How to Prevent Form Spam Without Captchas
UnderAttack writes "Spam submitted to web contact forms and forums continues to be a huge problem. The standard way out is the use of captchas. However, captchas can be hard to read even for humans. And if implemented wrong, they will be read by the bots. The SANS Internet Storm Center covers a nice set of alternatives to captchas. For example, the use of style sheets to hide certain form fields from humans, but make them 'attractive' to bots. The idea of these methods is to increase the work a spammer has to do to spam the form without inconveniencing regular users."
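The CSS-hidden "honeypot" field mentioned in the summary, as an added Python example that is not from the original story or the ISC article. The field name `website_url`, the CSS class and the form layout are assumptions; the server-side rule is simply that a human never sees the field, so any value in it marks the submission as automated. Because the field is hidden with CSS rather than `type="hidden"`, it also carries `aria-hidden` and `tabindex="-1"` so screen-reader users are not asked to fill it in.

```python
# Added example: CSS-hidden honeypot field with a server-side check.
# Field name, CSS class and form layout are constructed for this example.
import html

HONEYPOT_FIELD = "website_url"  # constructed name; chosen to look like a field worth filling

# Move the wrapper off-screen instead of using display:none, since some bots
# skip fields they can tell are display:none.
FORM_CSS = "<style>.hp-wrap { position: absolute; left: -10000px; }</style>"


def render_form(action="/contact"):
    """Return the contact form HTML including the honeypot.

    aria-hidden and tabindex=-1 keep the trap out of screen readers and the tab
    order, so an assistive-technology user never sees or fills it.
    """
    return f"""{FORM_CSS}
<form method="post" action="{html.escape(action)}">
  <label>Name <input name="name"></label>
  <label>Message <textarea name="message"></textarea></label>
  <div class="hp-wrap" aria-hidden="true">
    <label>Leave this field empty
      <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>"""


def classify_submission(fields):
    """Return 'spam' if the honeypot carries any non-blank value, else 'ok'.

    `fields` is the parsed POST body as a dict of str -> str. A missing field is
    treated as empty so a client that simply omits it is not penalised.
    """
    if fields.get(HONEYPOT_FIELD, "").strip():
        return "spam"
    return "ok"


# Constructed sample submissions for a local run
HUMAN_POST = {"name": "Alice", "message": "Hello", HONEYPOT_FIELD: ""}
BOT_POST = {"name": "buy", "message": "cheap", HONEYPOT_FIELD: "http://example.invalid"}

if __name__ == "__main__":
    print(render_form())
    print("human:", classify_submission(HUMAN_POST))
    print("bot:  ", classify_submission(BOT_POST))
```

The check belongs on the server, never in client-side script, and it is worth logging honeypot hits separately from other rejections so you can see when a bot has adapted to the field name and the hit rate drops.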
And how... (Score:5, Interesting)
Now, let's enter US law: Americans with Disabilities Act. Target [arstechnica.com] is currently being sued for NOT complying with this federal law. I can understand why businesses would be required for this, but where will the net-boundaries stop?
For example, I have a US corp. I hire an offshore datacenter to handle web processing. Does my website have the compulsory ADA laws upon it, or do they not apply due to international boundaries? Yipe.
Javascript (Score:5, Interesting)
It's easy, you just have the javascript create all or part of the form. Or modify the form in some way. It would happen before the user even sees the form, and the spambot would have to implement a javascript parser to get it. (Or a parser, that's unique to your site.)
I would think AJAX would be a huge hamper to them as well.
Re:What is wrong with Captchas? (Score:4, Interesting)
instead of obfuscated images, just put in plain text questions.
What is 2+2?
What is the 3rd word in this sentence?
What is the name of my blog?
All of these can be answered by someone using a screen reader, and take less time than figuring out a captcha. Sure it does not stop manual spamming, but what does?
Another trick (Score:1, Interesting)
To make it less obvious that the value is a timestamp, it's XORed with a random number (which is included in the form value) and eight random, meaningless bytes are thrown in for good measure. The end result is 32 seemingly-random hex digits--it looks just like a session ID.
This technique certainly isn't going to fool a determined attacker, but no spammer is going to waste their time trying to figure it out.
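The masked timestamp token from the comment above, as an added Python example that is not the commenter's code. The layout (4-byte random mask, 4-byte masked timestamp, 8 random bytes, 16 bytes in all) reproduces the "32 seemingly-random hex digits" the comment describes; how the timestamp is then used is not shown in the comment, so the age window in `submission_age_ok` (reject a form posted back in under 5 seconds or after an hour) is an assumption added here.

```python
# Added example: a form token that hides a Unix timestamp behind a random XOR mask.
# Token layout: mask(4) | timestamp ^ mask (4) | random filler(8)  ->  16 bytes = 32 hex digits.
# The 5 s / 1 h age window is an assumption made for this example.
import os
import time


def make_token(now=None, rng=os.urandom):
    """Build the token to embed in the form. `now` defaults to the current time."""
    ts = int(time.time() if now is None else now)
    mask = int.from_bytes(rng(4), "big")
    masked = (ts ^ mask) & 0xFFFFFFFF
    noise = rng(8)  # meaningless filler so the value does not look like a fixed structure
    return (mask.to_bytes(4, "big") + masked.to_bytes(4, "big") + noise).hex()


def parse_token(token):
    """Recover the timestamp; raises ValueError on anything that is not a 16-byte token."""
    raw = bytes.fromhex(token)  # ValueError on non-hex input
    if len(raw) != 16:
        raise ValueError("bad token length")
    mask = int.from_bytes(raw[:4], "big")
    masked = int.from_bytes(raw[4:8], "big")
    return masked ^ mask


def submission_age_ok(token, now=None, min_seconds=5, max_seconds=3600):
    """True if the form was rendered between min_seconds and max_seconds ago.

    Too fast means the form was never shown to a person; too old means a
    token is being replayed long after it was issued.
    """
    try:
        issued = parse_token(token)
    except ValueError:
        return False
    age = int(time.time() if now is None else now) - issued
    return min_seconds <= age <= max_seconds


if __name__ == "__main__":
    tok = make_token()
    print("token:", tok)
    print("immediate post accepted?", submission_age_ok(tok))
```

The XOR mask is obfuscation, not authentication: anyone who knows the layout can mint a token for any timestamp, which is exactly the "determined attacker" caveat the comment makes. Appending an HMAC over the first 8 bytes under a server-side key would turn it into something a bot cannot forge without still changing how it looks on the wire.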
Re:What is wrong with Captchas? (Score:2, Interesting)
If the CAPTCHAs were being defeated by humans, there should have been no change. It had to have been spammers mass-OCR'ing images.
use dnsbls (Score:4, Interesting)
dnsbl_check rails plugin [spacebabies.nl]
Basically what the plugin does is check clients against one or more DNSBLs. You might know them from mail servers. You see, it turns out that the forms are almost always abused by bots. These bots are quite well known. sbl-xbl from spamhaus catches 80% in my setup, spamcop catches the rest. You enable the plugin for key controllers and it really does work.
(/end shameless self promotion) mod me down if you wish
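The DNSBL lookup the plugin above performs, as an added Python example that is not the plugin's code. A DNSBL is queried by reversing the client's IPv4 octets and appending the list zone; a listing comes back as an A record in 127.0.0.0/24. The zone names are the two lists the comment mentions (sbl-xbl.spamhaus.org has since been folded into zen.spamhaus.org); the fake resolver and its entries are constructed so the example runs offline, and `socket.gethostbyname` is used for the real lookup.

```python
# Added example: check a client IP against DNS blocklists (IPv4 only).
# Zone names are real lists named in the comment; the fake resolver data is constructed.
import ipaddress
import socket

DNSBL_ZONES = ["sbl-xbl.spamhaus.org", "bl.spamcop.net"]
LISTED = ipaddress.ip_network("127.0.0.0/24")  # lists answer in this range when the IP is listed


def dnsbl_query_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def _live_resolve(name):
    """Real DNS lookup; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip, zones=DNSBL_ZONES, resolve=_live_resolve):
    """Return [(zone, answer), ...] for every zone that lists the IP.

    Answers outside 127.0.0.0/24 are ignored: some lists use other 127.x
    addresses to signal query errors (e.g. an over-quota resolver), and those
    must not be mistaken for a listing.
    """
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and ipaddress.ip_address(answer) in LISTED:
            hits.append((zone, answer))
    return hits


# Constructed offline resolver: 192.0.2.7 is "listed" on one zone,
# 192.0.2.9 produces an error-style answer, everything else is NXDOMAIN.
FAKE_DNS = {
    "7.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.2",
    "9.2.0.192.sbl-xbl.spamhaus.org": "127.255.255.254",
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.7", "192.0.2.8", "192.0.2.9"):
        print(ip, check_dnsbl(ip, resolve=fake_resolve))
```

When the application sits behind a reverse proxy, make sure the address you query is the real client address and not the proxy's, and keep the lookup on the request path short (or cache results) so a slow list server cannot stall form handling.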