  10. #10
    Stormrider (SitePoint Wizard)
    I don't think there is any 'silver bullet' solution to this... I think any solution that is secure enough is going to have to involve interaction from the user somehow.

  11. #11
    wwb_99 (SitePoint Author)
    I'd ask why can unauthenticated users send emails within your networks in the hundreds to begin with?

  12. #12
    Shaun(OfTheDead) (Keep Moving Forward)
    There was an excellent Sitepoint article about this sometime ago;
    Beyond CAPTCHA: No Bots Allowed!

    I'm surprised no-one brought it up already. Some nice ideas in there to secure your form without inconveniencing your viewers, or giving them another step.

    I've used some of these ideas on my newer sites and no problems so far.

    Trying to fill the unforgiving minute
    with sixty seconds' worth of distance run.


  13. #13
    SitePoint Member
    Quote Originally Posted by Shaun(OfTheDead) View Post
    There was an excellent Sitepoint article about this sometime ago;
    Beyond CAPTCHA: No Bots Allowed!

    Yep, I also remember this article. It came in pretty handy when I was building my first site. Very accessible for both beginners and non-specialists.

  14. #14
    Michael Morris (I solve practical problems.)
    Spam solutions I've deployed in the past have been of the variety Spam Karma employs - timing how fast the form was filled out (you did the vBulletin user registration in .2 seconds -- yeah, right), Bayesian filtering (viagra, v1agra, v!agra). I've backed off of blacklisting since spammers sometimes don't use a domain name for more than a few days so it's ultimately pointless.
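A server-side check combining the decoy "email" field from post #1 with the fill-time test from this post, as an added PHP example that is not code from the thread. The render time travels in a hidden field signed with an HMAC so the client cannot backdate it; the field names `contact_addr` and `form_token`, the time limits and `FORM_SECRET` are assumptions.

```php
<?php
// Added example, not code from the thread. Field names, the 3 s / 1 h limits
// and FORM_SECRET are assumptions chosen for illustration.
const FORM_SECRET = 'placeholder-long-random-server-side-secret';
const MIN_FILL_SECONDS = 3;   // faster than this is treated as automated
const MAX_FORM_AGE = 3600;    // stale tokens are refused

/** Hidden-field token issued when the form is rendered: "<ts>.<hmac>". */
function issue_form_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

/** Returns null to accept, or the reason the submission is rejected. */
function check_submission(array $post, int $now): ?string
{
    // Decoy "email" field: a browser removed it or left it empty, so any
    // content means a script filled it. The real address uses another name.
    if (isset($post['email']) && $post['email'] !== '') {
        return 'honeypot filled';
    }
    $parts = explode('.', (string) ($post['form_token'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'token missing or malformed';
    }
    [$ts, $mac] = $parts;
    // Constant-time compare; the client cannot pick its own render time.
    if (!hash_equals(hash_hmac('sha256', $ts, FORM_SECRET), $mac)) {
        return 'token forged';
    }
    $age = $now - (int) $ts;
    if ($age < MIN_FILL_SECONDS) {
        return 'filled too fast';
    }
    return $age > MAX_FORM_AGE ? 'token expired' : null;
}

// Constructed submissions, checked against a fixed clock.
$t0 = 1278934920;
$tok = issue_form_token($t0);
$cases = [
    'human after 20 s' => [['contact_addr' => 'a@example.org', 'form_token' => $tok], $t0 + 20],
    'decoy filled'     => [['email' => 'x@example.org', 'form_token' => $tok], $t0 + 20],
    'instant post'     => [['form_token' => $tok], $t0],
    'forged timestamp' => [['form_token' => ($t0 - 60) . '.deadbeef'], $t0],
];
foreach ($cases as $label => [$post, $now]) {
    echo $label, ': ', check_submission($post, $now) ?? 'accept', PHP_EOL;
}
```

A token stays valid until it expires, so one fetched form can back many posts; storing used tokens or binding the token to a session closes that gap.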

  15. #15
    SitePoint Member
    Quote Originally Posted by Shaun(OfTheDead) View Post
    There was an excellent Sitepoint article about this sometime ago;
    Beyond CAPTCHA: No Bots Allowed!

    I'm surprised no-one brought it up already. Some nice ideas in there to secure your form without inconveniencing your viewers, or giving them another step.

    I've used some of these ideas on my newer sites and no problems so far.

    I also remember this article.

  16. #16
    SitePoint Member
    http://nedbatchelder.com/text/stopbots.html good blog post and comments on how to stop spam without captchas.

  17. #17
    Raffles (I meant that to happen)
    If it's using something like a comment form, I find Akismet works extremely well. Combined with a dummy "email" field (hidden with CSS, but not removed with JS), it catches 99.9% of the spam, with no false positives, in over 10,000 items.

  18. #18
    SitePoint Enthusiast
    I've had luck with simply asking an easy question that can be checked. Just ask users "What color is the sky?" and you could make a side note that the field is just to help prevent spam.
    ---
    Paul S. Smith
    technetic | design & code

  19. #19
    SitePoint Member
    I created a game and I had problems with people using auto clickers. I personally hate CAPTCHA so I created a stress level for the players: simply, if they click too much, the stress level will make them pass out in the game, not being able to play for hours.

    This won't be annoying for normal players, but auto clickers will pass out.

    What you could use is maybe giving your users the ability to mail 1 time a day, for new users. Once they have been on your site for some time this limit could increase.

  20. #20
    SitePoint Member
    I used phpBB software to create a forum (the forum was with captcha).
    The (._x_.) spamming bot team still hacked it. Good luck.

  21. #21
    FaridHadi (SitePoint Zealot)
    Interesting topic. I hate filling out captchas and would hate to force my visitors to do so. It would be great if there was a way to protect forms without forcing our users to suffer.

    Akismet works great for comments in WP.

  22. #22
    AlexDawson
    Quote Originally Posted by FaridHadi View Post
    It would be great if there was a way to protect forms without forcing our users to suffer.
    In a world where computers have become as able to understand content as humans (in the sense of reading it), it's impossible to be able to simply ask someone to identify what is provided on the screen. Unfortunately the only logical step is to ask something that requires genuine human intelligence (as machines cannot yet understand context) and hope that the end-user will also be able to make such a distinction and pass the test (though with increased difficulty comes more failure). What is unfortunate is that to get around this most spammers pay real people to fill in CAPTCHA challenges which eliminates the barrier to a large extent. As such I always recommend people never touch CAPTCHA as the only person it hurts is the legitimate user, the bad people always find a way around it - and do so because they have millions of dollars at their disposal from all the scams, illegal activities and paid-for spamming they are paid to undertake.

    CAPTCHA = Ineffective and bad accessibility, it's not worth the hassle.

  23. #23
    Atle Iversen (SitePoint Enthusiast)
    +1 to the "empty field" tip with explanation which works great (but not perfect).

    I also got a tip that you could check the comment itself for URLs (http, www) and stop it if it contains any URLs (unless you NEED a URL in your form).

    This should stop both machine and human spammers as much of the point of the spam is gone if they can't post a URL?

  24. #24
    Stomme poes (om nom nom nom)
    Sure but for example our forms do need urls.

  25. #25
    VicToMeyeZr (SitePoint Enthusiast)
    Quote Originally Posted by FaridHadi View Post
    Interesting topic. I hate filling out captchas and would hate to force my visitors to do so. It would be great if there was a way to protect forms without forcing our users to suffer.

    Akismet works great for comments in WP.

    I agree. I have left many sites, and never been back, because their "captcha" was so distorted, I couldn't even read it. Not to mention, some color blind people will never figure some of them out, so you end up alienating users.
    DarkForge Hosting - Honest Hosting
    Web Design - Web Design/Development
    My Blog - All things me

