How to Prevent Form Spam Without Captchas
UnderAttack writes "Spam submitted to web contact forms and forums continues to be a huge problem. The standard way out is the use of captchas. However, captchas can be hard to read even for humans. And if implemented wrong, they will be read by the bots. The SANS Internet Storm Center covers a nice set of alternatives to captchas. For example, the use of style sheets to hide certain form fields from humans, but make them 'attractive' to bots. The idea of these methods is to increase the work a spammer has to do to spam the form without inconveniencing regular users."
Re:What is wrong with Captchas? (Score:2, Informative)
Numerous times there is confusion between I and L. Since every site uses its own set of images and its own 'set of rules to obfuscate', the user has all the reasons to be confused. Then there is 3 coupled with something that makes it look like B etc.
Of course, you will fail one time only, as on next reload you will get a new image to read, but as the article says, user response drops. People want to help you and you are making it, kind of, harder.
Re:What is wrong with Captchas? (Score:5, Informative)
You obviously don't browse the comments at -1.
Related Story (Score:4, Informative)
What Ways Can Sites Handle Spambot Attacks? [slashdot.org]
Re:And how... (Score:3, Informative)
Mods: go nuts! I have karma to burn, bitches.
Re:What is wrong with Captchas? (Score:3, Informative)
These questions or pictures again need to be either automatically generated or generated by humans. If automatically generated, they would need to follow a pattern, and so the challenge would then be on the spammers to identify the pattern and train their bots to read the pattern and respond appropriately.
If, on the other hand, they're generated by humans, it would be expensive to generate each one, and so they'd be limited in number. Therefore the spammers simply go about collecting each one, identifying them, and they've broken the system.
Either way, it's like an arms race. The people blocking the spammers are just trying to stay one step ahead of the spammers.
Re:What is wrong with Captchas? (Score:3, Informative)
That's been considered before. The problem with that approach is that, unlike image-based CAPTCHAs, there are a limited number of templates available for natural-language questions. The spammer just has to compile a list of the various patterns of questions and answers, a much easier task than designing an OCR program capable of extracting random, disconnected letters and numbers from a randomly distorted image. The problem is essentially one of hash functions -- plain-text questions can be solved as easily as they can be generated, whereas image-based CAPTCHAs are easy to generate but difficult (for computers) to decipher. Your last example ("What is the name of my blog?") is probably the best, since it's somewhat resistant to ordinary dictionary attacks, but there could be several reasonable answers (depending on the blog) and the correct answer(s) would have to be separately entered into each site. For many sites the answer may also be trivially derived from the title of the page, or some other element no less predictable than the form elements employed to enter the comment.
Re:What is wrong with Captchas? (Score:2, Informative)
Security through obscurity dogma be damned! When a breach isn't fatal, there are cases where obscurity works well enough.
Re:And how... (Score:2, Informative)
Yes, there are accessibility laws [w3.org] in countries all over the world.
Vbulletin forums? (Score:3, Informative)
I use an anti-spam e-mail technique: blacklist.
Vbulletin has a censoring system where words you choose can be replaced with your choice of characters - by default it's an *. www.clickmeforspam.com, where I would use the "clickmeforspam.com" as the censored word, shows up as www.******************
It's quite hilarious to see the humans behind the spam, who have registered, gotten through a human image trap, clicked on a link e-mailed to them, logged in and posted their spam re-post it like 2-3 times only to realize they got owned by my filter. They get all pissed off, and by that time a user has reported the post or we've seen it and banned them. It's very fun to make fun of them in their spam posts filled with ***s.
Blind users? Use proper CSS (Score:3, Informative)
Aural, braille, and embossed are all media types that would hide the fields for blind users if done correctly (i.e. used and the reader supports it, which you'd think they would want to). This technique is not the only reason why blind users' tools need to work differently based on media type in CSS.
Re:My Method (Score:2, Informative)
It's now some years ago, in the beginning no problem... then got hit by massive spamming.
Cleaned it up.
I never wanted to do captchas or question, since it should be most easy and convenient for the human user to post, anonymously without much worries, the "entry barrier" has to be low.
First I blocked some IPs, did not help much.
A great benefit was I gave the user a cookie when viewing the main site, and looked if the cookie is still there when viewing the guestbook, that got rid of the spam bots... but in the last time some seem to have learned that as well.
Now I block on server side just as you everything that contains "a href=", "[url]" or "[link]" and that stuff, just as you, this really blocks A LOT, since they all are out to post links to raise their site in Google.
Now the few that get through 1-2 a week, I block special content strings, usually their URL like mycoolrippoffs.com or that stuff.
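The checks described in the comment above (a cookie set on the main page, rejecting link markup, a list of blocked strings), combined with the CSS-hidden trap field from the story summary, as an added example that is not part of the original thread. The field name `website`, the cookie name `seen_main`, the function name and the sample submissions are assumptions made for illustration.

```python
import re

# Assumed names (not from the thread): form field "website" is the CSS-hidden
# trap field, cookie "seen_main" is set when the main page is viewed.
HONEYPOT_FIELD = "website"
VISIT_COOKIE = "seen_main"

# Link markup named in the comment: a href=, [url], [link]
LINK_MARKUP = re.compile(r"<\s*a\s[^>]*href\s*=|\[\s*(url|link)\b", re.IGNORECASE)

# Per-site list of blocked content strings; the entry is the comment's own example.
BLOCKED_STRINGS = ["mycoolrippoffs.com"]


def check_submission(form, cookies, blocked=BLOCKED_STRINGS):
    """Return (accepted, reason) for one post; form and cookies are dicts."""
    # 1. Humans never see the hidden field, so any value means a bot filled it.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field filled"
    # 2. A client that never loaded the main page has no visit cookie.
    if VISIT_COOKIE not in cookies:
        return False, "visit cookie missing"
    message = form.get("message", "")
    # 3. Reject link markup outright; guestbook posts do not need it.
    if LINK_MARKUP.search(message):
        return False, "link markup in message"
    # 4. Catch the remainder by known strings, ignoring case and whitespace
    #    so that "mycool rippoffs.com" is still matched.
    squashed = re.sub(r"\s+", "", message).lower()
    for needle in blocked:
        if needle.lower() in squashed:
            return False, "blocked string: " + needle
    return True, "ok"


# Constructed sample submissions (not real traffic).
SAMPLES = [
    ({"message": "Nice site!", "website": ""}, {"seen_main": "1"}),
    ({"message": "Nice site!", "website": "http://x.example"}, {"seen_main": "1"}),
    ({"message": "hello"}, {}),
    ({"message": 'cheap <A HREF="http://x.example">pills</a>'}, {"seen_main": "1"}),
    ({"message": "[URL=http://x.example]pills[/url]"}, {"seen_main": "1"}),
    ({"message": "visit mycool rippoffs.com"}, {"seen_main": "1"}),
]

if __name__ == "__main__":
    for form, cookies in SAMPLES:
        print(check_submission(form, cookies))
```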
Re:Javascript (Score:3, Informative)
"I hadn't read the article yet," is NOT the same as "I haven't read the article yet,"
I've read it. You can stop posting the same 'rtfa' over and over. Jeez.