75 Comments
- Chewie67, on 10/12/2007, -7/+28
I'll give you credit for thinking outside the box, but there's one fatal flaw in this theory: AutoFill.
I use an AutoFill extension in Firefox. Google Toolbar has one as well. Roboform has been popular for years.
When I come across a form that needs my info, I click the autofill button and it does the tedious form filling for me. I haven't tested this, but my overwhelming guess is that it would fill in the hidden email field as well -- making it look like I was a bot.
Close, but no cigar...
- wrenchone, on 10/12/2007, -1/+12
I thought this test involved a black box and a poisoned needle held to your neck?
- veracon, on 10/12/2007, -3/+13
But... Then what about if one has CSS off? Or a CSS-incapable browser (such as on a cellphone)?
- idonthack, on 10/12/2007, -3/+12
Site's already slow. Duggmirror has it.
http://duggmirror.com/programming/Negative_Captcha
- yacoubean, on 10/12/2007, -0/+8
I have an open source ColdFusion project that does this called CFFormProtect, but it's more complicated than an empty field. I check for mouse movement, keyboard usage, empty field that's supposed to be empty, and how long they took to fill out the form. I also threw Akismet in for good measure (http://www.akismet.com/). All of these tests have a score, and when one fails, the total spaminess of the form post goes up by that score. Then there is a failure threshold that is checked to see if I think it's spam. If only one or two tests fail, the comment is allowed in most cases. http://cfformprotect.riaforge.org/
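Added example, not part of the thread and not CFFormProtect's code: a sketch of the weighted-score approach yacoubean describes, where each failed test adds its score and the post is rejected only at a threshold, so an auto-filled decoy field alone does not block a human. The weights, threshold, form field names and the HMAC-signed render timestamp are assumptions, and the Akismet check is left out.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"    # assumption: per-site server secret
WEIGHTS = {"mouse": 1, "keyboard": 1, "honeypot": 3, "timing": 2}  # assumed scores
THRESHOLD = 4                       # assumed: total >= 4 is treated as spam
MIN_SECONDS, MAX_SECONDS = 5, 3600  # assumed plausible human fill time


def _sign(ts):
    return hmac.new(SECRET, ts.encode("utf-8", "replace"), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Signed render time, embedded in the form as a hidden field."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def elapsed_seconds(token, now):
    """Seconds since the form was rendered, or None if the token is forged."""
    ts, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode("utf-8", "replace"), _sign(ts).encode()):
        return None
    return int(now) - int(ts)   # ts is server-issued once the signature checks out


def score_post(form, now=None):
    """Return (total, failed_tests, is_spam) for a submitted form dict."""
    now = time.time() if now is None else now
    failed = []
    if form.get("mouse_moved") != "1":       # flag set by client script (assumed)
        failed.append("mouse")
    if form.get("keys_pressed") != "1":      # flag set by client script (assumed)
        failed.append("keyboard")
    if form.get("email", "").strip():        # decoy field must stay empty
        failed.append("honeypot")
    took = elapsed_seconds(form.get("token", ""), now)
    if took is None or not MIN_SECONDS <= took <= MAX_SECONDS:
        failed.append("timing")
    total = sum(WEIGHTS[name] for name in failed)
    return total, failed, total >= THRESHOLD
```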
- TenebrousX, on 10/12/2007, -2/+9
Actual story:
http://damienkatz.net/2007/01/negative_captch.html
- MCHampster, on 10/12/2007, -0/+7
Only what is described in the article is absolutely nothing like you've described.
- merreborn, on 10/12/2007, -1/+7
It's worth noting that this won't work on all bots, especially one crafted to work on your site specifically, *and* that this is trivially defeatable if it becomes common practice.
The only thing that makes this work now, is the fact that most people aren't using it yet.
- Riv3r, on 10/12/2007, -1/+7
Gom jabbar.
I must not fear.
Fear is the mind-killer.
- spinchange, on 10/12/2007, -1/+6
Captcha's primary function is not to confirm the identity of someone registering for a website - they're intended to prevent scripts from spamming a site, typically in comments or submissions. Your identity -or- account has already been established/verified at that point.
Think: Digg Story Submission Process...Or a Blog Comment Board.
- phjr, on 10/12/2007, -13/+18
Nothing new, sorry.
- Vektuz, on 10/12/2007, -1/+6
Haha, spam bots.
To be fair the real problem that captcha is trying to solve is to prevent automated account signing up.
Each bot has custom tailored code for each site it tries to generate millions of accounts for.
Therefore this system would not prevent that - the guy customizing the bot to fill out the forms would simply not tell it to fill in that field.
- petercooper, on 10/12/2007, -3/+7
I think we need to seriously look at why we're beginning to discriminate against robots. At this point in time they might only be crude, rudimentary automatons, but people thought that way about slaves once, and we eventually matured away from that. CAPTCHAs do nothing but discriminate against digital lifeforms, so how can they be a good thing?
- inactive, on 10/12/2007, -1/+4
@veracon
Simply hide the captcha image with CSS and accept either. (If CSS is off the captcha will fail to be hidden so the user will type it).
@merreborn
It's not trivially defeatable for the spammers to start parsing complex CSS, javascript and random field names.
- aaroncampbell, on 10/12/2007, -0/+3
Consider hiding fields that you don't want. You can even have a user E-Mail field with the name "user_email" and a hidden one called "email". Then get your data from "user_email" and if "email" is filled in too, it's a bot.
- damber, on 10/12/2007, -0/+3
autocomplete="off" in your input tag will help with most auto-completers
- rfinn, on 10/12/2007, -0/+3
@prelude
It's very trivial to get around. Spambots are coded now to try and solve captchas by looking at the image. That takes experimentation. Parsing CSS by comparison is a piece of cake (and if you're having trouble you can download the source code for any number of open source browsers).
It's a neat idea, but useless as soon as enough people use it to appear on the radar of spambot developers.
- jkramlich, on 10/12/2007, -0/+2
A decent idea, but admittedly doesn't help visually impaired users. HumanAuth is a better system and the code is open source. http://www.gigoit.org/humanauth/
- GrahamStw, on 10/12/2007, -2/+4
Good idea though and worthy of coverage if it helps to slow down the proliferation of spambots.
- Haplo, on 10/12/2007, -0/+2
Reporting spam bots works even better. Filtering does get us where we are now with email.
Some hosting providers /do/ take down sites that are spamvertized in comment spam.
Some ISPs disconnect zombies and only reconnect the computer after it has been cleaned up by its owner. Effectively one email can take down one bot and several sites.
A captcha doesn't stop spammers. For each post that doesn't get through on your site, 20,000 do get through. You get skewed statistics (if you care about such things), get more traffic, and nothing in return, until they can programmatically solve the captcha. Which will happen eventually, just look at how hard email spam is getting to filter out.
As long as people do allow spam to propagate to their web pages comment spam will happen, and grow at a solid rate. Since they use hijacked computers it doesn't matter if it takes some computer power to solve one.
More: http://johnbokma.com/mexit/2006/01/16/zombie-comment-spam-referer-spam.html
- Haplo, on 10/12/2007, -0/+2
Yup, remember all those smart ideas 10 years ago to filter email spam. If you're lucky you're getting as much daily spam as I did get 10+ years ago: about 6. If you're not lucky, or you can't use too strict filtering, you'll get 10-100x as much.
Comment spam is going the same way. Only way to hurt them is by kicking them in the balls. Not by using Akismet and CAPTCHAs.
- b05q, on 10/12/2007, -0/+1
so it's OK to force them to do nothing but work for you and then kill them when you're done, but trying to prevent them from filling out HTML forms is "discrimination?"
- icexe, on 10/12/2007, -0/+1
if the bots are only looking at your raw HTML and not your styled output, it's unlikely it could detect that the field is in fact hidden, unless maybe you do something obvious like
- icexe, on 10/12/2007, -0/+1
oops!! i guess digg doesn't like HTML in responses...
i meant to say, as long as you don't do something obvious like use class="hidden" in your input field
- Chewie67, on 10/12/2007, -0/+1
autocomplete="off" may work for the built in form fillers in IE or Firefox, but it doesn't work for things like the Google Toolbar or Roboform.
- polvero, on 10/12/2007, -0/+1
I've already been doing this on my site for the last two years. It's worked wonders for me. Those who think this is a ridiculous idea just can't get past their "got religion" of web standards. This has nothing to do with web accessibility. All you have to do is say "don't fill out this field." - and hide it with css... and when css is turned off... they see "don't fill out this field." Easy enough.
- inactive, on 10/12/2007, -2/+3
what about Opera users? or FF/IE users using the google toolbar to fill in passwords?
(by this i mean when i hit the Magic Wand button, it fills in all fields that i have given it info to do, so won't it fill in this email field?)
- inactive, on 10/12/2007, -0/+1
Wow I wrote about this exact same method last week. It has been 100% successful on my site for the past 2 months.
http://www.rustylime.com/show_article.php?id=338
- Chewie67, on 10/12/2007, -0/+1
Any form that REQUIRES JavaScript is a bad thing. You are immediately blocking about 5 - 10% of the world surfing population.
- szembek, on 10/12/2007, -0/+1
They prove the same thing.
- geezusfreeek, on 10/12/2007, -0/+1
This would be easy to counter by modifying the bot script to ignore hidden fields. What a load of bull crap.
- Chewie67, on 10/12/2007, -0/+1
"Easy enough that any moron can get the answer right in short order..."
Unless, of course, they're a blind moron using a screen reader.
Maybe accessibility isn't something you're interested in...
- merreborn, on 10/12/2007, -0/+1
"Bots need to know the names of the HTML fields to fill them in as they complete them remotely"
And they can find those by a simple HTTP GET of the HTML of the page. Randomizing only slows the bot down (and increases your bandwidth usage). If everyone starts using your technique, it will do nothing to stop spammers, as they will adapt.
- echo2501, on 10/12/2007, -0/+1
I dig how you did that. I'll have to mix your technique with mine and see what happens.
- Dujenwook, on 10/12/2007, -2/+3
The spammers would just build a bot that searches the .CSS for a hidden field and leaves it blank.
- Sorcy, on 10/12/2007, -0/+1
Then why is googlebot reading the CSS-File off my website?
- thailand1972, on 10/12/2007, -1/+1
A better method: randomize the field name of the email field. Bots need to know the names of the HTML fields to fill them in as they complete them remotely. Have some code generate a random field name that gets checked when the form is posted. I've found this works with 100% success.
- thailand1972, on 10/12/2007, -0/+0
merreborn, this method actually works on my sites - zero spam, and an increased number of actual humans using the forms because they're easier to complete without CAPTCHA. If a bot decides to screen scrape my page and get the field names that way, I'll know.....because I'll start receiving spam. Until that time, I'll continue to use a method that works.
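Added example, not part of the thread or any commenter's code: the randomized field name thailand1972 describes, combined with the decoy "email" field aaroncampbell suggests earlier, so a bot that posts the obvious field name or replays names scraped in another session is flagged. Deriving the name from a session ID with HMAC-SHA256, the `f_` prefix, the `extra` CSS class and the verdict strings are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to clients


def field_name(session_id, logical_name):
    """Per-session name for a real field, unpredictable without SECRET."""
    msg = f"{session_id}:{logical_name}".encode()
    return "f_" + hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def render_form(session_id):
    """Real address under a derived name; decoy under the obvious name 'email'."""
    real = field_name(session_id, "user_email")
    return (
        '<form method="post">\n'
        f'  <label>E-mail <input type="text" name="{real}"></label>\n'
        # "extra" is hidden by the stylesheet (assumed); with CSS off the
        # visitor still sees the instruction not to fill the field in.
        '  <p class="extra">Don\'t fill out this field:\n'
        '    <input type="text" name="email" autocomplete="off"></p>\n'
        '  <input type="submit">\n'
        '</form>'
    )


def check_post(session_id, posted):
    """Return (verdict, address); verdict is 'ok', 'decoy-filled' or 'stale-names'."""
    if posted.get("email", "").strip():
        return "decoy-filled", None          # something filled the decoy field
    real = field_name(session_id, "user_email")
    if real not in posted:
        return "stale-names", None           # names came from another session
    return "ok", posted[real]
```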
- obsidianreq, on 10/12/2007, -0/+0
Thanks for the advice! My website's spam seems to have ceased since using this trick!
http://www.obsidianprofile.com
- mabhatter, on 10/12/2007, -2/+2
and why would you turn it on its back?
That's unsettling...
- ZeagleK, on 10/12/2007, -0/+0
Good idea. Simple enough, and since most CMS track sessions and users, it's not like there isn't already an SQL table (or equivalent) that contains session information linked to a cookie/ip. Add another table tied to it, or more columns.
Another implementation would be to just concat the IP/session ID, a static string, and the field name, md5 hex it, and have your scripts create and look for data accordingly.
- echo2501, on 10/12/2007, -3/+3
Bots can't trigger mouse events, right? (onmouseover, onmouseout ...)
I use some Javascript and mouse events to hide email addresses. You can do something similar here. Like, disable a form field, but on mouseover, change the disable attribute, so it'll work for a person at a computer, but a bot can't focus to it.
Yeah, it requires Javascript, but you can do some other goofy thing with a css :hover or something.
Here's a page I was experimenting with it: http://akiyama.angaron.org/contact.php
- BionicBeefpile, on 10/12/2007, -1/+1
I've had a system like this installed for a couple of months now, and it really did eliminate probably 80 - 90% of spam registrations on my board. The only problem is that often now new users don't have all of their info in their profiles, since they never bother to go back and fill it in once they are actually registered.
- googli, on 06/13/2008, -0/+0
I think the following link on that site was more interesting:
http://youtubuy.org/
http://tabletta.com/
http://tabletta.org/
- banderbe, on 10/12/2007, -4/+4
DOGS DON'T KNOW IT'S NOT BACON!
- merreborn, on 10/12/2007, -2/+2
"I think we need to seriously look at why we're beginning to discriminate against robots"
All they do is post "Buy cialis buy cialis buy cialis". It's discrimination based on merit. Kinda like when we digg you down for posting silly, unrealistic, speculative comments.
If a robot is intelligent enough to have something to add to the conversation, then it'll be intelligent enough to defeat captcha anyway.
- mahdaeng, on 10/12/2007, -0/+0
rather than operate on the premise, "prove you are human", wouldn't a negative captcha operate under "prove you are a robot"?
- sancho, on 10/12/2007, -0/+0
A bot should be able to call any Javascript function on your page for any element, and it can generate events just fine, too.
Most of them won't, but if someone is intent on spamming your site, they will figure out how you're stopping them and work around it. Then it becomes a standard race to re-block them, and for them to get around it.
The advantage of captchas is that the 'race' is somewhat automated on your end. That is, unless they get an OCR that can successfully parse the image, a completely random captcha will do a good job of foiling them.
- Jero, on 10/12/2007, -1/+1
This truly is utterly ridiculous. Relying on CSS is just as stupid as relying on JavaScript. The only thing you'll achieve with this is making your website completely inaccessible.
- CPUGUy, on 10/12/2007, -0/+0
Only problem I have with captcha is those times when you can't exactly make out what the heck the letters are.