How to Prevent Form Spam Without Captchas

UnderAttack writes "Spam submitted to web contact forms and forums continues to be a huge problem. The standard way out is the use of captchas. However, captchas can be hard to read even for humans. And if implemented wrong, they will be read by the bots. The SANS Internet Storm Center covers a nice set of alternatives to captchas. For example, the use of style sheets to hide certain form fields from humans, but make them 'attractive' to bots. The idea of these methods is to increase the work a spammer has to do to spam the form without inconveniencing regular users."

Re:What is wrong with Captchas?

[junglee_iitk]

Why is it so hard to make a captcha that a bot can't read but a human can?

Numerous times there is confusion between I and L. Since every site uses its own set of images and its own 'set of rules to obfuscate', the user has all the reasons to be confused. Then there is 3 coupled with something that makes it look like B etc.

Ofcourse, you will fail one time only, as on next reload you will get a new image to read, but as the article says, user response drops. People want to help you and you are making it, kind of, harder.

Re:What is wrong with Captchas?

[sugapablo]

What's worked surprisingly well for me is simple arithmetic. Adding a random math problem such as 2 + 5 = [ ] or 3 + 4 = [ ] has DRAMATICALLY decreased the amount of form spam two of my websites have received.

Re:What is wrong with Captchas?

[Pichu0102]

The slashdot captchas are among the easiest I have ever seen to read, however I still havn't seen any spam on slashdot.

You obviously don't browse the comments at -1.

Related Story

[Amazing Quantum Man]

Since the editors didn't see fit to put this in related links:

What Ways Can Sites Handle Spambot Attacks? [slashdot.org]

Re:And how...

[Captain Splendid]

Well, in all fairness, at we least we furriners just give you an earful, whereas typical American hubris is usually delivered via shock and awe.

Mods: go nuts! I have karma to burn, bitches.

Re:What is wrong with Captchas?

[nine-times]

These questions or pictures again need to be either automatically generated or generated by humans. If automatically generated, they would need to follow a pattern, and so the challenge would then be on the spammers to identify the pattern and train their bots to read the pattern and respond appropriately.

If, on the other hand, they're generated by humans, it would be expensive to generate each one, and so they'd be limited in number. Therefore the spammers simply go about collecting each one, identifying them, and they've broken the system.

Either way, it's like an arms race. The people blocking the spammers are just trying to stay one step ahead of the spammers.

Re:What is wrong with Captchas?

[JesseMcDonald]

instead of obfuscated images, just put in plain text questions.

That's been considered before. The problem with that approach is that, unlike image-based CAPTCHAs, there are a limited number of templates available for natural-language questions. The spammer just has to compile a list of the various patterns of questions and answers, a much easier task than designing an OCR program capable of extracting random, disconnected letters and numbers from a randomly distorted image. The problem is essentially one of hash functions -- plain-text questions can be solved as easily as they can be generated, whereas image-based CAPTCHAs are easy to generate but difficult (for computers) to decipher. Your last example ("What is the name of my blog?") is probably the best, since it's somewhat resistant to ordinary dictionary attacks, but there could be several reasonable answers (depending on the blog) and the correct answer(s) would have to be separately entered into each site. For many sites the answer may also be trivially derived from the title of the page, or some other element no less predictable than the form elements employed to enter the comment.

Re:What is wrong with Captchas?

[91degrees]

The main reason it works is probably because so few other sites use the same method.

Security through obscurity dogma be damned! When a breach isn't fatal, there are cases where obscurity works well enough.

Re:And how...

[lord aDam]

Im sure disability-discrimination laws exist in the European Union too

Yes, there are accessibility laws [w3.org] in countries all over the world.

Vbulletin forums?

[Shoeler]

I run two largish Vbulletin forums - and we get at least 1-2 spammers a day. I haven't found a way to prevent them yet, but I have found a way to stop em from getting any traffic or money for the unsuspecting idiot that clicks on them.

I use an anti-spam e-mail technique: blacklist.

Vbulletin has a censoring system where words you choose can be replaced with your choice of characters - by default it's an *. www.clickmeforspam.com, where I would use the "clickmeforspam.com" as the censored word, shows up as www.****************** .

It's quite hilarious to see the humans behind the spam, who have registered, gotten through a human image trap, clicked on a link e-mailed to them, logged in and posted their spam re-post it like 2-3 times only to realize they got owned by my filter. They get all pissed off, and by that time a user has reported the post or we've seen it and banned them. It's very fun to make fun of them in their spam posts filled with ***s. :)

Re:Javascript

[Anonymous Coward]

I used to get alot of spam postings on my site, so I made a few changes to how the form works and reduced the spam to almost nothing. Mainly I changed the form so that javascript submits it. The full details of how to do this with wordpress are here- http://www.hackslash.net/?p=69 [hackslash.net]

Blind users? Use proper CSS

[Shadowlore]

Use CSS' media types.

Aural, braille, and embossed are all media types that would hide the fields for blind users if done correctly (i.e. used and the reader supports it, which you'd think they would want to). This technique is not the only reason why blind user's tools need to work differently based on mediate type in CSS.

Re:My Method

[anshil]

I wrote my guestbook for a project page - php code myself... simply because I wanted to learn how to code PHP+MySQL.

Its now some years ago, in the beginning no problem... then got hit my massive spamming.
Cleaned it up.

I never wanted to do captchas or question, since it should be most easy and convenient for the human user to post, anonymously without much worries, the "entry barrier" has to be low.

First I blocked some IPs did not help much.

A great benefit was I gave the user a cookie when viewing the main side, and looked if the cookie is still there when viewing the guestbook, that got rid of the spam bots... but in the last time some seem to have learned that as well.

Now I block on server side just as you everything that containts "a href=" "[url]" or "[link]" and that stuff, just as you, this really blocks A LOT, since they all are out to post links to raise their side in google.

Now the few that get through 1-2 a week, I block special content strings, usually their URL like mycoolrippoffs.com or that stuff.

Re:Javascript

[masterzora]

The reason CSS doesn't cause the same issues is because the CSS method isn't dependent on the CSS working. If the CSS doesn't work, then, oh well, good thing we have this text telling the user not to use those forms. If the Javascript doesn't work, crap, the user can't even see the necessary forms. See the difference?

Re:Javascript

[Aladrin]

Please, read before you respond.

"I hadn't read the article yet," is NOT the same as "I haven't read the article yet,"

I've read it. You can stop posting the same 'rtfa' over and over. Jeez.