Securing forms without CAPTCHA

[bimalpoudel]

I want to keep the forms short, without the CAPTCHA. And, with some tricks, like checking server headers, I was able to control the spammers.

Now a days, I find that spammers are researching my sites. Through several attempts, they have now specialized in cracking the systems. For example, the team at 213(.)5(.)71(.)86 is dedicated to crack my sites. I just don't like to black list their IP because, some day, it could be a legitimate user. And it is not possible to add all spammers IPs in the blacklist.

I would like to discuss here some advanced ways to protect the pages without CAPTCHA and pick your ideas to come up with a really strong method.

My latest model was using js/css/php/html for this.

• pre-populate the "email" element with some dummy email address. Use a different name to collect the real email address.
• Hide the element with css.
• Using a javascript to remove it once the page is loaded.
• Checking back if $_POST['email'] has some contents.
• Checking Headers back (This was broken)

I am safe at the moment now.

If not they can break this automatically through their crawlers, I am sure any of the spammers team will be researching to crack my websites - because they know - if they are successful in doing so, they can send hundreds of emails within my networks, for free.

I would like to know your ways.
Thanks.

[samb0057]

What some sites do is add a simple question. For example, "what number comes after four?", if the user is a human, they will fill out "five"

[AlexDawson]

Exactly what I would recommend, it's basically a turning test, you ask a question that only a human would be able to answer (rather than providing a math expression like 4+1 or a "what is this text" CAPTCHA which can be recognised). You could have (for example) a picture of an animal (or several on rotation) and ask people to identify the animal (by writing it's name in a box), that's what many CAPTCHA's are leaning towards these days.

[bimalpoudel]

Guys, Thanks for your interesting matters.

I would just like to avoid any kinds of captcha and security passes - so the page visitor does not fill answers to them. In fact, there will be no challenge question in any way. But yet, I want to secure the form filling process, if possible.

I am working on this, and need to collect your ideas.

[Mittineague]

You could test the users IP against the spamhaus black list.

No need to maintain a list of your own, and if the IP becomes "good" again it won't stay on the list.

And you could block all open proxies.

And you should look into flood control.

[Alexa12345]

I think the most secure method to not receive spam messages is to use some CAPTCHA characteristic. I think it shouldn't be deformed letters and numbers, this is two old and bothersome. The best way is to have to write a word that is given, but written clearly, or something like this. What day comes after Sunday, which is the first month of the year, what number comes after 5...

[Mittineague]

I was thinking another thing you could do - if your site isn't "global" and if you dare to implement it - is to only have the form available within a limited time frame. eg. Monday through Friday, 10AM through 3 PM

Kind of like "brick and mortar" reception desk hours. Find out when your legitimate users are most likely to use the form vs. when the SPAM bots are most likely to hit.

[bimalpoudel]

@Mittineague
I can check that with Apache's log - and open the form for a particular time frame, Limited but good idea.

@Alexa12345
I want to assume, everything the user inputs is legal. Thia means he user has only one chance to fill up the form. So, if the form data is correct, and only captcha is incorrect, it is not good to ask for the captcha again.

If I receive more attacks, I must activate captcha again.

[Stormrider]

I don't think there is any 'silver bullet' solution to this... I think any solution that is secure enough is going to have to involve interaction from the user somehow.

[Stomme poes]

What some sites do is add a simple question. For example, "what number comes after four?", if the user is a human, they will fill out "five"

Spammers who are so interested in a site that they research it will simply move over to a cheap mechanical Turk or the pr0n version (thus getting real humans to answer the questions for the spambots).

[wwb_99]

I'd ask why can unauthenticated users send emails within your networks in the hundreds to begin with?

[Shaun(OfTheDead)]

There was an excellent Sitepoint article about this sometime ago;
Beyond CAPTCHA: No Bots Allowed!

I'm surprised no-one brought it up already. Some nice ideas in there to secure your form without inconveniencing your viewers, or giving them another step.

I've used some of these ideas on my newer sites and no problems so far.

[joey88]

There was an excellent Sitepoint article about this sometime ago;
Beyond CAPTCHA: No Bots Allowed!

Yep, I also remember this article. It came pretty handy when I was building my first site Very accessible for both beginners and non-specialists.

[Michael Morris]

Spam solutions I've deployed in the past have been of the variety Spam Karma employs - timing how fast the form was filled out (you did the vbulletin user registration in .2 seconds -- yeah, right), bayesian filtering ( viagra, v1agra, v!agra). I've backed off of blacklisting since spammers sometimes don't use a domain name for more than a few days so it's ultimately pointless.

[Raffles]

If it's using something like a comment form, I find Akismet works extremely well. Combined with a dummy "email" field (hidden with CSS, but not removed with JS), it catches 99.9% of the spam, with no false positives, in over 10,000 items.

[androidpedia]

There was an excellent Sitepoint article about this sometime ago;
Beyond CAPTCHA: No Bots Allowed!

I'm surprised no-one brought it up already. Some nice ideas in there to secure your form without inconveniencing your viewers, or giving them another step.

I've used some of these ideas on my newer sites and no problems so far.

I also remember this article.

[technetic]

I've had luck with simply asking an easy question that can be checked. Just ask users "What color is the sky?" and you could make a side note that the field is just to help prevent spam.

[woodydrn]

I created a game and I had problems with people using auto clickers, I personally hate CAPTCHA so I created a stress level for the players, simply if they click too much, the stress level will make them pass out in the game, no being able to play for hours.

This wont be annoying for normal players, but auto clickers will pass out

What you could use, is maybe giving your users ability to mail 1 time a day, for new users. Once they been on your site for some time this limit could increase.

[john43]

I used phpBB software to create a forum (the forum was with captcha).
The (._x_.) spamming bot team still hacked it. Good luck.

[pgrous]

http://nedbatchelder.com/text/stopbots.html good blog post and comments on how to stop spam without captchas.

[oikram]

Not sure if someone as already mention it but,
Could, some sort of "Honeypot" be a solution for you?


Regards,
Márcio


update: I see that others have offered this solution, but not used this buzz word, so I keep it.

[charleyhope]

A good trick I found is to code in a simple question/answer Turing test using PHP.

For a science fiction site I help run, the questions for the forums were things like, what was the name of C3PO's droid friend (R2D2).

Any real fan will know this. Many spammers - even the human ones - won't!

Charles

[FaridHadi]

Interesting topic. I hate filling out captcha's would hate to force my visitors to do so. It would be great if there was a way to protect forms without forcing our users to suffer.

Askimet works great for comments in WP.

[Busch]

If you have a hard time coming up with the questions to ask, try http://textcaptcha.com/ .

[Stomme poes]

Busch, thanks for that link!

I would have trouble with this one:

What is ninety thousand nine hundred and fourteen as a number?

I have to slowly say it out loud, because when I read, letters have colours that help me know what the word means... and numbers are completely different. I can solve it though, just not as quickly as the other ones.

Mike Cherim has been using "is fire hot or cold" for years now on his blog... but he also uses Askimet (which occasionally eats valid comments).