  1. #26
    SitePoint Evangelist elgumbo's Avatar
    Join Date
    Nov 2002
    Location
    North West, UK
    Posts
    545
    I add an extra field to the form called "surname" and hide it using css.

    I find that a bot will complete all the fields (including the hidden one). If my form processing script detects the surname field has been completed then the email is redirected to my spam mailbox which I only check a couple of times a month.

    In the 6 months I've been using this method I haven't had any false positives so I'm actually thinking of just deleting the message rather than spamming it.

  2. #27
    om nom nom nom Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,269
    "In the 6 months I've been using this method I haven't had any false positives so I'm actually thinking of just deleting the message rather than spamming it."
    The blind using a screen reader and those using text browsers will likely fill in your bogus question. You've just been lucky so far.

    Instead, make it obvious that it's a spam question, and tell blind users not to fill it in.

    <label for="noanswer"> Do not fill this in: </label><input type="text" id="noanswer" name="skip">

    Then hide it.

    While display:none is known to hide text from screen readers, in forms it's a different set of rules. The Big Two readers for Windows will read out display: none labels.

  3. #28
    SitePoint Wizard
    Join Date
    Apr 2007
    Posts
    1,397
    From your logic, there's an easy way to spam. I would use the Selenium tool (http://seleniumhq.org/), make a script to create fake accounts, etc. This tool is meant to be used as an automated testing tool for the browser. It will actually use a real browser like Firefox and not simply scrape or crawl HTML. Because of these tools, you really have to put "inconvenient" human questions there. Possibly, another solution is to detect "spam" using various logics, then ban the IP!

  4. #29
    SitePoint Member
    Join Date
    Jun 2007
    Posts
    16
    I'm one of those who use the hidden textbox method
    I place a label or a value to ensure those whose CSS is disabled or using screen readers know to leave it
    I've used this method since the concept first started floating around, many many many many years ago and not had one bot bypass it

    Of course, my sites are quite obscure, and I do keep up to date with talks about other methods
    But every method I've seen could easily be bypassed in a defeated, and quite frankly, I'm surprised they aren't already

    IMO, the ask a question method would probably be the most time consuming one since the different numbers of questions can run into the millions

  5. #30
    <?php while(!sleep()){code();} G.Schuster's Avatar
    Join Date
    Mar 2007
    Location
    Germany
    Posts
    428
    I had once developed a "click captcha", an image submit button with e.g. a filled circle or a rectangle that the user had to click.
    As most (all?) modern browsers send X and Y coordinates when an image button is clicked I was able to check if the clicked point was inside the given form.
    Worked well, only problem was you could try and send fake values for X/Y and have a good chance to have the right ones.

  6. #31
    Follow: @AlexDawsonUK AlexDawson's Avatar
    Join Date
    Feb 2009
    Location
    England, UK
    Posts
    8,111
    Quote Originally Posted by FaridHadi View Post
    It would be great if there was a way to protect forms without forcing our users to suffer.
    In a world where computers have become as able to understand content as humans (in the sense of reading it), it's impossible to be able to simply ask someone to identify what is provided on the screen. Unfortunately the only logical step is to ask something that requires genuine human intelligence (as machines cannot yet understand context) and hope that the end-user will also be able to make such a distinction and pass the test (though with increased difficulty comes more failure). What is unfortunate is that to get around this most spammers pay real people to fill in CAPTCHA challenges which eliminates the barrier to a large extent. As such I always recommend people never touch CAPTCHA as the only person it hurts is the legitimate user, the bad people always find a way around it - and do so because they have millions of dollars at their disposal from all the scams, illegal activities and paid-for spamming they are paid to undertake.

    CAPTCHA = Ineffective and bad accessibility, it's not worth the hassle.

  7. #32
    SitePoint Enthusiast Atle Iversen's Avatar
    Join Date
    Jul 2010
    Posts
    43
    +1 to the "empty field" tip with explanation which works great (but not perfect).

    I also got a tip that you could check the comment itself for urls (http, www) and stop it if it contains any urls (unless you NEED a url in your form).

    This should stop both machine and human spammers, as much of the point of the spam is gone if they can't post a url?

  8. #33
    om nom nom nom Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,269
    Sure but for example our forms do need urls.

  9. #34
    SitePoint Enthusiast VicToMeyeZr's Avatar
    Join Date
    Apr 2010
    Posts
    36
    Quote Originally Posted by FaridHadi View Post
    Interesting topic. I hate filling out captcha's would hate to force my visitors to do so. It would be great if there was a way to protect forms without forcing our users to suffer.

    Akismet works great for comments in WP.

    I agree. I have left many sites, and never been back, because their "captcha" was so distorted, I couldn't even read it. Not to mention, some color blind people will never figure some of them out, so you end up alienating users.
    DarkForge Hosting - Honest Hosting
    Web Design - Web Design/Development
    My Blog - All things me

  10. #35
    SitePoint Member
    Join Date
    Jul 2010
    Posts
    1
    Hi, use this link regarding secure without captcha:
    http://garyhepting.com/2010/01/secur...thout-captcha/
    Last edited by DaveMaxwell; Jul 28, 2010 at 05:55. Reason: removed extraneous link

  11. #36
    SitePoint Zealot lutrov's Avatar
    Join Date
    Mar 2001
    Location
    Melbourne, Australia
    Posts
    159
    The problem with captchas, as I'm sure most of us are aware, is that most "legitimate" people find them annoying. They tend to work for automated crapbots but here's some strong evidence which shows why they're becoming increasingly futile:

    http://www.nytimes.com/2010/04/26/te...tcha.html?_r=1

    As you can see, there's no shortage of people willing to work for $5/week to fill in contact forms all day long.

    I use a combination of a form "token", and a projecthoneypot.org blacklist to prevent automated "post" requests. Of course, this can't protect against the cheap slave labour approach mentioned above, but at least "legitimate" people don't have to put up with captchas.

    I'm not sure what you mean by "they can send hundreds of emails within my networks". Are you talking about using your online contact form to send messages to third parties? If so, that can easily be fixed with some server-side checking.
    Last edited by Mittineague; Jul 29, 2010 at 18:06. Reason: Please do not use "bit.ly" URLs.

  12. #37
    om nom nom nom Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,269
    "As you can see, there's no shortage of people willing to work for $5/week to fill in contact forms all day long."
    As mentioned earlier, they'll do it for free if they're looking for pr0n. Mechanical Turks... humans doing whatever work machines can't.

    What is your form "token"? I'm not sure what that is.

  13. #38
    SitePoint Zealot lutrov's Avatar
    Join Date
    Mar 2001
    Location
    Melbourne, Australia
    Posts
    159
    Quote Originally Posted by Stomme poes View Post
    What is your form "token"? I'm not sure what that is.
    An automatically generated randomised string which is included when the form is first requested, and then compared to the saved copy in the server session. When a crapbot attempts to post data directly to the form, it will fail because the token will be missing.

  14. #39
    om nom nom nom Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,269
    Likely my lack of knowledge of servers, sessions and cookies... but is the client storing this token? Does the client need client-side scripting?

    I mean, a bot's a user agent like a browser is. Why wouldn't the bot also have a session and a generated token?

  15. #40
    SitePoint Zealot lutrov's Avatar
    Join Date
    Mar 2001
    Location
    Melbourne, Australia
    Posts
    159
    Quote Originally Posted by Stomme poes View Post
    Why wouldn't the bot also have a session and a generated token?
    It could, if it had a "GET" request, followed by a "POST" request, like a normal "human" browser would. But some bots only do a "POST", and that's where the token protects the site.

  16. #41
    SitePoint Addict
    Join Date
    Apr 2001
    Location
    Devon, UK
    Posts
    333
    This might provide a few ideas:
    http://www.sitepoint.com/blogs/2009/...-alternatives/

    I've successfully used timers, i.e. I ensure the form is submitted back to the server after a reasonable period. Automated systems tend to submit far faster than a human could type.
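
The form token, the submission timer and the hidden "do not fill this in" field described in the posts above, combined into one server-side check. This is an added example, not code from any poster in this thread. The session is assumed to be a plain dict, and the `token` field name and both time thresholds are assumptions; `skip` is the hidden field's name from post #27.

```python
import hmac
import secrets
import time

MIN_FILL_SECONDS = 5      # assumed threshold: faster than a human could type
MAX_AGE_SECONDS = 3600    # assumed lifetime of an issued form
HONEYPOT_FIELD = "skip"   # the "Do not fill this in" input from post #27


def issue_form(session, now=None):
    """Called on GET: store a fresh random token and the issue time in the session."""
    session["form_token"] = secrets.token_urlsafe(32)
    session["form_issued"] = time.time() if now is None else now
    return session["form_token"]  # rendered as a hidden input in the form


def check_submission(session, form, now=None):
    """Called on POST: return "ok" or the reason the submission is rejected."""
    now = time.time() if now is None else now
    # pop() makes the token single-use, so a captured POST cannot be replayed.
    expected = session.pop("form_token", None)
    issued = session.pop("form_issued", None)
    supplied = form.get("token", "")
    if expected is None or not supplied:
        return "missing-token"        # e.g. a POST with no preceding GET
    # Constant-time comparison of the saved copy against the submitted one.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad-token"
    elapsed = now - issued
    if elapsed < MIN_FILL_SECONDS:
        return "too-fast"
    if elapsed > MAX_AGE_SECONDS:
        return "expired"
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot-filled"
    return "ok"
```

A client that performs the GET, waits, and leaves the hidden field empty still gets "ok", which is the limit post #40 acknowledges; returning a reason lets the caller choose between a spam mailbox and outright deletion.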

  17. #42
    SitePoint Member
    Join Date
    Jul 2010
    Posts
    10
    Quote Originally Posted by charleyhope View Post
    A good trick I found is to code in a simple question/answer Turing test using PHP.

    For a science fiction site I help run, the questions for the forums were things like, what was the name of C3PO's droid friend (R2D2).

    Any real fan will know this. Many spammers - even the human ones - won't!

    Charles

    Nice, but I don't see that going far, you will be deterring many legitimate users. The whole Turing thing is okay but not necessarily "Who is the grandfather of Hitler's cousin"

  18. #43
    SitePoint Member georgeshoemoney's Avatar
    Join Date
    Jul 2010
    Posts
    3
    Some CAPTCHAs are not that secure; many spambots can get into the site with moderators merely not noticing it. They should enhance it.


    <snip />
    Last edited by SpacePhoenix; Aug 5, 2010 at 23:33. Reason: removed fake signature, please be patient, you need to wait 90 days to use a signature

  19. #44
    SitePoint Member
    Join Date
    Jul 2010
    Posts
    1
    I've backed off of blacklisting since spammers sometimes don't use a domain name for more than a few days so it's ultimately pointless.
    <snip/>
    Last edited by Mittineague; Aug 8, 2010 at 23:27. Reason: Please wait until you get your signature for your links.

  20. #45
    SitePoint Wizard
    Join Date
    May 2002
    Posts
    1,370
    As of yet, nobody's replied to my current post. Guess I can see why now.

    What is ninety thousand nine hundred and fourteen as a number?
    What I plan on doing is coming up with variables inserted into a challenge question to make them fairly unique based on day (monday thru sunday) and month check (jan thru december). While this may seem common, by taking each of these through their own calculations for different days, months, monthdays and even yeardays -- these combined to form a single statement may be unique enough when each variable is independently calculated before combining.

    ex: -if today is Mon and it is an even monthday number and the current day falls between 12 and 13, and the yearday number is between 0 and 30, figure the day today falls on 1670 days ago (this by its own calculation), if the current day is between 13 and 14, and falls between 31 and 60 yeardays, figure 3267 days ahead, and so on (assessed). Then further arrive at the finished sentence by checking against different set(s) of variables for days of week ($aMon, $bMon, $cMon, etc), and monthdays (same concept), which are equivalent to their own written numbers:

    This should take care of a change on a daily basis.

    "What is ($day + $monthday) as a number?"

    To make 5 min updates to sentence:
    Could you not, then add the current timestamp digits alone taken to the minute (adding 5 minutes for completion time, base the number on this maximum, and then check <= to it) to make the total written sentence unique to within 5 minutes? (of course take the timestamp total through ranging variables depending on its total, to help conceal).

    What is ($day + $monthday + $timestampresult) as a number?

    By combining all three, I'm thinking, it makes it less likely to disassemble.

    A bit rough, but possibly close enough.
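
A generator and checker for the written-number question quoted in the post above, as an added example that is not the poster's code. It covers only the base question, not the day, month or timestamp variations, and the session dict, the function names and the number range are assumptions.

```python
import secrets

ONES = ("zero one two three four five six seven eight nine ten eleven twelve "
        "thirteen fourteen fifteen sixteen seventeen eighteen nineteen").split()
TENS = "_ _ twenty thirty forty fifty sixty seventy eighty ninety".split()


def below_thousand(n):
    """Spell 1..999, e.g. 914 -> "nine hundred and fourteen"."""
    parts = []
    if n >= 100:
        parts.append(ONES[n // 100] + " hundred")
        n %= 100
    if n >= 20:
        parts.append(TENS[n // 10] + ("-" + ONES[n % 10] if n % 10 else ""))
    elif n:
        parts.append(ONES[n])
    return " and ".join(parts)


def spell(n):
    """Spell 0..999999 in the style of the thread's sample question."""
    thousands, rest = divmod(n, 1000)
    parts = [below_thousand(thousands) + " thousand"] if thousands else []
    if rest:
        parts.append(("and " if thousands and rest < 100 else "") + below_thousand(rest))
    return " ".join(parts) or "zero"


def make_challenge(session, number=None):
    """Pick a number, keep the answer server-side, return the question text."""
    if number is None:
        number = 1000 + secrets.randbelow(99000)   # assumed range: 1000..99999
    session["challenge_answer"] = number
    return "What is %s as a number?" % spell(number)


def check_answer(session, reply):
    """Accept "90914", "90,914" or "90 914"; each challenge is single-use."""
    expected = session.pop("challenge_answer", None)
    digits = reply.replace(",", "").replace(" ", "").strip()
    return expected is not None and digits.isdecimal() and int(digits) == expected
```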

  21. #46
    SitePoint Zealot lutrov's Avatar
    Join Date
    Mar 2001
    Location
    Melbourne, Australia
    Posts
    159
    Quote Originally Posted by datadriven View Post
    As of yet, nobody's replied to my current post. Guess I can see why now.
    I don't see any other post from you on this topic. Has it been deleted?

    I agree with what's already been said, namely that you will find there are lots of other people who will have trouble understanding this question:

    "What is ninety thousand nine hundred and fourteen as a number?"

    Even when I read that aloud now, it sounds confusing. Of course, I know what you mean, but I reckon there'll be plenty of people who'll go "huh?"

  22. #47
    SitePoint Wizard
    Join Date
    May 2002
    Posts
    1,370
    Relying on validations alone is the other post.

    And now I'm back to debating whether to randomly select whole preset questions OR assemble such a number as "nine thousand..." with numeric equivalents to check against.

    I realize my last post was unnecessarily winded.

  23. #48
    om nom nom nom Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,269
    Your problem is that you assume robots are stupid (which they are) and that people aren't (which isn't true). A CAPTCHA isn't supposed to separate the stupid from the less-stupid, but to separate humans from robots.

    So long as there are robots smarter than us dumb people, you lose.

    I note the CAPTCHA-tan image has the captcha text "herp derp" in her book. Yup, how I feel with every captcha.

  24. #49
    Follow: @AlexDawsonUK AlexDawson's Avatar
    Join Date
    Feb 2009
    Location
    England, UK
    Posts
    8,111
    Quote Originally Posted by Stomme poes View Post
    So long as there are robots smarter than us dumb people, you lose.
    I know you didn't mean it like this, but I think it's worth saying that the people who most get affected (the disabled) are not stupid. The problem isn't just that robots are smarter than dumb people, it's that the robots are becoming increasingly more "aware" (in terms of recognition) than what a less abled person is capable.

  25. #50
    om nom nom nom Stomme poes's Avatar
    Join Date
    Aug 2007
    Location
    Netherlands
    Posts
    10,269
    Quote Originally Posted by me
    So long as there are robots smarter than us dumb people, you lose.
    Even without disabilities, I get hammered by many captchas. I just ain't smart enuff.

