    We had a captcha-free anti-spam form idea recently, for a very long, multi-page form application that I thought I'd share and get any thoughts on.

    This particular form is a multi-page application but starts with a simple email field and a next button. This creates a record in a database using that email as a reference to come back and complete the form at another time. All other data entered is of course also stored. The email address is stored to the session.

    We use passwords to validate the email account but they are only sent when a request to continue the form is made so we don't send emails to spam servers.

    We also have another column called human_flag set to a default of 0. Our theory is lots of bots will probably hit the first email entry form field and also submit to page 2. Most bots will think their work is done and not continue. At this point the human_flag is still set to 0.

    Page 2 has a document.onclick detector like this:

    HTML Code:
    <script type="text/javascript">
    function clicker() {
        // xajax_setHumanFlag is the xajax wrapper for the PHP function; json_encode emits the session email as a quoted JS string
        xajax_setHumanFlag(<?php echo json_encode($_SESSION['email']); ?>);
    }
    </script>
    <body onclick="clicker()">
    <input >...

    When the page is clicked an xajax call will update the human flag to 1.

    Our theory is a bot can't click the page so will never be considered human.

    The downside is of course screen readers and non-JavaScript users. However we hope bots don't continue to submit on page 2, but we'll have to wait and see on that one. We can be pretty sure though that email records with nothing else stored and a human_flag of 0 are bot records, and cronjob them into history every night. If they're real people they haven't entered anything, so who cares if their record is nixed.

    The whole point is to not use captcha, because captcha sucks.

    Why does captcha suck? It works with non-JavaScript browsers. Plus, there are better ways, e.g. asking questions like "how much is three by four?" or "how many wheels does a tricycle have?" or whatever.
    Honestly, I don't like your idea. It's innovative, yes, but I don't like it.

    Captcha is an inconvenience to the user and if it can be avoided it should be. You have to add so much noise and distortion these days they're becoming barely usable. I have on a number of occasions filled in a captcha when entering form info and failed to do so correctly, so in order to defeat bots, captchas are defeating humans and that sucks.

    I've had other ideas that work pretty well for anti-spam questions, like a mix of colours in the captcha letters (without any distortion) and asking the human to enter the red letters, for example. I also have common expressions like 'Roses are ()red () blue' with radio choices. Both have prevented bots pretty well, however I'd like to avoid the captcha and challenges completely while still defeating the bots.

    Also if you're going to rubbish my idea please say why. If you have a criticism of this idea please post it. That was my entire reason to post it here in the first place.
    My view is like this:
    I like to make web applications, especially in PHP, because the user only needs a browser to run my app.
    No need for a virtual machine.. no need to make my own Windows GUI or Unix GUI or mobile phone GUI...
    For this reason, I can truly concentrate on making a good web app...

    Because of that point of view, I always avoid browser-dependent scripts, like JavaScript...
    Not all browsers can run it well....

    For user validation, bot or human, I prefer to use a captcha image containing some letters...
    No need to add distortion to the image.. No need to use a unique font.. casual letters are enough, because my biggest concern is that it is very difficult to make an image recognition bot... I have tried to make one, but failed....
    Questions like znupi suggests are also preferable for blind users...

    If you're scared that captcha may defeat humans, optimize your captcha... you need to know how far you need to blur the message... developers always try to make users comfortable.. not users always trying to adapt to developers' needs...

    Your idea is great.. but using JavaScript is the biggest weak point..
    Not all browsers can run it well, and not all users activate their browser's JavaScript capability.
    Not all users like to use their mouse/pointer...
    You cannot implement it for users that use mobile phones..
    You cannot implement it for blind users...
    And not all users like to give their true email.. :P

    Whichever method you use to block the spambots will also block legitimate users. The trick is to come up with a combination approach which blocks spambots and hopefully still provides legitimate users with one means or another of being able to use the form. A combination of a CAPTCHA image and a simple question, where answering either one correctly will get you through, is the simplest method I can think of to achieve this, since you need to allow those users who are visually, audibly or cognitively limited to pass validation while still blocking the blind, deaf, and stupid spambots.

    Can you get an X / Y position from a submit button click, if so then maybe that is enough to say a human clicked it without needing to use javascript?

    Not very accessibility friendly either way.
    Your idea defeats humans, too.
    Well, it defeats humans, maybe even more humans than a regular captcha. On top of that, if you're going to use JavaScript, why use Ajax? Why not just fill in a hidden input with a value? Like this:
    <script type="text/javascript">
    var myVar = <?php $_SESSION['rand'] = mt_rand(1, 100); echo $_SESSION['rand']; ?>;
    function onpageload() {
        // copy the per-session value into the hidden field; the server then compares it with $_SESSION['rand']
        document.getElementById('myHiddenInput').value = myVar;
    }
    window.onload = onpageload;
    </script>
    <form ...
    <input type="hidden" id="myHiddenInput" name="someName" value="IAmABot">
    Don't you think that's a bit better?
    Still, it's javascript, and yes, there are still many users browsing the web without javascript.

    Another thing: if someone really wants to bash your site, they'll make a special bot that will make the ajax request, too, or fill the hidden input with the value it needs. With an image captcha, that's not possible, you have to develop OCR software which.. not many people are able to do.
    Thanks for the responses, lots to think about here.

    My coloured letters captcha is about to get pulled. I didn't consider colour-blind users, doh!, but I think the idea may yet evolve.

    MrCoder, you can only get x/y with JavaScript, so good idea but it would have the same problems.

    Andre4s, unfortunately captcha is too easy to break, have a look at these examples

    If you're not adding noise and warping, you're wide open.

    Some of those examples are already tough to read. If it's necessary to make it harder than the examples in the links, then distorted captcha is done. I don't like to fail entering a captcha and I'm used to captcha. Non techy types find those distorted captchas almost impossible. Captcha is supposed to keep bots out while letting humans in, it's reached a point where it's keeping humans out too.

    Here's how it goes for users sometimes (myself included)

    Fill out form (including a password)
    enter captcha
    captcha failed
    enter new captcha
    passwords not re-filled in
    enter passwords again
    enter new captcha
    captcha fails
    enter passwords again
    enter new captcha
    hopefully make it this time!
    say out loud 'captcha sucks'

    If you turn JavaScript off because you're worried about catching internet bugs then I have no sympathy for a crappy internet experience. If you're that paranoid, go use Linux. I'm very happy with Ubuntu, I have JS turned on with no anti-virus, no anti-spyware and no worries.

    I'm only concerned with those forced to use the net without JavaScript, i.e. screen readers. We strive to be 508 compliant, therefore regular visual captcha is out.

    Honeypots and timestamp checks are ok too. As are challenge questions and multi-stage forms. I've used them all and had success. I'm hoping to find the least obtrusive way to achieve spam-bot-free forms.


    So here's an evolution of the idea after thinking about your comments.

    I'm thinking the human_flag coupled with a timestamp 'page drawn to submit' comparison might work well. Then a probability of the user being a spam bot could be calculated, and if there is a suspicion then a captcha is displayed for human confirmation.

    The human_flag could be set anywhere (using javascript) in the website and written to the session with PHP. This way all javascript/sessions enabled users will not have to captcha (97% or so).

    Non-JavaScript users or otherwise suspicious users (timed out session etc) will have to validate with a challenge question that can be optionally included in the form based on the state of the human_flag session var.

    How does that sound?
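The server-side half of the scheme just described (the JavaScript-set human_flag from the first post, the 'page drawn to submit' timestamp comparison, and the honeypot mentioned earlier, rolled into one bot-likelihood score that decides whether a challenge is shown), as an added example that is not code from the thread. It is written in JavaScript for illustration; the thread's site would do this in PHP against $_SESSION. All thresholds, field names (`website` as the honeypot, `js_token`) and the sample sessions are assumptions.

```javascript
// Added example, not code from the thread. Server-side scoring for the evolved
// scheme: human_flag set from JavaScript, page-drawn-to-submit timing, and a
// honeypot field. Thresholds and field names are assumed for illustration.

const MIN_FILL_SECONDS = 4;       // assumed: nobody reads and fills the page faster
const MAX_FILL_SECONDS = 60 * 60; // assumed: older than this is a timed-out session
const CHALLENGE_THRESHOLD = 0.5;  // assumed: at or above this, show the challenge

// Called when the form page is rendered: record when it was drawn and issue a
// per-session random token for the page's JavaScript to echo back (the hidden
// input or xajax call). human_flag starts at 0 as in the original scheme.
function prepareSession(session, nowSeconds, randomToken) {
  session.page_drawn_at = nowSeconds;
  session.js_token = randomToken;
  session.human_flag = 0;
  return session;
}

// Called by the JavaScript beacon. The flag is set only when the echoed token
// matches the one issued to this session, so a value posted into a different
// session, or a guessed one, is ignored. As noted in the thread, a bot written
// for this site can still run the JavaScript: this is a signal, not proof.
function markHuman(session, postedToken) {
  if (typeof postedToken === 'string' && postedToken === session.js_token) {
    session.human_flag = 1;
    return true;
  }
  return false;
}

// Score one form submission. `post` holds the submitted fields; `website` is a
// honeypot input hidden from people with CSS that a form-filling bot completes.
// Returns the score, the reasons behind it, and whether a challenge is required.
function scoreSubmission(session, post, nowSeconds) {
  const reasons = [];
  let score = 0;

  // No human_flag: JavaScript never ran (bot, JS disabled, or a screen reader).
  // On its own this reaches the threshold, matching "non-JavaScript users ...
  // will have to validate with a challenge question".
  if (session.human_flag !== 1) {
    score += 0.5;
    reasons.push('no_human_flag');
  }

  // Page-drawn-to-submit time: too fast looks automated, too old looks like a
  // timed-out or replayed session; a missing timestamp means no page was drawn.
  if (typeof session.page_drawn_at !== 'number') {
    score += 0.5;
    reasons.push('no_page_timestamp');
  } else {
    const elapsed = nowSeconds - session.page_drawn_at;
    if (elapsed < MIN_FILL_SECONDS) {
      score += 0.5;
      reasons.push('too_fast');
    } else if (elapsed > MAX_FILL_SECONDS) {
      score += 0.5;
      reasons.push('session_timed_out');
    }
  }

  // Honeypot: people never see the field, so any content in it is a bot.
  if (typeof post.website === 'string' && post.website.trim() !== '') {
    score += 1;
    reasons.push('honeypot_filled');
  }

  score = Math.min(1, score);
  return { score, reasons, requireChallenge: score >= CHALLENGE_THRESHOLD };
}

// Constructed sample sessions: a JS-enabled person, a bot posting straight away
// with the honeypot filled, and a screen-reader user (no JavaScript) who took
// two minutes over the page.
const person = prepareSession({ email: 'alice@example.invalid' }, 1000, 'tok-A');
markHuman(person, 'tok-A');
const bot = prepareSession({ email: 'bot@example.invalid' }, 1000, 'tok-B');
const reader = prepareSession({ email: 'bob@example.invalid' }, 1000, 'tok-C');

console.log(scoreSubmission(person, { website: '' }, 1030));                  // accept
console.log(scoreSubmission(bot, { website: 'http://spam.example' }, 1001));  // challenge
console.log(scoreSubmission(reader, { website: '' }, 1120));                  // challenge
```

The score is deliberately coarse: a single signal is enough to show the challenge question, but no single signal rejects the submission outright, which is what keeps the non-JavaScript and screen-reader users the thread worries about from being locked out.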

    I added a simple logic question to a phpbb board registration page and it stopped the spambots in their tracks. There have been zero new spam accounts since this was put in place nearly a year ago. The question: What is fourteen minus seven? Please answer using letters only, not a number.

    If it's ever needed, it's easy to change as well.
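A server-side check for a 'what is fourteen minus seven? answer in letters' question of the kind described above, as an added example that is not code from the thread or from phpBB. It is written in JavaScript for illustration (a phpBB board would do this in PHP). The expected answer lives only in the session, digits are rejected because the question asks for letters, and each question is single-use. The question pool, the `rng` injection and the session field name are assumptions.

```javascript
// Added example, not code from the thread: generate a small arithmetic question,
// keep the answer server-side, and accept only the spelled-out word.

const ONES = ['zero', 'one', 'two', 'three', 'four', 'five', 'six', 'seven',
  'eight', 'nine', 'ten', 'eleven', 'twelve', 'thirteen', 'fourteen', 'fifteen',
  'sixteen', 'seventeen', 'eighteen', 'nineteen'];
const TENS = ['', '', 'twenty', 'thirty', 'forty', 'fifty', 'sixty', 'seventy',
  'eighty', 'ninety'];

// Spell out 0..99 ("fourteen", "twenty-one").
function numberToWords(n) {
  if (n < 20) return ONES[n];
  const rest = n % 10;
  return TENS[Math.floor(n / 10)] + (rest ? '-' + ONES[rest] : '');
}

// Lower-case and keep letters only, so "Twenty-One " and "twentyone" compare
// equal, while a numeric answer like "7" collapses to "" and fails.
function normalize(answer) {
  return String(answer).toLowerCase().replace(/[^a-z]/g, '');
}

// Build a question whose answer is never negative and never above 40, so the
// word tables above cover it. `rng` returns a float in [0, 1); it is injected
// so the demo and tests are reproducible (assumed design, not phpBB's).
function makeQuestion(rng) {
  const a = 1 + Math.floor(rng() * 20);  // 1..20
  const b = 1 + Math.floor(rng() * a);   // 1..a
  const ops = [
    { word: 'plus', apply: (x, y) => x + y },
    { word: 'minus', apply: (x, y) => x - y },
  ];
  const op = ops[Math.floor(rng() * ops.length)];
  return {
    text: `What is ${numberToWords(a)} ${op.word} ${numberToWords(b)}? ` +
      'Please answer using letters only, not a number.',
    answer: numberToWords(op.apply(a, b)),
  };
}

// Store the expected answer in the session and return only the question text,
// so nothing in the page reveals the answer.
function issueChallenge(session, rng = Math.random) {
  const q = makeQuestion(rng);
  session.challenge_answer = q.answer;
  return q.text;
}

// Check a posted answer against the session. The stored answer is cleared on
// every attempt, so a correct answer cannot be replayed and a wrong one forces
// a fresh question.
function checkAnswer(session, posted) {
  const expected = session.challenge_answer;
  delete session.challenge_answer;
  if (typeof expected !== 'string') return false;
  return normalize(posted) === normalize(expected);
}

// Constructed demo with a scripted rng that reproduces the thread's question.
const scripted = [0.65, 0.45, 0.5];
const demoSession = {};
console.log(issueChallenge(demoSession, () => scripted.shift()));
console.log(checkAnswer(demoSession, 'Seven'));  // true
console.log(checkAnswer(demoSession, 'Seven'));  // false: single-use
```

Accepting only the word is what makes the question worth more than the arithmetic: a bot that pulls the numbers out of the text and computes the result still has to know to spell it out, which is the part the post credits with stopping registrations.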

    That doesn't sound good to me, because from what I understand, there's still a way to get to the captcha, which you said can be defeated by bots. Another idea would be to use an animated captcha, here are a couple I've made:
    http://znupi.ath.cx/work2/captcha/index.php and http://znupi.ath.cx/work2/captcha/index2.php
    I prefer the second one because there is NO frame that would show all the letters. For a human it's easily solvable, but for a bot it's much harder. Also, if you don't like the way the text is written or you don't like the lines on the background, you can apply the same logic to another captcha. If you want I can post the code.

    508 compliance is about allowing blind people to access your website. Visual captchas can't be 508 compliant animated or otherwise.

    If you use visual captcha you're basically saying you don't care that visually impaired people can't use your site. I develop for a university so we are obligated (not yet by law in the US) to reach 508 compliance.

    Thumbs up

    Thanks for opening my mind, SyCo...
    What an incredible spam program.. only costs $450.. whew...
    Are you still sure that future spam programs will not detect protection using JavaScript??

    Crazy huh, $450 is pennies to a spammer, they pay tens of thousands to buy OS vulnerabilities.

    If your site is worth the effort, they'll just use people in India at $2 a day. Then we'll have to detect IPs and rates of submission from them.

    I think I'm going to make my own internet and only let nice people in. Hey, I've got it. We can print out the form and have some guy bring it to my house... Sweet.. Maybe Wikipedia could come in book form too, split into nice leather bound volumes of course.

