Jul - Computers and Technology - Best method to fight spam bots?
Deleted User
Posted on 01-08-08 08:44:41 PM (last edited by Jelly Beanie at 01-08-08 05:45 PM)
So I'm working on a message board (still not even halfway there) and I came across the question, how would I fight the spam bots? (in terms of making sure they don't register) I've got a few methods thought up already:

- Email verification (probably the best, but it won't be useful in servers with emailing disabled so it can't be the main method)
- Captcha (Hmmm, I'm not exactly very good at working with images, so it'll probably end up half-baked)
- Question-Answer system (Ask a random question to the user and validate the answer)

Any other methods I haven't thought of? And what could be the best way...

Probably irrelevant but I'm working in PHP.

____________________


===================
[Posted by Jelly Beanie]
Posted on 01-08-08 09:46:08 PM
There's Xkeeper's method, add a hidden field on the Register page then make it IP ban when filled ("Homepage" here, with even a warning) ... it's been proven to work great, since those bots are really dumb enough to fill it

____________________



Darkdata
Posted on 01-08-08 09:54:26 PM
A combination works best.
Xkeeper's hidden field: Some bots might stop posting in hidden fields.

Captchas can be broken quite easily, you can use one, but don't depend on it.

The use of cookies and javascript on register.php -- as much as I hate to say it, doing this the right way would kill most bots in their tracks, however it might annoy your userbase, and makes it harder to provide an accessibility feature to those who may have problems using a computer.

____________________
Joe
Posted on 01-08-08 10:10:58 PM (last edited by Joe at 01-08-08 07:11 PM)
Originally posted by Darkdata
Xkeeper's hidden field: Some bots might stop posting in hidden fields.
I don't think that will be too much of a problem, since it uses CSS to hide the box instead of type=hidden.
<div style='visibility: hidden;'><b>Homepage:</b><small> DO NOT FILL IN THIS FIELD. DOING SO WILL RESULT IN INSTANT IP-BAN.</small> - <INPUT TYPE=TEXT NAME=homepage SIZE=25 MAXLENGTH=255></div>
Edit: Stupid HTML...

____________________
Darkdata
Posted on 01-08-08 10:18:00 PM
Originally posted by Joe
Originally posted by Darkdata
Xkeeper's hidden field: Some bots might stop posting in hidden fields.
I don't think that will be too much of a problem, since it uses CSS to hide the box instead of type=hidden.
Homepage: DO NOT FILL IN THIS FIELD. DOING SO WILL RESULT IN INSTANT IP-BAN. -

Edit: Stupid HTML...

Yes, I did mean that. I was thinking ahead, where the bot would look up the style, in the sheet, or the style tag.




____________________
Posted on 01-09-08 03:24:05 AM (last edited by Acmlm at 01-09-08 12:24 AM)
It'd still fail pretty damn bad if you use an external .css for it:

.css
div.lol{visibility:hidden}

page
<div class=lol>Homepage: (fill and WIN A **FREE** IP BAN!!)</div>


Or if they ever get smart enough to avoid that, you can try:
- display:none
- font-size:0px
- position:absolute;left:-10000px

Unless, of course, they finally realize they could just look at the damn page themselves and see the Register page only asks for a username and password, nothing more.

____________________
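Added example (not code from any poster in this thread or from the board's own source): the hidden-field check discussed above in PHP, with the field hidden by an external stylesheet class. The class name `hp`, the 24-hour ban length, the function names and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example: honeypot check for a registration form (hypothetical names throughout).

const HONEYPOT_FIELD = 'homepage';   // field name used in the thread
const BAN_SECONDS    = 86400;        // assumption: temporary 24 h ban, not permanent

// Form fragment. The hiding rule lives in an external stylesheet
// (e.g. ".hp { position:absolute; left:-10000px }"), not inline or type=hidden.
function honeypot_html(): string {
    return '<div class="hp" aria-hidden="true">'
         . '<label>Homepage (leave this empty): '
         . '<input type="text" name="' . HONEYPOT_FIELD . '" tabindex="-1" autocomplete="off">'
         . '</label></div>';
}

// Returns 'ok', 'banned' (IP already banned) or 'trap' (honeypot tripped, IP now banned).
// $bans maps IP => expiry timestamp; a real board would keep this in its database.
function check_registration(array $post, string $ip, array &$bans, int $now): string {
    if (isset($bans[$ip]) && $bans[$ip] > $now) {
        return 'banned';
    }
    // A browser always submits a CSS-hidden text input, so a missing key is as
    // suspicious as a filled one: the request did not come from our form.
    $value = $post[HONEYPOT_FIELD] ?? null;
    if (!is_string($value) || trim($value) !== '') {
        $bans[$ip] = $now + BAN_SECONDS;
        return 'trap';
    }
    return 'ok';
}

// Constructed sample submissions (not real traffic).
$bans = [];
$now  = 1199836800;
$samples = [
    ['203.0.113.5', ['username' => 'alice', 'password' => 'x', 'homepage' => '']],
    ['203.0.113.9', ['username' => 'bot1',  'password' => 'x', 'homepage' => 'http://spam.example/']],
    ['203.0.113.9', ['username' => 'bot1b', 'password' => 'x', 'homepage' => '']],
    ['203.0.113.7', ['username' => 'bot2',  'password' => 'x']],
];
foreach ($samples as [$ip, $post]) {
    echo $ip, ' ', $post['username'], ' => ', check_registration($post, $ip, $bans, $now), "\n";
}
```

The `tabindex`, `autocomplete` and `aria-hidden` attributes keep keyboard users, browser autofill and screen readers away from the trap field. Because a human can still trip it by accident, the ban here expires instead of being permanent.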



GuyPerfect
Posted on 01-09-08 04:03:22 AM
I saw one today that was pretty clever. There were two questions.


1. Are you human? Yes No
2. Answer this random textual question: 5 - 3 = ?
Xkeeper
Posted on 01-09-08 05:08:38 AM
The idea behind all of my anti-moron/spambot/whatever: Provide the least intrusion into normal use.

The register method hides the field, so normal users will not even know it's there, or just require skipping if it's found.

The hacker method checked several things to determine if it was an automated spam message. If it was, it was just removed and the user was banned temporarily; normal users encountered no "Fill this in" or other stupid things, and there were only one or two false positives.

I prefer to take the burden of proof upon myself rather than force it upon the users.

____________________
chungy
Posted on 01-09-08 05:14:21 AM
There's nothing that can't be broken by bots... at least if you still expect normal people to use the service. (If you have a seemingly random image made by some formula and expect to have a solution to be entered... you'll probably both avoid normal users and bots).

I like the idea of CAPTCHAs, even if they're not perfect. The general idea is that the image is too difficult to read by a bot, but not too difficult to read by a human. It is a very hard line to walk on, especially if your current CAPTCHA has been broken by someone and implemented into bots (remember that the software doesn't operate on magic, somebody has to actually code them).
Xkeeper
Posted on 01-09-08 05:18:22 AM
Also, there is always the option of porn sites taking captchas from a site and using them on their own, using the answers to gain access to the original site.

The problem with captchas is that, on several occasions, they're so "hard to read" that it's impossible for even a human.

And while you can't make an unbreakable site, bots and normal users have distinct patterns they follow. A determined programmer could defeat bots with some ease.

Although this takes into account bots with a purpose (spamming, advertising, whatever)... otherwise, it would be pointless to have a bot in the first place.

____________________
chungy
Posted on 01-09-08 05:28:15 AM
Didn't I already say most of that?

You also seem to forget that bots != magic. If someone were determined enough, it wouldn't be hard to have them operate specially for this site. Don't fill in the hidden homepage field, etc.
Rena
Posted on 01-09-08 08:38:02 AM
Making your own CAPTCHA is known to work better than using a popular existing one that's likely already broken, especially if you do something different than just the standard "enter the word" system. For example, count the letters or name the colour.
Originally posted by Xkeeper
Also, there is always the option of porn sites taking captchas from a site and using them on their own, using the answers to gain access to the original site.
A simple solution to that is to add a message to the image explaining that if you aren't at [whatever site], you're being fooled and should leave before you get a virus. You can then use CSS to crop or cover the image so that message isn't visible on your own page.

I saw one too that used HTML tables instead of images. Several tiny cells, with background colours near white or black, arranged to form an image. Of course, it wouldn't be difficult to write a bot that can beat this, but the important part is someone would have to actually do so. Existing bots wouldn't be able to beat it, and with all the Interweb out there to spam, the spammers aren't likely to bother adding checks for some crazy new type of CAPTCHA on a couple sites.

I haven't seen any spambots get through mine yet, but it doesn't keep any record of failed attempts, so maybe they're just not trying.

____________________
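Added example (not code from the thread): a question-answer challenge of the kind mentioned above ("5 - 3 = ?", "count the letters") in PHP, with the expected answer kept server-side and usable once. The function names, the word list and the `challenge_answer` session key are assumptions made for illustration.

```php
<?php
// Added example: server-side question challenge (hypothetical helper names).

// Picks a challenge and stores only the expected answer in $session,
// so the form never carries the answer. Returns the question text.
function issue_challenge(array &$session): string {
    if (random_int(0, 1) === 0) {
        $a = random_int(2, 9);
        $b = random_int(1, $a - 1);
        $question = "What is $a minus $b?";
        $answer   = (string)($a - $b);
    } else {
        $words    = ['board', 'thread', 'reply', 'layout'];   // constructed word list
        $word     = $words[random_int(0, count($words) - 1)];
        $question = "How many letters are in the word \"$word\"?";
        $answer   = (string)strlen($word);
    }
    $session['challenge_answer'] = $answer;
    return $question;
}

// Single use: the stored answer is cleared on every attempt, right or wrong,
// so a client cannot keep guessing against the same question.
function verify_challenge(array &$session, $submitted): bool {
    $expected = $session['challenge_answer'] ?? null;
    unset($session['challenge_answer']);
    if ($expected === null || !is_string($submitted)) {
        return false;   // no open challenge, or an array/odd type was posted
    }
    return hash_equals($expected, trim($submitted));
}

// Constructed walk-through; on a real page $session would be $_SESSION.
$session = [];
echo issue_challenge($session), "\n";
$right = $session['challenge_answer'];               // peeked at only for the demo
var_dump(verify_challenge($session, " $right "));    // correct answer with padding
var_dump(verify_challenge($session, $right));        // replay of a used challenge
issue_challenge($session);
var_dump(verify_challenge($session, ['x']));         // non-string input
```

With answers this small a blind guess succeeds fairly often, so this check belongs alongside the hidden field rather than in place of it.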
Aerakin
Posted on 01-09-08 02:06:48 PM (last edited by Etna at 01-09-08 11:11 AM)
Originally posted by chungy
I like the idea of CAPTCHAs, even if they're not perfect. The general idea is that the image is too difficult to read by a bot, but not too difficult to read by a human. It is a very hard line to walk on, especially if your current CAPTCHA has been broken by someone and implemented into bots (remember that the software doesn't operate on magic, somebody has to actually code them).


I do not like them, as some like this one are becoming frequent (and there were some harder to read, too).



If someone were determined enough, it wouldn't be hard to have them operate specially for this site. Don't fill in the hidden homepage field, etc.


Well, that's obvious. However (now, keep in mind I don't know how those people think), if I were to put lots of effort into a bot, I'd want it to be worth it (big site with lots of hits). And there's obviously some harder to break/unbreakable thing for a bot. As mentioned, bots are not magic or human.

____________________

Deleted User
Posted on 01-09-08 03:58:38 PM
Hmm, well, I guess I can code a simple captcha. And I like that thing of hiding a homepage field that would IP Ban the person filling it. Maybe I should try both.

____________________


===================
[Posted by Jelly Beanie]
chungy
Posted on 01-09-08 09:18:26 PM
Originally posted by HyperHacker
Existing bots wouldn't be able to beat it, and with all the Interweb out there to spam, the spammers aren't likely to bother adding checks for some crazy new type of CAPTCHA on a couple sites.

I've got a surprise for you. As reasonable as it might seem to assume, it's entirely wrong.
Xkeeper
Posted on 01-09-08 10:02:38 PM
Originally posted by chungy
Didn't I already say most of that?

You also seem to forget that bots != magic. If someone were determined enough, it wouldn't be hard to have them operate specially for this site. Don't fill in the hidden homepage field, etc.

Yes, but assuming that the bot developer has a brain, this will never happen.

There is no point in spamming here. Not enough users to bother, when there are literally thousands of forums running the same code with thousands more users.

The joys of being small, I guess.

____________________
Rachel Mae
Posted on 01-10-08 07:09:16 AM

Originally posted by Etna
I do not like them, as some like this one are becoming frequent (and there were some harder to read, too).

Eww...I've seen a few like that. The last really bad one I encountered had a super-skewered letter that could have been either a 2 or a Z...or maybe neither. I couldn't tell.

____________________

Lyskar
Posted on 01-10-08 08:28:34 AM
Metal_Man88
Ideally, one would check for a 'normal' useragent, then a 'normal' filled in form (I.E. the hidden fields of death would not be filled in), and then if you're really afraid perhaps ask the user a confusing, single question that a robot would find hard to answer, accompanied by some freakish css/javascript to throw robots for a loop.

More importantly, if somebody targets you and you're small, odds are you can reverse-engineer what they're doing and then program against it. Then it becomes an arms race, and rarely do spambot makers take the time to try to win one of those if their opponent is determined.

Usually they're more interested in 'soft' targets, anyway.

____________________
Xkeeper
Posted on 01-11-08 07:13:54 AM
Originally posted by Metal_Man88
Ideally, one would check for a 'normal' useragent, then a 'normal' filled in form (I.E. the hidden fields of death would not be filled in), and then if you're really afraid perhaps ask the user a confusing, single question that a robot would find hard to answer, accompanied by some freakish css/javascript to throw robots for a loop.

More importantly, if somebody targets you and you're small, odds are you can reverse-engineer what they're doing and then program against it. Then it becomes an arms race, and rarely do spambot makers take the time to try to win one of those if their opponent is determined.

Usually they're more interested in 'soft' targets, anyway.

Yeah, pattern recognition is a spambot's worst enemy (which is exactly what I use) ...

The user-agent check doesn't always work, though:
- Some users block theirs or use other ones (I mask as Firefox, for example)
- Spambots that mask as random systems (I've seen "Commodore 64")
- Spambots masking as normal useragents

It's usually just easier to figure out other ways to win...

____________________