Slashdot Mirror


How to Prevent Form Spam Without Captchas

UnderAttack writes "Spam submitted to web contact forms and forums continues to be a huge problem. The standard way out is the use of captchas. However, captchas can be hard to read even for humans. And if implemented wrong, they will be read by the bots. The SANS Internet Storm Center covers a nice set of alternatives to captchas. For example, the use of style sheets to hide certain form fields from humans, but make them 'attractive' to bots. The idea of these methods is to increase the work a spammer has to do to spam the form without inconveniencing regular users."


  1. And how... by Creepy+Crawler · · Score: 4, Interesting

    Ok, so captchas and other email obfuscation mechanisms are used a lot. Fine, a web designer can choose to do this.

    Now, let's enter US law: Americans with Disabilities Act. Target is currently being sued for NOT complying with this federal law. I can understand why businesses would be required for this, but where will the net-boundaries stop?

    For example, I have a US corp. I hire an offshore datacenter to handle web processing. Does my website have the compulsory ADA laws upon it, or do they not apply due to international boundaries? Yipe.

    1. Re:And how... by tomstdenis · · Score: 4, Insightful

      I think you'd find Slashdot very much more trivial and redundant if all non-Americans left.

      That said, ADA's can go fuck themselves. I can see making exceptions for EMPLOYEES but why would I have to go out of my way to help customers? What if it's simply not cost effective? If it costs millions to placate the handful of noisemakers is it worth the effort?

      Being blind really has to suck. And *I DO* wish that companies would help them out. I don't think we should force them though as it can lead to smaller companies who can't afford to deal with it going out of business.

      Sure, our websites would then be ADA compliant, but there would only be a handful of mega-corp websites at that point. So you're trading what little free market economy we have left to placate special interest groups.

      Frankly, if I were blind I'd make do and where I couldn't I'd rely on friends or family. No shame in asking a family member to order something from a website for you. Granted "disabled" folk want their independence, they also have to be practical about it....

      Tom

      --
      Someday, I'll have a real sig.
    2. Re:And how... by heinousjay · · Score: 5, Funny

      I think you'd find Slashdot very much more trivial and redundant if all non-Americans left.

      Indeed. I would miss the self-righteous off-the-mark diatribes about how we should run our country. I wouldn't be able to get my daily fill of hubris from people who think they are superior in every way. I don't know what I would do.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    3. Re:And how... by Captain+Splendid · · Score: 2, Informative

      Well, in all fairness, at least we furriners just give you an earful, whereas typical American hubris is usually delivered via shock and awe.

      Mods: go nuts! I have karma to burn, bitches.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    4. Re:And how... by GigsVT · · Score: 2

      The ADA wasn't passed by disabled people, it was passed by able bodied legislators who, on the left, wanted some bullshit feelgood legislation, and on the right, wanted to play up how supportive they were of disabled veterans.

      Most disabled people accept their limitations and aren't imposing about it.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    5. Re:And how... by fprintf · · Score: 2, Interesting

      Just try taking their reserved parking spaces closest to the mall entrance and you will see just how "imposing" disabled people can be about it.

      --
      This post brought to you by your friendly neighborhood MBA.
    6. Re:And how... by lord+aDam · · Score: 2, Informative
      I'm sure disability-discrimination laws exist in the European Union too

      Yes, there are accessibility laws in countries all over the world.

    7. Re:And how... by tomstdenis · · Score: 4, Insightful

      You've obviously never run a small business so you have no fucking clue whatsoever.

      Adding ADA compatible facilities and also making sure you're compliant costs money that most small companies don't have to spend. Given that it's to cater to a SMALLER market segment it's not good business sense to do it.

      And why should disabled people not expect to be 100% independent? Because majority rules. Sorry dude. Why should I cripple my business so you can read my literature? You don't have a right to be my customer. You have a right to employment, and to that end I'd have to at least accept the resumes of disabled folk. But I don't have to cater to the whims of every nancy out there with a problem.

      Not that catering is bad. I think if a company has the means and market it should attempt to go all ADA compliant. I think it's a good thing to get ramps, lifts, braille/etc. I just don't think it's a good idea to FORCE it upon people.

      Tom

      --
      Someday, I'll have a real sig.
    8. Re:And how... by SethHoyt · · Score: 2, Insightful

      That's a pretty thoughtless remark.

      First off, SSI is for supplementing low income. SSDI is for disability. Secondly, how can you claim that Asperger's is a "fake mental disorder"? It's not something that just appeared recently. It took about 50 years from the time Hans Asperger identified it to when it became an accepted medical diagnosis. Clearly, there's been plenty of time between then and now to study and evaluate the validity of the work. I think it's pretty careless of you to dismiss it off-hand.

      One reason people don't get the services they need is that people like you assume that if you can't see the disability, then they probably don't have one. Anyone who knows how a computer program works should know that malfunctioning code is not always obvious, and the cause of its mis-behavior is not always easy to trace. Well the human brain is much less understood than machine code, and is that much harder to diagnose when something is not right.

      So if you know something the experts do not, then perhaps you should enlighten the rest of us.

    9. Re:And how... by clambake · · Score: 2, Insightful

      Now, let's enter US law: Americans with Disabilities Act.

      So? Just put a phone number on the site with a "If you are disabled and can't use our captcha, please call our tech support and we'll set up an account."

    10. Re:And how... by Anonymous Coward · · Score: 2, Funny

      "That said, ADA's can go fuck themselves."

      I'm disabled and Can't fuck myself, you insensitive clod!

    11. Re:And how... by Gr8Apes · · Score: 2, Insightful

      What makes you think Americans don't already have lots of points of view?

      Seriously, what makes you think Americans are a homogeneous mass?

      That said, I agree with the underlying theme of your statements - America has gotten away from defending individual freedoms, which is what it was all about originally. Perhaps we should get back to doing just that.

      --
      The cesspool just got a check and balance.
    12. Re:And how... by headonfire · · Score: 5, Insightful

      yeah, yeah I have. I helped run and manage a family antique shop for several years, then got out of the business to do more interesting things.

      It's not about being 100% independent, it's about being as independent as possible. It's about all the small shit that YOU take for granted. It's being able to take a hot bath without worrying if you're going to boil your nerveless legs off, get an infection, and die. it's being able to cook your own meals, at least once in a while; or get your own groceries, or buy the things that other people are buying. Why does a disabled person have to do without, or beg for help from someone? And what if there -isn't- anyone to help, an all too common situation? Shit, my buddy can't even leave the house without someone to help him right now. He's got a visiting nurse who is nice and brings him some fast food once in a while so he can have a bit of variety.

      If you're running a small enough shop, being ADA compliant isn't hard anyways, and can amount to a ramp and a handrail. Get some lumber, nails and a hammer and do it yourself! Shit, grants and tax incentives are even available for that shit! And offer assistance to the blind guy or girl, don't tell him/her to fuck off and learn to read. If you don't have regular blind customers, wait until someone asks before you spend the money on braille if you're gonna be cheap.

      Goddamn, it's not asking you to suck a dick and buy a ferrari for every cripple who walks or wheels into your storefront! Just let people do their thing, regardless of their physical abilities! It's not about making a ton of money, it's about DOING THE RIGHT THING FOR PEOPLE. And yeah, yeah I DO have a right to be your customer. You cannot deny me custom in your public shop because of my race, gender, religion, or physical ability. That's the law. You have the right not to sell and expose yourself to a lawsuit, but I do have the right to enter your shop until you tell me to leave.

      You know why it's law? because without the law, nobody would do it, because so many people are amoral cheapasses, particularly business owners. That's why we developed employee, child labor, and consumer protection laws - business owners weren't exactly chomping at the goddamn bit to be nice to people, not when it might cost a few dollars off the top.

    13. Re:And how... by SillyNickName4me · · Score: 3, Insightful

      You've obviously never run a small business so you have no fucking clue whatsoever.

      Maybe gp doesn't, but I do, and I also happen to be visually impaired (not blind, but bad enough to never be able to drive a car, not be able to read any signs that I can't get close to etc)

      Adding ADA compatible facilities and also making sure you're compliant costs money that most small companies don't have to spend. Given that it's to cater to a SMALLER market segment it's not good business sense to do it.

      It costs money in quite some cases, but this is to expand your market, not to cater to a smaller market.

      And why should disabled people not expect to be 100% independent? Because majority rules. Sorry dude.

      What you just described is tyranny by the majority, not a democratic society. You may not have noticed, but the system in the USA has all kinds of provisions to try to prevent exactly that. Actually taking into account the needs of minorities, up to individuals, is a fundamental part of the system.

      Why should I expect to not be 100% dependent? because there is no reason why I should be. I am actually in a situation where I am not much more dependent on others than I would be without being visually impaired. That is for a substantial part a consequence of my own choices, and it is first of all my own responsibility to see to this. That said, I am hindered by many things that would not have cost money to prevent, will cost little to fix, and mostly happen out of ignorance, not because of it costing money. I don't see anything wrong with getting people to put a little thought into this, if needed by means of the law.

      Not to mention that when as many disabled people as possible can be as independent as reasonably possible, the outcome for society as a whole is surely better from a social point of view, and it is quite likely cheaper on the whole as well.

      Why should I cripple my business so you can read my literature?

      Expanding your potential market is not in itself crippling your business.

      You do have a point that it may not be worth it financially when you have to do things like install ramps, elevators etc, it may not fit into your specific building for cosmetic or whatever other reasons, and you can quite rightfully ask how far this should go anyway.

      Hence I don't think that there should be laws forcing this onto companies, rather, those who do try to be accessible to disabled people should get the possible cost compensated in the form of tax breaks for example.

      You don't have a right to be my customer.

      No, but depending on where exactly you live, you might not be allowed to discriminate against me based on disability.

      You have a right to employment,

      Again this depends on local law, this is different from state to state in the USA, and even more different between countries.

      and to that end I'd have to at least accept the resumes of disabled folk. But I don't have to cater to the whims of every nancy out there with a problem.

      Making sure you do not create obstacles for disabled people out of ignorance is not catering to the whims of everyone out there with a problem, it is being a decent human who tries to better the society he lives in. Being forced to incur cost for the sake of a better society however is not a good thing (because of the forced part of it), encouragement to do a bit extra in the form of compensation however seems like a worthwhile idea to me.

      Not that catering is bad. I think if a company has the means and market it should attempt to go all ADA compliant. I think it's a good thing to get ramps, lifts, braille/etc. I just don't think it's a good idea to FORCE it upon people.

      This I completely agree with, and since for all I can tell this was your real point also, maybe do yourself the favor to slow down a bit before posting such rants as the one in front of it, you have a reasonable and well defendable point of view I believe, but much of your post is going to prevent people from seeing that because it rather makes you look unreasonable and extremist.

  2. What is wrong with Captchas? by Thansal · · Score: 4, Insightful

    Why is it so hard to make a captcha that a bot can't read but a human can?

    The slashdot captchas are among the easiest I have ever seen to read, however I still haven't seen any spam on slashdot. Is there something else going on here? It can't be anything like IP banning or flood controls as those don't stop botnets. Is it that spammers just don't target slashdot? or is it that captcha reading bots are not nearly that good at breaking them and we could tone down the level of those horrible twisted-dotted-lined Captchas?

    --
    Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
    1. Re:What is wrong with Captchas? by Agent00Wang · · Score: 2, Insightful

      I've always wondered why designers don't use something simpler such as showing a picture of an easily identifiable object and requiring the user to identify it. This would work in 99.9% of cases. Alternatively, for the screen reader crowd, the check could be something like, "What is the fifth word in this sentence?" There's probably some obvious flaw with this technique that I'm not thinking of, or I imagine it would have been done already.

      --
      NINJA SPIRIT - The Ancient Art of Insanity
    2. Re:What is wrong with Captchas? by junglee_iitk · · Score: 2, Informative
      Why is it so hard to make a captcha that a bot can't read but a human can?


      Numerous times there is confusion between I and L. Since every site uses its own set of images and its own 'set of rules to obfuscate', the user has all the reasons to be confused. Then there is 3 coupled with something that makes it look like B etc.

      Of course, you will fail one time only, as on next reload you will get a new image to read, but as the article says, user response drops. People want to help you and you are making it, kind of, harder.
    3. Re:What is wrong with Captchas? by Lanoitarus · · Score: 3, Insightful

      The obvious flaw is that you need to create each one, and they therefore are inherently more limited in number. Text-based captchas are generated by a computer- pictures of pandas and their associated word would have to be done by hand.

    4. Re:What is wrong with Captchas? by sugapablo · · Score: 2, Informative

      What's worked surprisingly well for me is simple arithmetic. Adding a random math problem such as 2 + 5 = [ ] or 3 + 4 = [ ] has DRAMATICALLY decreased the amount of form spam two of my websites have received.

    5. Re:What is wrong with Captchas? by Pichu0102 · · Score: 4, Informative
      The slashdot captchas are among the easiest I have ever seen to read, however I still haven't seen any spam on slashdot.

      You obviously don't browse the comments at -1.
    6. Re:What is wrong with Captchas? by Thansal · · Score: 3, Interesting

      I actually like the ones like that.

      instead of obfuscated images, just put in plain text questions.
      What is 2+2?
      What is the 3rd word in this sentance?
      What is the name of my blog?

      All of these can be answered by someone using a screen reader, and take less time than figuring out a captcha. Sure it does not stop manual spamming, but what does?

      --
      Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
    7. Re:What is wrong with Captchas? by Agent00Wang · · Score: 2, Funny

      Awesome, I'm sitting here during my lunch break at work, checking out that page, and what do I see under some of the sample captchas? Goatse, barely distorted.

      --
      NINJA SPIRIT - The Ancient Art of Insanity
    8. Re:What is wrong with Captchas? by antifoidulus · · Score: 4, Funny

      Yes, but then you exclude southern Republicans from using your site!

    9. Re:What is wrong with Captchas? by Thansal · · Score: 2, Insightful

      actually, I browse at 0, as a lot of ACs have some rather good posts. (in fact I browse at 0 Nested, so I see even more of these posts)

      I still have yet to see anything that was an ad, I have seen plenty of trolls, but those are not bots. I forgot about the lameness filter, and I admit to being curious if that is catching things....

      --
      Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
    10. Re:What is wrong with Captchas? by nine-times · · Score: 2, Informative

      These questions or pictures again need to be either automatically generated or generated by humans. If automatically generated, they would need to follow a pattern, and so the challenge would then be on the spammers to identify the pattern and train their bots to read the pattern and respond appropriately.

      If, on the other hand, they're generated by humans, it would be expensive to generate each one, and so they'd be limited in number. Therefore the spammers simply go about collecting each one, identifying them, and they've broken the system.

      Either way, it's like an arms race. The people blocking the spammers are just trying to stay one step ahead of the spammers.

    11. Re:What is wrong with Captchas? by JesseMcDonald · · Score: 2, Informative

      instead of obfuscated images, just put in plain text questions.

      That's been considered before. The problem with that approach is that, unlike image-based CAPTCHAs, there are a limited number of templates available for natural-language questions. The spammer just has to compile a list of the various patterns of questions and answers, a much easier task than designing an OCR program capable of extracting random, disconnected letters and numbers from a randomly distorted image. The problem is essentially one of hash functions -- plain-text questions can be solved as easily as they can be generated, whereas image-based CAPTCHAs are easy to generate but difficult (for computers) to decipher. Your last example ("What is the name of my blog?") is probably the best, since it's somewhat resistant to ordinary dictionary attacks, but there could be several reasonable answers (depending on the blog) and the correct answer(s) would have to be separately entered into each site. For many sites the answer may also be trivially derived from the title of the page, or some other element no less predictable than the form elements employed to enter the comment.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    12. Re:What is wrong with Captchas? by 91degrees · · Score: 2, Informative

      The main reason it works is probably because so few other sites use the same method.

      Security through obscurity dogma be damned! When a breach isn't fatal, there are cases where obscurity works well enough.

    13. Re:What is wrong with Captchas? by nuzak · · Score: 3, Insightful

      > Why is it so hard to make a captcha that a bot can't read but a human can?

      Because anything difficult to OCR can be a real pain for humans too. Still, it's not that spammers are mass-OCR'ing images, it's that they actually get humans to enter the captchas, sometimes providing porn as a reward, but it's sometimes also a paid operation with goldfarming-style sweatshops. In a way, this is fine, because it scales far worse than full scale automation, but it does keep captchas from being a panacea.

      It's the combination of the captcha, rate controls, and moderation that keeps spam out of here. All links here have rel="nofollow" as well, making them useless for google spamming, and the spammers know it. Basically it's a poor return on investment when you can spam a bunch of blogs that are wide open.

      --
      Done with slashdot, done with nerds, getting a life.
    14. Re:What is wrong with Captchas? by Trailer+Trash · · Score: 4, Insightful
      What is the 3rd word in this sentance?

      How about:

      Which word is spelled incorrectly in my sentance?

    15. Re:What is wrong with Captchas? by Gzip+Christ · · Score: 3, Funny
      Yes, but then you exclude southern Republicans from using your site!
      That's a feature, not a bug.
    16. Re:What is wrong with Captchas? by Goaway · · Score: 2, Insightful

      Except that there is no such thing as a picture of an easily identifiable object, especially not if you don't want to block non-English speakers. People will come up with many different words for the same thing, people will misspell it, people will not know the English word for it, and people will just not know what it is.

    17. Re:What is wrong with Captchas? by roscivs · · Score: 2, Interesting
      Still, it's not that spammers are mass-OCR'ing images, it's that they actually get humans to enter the captchas, sometimes providing porn as a reward, but it's sometimes also a paid operation with goldfarming-style sweatshops.
      I disagree. I run a phpBB site that by default uses a really crappy CAPTCHA, fairly easy for bots to defeat. I was getting about two or three bots registering a day. I switched to using a different, more difficult CAPTCHA (but the URL etc. for the image was the same, only the algorithm for generating it changed) and immediately the spambots disappeared. Haven't had any for weeks.

      If the CAPTCHAs were being defeated by humans, there should have been no change. It had to have been spammers mass-OCR'ing images.
      --
      ~ roscivs
  3. Javascript by Aladrin · · Score: 4, Interesting

    I hadn't read the article yet, and just the summary, and as soon as they said 'hidden fields' that are attractive to spambots, I thought "Why not hide the fields from the spambot instead?"

    It's easy, you just have the javascript create all or part of the form. Or modify the form in some way. It would happen before the user even sees the form, and the spambot would have to implement a javascript parser to get it. (Or a parser, that's unique to your site.)

    I would think AJAX would be a huge hamper to them as well.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    1. Re:Javascript by masterzora · · Score: 3, Informative

      The reason CSS doesn't cause the same issues is because the CSS method isn't dependent on the CSS working. If the CSS doesn't work, then, oh well, good thing we have this text telling the user not to use those forms. If the Javascript doesn't work, crap, the user can't even see the necessary forms. See the difference?

      --
      Remember, open source is free as in speech, not free as in bear.
    2. Re:Javascript by Aladrin · · Score: 2, Informative

      Please, read before you respond.

      "I hadn't read the article yet," is NOT the same as "I haven't read the article yet,"

      I've read it. You can stop posting the same 'rtfa' over and over. Jeez.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  4. Blind users by awtbfb · · Score: 3, Insightful

    This is still somewhat problematic for blind users. If decoy field names are picked up when CSS is turned off, then there will be a lot of users exposed to the bogus fields.

    1. Re:Blind users by Ahnteis · · Score: 2, Insightful

      It's fairly trivial to also hide a comment telling non-CSS-browser-users to leave a field blank.

      Blind people can't see. They aren't stupid. :P (Well, any more than anyone else.)

  5. Foiling spammers without a captcha by kfg · · Score: 2, Funny

    Just shoot 'em on sight.

    KFG

  6. Luxury gifts for both sexes by Anonymous Coward · · Score: 5, Funny

    Men's and Ladies Prestige Watches For all occasions! Perfect Christmas gifts!

    These replicas have all the presence and poise of the originals after whome they were designed at a fraction of the cost. The attention to detail is paramount and they are comparable to the originals in every way.

    To view our huge inventory visit our website now at:

    http://pwned31337.ku/

    : Replicated to the smallest detail
    : 98% A+ Accuracy
    : Includes all Proper Markings
    : Wide selection and fast worldwide shipping
    : Authentic Weight
    : True-to-original self winding and quartz mechanisms
    : Guaranteed worldwide Christmas delivery

  7. field name encrypt by Inmatarian · · Score: 2, Interesting

    Private Key encrypt the randomized field names and have a hidden Public Key field. That way, the fields foo, bar, and abacab have no sense of meaning to the bots, but will decrypt to subject, body, and spammer catcher.

    1. Re:field name encrypt by thejrwr · · Score: 2, Interesting

      Mixing the Form order up would help too, as the bot maker could just look at the order of the fields,

  8. Probably because /. isn't prime real estate by everphilski · · Score: 3, Funny

    Think about it ... the slashdot crowd is technical and informed and "knows better" ... why would someone spambot slashdot? It surely would not be effective...

    1. Re:Probably because /. isn't prime real estate by geoffspear · · Score: 4, Funny

      Think about it ... the slashdot crowd is technical and informed and "knows better"

      You must be new here.

      --
      Don't blame me; I'm never given mod points.
  9. If CSS being off reveals a hidden field... by gorckat · · Score: 4, Insightful

    ...can it be clearly labeled as bogus? Something like:

    Subject: _______{-enter your spam topic here if you want me to disregard your email

    Can the label/tag telling someone to leave a field blank be hidden from a bot but clearly visible to a live person?

  10. Re:How Accessible though? by DittoBox · · Score: 2, Interesting

    Many that I've seen recently actually have an audio key to listen to if you can't read the image.

    --
    Good. Cheap. Fast. Pick Two.
  11. My Method by CastrTroy · · Score: 2, Interesting
    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:My Method by anshil · · Score: 2, Informative

      I wrote my guestbook for a project page - php code myself... simply because I wanted to learn how to code PHP+MySQL.

      It's now some years ago, in the beginning no problem... then got hit by massive spamming.
      Cleaned it up.

      I never wanted to do captchas or question, since it should be most easy and convenient for the human user to post, anonymously without much worries, the "entry barrier" has to be low.

      First I blocked some IPs did not help much.

      A great benefit was I gave the user a cookie when viewing the main side, and looked if the cookie is still there when viewing the guestbook, that got rid of the spam bots... but in the last time some seem to have learned that as well.

      Now I block on server side just as you everything that contains "a href=" "[url]" or "[link]" and that stuff, just as you, this really blocks A LOT, since they all are out to post links to raise their side in google.

      Now the few that get through 1-2 a week, I block special content strings, usually their URL like mycoolrippoffs.com or that stuff.

      --
      Karma 50, and all I got was this lousy T-Shirt.
  12. Related Story by Amazing+Quantum+Man · · Score: 3, Informative

    Since the editors didn't see fit to put this in related links:

    What Ways Can Sites Handle Spambot Attacks?

    --
    Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  13. Just serve as application/xml+xhtml by liangzai · · Score: 2, Funny

    This will prevent 100% of the bots from even entering your page... ... plus a few IE users.

  14. Vbulletin forums? by Shoeler · · Score: 2, Informative

    I run two largish Vbulletin forums - and we get at least 1-2 spammers a day. I haven't found a way to prevent them yet, but I have found a way to stop em from getting any traffic or money for the unsuspecting idiot that clicks on them.

    I use an anti-spam e-mail technique: blacklist.

    Vbulletin has a censoring system where words you choose can be replaced with your choice of characters - by default it's an *. www.clickmeforspam.com, where I would use the "clickmeforspam.com" as the censored word, shows up as www.****************** .

    It's quite hilarious to see the humans behind the spam, who have registered, gotten through a human image trap, clicked on a link e-mailed to them, logged in and posted their spam re-post it like 2-3 times only to realize they got owned by my filter. They get all pissed off, and by that time a user has reported the post or we've seen it and banned them. It's very fun to make fun of them in their spam posts filled with ***s. :)

  15. Blind users? Use proper CSS by Shadowlore · · Score: 2, Informative

    Use CSS' media types.

    Aural, braille, and embossed are all media types that would hide the fields for blind users if done correctly (i.e. used and the reader supports it, which you'd think they would want to). This technique is not the only reason why blind users' tools need to work differently based on media type in CSS.

    --
    My Suburban burns less gasoline than your Prius.
  16. Re:HTTP_REFERER by Remco_B · · Score: 2, Insightful
    In the program run to process form input, I check the HTTP_REFERER header sent by the client. It should exactly match the URL of the form that was being posted, if it doesn't, then you know that someone is accessing the input program illegally, i.e. they aren't using your form.

    Yes, except for people like me who use some sort of proxy that always sends a fake referer header.

    What does my program do when it detects a bot? It returns a 403 Forbidden error and adds the ip address of the client to .htaccess with a "Deny from" directive.

    And that would deny me the chance to reconfigure my proxy to send your site a correct referer header and try my submission again.

  17. Been doing this for a while by sparkz · · Score: 2, Insightful
    I've been doing a variation of this for quite a while now on my phpBB forum. There are bots which identify a phpBB forum and simply POST a user-account creation to the relevant page. This then adds their URL to the forum's memberlist page, improving their Google ranking.

    I won't stand for that, so the simple fix is to remove the "WEBSITE" input from the form. If "WEBSITE" gets POSTed along with the other data, I know it's a robot and post a message to kindly go away. Genuine users can edit their profile once the account is activated, if they want to plug their website.

    --
    Author, Shell Scripting : Expert Re
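
The decoy field from the story summary, the opaque per-form field names and shuffled order proposed in the "field name encrypt" thread, and the rejection of fields the form never offered described in the comment above, combined into one server-side check. This is an added example, not code from any poster or from the SANS article; it swaps the proposed public/private-key scheme for an HMAC keyed with a server secret, and `SERVER_KEY`, the field names and the token layout are assumptions.

```python
import hashlib
import hmac
import random
import secrets
import time

SERVER_KEY = b"constructed-demo-key"   # assumption: per-site secret, never sent to clients
REAL_FIELDS = ("subject", "body")
DECOY_FIELDS = ("website",)            # hidden with CSS; a human leaves it empty
ALL_FIELDS = REAL_FIELDS + DECOY_FIELDS
MAX_FORM_AGE = 3600                    # seconds a rendered form stays valid


def _mac(*parts):
    """Hex HMAC-SHA256 over the joined parts, keyed with the server secret."""
    return hmac.new(SERVER_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def _alias(token, logical):
    """Opaque field name that only the server can map back to `logical`."""
    return "f" + _mac("name", token, logical)[:12]


def render_form(now=None):
    """Return (token, fields); fields is a shuffled list of (alias, logical)."""
    issued = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    token = ".".join((nonce, issued, _mac("token", nonce, issued)[:32]))
    fields = [(_alias(token, name), name) for name in ALL_FIELDS]
    random.shuffle(fields)             # position gives nothing away either
    return token, fields


def check_submission(post, now=None):
    """Return (verdict, data); verdict is 'ok' or the reason for rejection."""
    now = time.time() if now is None else now
    token = post.get("token", "")
    try:
        nonce, issued, tag = token.split(".")
        issued_at = int(issued)
    except ValueError:
        return "bad-token", {}
    expected = _mac("token", nonce, issued)[:32]
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "bad-token", {}
    if not 0 <= now - issued_at <= MAX_FORM_AGE:
        return "stale-token", {}

    names = {_alias(token, logical): logical for logical in ALL_FIELDS}
    if set(post) - set(names) - {"token"}:
        return "unexpected-field", {}  # e.g. a fixed name the form never offered
    data = {names[k]: v for k, v in post.items() if k != "token"}
    if any(data.get(d, "").strip() for d in DECOY_FIELDS):
        return "decoy-filled", {}
    if any(not data.get(r, "").strip() for r in REAL_FIELDS):
        return "missing-field", {}
    return "ok", {r: data[r] for r in REAL_FIELDS}


if __name__ == "__main__":
    token, fields = render_form()
    alias = {logical: name for name, logical in fields}
    # Constructed submissions: a browser user, then a bot that fills every input.
    human = {"token": token, alias["subject"]: "Hello", alias["body"]: "Nice site",
             alias["website"]: ""}
    bot = dict(human, **{alias["website"]: "http://spam.example/"})
    print(check_submission(human))
    print(check_submission(bot)[0])
```

A valid token can be replayed until it expires; making it single-use needs a server-side record of spent nonces.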
  18. Re:HTTP_REFERER by Bogtha · · Score: 4, Insightful

    A lot of legitimate users have the Referer header switched off or otherwise unavailable. Apart from the privacy factor, it's also common for "firewalls" [sic] to disable or change them.

    Of course, you wouldn't know this, because anybody who finds out is automatically banned from your website, so they don't have a chance to leave a comment or even find your email address letting you know about the problem.

    --
    Bogtha Bogtha Bogtha
  19. use dnsbls by joost · · Score: 4, Interesting

    Shameless plug! I developed a plugin for Ruby on Rails that uses DNSBLs to combat form spam. (begin shameless self promotion)

    dnsbl_check rails plugin

    Basically what the plugin does is check clients against one or more DNSBLs. You might know them from mail servers. You see, it turns out that the forms are almost always abused by bots. These bots are quite well known. sbl-xbl from spamhaus catches 80% in my setup, spamcop catches the rest. You enable the plugin for key controllers and it really does work.

    (/end shameless self promotion) mod me down if you wish
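
The lookup such a plugin has to perform, sketched in Python as an added example (this is not the dnsbl_check plugin's code): the client address is reversed, prefixed to the list's zone, and resolved, and only answers inside 127.0.0.0/8 count as a listing. The zone hostnames are assumptions standing in for the two lists the comment names, and `SAMPLE_ANSWERS` is constructed data so the block runs without a network.

```python
import ipaddress
import socket

# Assumption: hostnames for the two lists the comment names; substitute your own.
DEFAULT_ZONES = ("sbl-xbl.spamhaus.org", "bl.spamcop.net")
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")       # "listed" answers live here
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")   # Spamhaus error replies


def dnsbl_query_name(ip, zone):
    """Name to resolve: reversed octets (IPv4) or nibbles (IPv6), then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def listing_codes(answers):
    """Keep A records that mean 'listed'; drop error codes and hijacked answers."""
    codes = []
    for answer in answers:
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue
        if addr.version == 4 and addr in LISTED_NET and addr not in ERROR_NET:
            codes.append(str(addr))
    return codes


def system_resolver(name):
    """A records via the OS resolver; NXDOMAIN or any failure yields []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []      # fail open: a DNS outage must not lock every visitor out


def check_client(ip, zones=DEFAULT_ZONES, resolve=system_resolver):
    """Return {zone: [codes]} for every zone that lists `ip` (empty dict = clean)."""
    hits = {}
    for zone in zones:
        codes = listing_codes(resolve(dnsbl_query_name(ip, zone)))
        if codes:
            hits[zone] = codes
    return hits


# Constructed resolver data (documentation addresses), so the demo stays offline.
SAMPLE_ANSWERS = {
    "7.113.0.203.sbl-xbl.spamhaus.org": ["127.0.0.4"],        # listed
    "9.113.0.203.sbl-xbl.spamhaus.org": ["127.255.255.254"],  # error code, not a listing
    "9.113.0.203.bl.spamcop.net": ["198.51.100.1"],           # wildcard/hijacked answer
}


def sample_resolver(name):
    """Stand-in for DNS that answers from SAMPLE_ANSWERS only."""
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for client in ("203.0.113.7", "203.0.113.9", "203.0.113.10"):
        print(client, check_client(client, resolve=sample_resolver))
```

Treat a hit as grounds to hold the post for moderation or add a challenge rather than as a permanent ban, since shared and reassigned addresses end up on these lists too.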