
Spam: how to prevent?


yoshida


Currently I'm facing a new challenge. Some spambot thinks it's funny to flood my guestbook with spam messages. So I had to do the unthinkable: build a delete button.

Deleting spam messages is just a temporary solution. What would be the best server-side way to prevent spam? I don't want extra user interaction, and I'm pretty certain spambots use random IPs.

Some of the options that I have in mind:
- lure the spambot into filling a hidden field (handler checks if the field still has the default value)
- content filtering (would require the handler to check the message against a database)

Most of the spam messages are pretty much the same. They contain a bunch of gibberish with a link every now and then. They also don't know how to fill the e-mail field.

Help appreciated.


The best solution would be a captcha (a random code the user must fill in). If you do not want the users to have to fill in extra stuff like a captcha, then you could put new entries in a moderation queue and you would have to approve/disapprove them manually.


Yeah, but I don't want any extra user interaction. I want to outsmart a spambot. Approve/disapprove would be a nice way, but it's not exactly what I want either. The captcha is a big letdown for me on registration pages. I could also include a checkbox like 'I agree with the posting terms and conditions' or something like that.


> - lure the spambot into filling a hidden field (handler checks if the field still has the default value)

That's a damn good idea! They might not fill in a hidden field though, but you could create a text field and then use CSS to set display: none. Give it a name like bodytext or comment and have your actual comment box be named something random like r2d2. That way anyone using a CSS-compliant browser will not see it, but it should hook every bot out there.

If a paranoid pirate ninja says so, I sure as he|| agree! :) I must admit tho, that the idea is not my own. All credits on this one are due to a co-worker who is also a PHP programmer.

STATUS: implemented. Result(s) tomorrow.

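		// The visible comment box has a meaningless name; the decoy inputs in the hidden div carry the names bots look for
		echo "<br><textarea rows=8 cols=35 name=gibgib></textarea></table>";
		echo "<div style=\"display: none\"><input type=text name=message><input type=text name=content><input type=text name=gcon></div>";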

Handler:

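			// Accept the post only if every hidden decoy field came back empty
			if ($_POST['gcon'] == "" && $_POST['content'] == "" && $_POST['message'] == "") {
				// The interpolated values must already be escaped for SQL at this point
				$query="INSERT INTO gastenboek VALUES ('','$gnam','$gmal','$page','$datum','$gdat','$gcon')";
				mysql_query($query);
			}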

1-19-07: no new spam messages yet. Let's not propagate this solution throughout the web - people might adapt their spambots. :)


  • 2 months later...

Haven't tried it, it may work. Spambots behave in different ways: some scan the whole form and then post depending on what the fields are called, and some just scan the action argument on the form tag and use default (or pre-scanned) field names.

I had a problem with the latter. I use captcha, but forgot to check if the code field (and the saved code) was empty (or even set), so the bot(s) kept posting as usual (ignoring the new code field), so it could keep posting...

But it should work on both types of bots.

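The captcha mistake described in the post above, next to a stricter check, as an added example that is not code from any poster. It assumes the original comparison was a plain equality between the posted field and the stored code, in which case a request carrying neither value compares "" with "" and is accepted; the field name `code`, the session key `captcha` and both function names are assumptions.

```php
<?php
// Added example; "code", "captcha" and the function names are assumptions.

/** Flawed check: a missing field and a missing stored code both become "",
 *  so a bot that never saw the captcha still passes the comparison. */
function captchaOkFlawed(array $post, array $session): bool
{
    return ($post['code'] ?? '') == ($session['captcha'] ?? '');
}

/** Stricter check: both values must be set, non-empty strings and equal.
 *  The stored code is consumed so one solved captcha cannot be reused. */
function captchaOk(array $post, array &$session): bool
{
    $expected = $session['captcha'] ?? null;
    unset($session['captcha']);              // single use, pass or fail
    $given = $post['code'] ?? null;
    if (!is_string($expected) || $expected === ''
        || !is_string($given) || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Constructed requests: a bot posting pre-scanned field names with no
// captcha field and no stored code, then a visitor who solved the captcha.
$botPost = ['name' => 'x', 'text' => 'spam'];
$session = [];
var_dump(captchaOkFlawed($botPost, $session));
var_dump(captchaOk($botPost, $session));

$session = ['captcha' => 'Cr4J9W'];
var_dump(captchaOk(['code' => 'Cr4J9W'], $session));   // first submission
var_dump(captchaOk(['code' => 'Cr4J9W'], $session));   // same code replayed
```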

How do you create a hidden textfield? / NEVER MIND you guys already posted that... hah sorry
Just found this thread by the original poster: http://w3schools.invisionzone.com/index.php?showtopic=12247

Seems like the spambots caught up with him eventually. I'm thinking about trying this method, but NOT HIDING the field, leaving it visible on the page. The field could be named "Name" or "Message" in the code, but you can label it "Please leave blank" on the actual page. Yes, users would see an extra pointless field when making their entry, but that still seems more user-friendly to me than the captcha-method... And only someone who is ACTUALLY LOOKING AT AND READING the page would know not to enter that field... Does that make sense at all?

It makes sense, but it's not user friendly. First, it's confusing to the users why there would be a text field at all that they aren't supposed to put anything into. Second, if someone typed anything into it, when they hit submit they would get rejected. You don't want to reject users. The best method is to hide the text field with CSS. Don't just create a normal hidden input, create a normal text input and use CSS to either move it off the screen, set the display to none, or put it under something else. It would be best to have normal CSS on the text field itself (CSS that won't hide it), and have another element (like a picture) be displayed over the text field so that the text field is concealed. That way, even if the script checked the CSS for the text field they wouldn't be able to tell that it is hidden.

But don't display a text field to the user and tell them to leave it blank; at worst that will confuse the user and at best it will make you look lazy.


> It makes sense, but it's not user friendly. First, it's confusing to the users why there would be a text field at all that they aren't supposed to put anything into. Second, if someone typed anything into it, when they hit submit they would get rejected. You don't want to reject users. The best method is to hide the text field with CSS. Don't just create a normal hidden input, create a normal text input and use CSS to either move it off the screen, set the display to none, or put it under something else. It would be best to have normal CSS on the text field itself (CSS that won't hide it), and have another element (like a picture) be displayed over the text field so that the text field is concealed. That way, even if the script checked the CSS for the text field they wouldn't be able to tell that it is hidden. But don't display a text field to the user and tell them to leave it blank; at worst that will confuse the user and at best it will make you look lazy.

Ooh, I like the idea of putting an image over it! Maybe even one that blends into the background, camouflaging it. Right now, I just placed the field way below everything else, so one would have to scroll to even get to it. And since there are only a few fields and the Submit button at the top, there would really be no need to scroll and look for anything else... but I like your idea a lot better.

If you use the hidden field trick - which does work btw - make sure you put the form field IN the <form> but below the last usable form field and below the submit button. For anyone who uses tabs to navigate through will end up in there whether you hide it with CSS or an image.

Do note that this is not good for the blind. If you really want some good insight, view this presentation in its entirety: https://admin.acrobat.com/_a204547676/p86736245/ (about 1hr)

But, the best way is to use this service: http://akismet.com/

Using their web service has proven far more effective than anything else, including CAPTCHA - which btw is not at all Section 503 compliant.


Alrighty, I implemented it. A field called "message", in the posting form and everything, it would even add its content to the guestbook entry if the entire post wasn't blocked. And it's located below the submit button, covered by an image that blends in with the background. Now the wait begins to see what happens! :)

EDIT: Is there a way to somehow log the failed attempts?


@justsomeguy - yep, you're right and I'd go as far to say that there probably isn't a single website that is S503 compliant. But implementing CAPTCHA will (without question) put an immediate stop to an impaired person's ability to use the related functionality. There is a lot of assistive technology that can get around most of the way we (yes including myself) abuse or take advantage of the inability to police coding standards. I simply mentioned it to make sure people are aware of the disadvantages of techniques introduced since the advantages are typically the only things communicated.

@TaustinPowers - what justsomeguy has not really detailed since it is understandably sort of obvious to many, is that since you have a form that posts to a page where code has been written to process the form, all you need to do is interject some additional code during that process. So, for instance, you might take all the information submitted in the form and just before you populate an email with it, you might insert that same information into a database or append it to a txt file you have on your site. If you research how to create and insert information into a database or research how to create and append a file with whichever server side scripting language (asp, php, coldfusion) you are using, then his statement is on point, you can do whatever you want to do.


A little note: You could add a link that says "Hear this text" (on CAPTCHA etc.) (I've seen it on some sites). The problem would be to generate the sound file.


That's an interesting alternative and although you might need to be as complex as CAPTCHA. Just having several one file and randomly selecting one might work . . . I'd have to throw that one around a little.


Well, if you have a text-to-speech program that happens to have a CLI, you can call it and have that program generate the audio file. What really bothers me is if such program will be able to put random sound effects all over so that speech-to-text programs can't beat it. Also, I don't know any such program. Do you?


> @TaustinPowers - what justsomeguy has not really detailed since it is understandably sort of obvious to many, is that since you have a form that posts to a page where code has been written to process the form, all you need to do is interject some additional code during that process. So, for instance, you might take all the information submitted in the form and just before you populate an email with it, you might insert that same information into a database or append it to a txt file you have on your site. If you research how to create and insert information into a database or research how to create and append a file with whichever server side scripting language (asp, php, coldfusion) you are using, then his statement is on point, you can do whatever you want to do.

Thanks for elaborating. :) I know that most of this stuff is self-explanatory for most people, I'm just really a PHP-newbie. But I already have a little script that adds email addresses to a text file (for a mailing list), so I'm sure I can find a way to have the guest book write to a text file as well, when the error is triggered. I'll just have to take some time and play around with it!
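The hidden-field handler posted earlier in the thread, combined with the logging of rejected posts asked about above, as an added example that is not code from any poster. The field names `gibgib`, `message`, `content`, `gcon` and the table `gastenboek` come from the thread; the `gnam`/`gmal` form fields, the column names, the log path, the function names and the use of PDO with in-memory SQLite for the demo are assumptions.

```php
<?php
// Added example. gibgib, message, content, gcon and gastenboek are from the
// thread; the gnam/gmal form fields, column names and log path are assumptions.
const HONEYPOTS = ['message', 'content', 'gcon'];

/** Names of the hidden decoy fields that came back filled in. */
function filledHoneypots(array $post): array
{
    return array_values(array_filter(HONEYPOTS, function ($name) use ($post) {
        $v = $post[$name] ?? '';            // an absent field counts as empty
        return is_array($v) || trim($v) !== '';
    }));
}

/** Append one JSON line per rejected post. */
function logRejected(string $file, array $post, array $hit, string $ip): void
{
    $text = is_string($post['gibgib'] ?? null) ? $post['gibgib'] : '';
    $entry = ['time' => date('c'), 'ip' => $ip, 'filled' => $hit,
              'sample' => substr($text, 0, 200)];
    // json_encode escapes newlines, so message text cannot forge log lines.
    $line = json_encode($entry, JSON_INVALID_UTF8_SUBSTITUTE);
    file_put_contents($file, $line . "\n", FILE_APPEND | LOCK_EX);
}

/** Store the entry, or log it and return false when a decoy was filled. */
function handlePost(PDO $db, array $post, string $ip, string $logFile): bool
{
    $hit = filledHoneypots($post);
    if ($hit !== []) {
        logRejected($logFile, $post, $hit, $ip);
        return false;
    }
    // Bound parameters keep user input out of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO gastenboek (naam, email, bericht, datum) VALUES (?, ?, ?, ?)');
    return $stmt->execute([$post['gnam'] ?? '', $post['gmal'] ?? '',
                           $post['gibgib'] ?? '', date('Y-m-d H:i:s')]);
}

// Constructed demo: in-memory SQLite stands in for the MySQL guestbook table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE gastenboek (naam TEXT, email TEXT, bericht TEXT, datum TEXT)');
$log = sys_get_temp_dir() . '/guestbook_rejected.log';
$human = ['gnam' => 'Anna', 'gmal' => 'anna@example.org', 'gibgib' => 'Nice site!',
          'message' => '', 'content' => '', 'gcon' => ''];
$bot = ['gnam' => 'x', 'gibgib' => 'buy now', 'message' => 'http://spam.example/'];
var_dump(handlePost($db, $human, '192.0.2.10', $log));
var_dump(handlePost($db, $bot, '192.0.2.66', $log));
```

Keep the log file outside the web root so the collected spam text is never served back to visitors.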

> Well, if you have a text-to-speech program that happens to have a CLI, you can call it and have that program generate the audio file.

You don't even need that. If you generate a string like "Cr4J9W", you wouldn't want a program trying to pronounce that. All you need are 36 audio files, one for each letter and number. What you would need to do is be able to join all of the individual files you need into one large file that you can stream to the user. I've seen Microsoft use the audio technique on their captcha sites.

Or gee, I guess you could do a Google search too. Look at result 1. http://www.google.com/search?client=opera&...-8&oe=utf-8

> You don't even need that. If you generate a string like "Cr4J9W", you wouldn't want a program trying to pronounce that. All you need are 36 audio files, one for each letter and number. What you would need to do is be able to join all of the individual files you need into one large file that you can stream to the user. I've seen Microsoft use the audio technique on their captcha sites. Or gee, I guess you could do a Google search too. Look at result 1. http://www.google.com/search?client=opera&...-8&oe=utf-8

Hm... that first CAPTCHA library is a nice one. Gotta test it sometime :). As for joining the audio files... that's a good idea, but again, you need additional files to be randomly placed between letters. Otherwise, speech-to-text programs could easily break through. If that Filtre thing could place audio effects within letters, it would be just awesome.