Slashdot Mirror


How to Prevent Form Spam Without Captchas

UnderAttack writes "Spam submitted to web contact forms and forums continues to be a huge problem. The standard way out is the use of captchas. However, captchas can be hard to read even for humans. And if implemented wrong, they will be read by the bots. The SANS Internet Storm Center covers a nice set of alternatives to captchas. For example, the use of style sheets to hide certain form fields from humans, but make them 'attractive' to bots. The idea of these methods is to increase the work a spammer has to do to spam the form without inconveniencing regular users."

15 of 272 comments

  1. And how... by Creepy Crawler · · Score: 4, Interesting

    Ok, so captchas and other email obfuscation mechanisms are used a lot. Fine, a web designer can choose to do this.

    Now, let's enter US law: Americans with Disabilities Act. Target is currently being sued for NOT complying with this federal law. I can understand why businesses would be required for this, but where will the net-boundaries stop?

    For example, I have a US corp. I hire an offshore datacenter to handle web processing. Does my website have the compulsory ADA laws upon it, or do they not apply due to international boundaries? Yipe.

    --
    1. Re:And how... by tomstdenis · · Score: 4, Insightful

      I think you'd find Slashdot very much more trivial and redundant if all non-Americans left.

      That said, ADA's can go fuck themselves. I can see making exceptions for EMPLOYEES but why would I have to go out of my way to help customers? What if it's simply not cost effective? If it costs millions to placate the handful of noisemakers is it worth the effort?

      Being blind really has to suck. And *I DO* wish that companies would help them out. I don't think we should force them though as it can lead to smaller companies who can't afford to deal with it going out of business.

      Sure, our websites would then be ADA compliant, but there would only be a handful of mega-corp websites at that point. So you're trading what little free market economy we have left to placate special interest groups.

      Frankly, if I were blind I'd make do and where I couldn't I'd rely on friends or family. No shame in asking a family member to order something from a website for you. Granted "disabled" folk want their independence, they also have to be practical about it....

      Tom

      --
      Someday, I'll have a real sig.
    2. Re:And how... by heinousjay · · Score: 5, Funny

      I think you'd find Slashdot very much more trivial and redundant if all non-Americans left.

      Indeed. I would miss the self-righteous off-the-mark diatribes about how we should run our country. I wouldn't be able to get my daily fill of hubris from people who think they are superior in every way. I don't know what I would do.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    3. Re:And how... by tomstdenis · · Score: 4, Insightful

      You've obviously never run a small business so you have no fucking clue whatsoever.

      Adding ADA compatible facilities and also making sure you're compliant costs money that most small companies don't have to spend. Given that it's to cater to a SMALLER market segment it's not good business sense to do it.

      And why should disabled people not expect to be 100% independent? Because majority rules. Sorry dude. Why should I cripple my business so you can read my literature? You don't have a right to be my customer. You have a right to employment, and to that end I'd have to at least accept the resumes of disabled folk. But I don't have to cater to the whims of every nancy out there with a problem.

      Not that catering is bad. I think if a company has the means and market it should attempt to go all ADA compliant. I think it's a good thing to get ramps, lifts, braille/etc. I just don't think it's a good idea to FORCE it upon people.

      Tom

      --
      Someday, I'll have a real sig.
    4. Re:And how... by headonfire · · Score: 5, Insightful

      yeah, yeah I have. I helped run and manage a family antique shop for several years, then got out of the business to do more interesting things.

      It's not about being 100% independent, it's about being as independent as possible. It's about all the small shit that YOU take for granted. It's being able to take a hot bath without worrying if you're going to boil your nerveless legs off, get an infection, and die. It's being able to cook your own meals, at least once in a while; or get your own groceries, or buy the things that other people are buying. Why does a disabled person have to do without, or beg for help from someone? And what if there -isn't- anyone to help, an all too common situation? Shit, my buddy can't even leave the house without someone to help him right now. He's got a visiting nurse who is nice and brings him some fast food once in a while so he can have a bit of variety.

      If you're running a small enough shop, being ADA compliant isn't hard anyways, and can amount to a ramp and a handrail. Get some lumber, nails and a hammer and do it yourself! Shit, grants and tax incentives are even available for that shit! And offer assistance to the blind guy or girl, don't tell him/her to fuck off and learn to read. If you don't have regular blind customers, wait until someone asks before you spend the money on braille if you're gonna be cheap.

      Goddamn, it's not asking you to suck a dick and buy a ferrari for every cripple who walks or wheels into your storefront! Just let people do their thing, regardless of their physical abilities! It's not about making a ton of money, it's about DOING THE RIGHT THING FOR PEOPLE. And yeah, yeah I DO have a right to be your customer. You cannot deny me custom in your public shop because of my race, gender, religion, or physical ability. That's the law. You have the right not to sell and expose yourself to a lawsuit, but I do have the right to enter your shop until you tell me to leave.

      You know why it's law? Because without the law, nobody would do it, because so many people are amoral cheapasses, particularly business owners. That's why we developed employee, child labor, and consumer protection laws - business owners weren't exactly chomping at the goddamn bit to be nice to people, not when it might cost a few dollars off the top.

  2. What is wrong with Captchas? by Thansal · · Score: 4, Insightful

    Why is it so hard to make a captcha that a bot can't read but a human can?

    The slashdot captchas are among the easiest I have ever seen to read, however I still haven't seen any spam on slashdot. Is there something else going on here? It can't be anything like IP banning or flood controls as those don't stop botnets. Is it that spammers just don't target slashdot? Or is it that captcha reading bots are not nearly that good at breaking them and we could tone down the level of those horrible twisted-dotted-lined Captchas?

    --
    Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
    1. Re:What is wrong with Captchas? by Pichu0102 · · Score: 4, Informative
      The slashdot captchas are among the easiest I have ever seen to read, however I still haven't seen any spam on slashdot.

      You obviously don't browse the comments at -1.
    2. Re:What is wrong with Captchas? by antifoidulus · · Score: 4, Funny

      Yes, but then you exclude southern Republicans from using your site!

    3. Re:What is wrong with Captchas? by Trailer Trash · · Score: 4, Insightful
      What is the 3rd word in this sentance?

      How about:

      Which word is spelled incorrectly in my sentance?

  3. Javascript by Aladrin · · Score: 4, Interesting

    I hadn't read the article yet, and just the summary, and as soon as they said 'hidden fields' that are attractive to spambots, I thought "Why not hide the fields from the spambot instead?"

    It's easy, you just have the javascript create all or part of the form. Or modify the form in some way. It would happen before the user even sees the form, and the spambot would have to implement a javascript parser to get it. (Or a parser, that's unique to your site.)

    I would think AJAX would be a huge hamper to them as well.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  4. Luxury gifts for both sexes by Anonymous Coward · · Score: 5, Funny

    Men's and Ladies Prestige Watches For all occasions! Perfect Christmas gifts!

    These replicas have all the presence and poise of the originals after whome they were designed at a fraction of the cost. The attention to detail is paramount and they are comparable to the originals in every way.

    To view our huge inventory visit our website now at:

    http://pwned31337.ku/

    : Replicated to the smallest detail
    : 98% A+ Accuracy
    : Includes all Proper Markings
    : Wide selection and fast worldwide shipping
    : Authentic Weight
    : True-to-original self winding and quartz mechanisms
    : Guaranteed worldwide Christmas delivery

  5. Re:Probably because /. isn't prime real estate by geoffspear · · Score: 4, Funny

    Think about it ... the slashdot crowd is technical and informed and "knows better"

    You must be new here.

    --
    Don't blame me; I'm never given mod points.
  6. If CSS being off reveals a hidden field... by gorckat · · Score: 4, Insightful

    ...can it be clearly labeled as bogus? Something like:

    Subject: _______{-enter your spam topic here if you want me to disregard your email

    Can the label/tag telling someone to leave a field blank be hidden from a bot but clearly visible to a live person?
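
The labelled trap field asked about above, as an added example that is not part of the original comment or of the SANS article: the warning label sits inside the same CSS-hidden wrapper as the trap, and the server classifies the POST by what arrived in that field. The field name, form layout and `classify_submission` helper are assumptions made for illustration.

```ruby
require 'uri'

TRAP_FIELD = 'subject' # hypothetical name, chosen to look attractive to bots

# Form fragment. The trap and its warning label share one CSS-hidden wrapper,
# so a visitor with style sheets off sees both together.
def contact_form_html
  <<~HTML
    <style>.hp-wrap { display: none; }</style>
    <form method="post" action="/contact">
      <label>Your email <input name="email" type="text"></label>
      <label>Message <textarea name="message"></textarea></label>
      <div class="hp-wrap">
        <label for="hp">Spam trap: leave this field blank</label>
        <input id="hp" name="#{TRAP_FIELD}" type="text"
               tabindex="-1" autocomplete="off">
      </div>
      <button type="submit">Send</button>
    </form>
  HTML
end

# Classify a URL-encoded POST body:
#   :accept      trap present and empty (a browser submits hidden text inputs
#                as empty strings, so this is the normal human case)
#   :spam        trap filled in
#   :suspicious  trap absent, so the POST was not built from the rendered form
def classify_submission(body)
  trap_values = URI.decode_www_form(body)
                   .select { |key, _| key == TRAP_FIELD }
                   .map(&:last)
  return :suspicious if trap_values.empty?
  return :spam unless trap_values.all? { |v| v.strip.empty? }

  :accept
end
```

The label is ordinary markup, so a bot that parses the HTML can still read it; the technique only raises the work needed per site. `tabindex="-1"` and `autocomplete="off"` reduce the chance that keyboard navigation or browser autofill puts text in the trap for a real visitor.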

  7. Re:HTTP_REFERER by Bogtha · · Score: 4, Insightful

    A lot of legitimate users have the Referer header switched off or otherwise unavailable. Apart from the privacy factor, it's also common for "firewalls" [sic] to disable or change them.

    Of course, you wouldn't know this, because anybody who finds out is automatically banned from your website, so they don't have a chance to leave a comment or even find your email address letting you know about the problem.

    --
    Bogtha Bogtha Bogtha
  8. use dnsbls by joost · · Score: 4, Interesting

    Shameless plug! I developed a plugin for Ruby on Rails that uses DNSBLs to combat form spam. (begin shameless self promotion)

    dnsbl_check rails plugin

    Basically what the plugin does is check clients against one or more DNSBLs. You might know them from mail servers. You see, it turns out that the forms are almost always abused by bots. These bots are quite well known. sbl-xbl from spamhaus catches 80% in my setup, spamcop catches the rest. You enable the plugin for key controllers and it really does work.

    (/end shameless self promotion) mod me down if you wish
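
How a DNSBL check of a form client works in general, as an added example that is not the dnsbl_check plugin's code or API: the client's IPv4 octets are reversed, the list's zone is appended, and an A-record answer in 127.0.0.0/8 means the address is listed. The zone hostnames for the two lists named in the comment, the function names and the injectable resolver are assumptions.

```ruby
require 'resolv'
require 'ipaddr'

# Assumed hostnames for the two lists named in the comment.
DNSBL_ZONES = %w[sbl-xbl.spamhaus.org bl.spamcop.net].freeze

LISTED_RANGE = IPAddr.new('127.0.0.0/8')
# Spamhaus answers in 127.255.255.0/24 to signal a query error (for example
# a query sent through a public resolver); that is not a listing.
ERROR_RANGE = IPAddr.new('127.255.255.0/24')

# Live lookup; getaddresses returns [] when the name does not exist.
LIVE_RESOLVER = lambda do |name|
  Resolv::DNS.open { |dns| dns.getaddresses(name).map(&:to_s) }
end

# "192.0.2.10" + "bl.spamcop.net" -> "10.2.0.192.bl.spamcop.net"
def dnsbl_query_name(ip, zone)
  addr = IPAddr.new(ip) # raises on malformed input
  raise ArgumentError, 'IPv4 only in this example' unless addr.ipv4?

  "#{addr.to_s.split('.').reverse.join('.')}.#{zone}"
end

def listed_answer?(answer)
  addr = IPAddr.new(answer)
  LISTED_RANGE.include?(addr) && !ERROR_RANGE.include?(addr)
end

# Returns the zones that list the client. Resolver failures count as
# "not listed" so a DNS outage does not lock every visitor out of the form.
def dnsbl_hits(ip, zones: DNSBL_ZONES, resolver: LIVE_RESOLVER)
  zones.select do |zone|
    name = dnsbl_query_name(ip, zone)
    begin
      resolver.call(name).any? { |a| listed_answer?(a) }
    rescue Resolv::ResolvError, Resolv::ResolvTimeout
      false
    end
  end
end
```

A controller would reject or challenge the submission when `dnsbl_hits(client_ip)` is non-empty; passing a stub as `resolver:` keeps tests offline.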