www.webdeveloper.com
Results 1 to 13 of 13

Thread: Spam bot captha free form idea. Comments plz.

  1. #1
    Join Date
    Apr 2007
    Posts
    1,664

    Spam bot captha free form idea. Comments plz.

    We had a capture free an anti spam form idea recently, for a very long, mulit page form application that I thought I'd share and get any thoughts on.

    This particular form is a multi page application but starts with a simple email field and a next button. This creates a record in a database using that email as a reference to come back and complete the form at another time. All other data entered is of course also stored. The email address is stored to the session.

    We use passwords to validate the email account but they are only sent when a request to continue the form is made so we don't send emails to spam servers.

    We also have another column called human_flag set to a default of 0. Our theory is lots of bots will probably hit the first email entry form field and also submit to page 2. Most bots will think their work is done and not continue. At this point the human_flag is still set to 0.

    Page 2 has a document.onclick detector like this

    HTML Code:
    <html>
    <head>
    <script>
    function clicker(){
    	document.onclick = xajax_setHumanFlag('<?=$_SESSION['email']?>');
    }
    </script>
    </head>
    <body onClick="clicker()">
    
    <form>
    <input >...
    </form>
    </body>
    </html>

    When the page is clicked an xajax call will update the human flag to 1.

    Our theory is a bot can't click the page so will never be considered human.

    The down side is of course screen readers and non javascript users. However we hope bots don't continue to submit on page 2 but we'll have to wait and see on that one. We can be pretty sure though that email records with nothing else stored and a human_flag of 0 are bot records and cronjob them into history every night. If they're real people they haven't entered anything who cares if their record is nixed.

    The whole point is to not use captha, because captha sucks.

  2. #2
    Join Date
    Sep 2006
    Location
    Bucharest, RO
    Posts
    940
    Why does captcha suck? It works with non-javascript browsers. Plus, there are better ways, for e.g. asking questions like "how much is three by four?" or "how many wheels does a tricycle have?" or whatever.
    Honestly, I don't like your idea. It's innovative, yes, but I don't like it.

  3. #3
    Join Date
    Apr 2007
    Posts
    1,664
    Captha is an inconvienience to the user and if it can be avoided it should. You have to add so much noise and distortion these days there becoming barley useable. I have on a number of aoccaisions filled in a capture when entering form info and failed to do so correctly so in order to defeat bots, captchas are defeating humans and that sucks.

    I've had other ideas that work pretty well for anti-spam questions like a mix of colours in the captcha letters (without any distortion) and asking the human to enter the red letters, for example. I also have common expressions like 'Roses are ()red () blue' with radio choices. Both have prevented bots pretty well however I'd like to avoid the capthca and challenges completely while still defeating the bots.

    Also if you're going to rubbish my idea please say why, If you have a critisim of this idea please post it. That was my entire reason to post it here in the first place.
    Last edited by SyCo; 02-26-2008 at 02:44 PM.

  4. #4
    Join Date
    Jun 2007
    Location
    Tangerang, Banten
    Posts
    258
    My view is like this :
    i like to make a web applications especially in php because user only need browser to run my app.
    no need virtual machine.. no need to make my own windows gui or unix gui or for mobilephone gui...
    for this reason, i can truly consentrate to make a good web app...

    because of that point of view, i always avoid browser dependent script, like java script...
    not all browser can run it well....

    for user validation, bot or human, i prefer use captcha image contain some letters...
    No need to add distortion to the image.. No need to use unique font.. casual letter is enough, because my biggest concern is very difficult to make image recognition bot... i have tried to make one, but failed....
    question like znupi's say is also preferable for blind user...

    if you scare that captcha may defeat human, use optimization to your captha... you need to know how far you need to blurring the message... developers always try to comfort user.. not users always try adapt to developers need...

    Your idea is great.. but using javascript is the biggest weakness point..
    not all browser can run it well, and not all user activate their browser's java script capability.
    not all users like to use their mouse/pointer...
    you can not implement it to user that use mobile phone..
    you can not implement it to blind user...
    and not all users like to give their true email.. :P

  5. #5
    Join Date
    Mar 2005
    Location
    Sydney, Australia
    Posts
    7,974
    Whichever method you use to block the spambots will also block legitimate users. The trick is to come up with a combination approach which blocks spambots and hopefully still provides legitimate users with one means or another of being able to use the form. A combination of a CAPTCHA image and a simple question where answering either one correctly will get you through is the simplest method I can think of to achieve this since you need to allow those users who are visually, audiably or cognatively limited to pass validation while still blocking the blind, deaf, and stupid spambots.
    Stephen

  6. #6
    Join Date
    Jun 2006
    Location
    Down at the bottom of the garden
    Posts
    1,239
    Can you get an X / Y position from a submit button click, if so then maybe that is enough to say a human clicked it without needing to use javascript?

    Not very accessibility friendly ether way.
    Quote Originally Posted by temp.user123
    You know... You're not so smart. Do you need me to educate you?
    If you say, "please," (and do so, nicely) then I will show you where you're dead wrong.

  7. #7
    Join Date
    Sep 2006
    Location
    Bucharest, RO
    Posts
    940
    Quote Originally Posted by SyCo
    in order to defeat bots, captchas are defeating humans and that sucks.
    Your idea defeats humans, too.
    Quote Originally Posted by SyCo
    Also if you're going to rubbish my idea please say why, If you have a critisim of this idea please post it. That was my entire reason to post it here in the first place.
    Well, it defeats humans, maybe even more humans than a regular captcha. On top of that, if you're going to use Javascript, why use Ajax? Why not just fill in a hidden input with a value? Like this:
    Code:
    <script type="text/javascript">
    var myVar = <?php $_SESSION['rand'] = mt_rand(1, 100); echo $_SESSION['rand']; ?>
    function onpageload() {
       document.getElementById('myHiddenInput').value = myVar;
    }
    window.onload = onpageload;
    </script>
    ...
    <form ...
    <input type="hidden" name="someName" value="IAmABot">
    Don't you think that's a bit better?
    Still, it's javascript, and yes, there are still many users browsing the web without javascript.

    Another thing: if someone really wants to bash your site, they'll make a special bot that will make the ajax request, too, or fill the hidden input with the value it needs. With an image captcha, that's not possible, you have to develop OCR software which.. not many people are able to do.
    Last edited by Znupi; 02-27-2008 at 09:46 AM.

  8. #8
    Join Date
    Apr 2007
    Posts
    1,664
    Thanks for the responses, lots to think about here.

    My coloured letterers captcha is about to get pulled. I didn't consider coloured blind users, doh!, but I think the idea may yet evolve.

    MrCoder, You can only get x/y with Javascript so good idea but it would have the same problems.

    Andre4s, unfortunatly captcha ia too easy to break have a look at these examples
    http://www.neowin.net/forum/lofivers...p/t577656.html
    http://www.cs.sfu.ca/~mori/research/gimpy/

    If you're not adding noise and warping, you're wide open.

    Some of those examples are already tough to read. If it's necessary to make it harder than the examples in the links, then distorted captcha is done. I don't like to fail entering a captcha and I'm used to captcha. Non techy types find those distorted captchas almost impossible. Captcha is supposed to keep bots out while letting humans in, it's reached a point where it's keeping humans out too.

    Here's how it goes for users sometimes (myself included)

    Fill out form (including a password)
    enter captcha
    submit
    captcha failed
    enter new captcha
    submit
    passwords not re-filled in
    enter passwords again
    enter new captcha
    submit
    captcha fails
    enter passwords again
    enter new captcha
    hopefully make it this time!
    say out loud 'captcha sucks'

    If you turn javascript off because you worried about catching internet bugs then I have no sympathy for a crappy internet experience. If you're that paranoid, go use Linux. I'm very happy with Ubuntu, I have JS turned on with no anti virus, no anti spyware and no worries.

    I'm only concerned with those forced to use the net without javascript ie screen readers. We strive to be 508 compliant, therefore regular visual captcha is out.

    Honeypots and timestamp checks are ok too. As are challenge questions and multi stage forms. I've used them all and had sucess. I'm hoping to find the least obtrusive way to achive spam bot free forms.

    --

    So here's an evolution of the idea after thinking about your comments.

    I'm thinking the human_flag coupled with a timestamp 'page drawn to submit' comparision might work well. Then a probability of the user beng a spam bot could be calculated and if there is a suspicion then a captcha is displayed for human confirmation.

    The human_flag could be set anywhere (using javascript) in the website and written to the session with PHP. This way all javascript/sessions enabled users will not have to captcha (97% or so).

    Non javascript users or otherwise suspicous users (timed out session etc) will have to validate with a challenge question that can be optionally included in the form based on the state of the human_flag session var.

    How does that sound?

  9. #9
    Join Date
    May 2003
    Location
    Milwaukee
    Posts
    347
    I added a simple logic question to a phpbb board registration page and it stopped the spambots in their tracks. There have been zero new spam accounts since this was put in place nearly a year ago. The question: What is fourteen minus seven? Please answer using letters only, not a number.

    If it's ever needed, it's easy to change as well.

  10. #10
    Join Date
    Sep 2006
    Location
    Bucharest, RO
    Posts
    940
    That doesn't sound good to me, because from what I understand, there's still a way to get to the captcha, which you said can be defeated by bots. Another idea would be to use an animated captcha, here are a couple I've made:
    http://znupi.ath.cx/work2/captcha/index.php and http://znupi.ath.cx/work2/captcha/index2.php
    I prefer the second one because there is NO frame that would show all the letters. For a human it's easily solvable, but for a bot it's much harder. Also, if you don't like the way the text is written or you don't like the lines on the background, you can apply the same logic to another captcha. If you want I can post the code.

  11. #11
    Join Date
    Apr 2007
    Posts
    1,664
    508 compliance is about allowing blind people to access your website. Visual captchas can't be 508 compliant animated or otherwise.

    If you use visual captcha you're basically saying you don't care visually impared people can't use your site. I develop for a university so we are obligated (not yet by law in the US) to reach 508 compliance.

  12. #12
    Join Date
    Jun 2007
    Location
    Tangerang, Banten
    Posts
    258

    Thumbs up

    Quote Originally Posted by SyCo
    Andre4s, unfortunatly captcha ia too easy to break have a look at these examples
    http://www.neowin.net/forum/lofivers...p/t577656.html
    http://www.cs.sfu.ca/~mori/research/gimpy/
    Thanks to open my mind, SyCo...
    What a incredible spam program.. only cost $450.. whew...
    Are you still sure that future spam program will not detect protection using javascript??

  13. #13
    Join Date
    Apr 2007
    Posts
    1,664
    Crazy huh, $450 is pennies to a spammer, they pay tens of thousands to buy OS vulnerabilites.

    If your site is worth the effort, they'll just use people in India at $2 a day. Then we'll have to detect ips and rates for subbmission from them.

    I think I'm going to make my own internet and only let nice people in. Hey, I've got it. We can print out the form and have some guy bring it to my house... Sweet.. Maybe Wikipedia could come in book form too, split into nice leather bound volumes of course.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles