Preventing SPAM without using a CAPTCHA
freecodesnippet.com — I hate CAPTCHAs because they discourage lots of users (especially in an impulsive mood) if they make a single mistake on the first try. Here is how I tackle SPAM attacks on the comment form of my blog without using a CAPTCHA. You can use this technique for any kind of form on your website.
- 1238 diggs
- diggpandit, on 10/17/2007, -36/+7 gr8 way....... i will also ask my friends to digg it :)
- freecodesnippet, on 10/16/2007, -13/+5 Thanks!
- roosterjm2k2, on 10/16/2007, -2/+8 Not to say that I was copied, as I'm sure others have had the same idea, even before me, but this is old hat to me, thought of it a while ago...
http://www.omgpotato.com/2007/07/12/transparent-ef ...
- moskaudancer, on 10/17/2007, -3/+2 I see what you did there...
- MASTERPL, on 10/16/2007, -11/+15 What a great way to prevent spam. I would have never thought of this myself. Thanks for hours saved sifting through garbage.
- roosterjm2k2, on 10/16/2007, -8/+2 http://www.omgpotato.com/2007/07/12/transparent-ef ...
- spamzor, on 10/22/2007, -5/+18 If you wrote a script for that site it would do absolutely nothing to stop a spam bot, so on a blog like that where no one goes it's useful, for a site like youtube useless because people will make the effort to hard code specific scripts to get around little things like this.
- roosterjm2k2, on 10/22/2007, -1/+14 Correct, if you're one of the big sites, then there is nothing you can really do to stop it.
However, if you're part of the other 99.9999999999 percent of the internet, then it can be quite useful. There are tons of sites which get great deals of traffic and are still very much "undiscovered" ...
Will this solution stop ALL spam? Probably not, but neither do captcha systems; however, this way is much more user friendly, so it takes the win in most circumstances.
- neoform, on 10/17/2007, -3/+7 Any spammer that has any knowledge at all will be able to overcome this "spam blocking" technique *very* easily.
Captchas are far more difficult to beat.
- spyrochaete, on 10/17/2007, -3/+4 But they're obnoxious. The method described in this article is a favour to your valuable users.
- neoform, on 10/17/2007, -2/+4 Yep, and you're going to get spam too. Which makes it pretty much useless. You might as well not use any spam blocking technique at all.
- mtekk, on 10/17/2007, -0/+1 Or run an actual anti-spam suite like Spam Karma 2, Akismet, or Bad Behavior, they are all pretty effective, especially the first two.
- gropo, on 10/16/2007, -4/+3 This method has been around for a while. You'd think the smarter spamsters out there have already built workarounds.
A better plan would be the simple "name me a basic color" or "name a common housepet" pseudo-captcha field. Something a short dictionary list could verify but no spambot on earth could anticipate.
- credence, on 10/16/2007, -1/+7 Sure, but even that could be hard coded if a spammer takes the time to answer the random questions that are offered. He just saves those values, checks to see what the current question is and returns that exact answer.
- neoform, on 10/17/2007, -0/+5 There's no real point in explaining this to digg users. Almost none of them are web programmers, those that are should (if they're any good) already know all this.
- resplence, on 10/16/2007, -0/+2 The "specific script hard coded to circumvent this single method" also applies to CAPTCHA as well. If you don't think so, just search for it.
So, since ANY of the available solutions can be hacked if someone really wants to, I think the deciding factor should be usability, and in that aspect CAPTCHAs lose big points.
- rompom7, on 12/03/2007, -0/+1 The best solution is one that has not been implemented elsewhere widely, so that the worth of the spammer attacking your particular site is low compared to its advertising throughput. Once a technique is popular, there will be more attacks to get around it.
Come up with your own specific solution for your site, keep usability in mind, and you can have a very user friendly spam protection system.
Unfortunately, too many people will just put in some generic CAPTCHA script or use a widely used technique. CAPTCHAs have a time and a place, but I don't think posting a comment is one of them.
- djlosch, on 10/17/2007, -0/+2 this is called honeypotting: http://en.wikipedia.org/wiki/Honeypot_%28computing ...
every few weeks another blogger's site goes down as they post this diggbait. definitely no digg.
- brundlefly76, on 10/16/2007, -0/+1 Yeah this is just arbitrary, it's not a Turing test.
I was disappointed because I was really hoping it was indeed a truly more usable Turing test!
- EXreaction, on 10/16/2007, -1/+2 You guys are idiots. You tell the spam bot makers your secrets, and their next version will not have the same flaw. Tricks like this only work when you are the only one using it, when others know and use it, the trick will not last for long.
And I do know what I am talking about. I was the author of a quite popular modification for phpBB2, named Anti-Spam ACP (over 9,500 downloads, and brings up about 1.5M results in a google search for "Anti-Spam ACP"):
http://www.lithiumstudios.org/phpBB3/viewtopic.php ...
Silly tricks like you mentioned do not work for long, the only way to stop spam is to deny posting with spam words (with a filter), or to stop registration spam, which my mod is designed to do, do not let them fill in any of the fields, and do it legitimately, that way they do not have any way around it. There is a reason why my mod still works for the far majority after being released for 8 months, and all the mods that made little tricks like this stopped working after a few weeks.
- bruenig, on 10/17/2007, -0/+2 I bet I could throw a football over them mountains.
- rejoined, on 10/17/2007, -2/+1 This article talks about preventing spammers. But going by the first few comments on this very page, it seems the submitter employed a few ass kissers to dugg up and comment on his story.
"You can use this technique for any kind of form on your website."
Only if your site is still alive, that is.
http://duggmirror.com//programming/Preventing_SPAM ...
- ripstuntz, on 10/16/2007, -13/+7 This is absolutely genius! Thanks!
- wush, on 10/16/2007, -0/+1 ingenious?
- shinynew, on 10/16/2007, -1/+1 it's really not that smart.
- swordedge, on 10/20/2007, -2/+50 This probably works slightly better than captcha but neither method really works well. What spammers are doing with Captcha is very clever. They own porn sites. When they have their members log in, they display a yahoo captcha to the member. They use the response to create a spam email account.
The method used does involve text and anything involving text, can be seen by the spam bot. It is only a matter of time before they get wise to this trick.... assuming they haven't done so already.
- weebit, on 10/16/2007, -7/+1 Would it be better to switch to a pic? I noticed a few websites that do use pics instead. Not sure if this is a better method though.
- JayTaph, on 10/16/2007, -2/+4 You can incorporate the user's IP address into the initial seed when displaying (and validating) the Captcha. This would make that the captcha shown at my computer is different than yours while still using the same captcha random seed. So as long as they don't use the same IP address to post their spam (highly unlikely) you would be fine..
- GreenAlien, on 10/16/2007, -0/+1 While I would also like Captcha to factor in client-side info such as the IP address of the visitor I'm not totally sure how this would solve the problem. Because when the spammer displays it on their own website they will not require the IP validation, then once solved by an unsuspecting visitor they turn around and submit it to the legitimate site using the spammer's IP address which never changed during this whole process as far as the legitimate website is concerned.
The only way this workaround would work from what I can see is if the browser gave a helping hand by specifically supporting validation like Captcha and ReCaptcha using public/private crypto. Could achieve something similar client-side using Javascript but probably wouldn't take long to hack around. And even then it would need to know its publicly visible IP address which would require an external service AFAIK, otherwise if behind a LAN it just gives the local IP.
- RichGC, on 10/17/2007, -2/+9 I keep hearing this, but I'm wondering if it's just a hoax or pure speculation...
Have you seen this in reality? If so please provide a link to the site where this is happening.
- wilhel1812, on 10/16/2007, -9/+2 that's smart!
- phibit, on 10/16/2007, -0/+4 Yeah, Diggnial Of Service is a great way to protect against spam!
- neokoenig, on 10/31/2007, -1/+49 This is quite an old idea now, but if used in conjunction with a few other techniques can be good;
I set the time NOW() in a form field and check that the form when submitted is older than 3 seconds, but younger than say 8 hours; that way Spammers can't Cache the form; I also check for the server name being submitted in the Post request; if it's not what I expect, throws an error; again, stops spammers caching the form and submitting the post request from another machine; Add the above technique, and it does help.
- willemmulder, on 10/19/2007, -5/+2 Also, create an as above with a very complicated Captcha next to it, but after the page loads, let JavaScript hide it all and fill the input with the Captcha text. Spammers don't have JavaScript, so the input will not be hidden and the captcha text is not automatically entered. Because the captcha is complex, the spammer will have a hard time dealing with it, if he finds out altogether.
People using 'normal' browsers won't see the captcha and don't need to enter the captcha value, only the people that have Javascript turned off have to enter it.
- neokoenig, on 10/16/2007, -1/+5 But the ultimate problem with Captcha is still that it's inaccessible to assisted technologies; I don't think a braille reader uses javascript, so by using that technique, you're still ultimately saying "blind people can't use this form"...
- willemmulder, on 10/16/2007, -2/+2 braille readers just read the screen, right? So it should work for them as long as the browser they use supports javascript...
- neokoenig, on 10/16/2007, -2/+5 Yep, you may well be right; but a braille reader can't read a graphic
- DewKnight, on 10/16/2007, -12/+3 blind people don't need to be on the internet anyways
Just saying what everybody is thinking
- rabidbob, on 10/17/2007, -0/+1 Yes they do; they can still listen to porn.
- wesd, on 10/16/2007, -2/+0 @ DewKnight
I laughed and agreed but then I slapped my own wrist... will I still go to heaven? :D
- GreenAlien, on 10/16/2007, -0/+6 "Just saying what everybody is thinking"
No, just you and a select few. Anyone with half a brain isn't thinking this because it's utter *****.
- pseudononymist, on 10/17/2007, -1/+1 GreenAlien, come on, it did at least slip through our consciousnesses, even if only to be almost immediately rejected as cruel and immature (but funny).
- foobr, on 10/16/2007, -1/+5 ok so Javascript a CLIENT side language fills in the captcha for the user. So in order for it to do that you must supply it with the answer. As it is CLIENT side you must then send the answer CLIENT side in order for it to be available to Javascript. This defeats the entire purpose of the captcha. Rather than beating the captcha the spammer can just write a script to grab the solution from the same place as your Javascript does.
Your solution has much fail am afraid....
- jackyyll, on 10/16/2007, -0/+1 No. You have much fail in your reading and comprehension skills. The captcha that is HIDDEN by the said javascript code is a fake. If the captcha field contains ANYTHING it errors and lets the server know the person is a bot.
- uncoolcentral, on 10/19/2007, -1/+1 ha... No... YOU have much fail.
I know, b/c your MAMA told me so.
All of your fail are belong to us.
ugh.
- icexe, on 10/16/2007, -10/+4 site's dead already... *sigh*
- BassJunkie, on 10/16/2007, -0/+6 So is that the spam defense??
- crgnetworks, on 10/16/2007, -8/+9 http://www.duggmirror.com
- antdude, on 10/16/2007, -2/+6 http://duggmirror.com/programming/Preventing_SPAM_ ... for referrer blockers.
- rejoined, on 10/16/2007, -1/+1 Thanks for that whole link. My firewall blocks referrers...and it doesn't have a specific site-oriented setting for me to allow certain sites like Digg to be exempted. I can disable the feature, but I think it provides more value, than the minor hassle I have to put up with.
- DarkPrincess74, on 10/23/2007, -2/+13 So of the 5 people that saw it, what was it?
- bovilexia, on 10/16/2007, -3/+11 1. Add an input field to your form, with some interesting name
2. Hide the input box using css so that users (genuine) cannot see it directly.
3. While processing the form check if the “url” contains any value. If it does, reject the post or put it for moderation.
4. Didn’t get it? Why this works? Well, it works simply because genuine users cannot see a hidden input box on your form and therefore, they won’t fill it, while robots can.
- koweja, on 10/16/2007, -0/+6 That is, genuine users who are using a browser that uses CSS. Those without CSS or who have it disabled for whatever reason will still see it, so you have to make it clear that they should leave it alone. That way it'll just make the page look odd (with a box you shouldn't touch), but not cause accessibility problems.
- jokerthief, on 10/16/2007, -2/+2 Nevermind
- MellerTime, on 10/16/2007, -1/+2 Basically: Put a text box on the page. Hide the textbox with CSS so "real" users don't ever see it (for bonus points, put something like 'Don't ever fill this out' in hidden CSS as well, just so users browsing without CSS support still know not to fill it in). Finally, when the form is submitted, make sure that field has nothing in it - ever. If it does, it's probably a SPAM bot that's too stupid to know it's not supposed to put anything in your special spam-protection field, because it'll try to spam any text box on the page.
For best results, you'd probably want to combine this with some other type of spam protection. It's not like it's difficult to overcome, it's just relying on the fact that no one will care about spamming you the individual blog owner enough to figure it out.
- bovilexia, on 10/16/2007, -3/+4 now why didn't i think of that
- Dynamoo, on 10/29/2007, -2/+121 One way to prevent spam.. have your site fall over at the first sign of any traffic.
- Ignotus, on 10/16/2007, -1/+5 "This Account Has Been Suspended. Please contact the billing/support department as soon as possible."
Yep, that works too.
- B0SS, on 10/17/2007, -2/+8 what if someone wants to launch a direct spam attack to your website?
- koweja, on 10/16/2007, -2/+4 That's not a problem for your typical blog or whatever, who are most likely just going to be victims of drive by spam bots. For sites that are big enough to be targeted (myspace, wikipedia, etc), it won't work because it'll be worth the spammer's time to design a specific bot for the site. However, personal websites and even most commercial ones aren't going to be worth the time.
Obviously no solution is going to work for everyone every time, but this at least provides an alternative for a lot of people.
- CMiYC, on 10/16/2007, -3/+7 This will only work until the robots get smart enough to check the CSS... until then though, it is a nice solution.
- GreenAlien, on 10/16/2007, -0/+1 Let's be honest, it's really not that hard to see references to CSS files in a HTML file, download and read the CSS text file, and look up a value. If a spammer is making hundreds of thousands of dollars, I dare say they can afford a couple of hours to code this feature in to their bot.
- Dustin00, on 10/16/2007, -0/+3 So move it out of the CSS.
Create an onload event that sets a value that then trips the visibility of that field later in the page.
- SomeImagination, on 10/17/2007, -10/+11 Not much good if the user is using a CLI browser such as Lynx that doesn't support CSS :/
- ixxy, on 10/23/2007, -5/+12 And captchas are?
- xister, on 10/16/2007, -4/+1 edit- wrong thread
- jchrome, on 10/17/2007, -6/+18 Only a complete doofus would surf the web with a cli browser. Never speak of this again.
- liaml, on 10/17/2007, -1/+4 How about a disabled user with a screen reader?
Unless the form input was labelled appropriately, people using screen readers might fall foul of this method.
- DominicNeagle, on 10/18/2007, -0/+8 http://www.omgpotato.com/2007/07/12/transparent-ef ...
That method isn't bad. If the browser doesn't support CSS, and the form is displayed, the user will simply see the words "Leave this field blank". If that confuses you, you probably shouldn't be on the internet.
;)
- dcbebop, on 10/17/2007, -4/+23 Smart but only a matter of time before spam bots start to parse html/css docs more intelligently. Any decent coder could have a patch workaround for this in a week or less.
- isntreal, on 10/17/2007, -2/+6 more like 15 minutes
- xYike, on 10/16/2007, -1/+3 Of course ... but a coder isn't going to notice this is a problem for a long time because most will not use it. It is all about staying a step ahead - you don't just throw your arms up and say there is no use because there is a possible workaround.
- exomni, on 10/16/2007, -2/+2 Even if they patched this you could still get rid of 50% of spam:
You could have your website generate two boxes: the real input box, and the hidden false input box.
Every time the page loads, you could make the real input and the hidden false input box change places.
- frazw, on 10/17/2007, -1/+3 True but the basic idea is very good and there is plenty of room to experiment.
You could for example make it "visible" but place another filled div over it using the z index. That would make it harder for a bot to detect but could cause other issues such as browser incompatibility.
Or you could give the user instructions not to fill it, or place it further away from the rest so it looks to the user like it isn't part of the form but to a bot it would look like it is.
- shockingbird, on 10/30/2007, -3/+35 If it goes down again:
This article is based on a simple fact that spam-robots are so dumb they usually put their grand father (their developers) to a shame.
FTA:
Concept:
For people who don’t know this trick already, here is how you do it:
1. Add an input field to your form, with some interesting name, for example ‘URL’.
2. Hide the input box using css so that users (genuine) cannot see it directly.
.style1 {
  display: none;
}
3. While processing the form check if the “url” contains any value. If it does, reject the post or put it for moderation.
if (strlen(trim($_POST['url'])) > 0){
  //It is a spam, reject this post here
}
4. Didn’t get it? Why this works? Well, it works simply because genuine users cannot see a hidden input box on your form and therefore, they won’t fill it, while robots can.
- vat0r, on 10/16/2007, -3/+4 How bout a bot that can read the class of said input and if display:none; is present not fill it out? Wouldn't be incredibly complicated to circumvent this method. Captcha is a time proven method and used web wide for a reason.
- MellerTime, on 10/16/2007, -0/+4 That's kinda the point. No, it's not hard to get around this, but the vast majority of spam bots running are just trying to hammer as much stuff into as many sites as possible. Given that goal, it wouldn't be worth the bot owner's time to specialize his bot to any individual site in most cases.
As with anything else, you're playing the odds. Odds are this is going to cut out 99+% of your spam, but it's not a 100% cure, as with anything.
- Otto, on 10/16/2007, -2/+5 Time-honored method? Jesus, people, CAPTCHAS DON'T WORK. They're incredibly easy to circumvent. Sure, if you're trying to block a registration form, then yes, they work fine. But if you're allowing anonymous comments, then CAPTCHAs will prevent spam, but they also prevent REAL people from commenting. Your comment level drops *way* down when you implement a CAPTCHA, or even the simple math problems.
You don't want to stop comments. You want to stop SPAM. Use a proven method, like Akismet or some other spam filtering solution. These work virtually 100% and don't require users to learn your tricky nonsensical system, so you don't lose comments.
- bluesnowmonkey, on 10/16/2007, -0/+6 It could get pretty complicated. You would have to implement practically the entire CSS spec just to know if the field is visible. It might have a "display:none" or "left:-1000px" or another element obscuring it or any number of tricks to hide it. Don't forget to parse all tags, linked stylesheets, and inline styles. Now implement Javascript because the form could be modified on the fly or even generated from scratch with document.write(). There are so many tricks to stop bots that a normal user would not even notice. I don't know why anyone bothers with captchas.
- RCourtney, on 10/16/2007, -0/+1 For every person who comes up with a nifty trick to thwart spam there is a spammer with time and a financial incentive to circumvent it.
- dubbleenerd, on 10/16/2007, -0/+2 Also, some people use automated form populating tools (I think the Google toolbar does this too). My guess is that these tools won't be smart enough to check the css script either, causing this method to fail.
- liaml, on 10/16/2007, -1/+0 Presumably, the automated form filling tools are smart enough not to auto-populate every form field...
- Skeuomorph, on 10/16/2007, -0/+1 Thanks for the description. Unfortunately, a lot of blog / comment spam is now by (very low) paid humans.
- freecodesnippet, on 10/16/2007, -0/+2 Thanks for posting this here, I'm having a huge problem with the bandwidth of my site :(
- yokes, on 10/17/2007, -5/+46 A crashed server is an ingenious method to defeat spam comments.
- exomni, on 10/23/2007, -3/+34 I just wish that CAPTCHA was slightly more lenient. I mean, if I mess up just one of the letters in a five letter CAPTCHA, I've still proved well enough that I'm not a robot.
- h4ppydotcom, on 10/16/2007, -0/+5 I don't think so... a robot with image recognition should be able to get an 80% hit rate without too much effort. It's getting to 100% that's difficult.
- amphoterous, on 10/17/2007, -0/+5 Or... have you proved that you're not enough human?
- darksyde, on 10/17/2007, -0/+1 Websites should just start using the Voight-Kampff empathy test.
- jokerthief, on 10/16/2007, -9/+4 This article is based on a simple fact that spam-robots are so dumb they usually put their grand father (their developers) to a shame.
Concept:
For people who don’t know this trick already, here is how you do it:
1. Add an input field to your form, with some interesting name, for example ‘URL’.
2. Hide the input box using css so that users (genuine) cannot see it directly.
.style1 {
  display: none;
}
3. While processing the form check if the “url” contains any value. If it does, reject the post or put it for moderation.
if (strlen(trim($_POST['url'])) > 0){
  //It is a spam, reject this post here
}
4. Didn’t get it? Why this works? Well, it works simply because genuine users cannot see a hidden input box on your form and therefore, they won’t fill it, while robots can.
Applying it on Wordpress:
I was having a rough time dealing with some spams on this blog itself, but since I applied this trick I’ve not had any spam at all so far.
I’ve applied this on the comment form, you can see the source of my page if you like (right-click > view source on this page),
Here is my code on server side (wp-comments-post.php):
- karipatila, on 10/16/2007, -2/+14 This is nothing new, and it works only if the spammer isn't industrious enough to actually take a look at the form himself.
- VenTatsu, on 10/16/2007, -0/+2 But that's the whole point, 90+% of comment spam is from bots that spider sites looking for forms that look like comment, feedback, contact us, etc. forms. The list of forms is used for each campaign by submitting the forms based on a predefined set of field values or rules for filling out fields. In the time a spammer would take to look at the form himself he could just let his computer (or a dozen zombies) find a few hundred other forms to submit. If you were evil what would you do?
- pezholio, on 10/16/2007, -1/+3 I've used a similar technique for a while now, it's pretty effective. Another method is to ask a simple maths question with two randomly generated numbers (between 1 and 99), which (so far) has kept most spammers out. I still fail to understand why they do this though, surely the amount of traffic generated is negligible?
- NJank, on 10/16/2007, -1/+3 and the number of people responding to V1AgRA ads is negligible, too. BUT, it's non-zero. and cost is minimal. so there's profit.
- MellerTime, on 10/16/2007, -1/+2 What I really don't understand is the SPAM that links to totally legit sites... Like the ones I've been getting containing links to universities like Purdue... I mean, wtf? If you're going to try and poison search rankings, why would you give a crap about a university? At least dedicate yourself to something useful, like a competing product maker...
- AaronCo, on 10/16/2007, -1/+1 The reason is SEO. The links don't need to pull any kind of direct traffic, once the SEs find them they'll index the link and any KWs in the anchor text. That will help them rank higher for their chosen KWs, thus pulling in more traffic from searchers.
As for .edu and .gov domains, 2 reasons. Direct linking to their own domain risks getting it pulled, but link spamming to a domain that has their link on it boosts the SE power of that link... meaning that more "link juice" passes on to their spam on that page without risking as many direct spam complaints.
There's a very good reason for spam, and unfortunately "no follow" links still get followed, thus we all have to put up with garbage.
- exomni, on 10/23/2007, -1/+12 It is a good idea, until you spread it around.
If I came up with this I'd keep it absolutely secret, or copyright it and sell it to some big website behind closed doors.
The fact is, once many people are using this and it's all around, spammers will catch on and work their way around it.
- DigDugDigger, on 10/16/2007, -1/+2 It's not exactly new. This has been done as a phpBB mod for quite some time now: http://www.phpbb.com/community/viewtopic.php?t=375 ...
- writh3n, on 10/17/2007, -4/+28 speaking of which, I did use it and has been working as close to perfect as one could want for almost a year. Thanks a lot for putting this on digg dick.
- EXreaction, on 10/16/2007, -0/+1 Don't expect it to continue working for long now that all of digg has seen it.
- rdog99, on 10/17/2007, -1/+0 I agree with writh3n, we've been using this method for over a year and it is as close to flawless as we could have ever hoped for given the amount of time it takes to implement. Time to add display:none to the code: 5 minutes, time to add a captcha: >> 5 minutes
- polaris878, on 10/16/2007, -3/+1 This is quite old, been posted on here before etc. Only works if the crawler is dumb. Good idea, simple, and easy to implement, but only takes you so far.
- mindzero, on 10/16/2007, -7/+1 Concept:
For people who don’t know this trick already, here is how you do it:
1. Add an input field to your form, with some interesting name, for example ‘URL’.
<input name="url" type="text" value=""/>
2. Hide the input box using css so that users (genuine) cannot see it directly.
.style1 {
  display: none;
}
3. While processing the form check if the “url” contains any value. If it does, reject the post or put it for moderation.
if (strlen(trim($_POST['url'])) > 0){
  //It is a spam, reject this post here
}
4. Didn’t get it? Why this works? Well, it works simply because genuine users cannot see a hidden input box on your form and therefore, they won’t fill it, while robots can.
- floatingpoints, on 10/23/2007, -4/+16 Captchas are annoying.
Especially the ones that really morph the letters and numbers to the point where you can't tell what the ***** it is.
Then the idiots who implement it have the gall to say, "4 more tries!"
- Eccles, on 10/16/2007, -1/+0 Heck, half the time Digg complains I didn't get it right, and I look carefully, and it still looks like what I entered.
At times, I've copied my comment and redone the whole reply.
- Adamus76, on 10/16/2007, -7/+1Site down. Can't even handle a little bit of Digg traffic.
- theficus, on 10/17/2007, -16/+4Dugg down because of the improper use of "SPAM" in all capital letters. Inexcusable. SPAM == meat product, spam == unsolicited e-mail.
- pezholio, on 10/16/2007, -1/+1SPAM isn't a meat product, Spam is. I always thought people spelt it SPAM because they mistakenly thought it was an acronym.
- mcraigw, on 10/16/2007, -0/+1Bzzzzzt. Wrong. See http://www.spam.com/legal/spam/
SPAM™, upper-case, is the proper way to designate the Hormel meat product.
- sclifford, on 10/17/2007, -0/+1And dugg you down for being a dick.
- wiihuck, on 10/16/2007, -8/+2woops, wrong story. what the heck just happened?
- bigteebo, on 10/16/2007, -2/+1What about having dynamic input fields? Instead of having a static form for input, have it randomly ask you in different ways? Instead of "enter username:", change it occasionally to "Hey, what is your name?", or something to the like.
Captchas nowadays are getting hard to figure out for people. Some of the letters are so distorted, you can't tell the Us from the Vs.
- jayssite, on 10/16/2007, -2/+1Nice. I used to use this:
[input type=hidden name=this_is_spam value='0'][!-- warning: submitting any value for 'this_is_spam' will label your IP address as a spammer and ban it. --]
It only caught some spammers, not all. I never thought to hide it with CSS instead of using a hidden field. Dugg.
- aquadoctorbob, on 10/16/2007, -1/+0That doesn't really make sense to me. It's not like spam scripts go through your page supplying values for every form element they see.
- stomachache, on 10/16/2007, -1/+4Instead of using CSS, wouldn't JavaScript be a safer approach? I mean, JavaScript is not declarative and writing a bot to interpret code would be, I would say, a bit more complex than parsing CSS declarations.
- pezholio, on 10/16/2007, -3/+3What about people who have JavaScript disabled or can't use it for whatever reason? Fair enough if the form isn't an essential function, such as an 'email to friend' feature, but JS should only be used for enhancements, not core functionality. Sorry, but I'm a hardliner
- floatingpoints, on 10/17/2007, -2/+1Enable javascript then.
No reason to have it disabled.
- h4ppydotcom, on 10/16/2007, -0/+1The label for the field says "Leave this box blank" so JS is just making it better for those with JS, whilst non-JS people can still use the form.
- mwny, on 10/17/2007, -10/+1"This Account Has Been Suspended
Please contact the billing/support department as soon as possible." Please pay your bill before posting an article to digg.
- theclashrocker, on 10/26/2007, -21/+1You have won a free trip to Maui
http://www.dobhran.com/greetings/GOmaui1.htm
http://www.dobhran.com/greetings/GOmaui1.htm
http://www.dobhran.com/greetings/GOmaui1.htm
http://www.dobhran.com/greetings/GOmaui1.htm
http://www.dobhran.com/greetings/GOmaui1.htm
Captcha doesn't stop spam = P
- funkytaco, on 10/23/2007, -1/+30Ah, I see. The old suspended.page trick.
- jakash, on 10/16/2007, -3/+3http://duggmirror.com/programming/Preventing_SPAM_ ...
- h00j, on 10/16/2007, -1/+2Provided you post back to the same page the easiest method is to check the HTTP Referrer and if it's not the correct page or blank then don't allow it, or flag it to be checked. I do this on my main site and it stops 100% of the SPAM, you occasionally get a false positive where a user is blocking the Referrer but this doesn't happen very often
- nthitz, on 10/16/2007, -0/+1The HTTP Referrer header can be spoofed easily by many browsers and by anyone who knows how to construct an HTTP request. Trusting the Referrer is not all that secure.
- h00j, on 10/18/2007, -0/+1But from the research I've done none of the spam bots ever do this, at the present time using this method I get 0 spam posts
- Jacob3d, on 10/17/2007, -2/+2Same thing can be accomplished by simply adding the style value inside the input tag, or giving the input box a class. No need for the extra markup and using the p tag.
[input name="spamAttempt" style="display: none;" type="text" value=""]
[input name="spamAttempt" class="hide" type="text" value=""]
- megaversal, on 10/20/2007, -1/+3That seems much easier to scan for if you're a bot since it's inline. The extra style (maybe in an external file) forces the spam bots to do a lot more parsing work.
- NSXROX, on 10/16/2007, -0/+1The whole point of using the p tag is to put the style outside of the input tag. Most bots would detect it if it's inline.
- postingbh, on 10/16/2007, -4/+0This works b/c downloading, then parsing CSS and JS is bandwidth and processor expensive. Take a sample ThinkProgress blog post: HTML = 16KB. CSS = 5KB. JS = 15KB. Just downloading the CSS and JS increases bandwidth 125%. 21KB is pretty light for CSS and JS; that could easily double or triple.
Even if spammers are smart enough to ignore standard filenames like lightbox.js and urchin.js, the bandwidth is still too high. Even before parsing the JS and CSS, it's just too costly. It makes much more sense for spammers to just download the HTML, send a response quickly and cheaply, then hope for the best.
- indicas, on 10/16/2007, -0/+3Bandwidth is extremely cheap. One dedicated box could handle 1500+gb a month of transfer, which is plenty.
If this catches on more, it will be broken without a doubt.
- sl9sl9, on 10/16/2007, -0/+5Since most spammers are using huge botnets of hijacked machines, bandwidth isn't really a problem for them.
- postingbh, on 10/18/2007, -1/+0My point wasn't really bandwidth per se, but rather the time spent downloading the additional data. If just downloading the JS and CSS increases processing time 125%, doing so needs to increase effectiveness 125% to be worth it. That doesn't include increased processing time for parsing or decreased accuracy b/c parsing JS is particularly problematic. Conservatively we're talking about a 200% increase in overall time required to process one page.
Bandwidth was probably the wrong word although I don't think increasing bandwidth 125% is trivial. Time/speed/effectiveness was really the point I was trying to make.
- nthitz, on 10/16/2007, -0/+1Any smart bot would also work just as the browser does. Request the JS and CSS once then cache it for the remainder of the attack session.
- dentalFOSS, on 10/17/2007, -1/+2I guess the poster should have just linked to the original article:
http://isc.sans.org/diary.html?storyid=1836
- MacBrowser, on 10/22/2007, -7/+2why the hell would somebody charge you for bandwidth is beyond me.... the hosting for this site is cr@p!
- D14BL0, on 10/23/2007, -0/+9Most hosts charge for bandwidth. It's usually the most expensive part of any hosting service.
- 10GunSalute, on 10/16/2007, -0/+1Hey MacBrowser, here's a crazy idea: If you have no idea what the hell you're talking about, DON'T POST A COMMENT
- Laqrhead, on 10/16/2007, -2/+3I've done this and it works.
- tingrin87, on 10/16/2007, -2/+1want a cookie?
- D14BL0, on 10/16/2007, -0/+4Nice idea, but now that this idea has been submitted to the entire world, spammers only need to update their bots to look for CSS which hides any box and ignore it.
- dumpydooby, on 10/16/2007, -1/+1Use Javascript to change the input type from TEXT to HIDDEN might be a less circumventable idea. Bots won't be utilizing Javascript, so their input type would remain as TEXT, and therefore would have the ability to be filled in. Regular users can use Javascript to destroy that form field entirely if they want.
Besides, using Javascript would also leave room for a noscript area where you can add CAPTCHA in order to have a graceful degradation.
- jspegele, on 10/16/2007, -4/+3Great idea!!! I can really see how having a dead website would prevent spam!!
- nthitz, on 10/16/2007, -0/+1Wow you were like the 5th person to make that joke... It still isn't funny.
- mlambir, on 10/16/2007, -1/+0well... maybe it would be harder for the spam bot to detect this if it was done dynamically on java script... you could add several URL fields... and hide them randomly... i can't think of a way to break this without parsing java script
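Added example, not part of the thread or the linked article: a PHP sketch of the hidden-field check from mindzero's steps, extended with the per-render field name that bigteebo and mlambir suggest, so the decoy's name cannot be hard-coded into a bot. The secret, the token format, the `hp` class and every function name here are assumptions.

```php
<?php
// Added sketch: SECRET, MAX_AGE, the field names and all function names are assumptions.
const SECRET  = 'replace-with-a-long-random-server-side-key';
const MAX_AGE = 3600; // seconds a rendered form stays valid

// The decoy's name is derived from the form token, so it differs on every render.
function decoy_name(string $token): string {
    return 'f_' . substr(hash_hmac('sha256', 'decoy|' . $token, SECRET), 0, 12);
}

// Token = issue time . nonce . MAC, so the server can tell it issued this form.
function issue_token(int $now): string {
    $body = $now . '.' . bin2hex(random_bytes(8));
    return $body . '.' . hash_hmac('sha256', $body, SECRET);
}

function render_form(int $now): string {
    $token = issue_token($now);
    // The hiding rule lives in the external stylesheet: .hp { display: none; }
    return '<form method="post">'
         . '<input type="hidden" name="t" value="' . $token . '">'
         . '<textarea name="comment"></textarea>'
         . '<p class="hp"><label>Leave this box blank <input type="text" name="'
         . decoy_name($token) . '" value="" autocomplete="off"></label></p>'
         . '<input type="submit" value="Post"></form>';
}

// Returns 'accept' or 'moderate' for one submitted form ($_POST in real use).
function classify(array $post, int $now): string {
    $token = $post['t'] ?? '';
    if (!is_string($token)) return 'moderate';
    $parts = explode('.', $token);
    if (count($parts) !== 3) return 'moderate';                  // missing or malformed token
    [$ts, $nonce, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', "$ts.$nonce", SECRET), $mac)) return 'moderate'; // forged
    if ($now - (int)$ts > MAX_AGE) return 'moderate';            // stale or replayed form
    $value = $post[decoy_name($token)] ?? '';
    if (!is_string($value) || trim($value) !== '') return 'moderate'; // decoy was filled in
    return 'accept';
}

// Constructed sample submissions: a person leaves the decoy empty, a form-filling bot does not.
$now = time();
preg_match('/name="t" value="([^"]+)"/', render_form($now), $m);
$human = ['t' => $m[1], 'comment' => 'Nice post'];
$bot   = $human + [decoy_name($m[1]) => 'http://spam.example/'];
echo 'human: ', classify($human, $now), "\n";
echo 'bot:   ', classify($bot, $now), "\n";
```

As several commenters note, a bot that evaluates the stylesheet can still skip the hidden field, so a filled decoy is best treated as a signal for moderation alongside other checks.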
- ShieldAxe, on 10/17/2007, -1/+2Dugg for the comments.
- rootnik, on 10/17/2007, -4/+6
1: Run out allotted web resources resulting in account suspension.
2: ???
3: Profit
- wheezy360, on 10/16/2007, -0/+2Dude don't ruin the "????, PROFIT!" gag by using it so lamely!
- EnergyUK, on 10/17/2007, -1/+1I've used this method and it didn't work all too well for me. It reduced the spam... didn't kill it tho.
- mrboratsagdiev, on 10/17/2007, -4/+3Buried for absolute duncery. Nothing new, and it doesn't work as well as you think it might.