
How to Prevent Form Spam Without Captchas

ScuttleMonkey posted more than 7 years ago | from the can't-beat-the-curte-power-of-kittenauth dept.


UnderAttack writes "Spam submitted to web contact forms and forums continues to be a huge problem. The standard way out is the use of captchas. However, captchas can be hard to read even for humans. And if implemented wrong, they will be read by the bots. The SANS Internet Storm Center covers a nice set of alternatives to captchas. For example, the use of style sheets to hide certain form fields from humans, but make them 'attractive' to bots. The idea of these methods is to increase the work a spammer has to do to spam the form without inconveniencing regular users."

272 comments

And how... (4, Interesting)

Creepy Crawler (680178) | more than 7 years ago | (#16770691)

Ok, so captchas and other email obfuscation mechanisms are used a lot. Fine, a web designer can choose to do this.

Now, let's enter US law: the Americans with Disabilities Act. Target [arstechnica.com] is currently being sued for NOT complying with this federal law. I can understand why businesses would be required for this, but where will the net-boundaries stop?

For example, I have a US corp. I hire an offshore datacenter to handle web processing. Does my website have the compulsory ADA laws upon it, or do they not apply due to international boundaries? Yipe.

Re:And how... (-1, Offtopic)

mfh (56) | more than 7 years ago | (#16770775)

Can we not discuss some technology without involving the egocentric laws of the United States -- FOR ONCE?

Re:And how... (0, Flamebait)

Professor_UNIX (867045) | more than 7 years ago | (#16770931)

Can we not discuss some technology without involving the egocentric laws of the United States -- FOR ONCE?
Pardon me, but I think you may be looking for http://it.slashdot.ca./ [it.slashdot.ca] This is the US-based web site of Slashdot.

Re:And how... (0)

Anonymous Coward | more than 7 years ago | (#16771071)

You got me all excited there for a second, but it seems there isn't much content over at slashdot.ca [slashdot.ca] .

Re:And how... (4, Insightful)

tomstdenis (446163) | more than 7 years ago | (#16771147)

I think you'd find Slashdot very much more trivial and redundant if all non-Americans left.

That said, ADA's can go fuck themselves. I can see making exceptions for EMPLOYEES but why would I have to go out of my way to help customers? What if it's simply not cost effective? If it costs millions to placate the handful of noisemakers is it worth the effort?

Being blind really has to suck. And *I DO* wish that companies would help them out. I don't think we should force them though as it can lead to smaller companies who can't afford to deal with it going out of business.

Sure, our websites would then be ADA compliant, but there would only be a handful of mega-corp websites at that point. So you're trading what little free market economy we have left to placate special interest groups.

Frankly, if I were blind I'd make do and where I couldn't I'd rely on friends or family. No shame in asking a family member to order something from a website for you. Granted "disabled" folk want their independence, they also have to be practical about it....

Tom

Re:And how... (5, Funny)

heinousjay (683506) | more than 7 years ago | (#16771271)

I think you'd find Slashdot very much more trivial and redundant if all non-Americans left.

Indeed. I would miss the self-righteous off-the-mark diatribes about how we should run our country. I wouldn't be able to get my daily fill of hubris from people who think they are superior in every way. I don't know what I would do.

Re:And how... (0)

Anonymous Coward | more than 7 years ago | (#16771485)

I am with you brother!

Us Americans would miss the rest of the world acting like that!

(Hi, please remember that there are assholes everywhere, nationality really does not change it that much)

Re:And how... (2, Informative)

Captain Splendid (673276) | more than 7 years ago | (#16771495)

Well, in all fairness, at least we furriners just give you an earful, whereas typical American hubris is usually delivered via shock and awe.

Mods: go nuts! I have karma to burn, bitches.

Re:And how... (1, Insightful)

tomstdenis (446163) | more than 7 years ago | (#16771591)

Funny, you guys don't seem to have problems telling others how they should live...

This isn't an America vs. the world issue. All I was saying is that non-Americans bring a different point of view to the table.

If you can't tolerate another point of view, then you can just go on being a xenophobic, ignorant, sheltered, small minded individual. e.g., the typical american. :-) [kiddin about that last bit].

Tom

Re:And how... (1)

Creepy Crawler (680178) | more than 7 years ago | (#16771141)

Erm, Slashdot started in the US, and is predominately visited by USians. I'm a USian, so it matters to me.

And about the US laws... I'm sure disability-discrimination laws exist in the European Union too. ADA is what law I'm familiar with.

Re:And how... (1)

operagost (62405) | more than 7 years ago | (#16771529)

Please don't continue the "USian" meme. It's confusing the citizens of the United States of Mexico. Thanks!

Re:And how... (1)

Creepy Crawler (680178) | more than 7 years ago | (#16771811)

USian goes with MEian and THEYun.

If I dont get inside, MOMun and POPun will kick my ASSun.

(true, i concede that --un is stupid)

Re:And how... (1)

vertinox (846076) | more than 7 years ago | (#16770883)

Perhaps the vision impaired could get audio captchas?

Click this button, listen to the sound, and then choose the selection what the sound was.

Like birds chirping, babies crying, piano playing and maybe other familiar sound effects that you would choose from a multiple choice list.

Of course if the user is deaf and blind, I'm not sure how they are using a computer to begin with.

Re:And how... (1)

mrchaotica (681592) | more than 7 years ago | (#16771335)

Of course if the user is deaf and blind, I'm not sure how they are using a computer to begin with.

braille display [deafblind.com]

Re:And how... (1)

Firehed (942385) | more than 7 years ago | (#16771761)

How well do they render all of these fancy new Web 2.0 sites? Instinct tells me that the rounded corners and glossy icons might be lost...

Re:And how... (1, Flamebait)

Lord Apathy (584315) | more than 7 years ago | (#16771463)

Perhaps the vision impaired should just learn to live within their disabilities and accept the fact that not everything is going to be available to them. Harsh, yes, but it's life. Making reasonable requests to accommodate them is one thing but making people liable under law for not is something else.

Re:And how... (2)

GigsVT (208848) | more than 7 years ago | (#16771579)

The ADA wasn't passed by disabled people, it was passed by able bodied legislators who, on the left, wanted some bullshit feelgood legislation, and on the right, wanted to play up how supportive they were of disabled veterans.

Most disabled people accept their limitations and aren't imposing about it.

Re:And how... (2, Interesting)

fprintf (82740) | more than 7 years ago | (#16771687)

Just try taking their reserved parking spaces closest to the mall entrance and you will see just how "imposing" disabled people can be about it.

Let them handle the spammers first! (1)

MrBoombasticfantasti (593721) | more than 7 years ago | (#16771107)

So the government will get you when you don't completely comply with a regulation that affects a small group of people, but at the same time doesn't do anything to rid the world of the constant barrage of spam that annoy *everyone*, including the disabled?

Well, that's nice then...

Re:Let them handle the spammers first! (1)

Thansal (999464) | more than 7 years ago | (#16771351)

I just realized how confusing spam must be to someone using a screen reader.

Sally zimbabwe google mark ford fish tot bing gong down
*Insert GIF telling you to BUY BUY BUY xyz corp stock*


Or actually listening to the horribly mangled English that is a 419 email.

Captchas for the blind (0)

Esteanil (710082) | more than 7 years ago | (#16771257)

Well, I for one think that blind people should be allowed to participate on the web, so why not make "captchas" that'll work for the blind?

For instance:
"Please enter the second word of the following sentence to continue: The dog had a long tail".

Re:And how... (1)

johneee (626549) | more than 7 years ago | (#16771769)

While I can't comment on your specific question, I do know that with the (now defunct?) COPPA you would indeed have to comply. In fact, even if you had a non-US company with an offshore datacentre, you would have to comply.

I did some research on COPPA at the time because I worked on a kid's web site, and I called the agency that administrated it. They told me that any time I was collecting information from people within the US, no matter where I, the website, or my company was set up, the law affected me.

What is wrong with Captchas? (4, Insightful)

Thansal (999464) | more than 7 years ago | (#16770695)

Why is it so hard to make a captcha that a bot can't read but a human can?

The slashdot captchas are among the easiest I have ever seen to read, however I still haven't seen any spam on slashdot. Is there something else going on here? It can't be anything like IP banning or flood controls as those don't stop botnets. Is it that spammers just don't target slashdot? or is it that captcha reading bots are not nearly that good at breaking them and we could tone down the level of those horrible twisted-dotted-lined Captchas?

Re:What is wrong with Captchas? (1)

ari_j (90255) | more than 7 years ago | (#16770813)

Try running the Slashdot front page through crm114 sometime and see if it really is better than a human (specifically, better than you) at distinguishing spam from legitimate content. ;)

Luxury gifts for both sexes (5, Funny)

Anonymous Coward | more than 7 years ago | (#16770829)

Men's and Ladies Prestige Watches For all occasions! Perfect Christmas gifts!

These replicas have all the presence and poise of the originals after whome they were designed at a fraction of the cost. The attention to detail is paramount and they are comparable to the originals in every way.

To view our huge inventory visit our website now at:

http://pwned31337.ku/ [pwned31337.ku]

: Replicated to the smallest detail
: 98% A+ Accuracy
: Includes all Proper Markings
: Wide selection and fast worldwide shipping
: Authentic Weight
: True-to-original self winding and quartz mechanisms
: Guaranteed worldwide Christmas delivery

Probably because /. isn't prime real estate (3, Funny)

everphilski (877346) | more than 7 years ago | (#16770851)

Think about it ... the slashdot crowd is technical and informed and "knows better" ... why would someone spambot slashdot? It surely would not be effective...

Re:Probably because /. isn't prime real estate (4, Funny)

geoffspear (692508) | more than 7 years ago | (#16771045)

Think about it ... the slashdot crowd is technical and informed and "knows better"

You must be new here.

Re:Probably because /. isn't prime real estate (1)

everphilski (877346) | more than 7 years ago | (#16771791)

unfortunately I'm not :(

Re:What is wrong with Captchas? (2, Insightful)

Agent00Wang (146185) | more than 7 years ago | (#16770891)

I've always wondered why designers don't use something simpler such as showing a picture of an easily identifiable object and requiring the user to identify it. This would work in 99.9% of cases. Alternatively, for the screen reader crowd, the check could be something like, "What is the fifth word in this sentence?" There's probably some obvious flaw with this technique that I'm not thinking of, or I imagine it would have been done already.

Re:What is wrong with Captchas? (1)

gol (635335) | more than 7 years ago | (#16770973)

somebody is trying it over at the KittenAuth project
http://www.thepcspy.com/kittenauth [thepcspy.com]

Re:What is wrong with Captchas? (2, Funny)

Agent00Wang (146185) | more than 7 years ago | (#16771159)

Awesome, I'm sitting here during my lunch break at work, checking out that page, and what do I see under some of the sample captchas? Goatse, barely distorted.

Re:What is wrong with Captchas? (3, Insightful)

Lanoitarus (732808) | more than 7 years ago | (#16770985)

The obvious flaw is that you need to create each one, and they therefore are inherently more limited in number. Text-based captchas are generated by a computer; pictures of pandas and their associated word would have to be done by hand.

Re:What is wrong with Captchas? (1)

operagost (62405) | more than 7 years ago | (#16771559)

Obviously, that's the flaw with captchas. If it can be generated by a computer, it can be interpreted by a computer.

Re:What is wrong with Captchas? (3, Interesting)

Thansal (999464) | more than 7 years ago | (#16771063)

I actually like the ones like that.

Instead of obfuscated images, just put in plain text questions.
What is 2+2?
What is the 3rd word in this sentence?
What is the name of my blog?

All of these can be answered by someone using a screen reader, and take less time than figuring out a captcha. Sure it does not stop manual spamming, but what does?

Re:What is wrong with Captchas? (2, Informative)

JesseMcDonald (536341) | more than 7 years ago | (#16771649)

instead of obfuscated images, just put in plain text questions.

That's been considered before. The problem with that approach is that, unlike image-based CAPTCHAs, there are a limited number of templates available for natural-language questions. The spammer just has to compile a list of the various patterns of questions and answers, a much easier task than designing an OCR program capable of extracting random, disconnected letters and numbers from a randomly distorted image. The problem is essentially one of hash functions -- plain-text questions can be solved as easily as they can be generated, whereas image-based CAPTCHAs are easy to generate but difficult (for computers) to decipher. Your last example ("What is the name of my blog?") is probably the best, since it's somewhat resistant to ordinary dictionary attacks, but there could be several reasonable answers (depending on the blog) and the correct answer(s) would have to be separately entered into each site. For many sites the answer may also be trivially derived from the title of the page, or some other element no less predictable than the form elements employed to enter the comment.

Re:What is wrong with Captchas? (2, Informative)

nine-times (778537) | more than 7 years ago | (#16771521)

These questions or pictures again need to be either automatically generated or generated by humans. If automatically generated, they would need to follow a pattern, and so the challenge would then be on the spammers to identify the pattern and train their bots to read the pattern and respond appropriately.

If, on the other hand, they're generated by humans, it would be expensive to generate each one, and so they'd be limited in number. Therefore the spammers simply go about collecting each one, identifying them, and they've broken the system.

Either way, it's like an arms race. The people blocking the spammers are just trying to stay one step ahead of the spammers.

Re:What is wrong with Captchas? (2, Informative)

junglee_iitk (651040) | more than 7 years ago | (#16770905)

Why is it so hard to make a captcha that a bot can't read but a human can?


Numerous times there is confusion between I and L. Since every site uses its own set of images and its own 'set of rules to obfuscate', the user has all the reasons to be confused. Then there is 3 coupled with something that makes it look like B etc.

Of course, you will fail one time only, as on next reload you will get a new image to read, but as the article says, user response drops. People want to help you and you are making it, kind of, harder.

Re:What is wrong with Captchas? (1)

SoapDish (971052) | more than 7 years ago | (#16771039)

It's not just a problem with I and L. There are also upper, and lowercase issues, and as you mentioned the mess on top can make letters look like others.

I have certainly failed more than one time when posting on digg. I've actually just given up at times, because it didn't seem to accept my captcha entries.

Re:What is wrong with Captchas? (1)

Thansal (999464) | more than 7 years ago | (#16771125)

Zero and "o" are my 2 problems generally.

However, as I said, I have never failed a slashdot captcha, probably because they are all words....

Re:What is wrong with Captchas? (1)

Alistar (900738) | more than 7 years ago | (#16771897)

I'm confused by the Slashdot captchas.
Mainly because I don't get any Captchas when I sign in or post a comment to Slashdot, yet I hear people mention anytime a related article pops up.

I have Javascript turned off on the page, is this causing it?

Re:What is wrong with Captchas? (1)

MerlynEmrys67 (583469) | more than 7 years ago | (#16771325)

How effective can captchas be anyway. A nice "man in the middle" style attack. You want to hack some web forum - put up a porn site with a "read this captcha to get your porn" link on it. As your bot encounters captchas it posts them out to your porn "clients" to hack for you with the correct brain power.

I've wondered why the big spam services haven't set up this kind of scheme. I fear that I am just ahead of the times on this particular vulnerability.

Re:What is wrong with Captchas? (1)

morgan_greywolf (835522) | more than 7 years ago | (#16770911)

In a word: accessibility. Blind readers can't see graphic-based captchas and screen readers won't read them. Audio-based captchas have been used, but they can be difficult for some people with disabilities as well, are often difficult even for abled people and may be easier to process by bots in many cases.

Re:What is wrong with Captchas? (2, Informative)

sugapablo (600023) | more than 7 years ago | (#16771001)

What's worked surprisingly well for me is simple arithmetic. Adding a random math problem such as 2 + 5 = [ ] or 3 + 4 = [ ] has DRAMATICALLY decreased the amount of form spam two of my websites have received.

Re:What is wrong with Captchas? (4, Funny)

antifoidulus (807088) | more than 7 years ago | (#16771185)

Yes, but then you exclude southern Republicans from using your site!

Re:What is wrong with Captchas? (2, Informative)

91degrees (207121) | more than 7 years ago | (#16771653)

The main reason it works is probably because so few other sites use the same method.

Security through obscurity dogma be damned! When a breach isn't fatal, there are cases where obscurity works well enough.

Re:What is wrong with Captchas? (4, Informative)

Pichu0102 (916292) | more than 7 years ago | (#16771029)

The slashdot captchas are among the easiest I have ever seen to read, however I still haven't seen any spam on slashdot.

You obviously don't browse the comments at -1.

Re:What is wrong with Captchas? (0)

Anonymous Coward | more than 7 years ago | (#16771741)

I always read at -1 and my informed opinion is that none of the -1 posts are automated. When you see a troll post there was an actual troll behind the keyboard, not a script.

Re:What is wrong with Captchas? (1)

Vexorian (959249) | more than 7 years ago | (#16771909)

My opinion is that there ARE some bots. Sometimes in Linux topics some bot posts a huge post about how Linux sucks and it is always the same, maybe it is actually a human being retarded and repetitive, but who knows?

Re:What is wrong with Captchas? (1)

jfengel (409917) | more than 7 years ago | (#16771051)

Slashdot has a couple of extra things going for it:

* A "lameness filter" which excludes certain posts (ill-defined and probably continually changing to keep up)

* A 20-second rule which prevents you from blasting the board

* Moderation, which puts anonymous posts in a place most people don't read anyway. They may be there and you don't see them.

That's still not sufficient for some jackass not to at least try, especially since the audience is so large. It may not be worth the trouble, since Slashdotters are rather sensitive to spam and have even lower response rates than the rest of the world.

Re:What is wrong with Captchas? (2, Insightful)

Thansal (999464) | more than 7 years ago | (#16771265)

Actually, I browse at 0, as a lot of ACs have some rather good posts. (In fact I browse at 0 Nested, so I see even more of these posts)

I still have yet to see anything that was an ad, I have seen plenty of trolls, but those are not bots. I forgot about the lameness filter, and I admit to being curious if that is catching things....

Re:What is wrong with Captchas? (1)

liquidpele (663430) | more than 7 years ago | (#16771297)

Not only that, but slashdot tries to find the http://slashdot/ok.txt [slashdot] file through your IP address to see if the IP posting is an open proxy. Who knows what else they do behind the scenes.

Re:What is wrong with Captchas? (0)

Anonymous Coward | more than 7 years ago | (#16771263)

That's because the /. captchas use real words. For us whose native tongue is not English, the /. captchas are very difficult to read.

  http://lyricslist.com/lyrics/biography/334/mckenni tt_loreena.php/ [lyricslist.com]

Re:What is wrong with Captchas? (1)

Amazing Quantum Man (458715) | more than 7 years ago | (#16771695)

May I ask a really dumb question?

What SlashDot captchas are these? Are they subscribers only?

How Accessible though? (1)

DittoBox (978894) | more than 7 years ago | (#16770705)

How accessible is this though? Won't it hinder those who use screen readers?

If it doesn't, this honestly isn't a solution in my opinion.

Re:How Accessible though? (1)

jcern (247616) | more than 7 years ago | (#16770953)

That is true, but a captcha is already impossible for a screen reader. The hidden field is nice because if you explain that a certain field needs to be left blank, then the user will just not fill it in - whether you read it, or it is read to you. And, you could use the same stylesheet rule to hide that text from the user only if the field is also hidden.

Re:How Accessible though? (2, Interesting)

DittoBox (978894) | more than 7 years ago | (#16771127)

Many that I've seen recently actually have an audio key to listen to if you can't read the image.

design a web form not susceptible to spam .. (-1, Offtopic)

rs232 (849320) | more than 7 years ago | (#16770713)

first post ?

Javascript (4, Interesting)

Aladrin (926209) | more than 7 years ago | (#16770757)

I hadn't read the article yet, and just the summary, and as soon as they said 'hidden fields' that are attractive to spambots, I thought "Why not hide the fields from the spambot instead?"

It's easy, you just have the javascript create all or part of the form. Or modify the form in some way. It would happen before the user even sees the form, and the spambot would have to implement a javascript parser to get it. (Or a parser, that's unique to your site.)

I would think AJAX would be a huge hamper to them as well.

Re:Javascript (1)

Nos. (179609) | more than 7 years ago | (#16770803)

Well, if you RTFA, they talk about not wanting to use javascript because it can create compatibility issues for some users.

Re:Javascript (0)

Anonymous Coward | more than 7 years ago | (#16770833)

I hadn't read the article yet, and just the summary ... I thought "Why not ...

Gee, why not read the article, and you'd see they discuss that very topic.

Re:Javascript (1)

clear_thought_05 (915350) | more than 7 years ago | (#16770949)

"I hadn't read the article yet ... you just have the javascript create all or part of the form"

Why don't you please go and read the article?

First the method that doesn't work for us: Encrypted forms in Javascript.

Re:Javascript (1)

kfg (145172) | more than 7 years ago | (#16770969)

Amazon was pushing Crocs sandals at me the other day and they looked interesting, but I wanted more information; so I went to the company website.

It required that I have Flash installed and Javascript enabled to enter:

So I went to Teva.

KFG

Re:Javascript (0)

Anonymous Coward | more than 7 years ago | (#16771017)

Javascript required to contact a computer security organizaton?

Are you for fucking real?

Re:Javascript (1)

Meatloaf Surprise (1017210) | more than 7 years ago | (#16771399)

If they were to remove captchas and instead use this method, I don't think it would be long before spammers would use other tools. I use QTP at work which includes a browser plugin for web-based regression. I could easily see this being used to spam forums as it attaches itself to the browser--and it wouldn't matter whether or not the fields were generated through the plain ol' html or javascript.

That still fails ADA requirements (1)

bigtrike (904535) | more than 7 years ago | (#16771659)

I guess you'd better hope that braille terminals have a javascript parser.

Re:Javascript (1)

_xeno_ (155264) | more than 7 years ago | (#16771685)

It would amaze me if the bot writers weren't already using JavaScript-capable bots. Internet Explorer is an ActiveX control that bots can use. Firefox offers plenty of ways to access its browser programmatically. (Imagine a SpamBot extension.) Firefox's JavaScript engine is open source, and I think Internet Explorer exports theirs via the Windows Scripting... thingy. (You'll have to forgive me for being more knowledgeable of how Firefox works than Internet Explorer.) In any case, the JS engines can also be accessed programmatically without using the full browser.

The added benefit of using available browsers that allow programmatic access is that it becomes nearly impossible to tell a bot from a normal user. Not only are the user-agents the same, but all other performance characteristics are as well, since it's directly using the browser. Plus it removes the need to implement HTTP, an HTML parser, an image renderer, and, as mentioned, a JavaScript engine. Most bots are run on hacked[1] machines. Wasting processor power and memory is not a concern to the bot writer - they're not running them on their machines, anyway.

So, in any case, I expect that most bots are already using a JavaScript interpreter. And I expect it won't be long until they adapt to the CSS hacks suggested. After all, they already have access to a CSS parser...

[1] Give it up. Cracked suggests someone dropped it on the floor. Language evolves.

Re:Javascript (1)

Reziac (43301) | more than 7 years ago | (#16771907)

I did RTFA, and it mentioned problems with javascript and why they discarded that notion.

TFA page has an example of the "hidden form", and it is indeed invisible -- so one less thing to confuse the user. Confused users were part of the issue they wished to resolve, so...

I suppose spambots will evolve to check for how a form is set up, but meanwhile, I like this idea much better than the alternatives.

2 weeks on this approach (0)

Anonymous Coward | more than 7 years ago | (#16770785)

I'm already using the "identify this" / "identify that" approach. I went from 75+ spams a day to zero. Seems no hand-fed spam for my site. I'm very happy.

  http://lyricslist.com/lyrics/artist_albums/663/ram mstein.php/ [lyricslist.com]

Re:2 weeks on this approach (1)

cortana (588495) | more than 7 years ago | (#16771727)

Interesting. Has it affected your site's ham rate (or the derivative thereof)?

Blind users (3, Insightful)

awtbfb (586638) | more than 7 years ago | (#16770817)

This is still somewhat problematic for blind users. If decoy field names are picked up when CSS is turned off, then there will be a lot of users exposed to the bogus fields.

Foiling spammers without a captcha (2, Funny)

kfg (145172) | more than 7 years ago | (#16770827)

Just shoot 'em on sight.

KFG

Re:Foiling spammers without a captcha (1)

Thansal (999464) | more than 7 years ago | (#16771569)

Just like everyone else this is highly discriminatory against the visually impaired.

You are a horrible horrible person!

field name encrypt (2, Interesting)

Inmatarian (814090) | more than 7 years ago | (#16770835)

Private Key encrypt the randomized field names and have a hidden Public Key field. That way, the fields foo, bar, and abacab have no sense of meaning to the bots, but will decrypt to subject, body, and spammer catcher.

Re:field name encrypt (2, Interesting)

thejrwr (1024073) | more than 7 years ago | (#16771131)

Mixing the form order up would help too, as the bot maker could just look at the order of the fields.
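The decoy field from the summary, the "leave this blank" label, the opaque field names and the shuffled order from the comments above can be combined on the server. The following is an added example, not code from the article or from any commenter; it swaps the public/private-key idea for HMAC-derived names, and `SERVER_KEY`, the `website` decoy and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import random
import secrets
import time

SERVER_KEY = b"constructed-example-key"   # assumption: per-site secret, never sent out
REAL_FIELDS = ("subject", "body")         # fields the application actually wants
DECOY_FIELD = "website"                   # hypothetical decoy, hidden from people by CSS
MAX_AGE = 3600                            # seconds a rendered form stays valid


def new_nonce(now=None):
    """Nonce = issue time + random part; it is sent in clear with the form."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{secrets.token_hex(8)}"


def field_name(logical, nonce):
    """Opaque per-form name; a bot cannot tell which name is the decoy."""
    mac = hmac.new(SERVER_KEY, f"{nonce}:{logical}".encode(), hashlib.sha256)
    return "f" + mac.hexdigest()[:16]


def render_form(nonce=None, rng=None):
    nonce = nonce or new_nonce()
    rng = rng or random.SystemRandom()
    rows = []
    for logical in REAL_FIELDS:
        name = field_name(logical, nonce)
        rows.append(f'<p><label>{logical.title()} <input name="{name}"></label></p>')
    decoy = field_name(DECOY_FIELD, nonce)
    # The label tells a person what to do if the stylesheet is not applied.
    rows.append(
        '<p class="hp"><label>Leave this field empty '
        f'<input name="{decoy}" tabindex="-1" autocomplete="off"></label></p>'
    )
    rng.shuffle(rows)  # field order differs on every render
    parts = [
        "<style>.hp { display: none; }</style>",
        '<form method="post">',
        f'<input type="hidden" name="nonce" value="{html.escape(nonce)}">',
        *rows,
        "<button>Send</button>",
        "</form>",
    ]
    return "\n".join(parts)


def validate(form, now=None, max_age=MAX_AGE):
    """Return (True, {logical: value}) or (False, reason) for a submitted form."""
    now = time.time() if now is None else now
    nonce = form.get("nonce", "")
    issued = nonce.partition(".")[0]
    if not issued.isdigit() or not 0 <= now - int(issued) <= max_age:
        return False, "stale or malformed nonce"
    # Browsers submit hidden-by-CSS text inputs as empty strings, so the decoy
    # must be present and empty. Changing the nonce changes every expected name.
    if form.get(field_name(DECOY_FIELD, nonce)) != "":
        return False, "decoy field missing or filled in"
    data = {}
    for logical in REAL_FIELDS:
        key = field_name(logical, nonce)
        if key not in form:
            return False, f"missing field: {logical}"
        data[logical] = form[key]
    return True, data


if __name__ == "__main__":
    print(render_form())
```

A bot driving a real browser still sees the same page a person does, so this raises the cost of automated posting rather than preventing it.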

Browser compatibility? (0)

Anonymous Coward | more than 7 years ago | (#16770841)

How well do these 'invisible forms' work on browsers that don't make the greatest effort to comply with W3C guidelines concerning style sheets? They might stop spammers, but it might make the contact form difficult to navigate for users of everyone's favorite browser...

Re:Browser compatibility? (1)

Inner_Child (946194) | more than 7 years ago | (#16771343)

They might stop spammers, but it might make the contact form difficult to navigate for users of everyone's favorite browser...
Agreed, I hate it when forms are difficult to navigate in Lynx.

./ ways (1)

thejrwr (1024073) | more than 7 years ago | (#16770989)

I like Slashdot's, it uses real words, also Google's approach is good too

If CSS being off reveals a hidden field... (4, Insightful)

gorckat (960852) | more than 7 years ago | (#16771057)

...can it be clearly labeled as bogus? Something like:

Subject: _______{-enter your spam topic here if you want me to disregard your email

Can the label/tag telling someone to leave a field blank be hidden from a bot but clearly visible to a live person?

Search engines? (1)

Control-Z (321144) | more than 7 years ago | (#16771101)

Hiding things seems like a good way to get search engines to not like you.

Re:Search engines? (1)

lexarius (560925) | more than 7 years ago | (#16771625)

Search engines do not need to index or analyze forms, only content and links. These techniques are not for hiding content or links, just making it more difficult for spambots to figure out how to use submission forms like the one I'm typing in right now.

My Method (2, Interesting)

CastrTroy (595695) | more than 7 years ago | (#16771211)

My Method is to just disallow posting of html. I have a simple blog, and if they try to do anything like post too many HREFs or something, then I just deny the post. That seemed to work for the most part. The bots usually tried to post URLs on my site, so if they posted something like <a href=.... then I would just display an error message, since html doesn't show up properly anyway, because I encode the < and > with &lt; and &gt;. They also try posting [link]...[/link] which also doesn't work on my blog, so I just display an error message and let the user fix it. You can still post straight URLs, but that's not too good for spammers, because they usually want a link. I also stop people from trying to post more than 5 URLs in a single post, since I noticed the bots like to do that. I recently upgraded my blog to use AJAX to submit the comments. Adds an extra layer of protection against the bots, but I really haven't needed any since I added in the filters mentioned above.
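A server-side filter along the lines of the comment above, as an added example that is not the commenter's code: it rejects HTML anchors and `[link]` tags, caps bare URLs at five, and escapes everything on output. The function names, the reason strings and the extra `[url]` tag are assumptions; the sample inputs are constructed.

```python
import html
import re

MAX_URLS = 5  # the comment above rejects posts with more than 5 URLs

# <a href=...> in any case and with stray whitespace.
HTML_LINK = re.compile(r"<\s*a\b[^>]*\bhref\s*=", re.IGNORECASE)
# [link]...[/link]; [url] is an added assumption, as forum bots try both.
BBCODE_LINK = re.compile(r"\[\s*/?\s*(?:link|url)\b[^\]]*\]", re.IGNORECASE)
# Bare URLs stay allowed as plain text, but are counted.
BARE_URL = re.compile(r"\b(?:https?://|www\.)[^\s<>\"'\[\]]+", re.IGNORECASE)


def check_comment(text):
    """Return (accepted, reasons); reasons tell the poster what to fix."""
    reasons = []
    if HTML_LINK.search(text):
        reasons.append("html-link")
    if BBCODE_LINK.search(text):
        reasons.append("bbcode-link")
    if len(BARE_URL.findall(text)) > MAX_URLS:
        reasons.append("too-many-urls")
    return (not reasons, reasons)


def render_comment(text):
    """Escape on output so accepted markup is displayed as text, never as HTML."""
    return html.escape(text, quote=True)


# Constructed sample submissions.
SAMPLES = [
    "Nice post, see http://example.org/a for more",
    '<A  HREF="http://spam.example/">replica watches</A>',
    "[link]http://spam.example/[/link]",
    " ".join(f"http://spam.example/{i}" for i in range(6)),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_comment(sample), render_comment(sample)[:60])
```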

Re:My Method (0)

Anonymous Coward | more than 7 years ago | (#16771363)

Your blog doesn't work without javascript. HTH [htmlgoodies.com]

Re:My Method (1)

CastrTroy (595695) | more than 7 years ago | (#16771397)

You seem to think that I care.

Re:My Method (0)

Anonymous Coward | more than 7 years ago | (#16771853)

You're from Canada...I see. Your arrogance has been excused and dismissed as...well...just being Canadian. I'd be pissed too if I were you. Thank you, drive through.

slashdot's slower.. (0, Redundant)

bodom_lx (899346) | more than 7 years ago | (#16771237)

This page took me 7 seconds.. ..oh damn aMule is active.. -.-

Here's an alternative. (1)

zymano (581466) | more than 7 years ago | (#16771259)

Warn them before they post that they can't post spam.

Make it a contract to post there.

If someone posts spam then make them a 1 or 2 bucks. Money$$

Or even organize other blogs and websites to sue them.

Re:Here's an alternative. (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16771387)

what fantasy world do you live in? sue spammers? good luck with that. Good luck even finding out what country they are in, much less their identity.

javascript and dynamic forms (1)

rtt (770388) | more than 7 years ago | (#16771443)

one method I use to avoid use of captchas is to require javascript (yes, this sucks somewhat) to use my forms. when the form is 'submitted', i dynamically add a new form element into the form and then submit the form. server side, i check for the additional form element. it works pretty well - it seems that bots don't run javascript. i've received very few complaints (2 or so in as many years) from non JS enabled people.

Bots are really annoying (1)

Deagol (323173) | more than 7 years ago | (#16771449)

I maintain a small site that uses the Gossamer Threads Links 2.x package (any decent, free PHP/database packages to replace this cruft with?). It's one of those apps that allows related sites to submit links to be added to our 'partner links' page.

I quickly eyeball the 100+ bot submissions daily for the few *real* submissions. The rest are for "Laboratory Equipment", Viagra, mail-order brides, porn, and other crap.

And before anyone asks, I *have* looked into modding the scripts to add a simple barrier for these bots, but the scripts are in the ugliest perl code I've ever seen in my life (sorry Gossamer, but the code makes my eyes bleed), and while I have written/tweaked perl in the past, I don't have the patience to tackle Links.

I have noticed in the logs that the submission POST is the only hit from the bot, so this package must be well-known to these bots, and not customized for *my* site (or so I assume). Would this be thwarted by generating random form field names each time the page is loaded and processed? If the same CGI page does the initial form *and* processes the POST, this should be feasible, no? Or do these bots actually process the human-readable rendered form to do their work?

Standard Forms (1)

L7_ (645377) | more than 7 years ago | (#16771509)

I have 2 blogs set up on Blogger [blogger.com], one with a customized stylesheet and another using one of the standard CSS templates. I am not sure how well Blogger 1.0 does at preventing bot spam on blogs that allow anonymous posting, but there seems to be a lot of it around.

However, the one with the customized style sheet receives no bot spam! The 'Comment' link is actually called 'Talk about this', and the whole section of the Blogger posting is set up differently (i.e. left to right rather than top to bottom). The one that uses a standard CSS template has lots and lots of botspam. I think that the bots are programmed to see which template the page has (it's right there in the source) and then they know which links will be the links to the comment area.

So the person that suggested even moving the form field around, well I know this is not dynamic movement, but it sure seemed to have worked. Now if my customized blog was popular enough... that would be a different story.

15 second delay... (1)

b0s0z0ku (752509) | more than 7 years ago | (#16771545)

Unregistered users have to wait 15 seconds between previewing their comment and posting it. This should make it slow enough to spam that spammers will go elsewhere. Registered users that spam should be subject to moderation. If more than n of their posts get modded 'spam', they get booted. Permanently. Sure, they could create another account. But more likely, they'd just move on to easier targets.

-b.

This is news? (1)

IO ERROR (128968) | more than 7 years ago | (#16771615)

It seems like people rediscover the same techniques over and over and over without even bothering to do a simple Google search to find out if things have been done before. I block about 90% of submitted spam using Bad Behavior. I'm working on the other 10%...

Still Doesn't Stop Humans (1)

hondo77 (324058) | more than 7 years ago | (#16771617)

I have a small-ish website that allows people to submit sites that they want listed in my directory (think old Yahoo). I review the sites submitted before adding them so I can make sure the sites are relevant. Robo-spam submission was getting pretty horrible so I switched to a simple captcha script and it stopped all the robo-spam. Problem is, spam is still getting through because humans are still submitting things by hand. Somebody in India, for example, is getting paid to manually submit irrelevant sites to my little weight training site. Wish I could stop it but at least it's better than robo-spam.

Sesame Street method (1)

denis-The-menace (471988) | more than 7 years ago | (#16771619)

One of these things is not like the others:
Cat dog fish *car*

Black *stapler* white red

car truck *J-lo* SUV

*Madonna* J-lo K-fed Ja-rule

HTTP_REFERER (1, Insightful)

panda (10044) | more than 7 years ago | (#16771707)

I can't read the article because it appears to be /.'d, but I have a technique that has foiled a spammer from using my web mail form and it would probably work with discussion forums, too.

In the program run to process form input, I check the HTTP_REFERER header sent by the client. It should exactly match the URL of the form that was being posted, if it doesn't, then you know that someone is accessing the input program illegally, i.e. they aren't using your form. It seems that the spambots out there send a referer that matches my site's main domain, but doesn't include the full URL of the form.

Of course, now that this has been posted, it is only a matter of time before the bots are fixed to send the whole form URL. 'Course, I have a couple of other tricks to separate the bots from the humans.

What does my program do when it detects a bot? It returns a 403 Forbidden error and adds the ip address of the client to .htaccess with a "Deny from" directive.

I'll have to actually RTFA when it becomes available again later.

Re:HTTP_REFERER (0)

Anonymous Coward | more than 7 years ago | (#16771821)

I agree, but this still seems a fairly silly way of doing things.

I use an encrypted version of the time on the first form, and decrypt it on the page it posts to. If the time is out by more than half an hour or whatever, then it's rejected. Simple. Spam bot tries my form? They only get to use it for a while. Most spam bots don't seem to download the whole page each time they want to send.

Being as my form only sends mail to me as a contact form it's not really a concern, but it seems trivial to implement random form field names for each user, maybe even storing a match-up code in the querystring. Problem (almost) solved. For most spam bots anyway.

Just my two bits.
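Added example (not part of the thread, and not any poster's code): the time-limited form token and per-render random field names from the comment above, which also bears on Deagol's earlier question about generating field names on each page load. It signs the timestamp with an HMAC instead of encrypting it, a swapped-in technique that serves the same purpose; the secret, the logical field names and all function names are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to clients
MAX_AGE = 30 * 60                  # "half an hour", as in the comment above
LOGICAL_FIELDS = ("name", "email", "message")   # hypothetical contact-form fields


def _mac(data: str) -> str:
    return hmac.new(SECRET, data.encode(), hashlib.sha256).hexdigest()


def wire_name(token: str, logical: str) -> str:
    # Field names are derived from the token, so they change on every render
    # and the server needs no per-user storage to map them back.
    return "f_" + _mac(f"field:{token}:{logical}")[:16]


def issue_form(now=None):
    """Return (token, {logical_name: wire_name}) for one rendering of the form."""
    ts = str(int(time.time() if now is None else now))
    token = f"{ts}.{_mac('ts:' + ts)}"
    return token, {f: wire_name(token, f) for f in LOGICAL_FIELDS}


def verify_post(token: str, posted: dict, now=None):
    """Return the submission keyed by logical name, or None if it is rejected."""
    ts, sep, mac = token.partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return None                       # malformed token
    if not hmac.compare_digest(mac.encode(), _mac("ts:" + ts).encode()):
        return None                       # forged or altered timestamp
    age = (time.time() if now is None else now) - int(ts)
    if age < 0 or age > MAX_AGE:
        return None                       # replayed from an old copy of the form
    fields = {}
    for logical in LOGICAL_FIELDS:
        value = posted.get(wire_name(token, logical))
        if value is None:
            return None                   # posted to stale or guessed field names
        fields[logical] = value
    return fields
```

The token goes into the form as a hidden field or query-string value. A bot that fetches the form fresh for every submission still passes, so this only raises the cost for bots that replay a saved POST.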

It's inev... inev... inevitable... (1)

Salamanders (323277) | more than 7 years ago | (#16771845)

Spam is (and has been) a simple cost/benefit analysis - if it is worth it to spam, taking into account
  • the crappy response rate
  • advantages of google bombing
  • Widely varying laws and chances of being caught
  • botnets to distribute the spam
  • human-powered captcha breaking
  • ease of writing scripts
  • Etc...
...you are left with an undeniable fact - all forms of electronic communication have such an amazingly low transaction cost that the equation, once consumer levels grow to a certain amount, will come out in favor of spamming. [wikipedia.org] Captchas are raising the transaction costs, but not for long.

how is this for an idea (1)

backdoc (416006) | more than 7 years ago | (#16771861)

What if there were instructions on the web page that only a human could interpret? I know that sounds like the captcha. But, I mean something like "What is three times two"? Or, have a drop down list box of colors or patterns (like checked, striped or solid). Then tell the people to choose the color that matches closest something you present randomly. Make it easy by only offering black, white or red.

Where? (1)

edmicman (830206) | more than 7 years ago | (#16771885)

Sorry for the ignorance, but where are the /. captchas? I don't run into any when submitting comments...are they somewhere else?