Some say banning IP addresses is bad. I say it’s not. If the user did indeed do an attack, they most likely will feel guilty and probably won’t attempt to contact you. They’ll most likely try to find other ways of bypassing. If the user hasn’t done anything, they can simply request an IP unban. Otherwise, they could be the attacker. It’s logic common sense. The guilty person won’t contact you because you’ll know who they are, but a regular person who knows nothing that contacts you will most likely not be the attacker. Site admins aren’t as bad as people put them out to be.
EDIT: Also, this lets admins interact with their users, which is probably the best thing you can do on a “service” like the web. No matter what, you still have to interact with people whether you like it or not. The #1 thing every user hates the most is being left in the dark or not being able to talk with the admins. This allows them to talk to you directly and privately. Why choose web programming if you don’t have the urge to talk with your users? If you don’t like talking with people, your best bet is to find a profession that doesn’t deal with people at all. That way you don’t have to deal with people anymore.
spammers can then use that address to spam you very easily as an email address added to the page in any way whatsoever is far less secure from spammers than even a basic contact form. At least with the form they don’t get an email address to use to send spam from anywhere other than the form.
I was referring about the bots. For human spammers, you can make a flood protection via PHP. Let them submit once. On the first submission, set a session using a timestamp. Next, wrap the form and the form submission around an if statement. If the time has passed x amount of minutes or seconds, they can submit again. If not, don’t give them a form to submit with until the time has passed.
Once the bots get an email address they don’t need to visit your site again to use it. Similarly with human spammers. The email address you provide for those where you have blocked the IP address for the form is the weak point in that setup, as it means the spammers don’t need the form.
Don’t ever put an email address in a web page - always use a contact form instead. Use a series of different CAPTCHA techniques with the form so that most real visitors don’t even realise that there is a CAPTCHA there (a minimum time for filling out the form is perhaps a good one to start with, as real people will take at least that long unless they copy/paste). If they fail the first one you give a more obvious CAPTCHA and so on.
The problem with IPv4 is that the same address can be shared between tens of thousands of people. The problem with IPv6 is that one spammer can have tens of thousands of addresses.
I see. As I have said before, Captchas won’t stop bots at all. This actually will give your users the burden. So instead of stopping bots as an admin, you have put a burden on your users trying to stop bots. Most users are sick of Captchas and most big sites like Facebook don’t use Captchas anymore. There are some pages where they use Captchas, but it is rarely seen nowadays. The only websites that still use Captchas are old websites from the 90’s and the main problem, Google. I don’t even think Twitter uses Captchas. Here, I’ll just give you a search on them.
There’s a long, long list of why Captchas won’t simply work. If anything, it would be much easier to just stop a flood for x amount of time. If they keep spamming the form, then it is best to find out the MAC address of the computer that is spamming the form and find a way to force them to stop. That is the only best thing to do because Captchas won’t work and banning IP addresses won’t work.
Well, I guess there can be an exception. I’ve seen this in a few websites, but never really seen them implemented on a lot of websites.
What you could do is use a honeypot first. Once a bot or a user triggers that honeypot, give them a Captcha. For the users who like to spam, my answer still remains. There needs to be some sort of flood protection, because giving a user some sort of form to submit makes no difference than letting them submit the original form.
I mean this can still change in theory. If the spammer is really smart, they would use Firefox’s Inspect Element tool, re-create the form and keep spamming. That’s only if they copy&paste the old form to a notepad or something.
However, you can actually stop this spam using PHP because the form isn’t supposed to be there. So inside the flood protection, you need to make another validation to make sure that the form doesn’t exist.
Yes. The main objective is to bore the person out. Make them think there is no possible way of bypassing the protection. With regular users, they’ll probably get bored after the first attempt. With a determined user, they could try for hours.
Yes that’s another effective CAPTCHA that most legit users will not see.
If you combine a honeypot and a time based CAPTCHA as a first step then you would trap most bots and let most real people through without them even realising that the CAPTCHA was there.
Only those legitimate users or real people spammers who are pasting everything into the form rather than typing it and those bots clever enough to avoid the honeypot would land in the third option requiring an additional CAPTCHA to try to distinguish between real people and bots. The “click on all the road signs/food/whatevers” providing a number of images where some contain the asked for item and some don’t seems to be a popular choice for this on sites I have seen switch from the blurry almost unreadable ones in recent months.
Flood control using a session is probably best for blocking the real people spammers. The most important thing to make this effective is to make sure that there is no way for them to obtain an email address to allow them to bypass the form.
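The pieces discussed across this thread (the session-timestamp flood control, the honeypot field, the minimum-fill-time check that acts as an invisible first CAPTCHA, and the check that the submitted form was actually issued by the site) combined into one PHP handler, as an added example that is not code from any poster; the field names, the 120-second flood window, the 5-second minimum fill time and the verdict strings are assumptions.

```php
<?php
// Added example: layered contact-form protection. Limits and field names are assumed.
session_start();

const FLOOD_WINDOW_SECONDS = 120; // assumed: one accepted submission per session per 2 minutes
const MIN_FILL_SECONDS     = 5;   // assumed: a real person needs at least this long to type

function render_form(): void {
    // Remember when the form was issued and tie it to this session with a random token,
    // so a form re-created in the browser's inspector (or never issued) is rejected later.
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token']     = $token;
    $_SESSION['form_issued_at'] = time();
    echo '<form method="post">';
    echo '<input type="hidden" name="token" value="' . htmlspecialchars($token) . '">';
    // Honeypot: hidden from people by CSS; bots that fill every field will populate it.
    echo '<div style="display:none"><input type="text" name="website" autocomplete="off"></div>';
    echo '<textarea name="message"></textarea><button type="submit">Send</button></form>';
}

// Returns one of: flood, no_form, bot, needs_captcha, accept.
function classify_submission(array $post, array $session, int $now): string {
    // Flood control: refuse anything submitted within the window of the last accepted post.
    if (isset($session['last_submit_at']) && $now - $session['last_submit_at'] < FLOOD_WINDOW_SECONDS) {
        return 'flood';
    }
    // The form must have been issued to this session; otherwise "the form isn't supposed to be there".
    if (!isset($session['form_token'], $session['form_issued_at'])
        || !hash_equals($session['form_token'], (string) ($post['token'] ?? ''))) {
        return 'no_form';
    }
    // Honeypot: any value in the hidden field is a bot signal.
    if (($post['website'] ?? '') !== '') {
        return 'bot';
    }
    // Time-based CAPTCHA: faster than a person could type means escalate to a visible CAPTCHA.
    if ($now - $session['form_issued_at'] < MIN_FILL_SECONDS) {
        return 'needs_captcha';
    }
    return 'accept';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $verdict = classify_submission($_POST, $_SESSION, time());
    if ($verdict === 'accept') {
        $_SESSION['last_submit_at'] = time();
        unset($_SESSION['form_token'], $_SESSION['form_issued_at']); // one submission per issued form
        // Deliver $_POST['message'] here (mail(), a queue, etc.); the address never reaches the page.
    }
    echo htmlspecialchars($verdict);
} else {
    render_form();
}
```

Only the `accept` path records a submission time, so a visitor who trips the honeypot or the minimum-fill check can still be shown the visible CAPTCHA step rather than being locked out.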