Honeypots, captchas and spam bots

GreGorGy

I had captchas - they suck and are very often undecipherable. Honeypots present their own problems. So, I figured a new scheme might work. Not my idea, mind you, something I picked up on my travels. A hidden field in the form records the epoch time. The responder checks the difference between the form's time and its time. If it is less than X seconds, then the form was quite obviously auto-completed.

Anyone use similar solutions? I have just coded it this morning and I am keen to see what the threshold will be for human versus bot completion.

Would such an idea even work? Are there pitfalls?
 
The drag and drop picture reconstruction captcha seems to be fairly effective.
 
fast typists and autocomplete might suck

Thought about that - timed myself using both methods. This form simply cannot be completed in under 3 seconds. I won't be trashing those that are - they just get labelled and come to me instead of the client. But that is a valid point.
 
The drag and drop picture reconstruction captcha seems to be fairly effective.

except for people with disabilities. What I do not like about captchas, besides the legibility issue, is that they require the user to do something - "Hello customer. Prove you want to do business by being messed around by me for 2 seconds."
 
No need - this particular form is specific and the message part would have to be completed for it to make sense.

Do it anyway. Filling in a name and perhaps a message subject takes a few precious seconds extra, without annoying the user too much. Then make the time threshold about 10-15 seconds.
 
Do it anyway. Filling in a name and perhaps a message subject takes a few precious seconds extra, without annoying the user too much. Then make the time threshold about 10-15 seconds.

Given that I am trialing this week, I will in fact do that on Wednesday or so - then I can compare. At the moment, the form just records the times and informs me - that will allow me to gather more data on both scenarios. Thanks.
 
What if the captcha were animated...the letters moving around and you just had to enter them in any order. Striped or animated backgrounds would make it much harder for spambots to detect the letters.

I'm still not a huge fan of captchas though and it's surprising that the most popular solution is to demand that the user decipher untidy, mish-mashed letters and numbers to get to the next phase.
 
What if the captcha were animated...the letters moving around and you just had to enter them in any order. Striped or animated backgrounds would make it much harder for spambots to detect the letters.

I'm still not a huge fan of captchas though and it's surprising that the most popular solution is to demand that the user decipher untidy, mish-mashed letters and numbers to get to the next phase.

Too easy. Bot can simply take a snapshot and easily decipher.
 
What if the captcha were animated...the letters moving around and you just had to enter them in any order. Striped or animated backgrounds would make it much harder for spambots to detect the letters.

Any captcha - animated, easily read, moving picture, simply maths - is unacceptable for me. I do not want a real customer to be annoyed by the website's need to have less spam. Something many people that use captchas - be they the messy things or this animation suggested above or moving picture parts - miss is that person with disabilities struggle tremendously. Poor sighted folk are screwed, end of story. Mobility restricted individuals are already at pains to attempt contact. Another hurdle is not going to be welcomed by them either.

While this particular client has few (if any) people with disabilities, other clients have many - one is solely that - and therefore a blanket solution would need to include all people.
 
Too easy. Bot can simply take a snapshot and easily decipher.
Yeah :). With regards to the OP - wouldn't it also be an easy fix for spambots to simply implement a delay in filling out a form? For the bot time is irrelevant, so it could just be standard protocol that it delays the field input.
 
Why not use JavaScript to check if there are actual keystrokes? You only need to check the 26 letters of the alphabet, or even just the vowels.

A bot would simply find textboxes and change their values, not pass keystrokes.
 
Yeah :). With regards to the OP - wouldn't it also be an easy fix for spambots to simply implement a delay in filling out a form? For the bot time is irrelevant, so it could just be standard protocol that it delays the field input.

It would - if such a solution was in popular deployment AND prevented submission of the form. Bot arrives, grabs fields, submits. The time traps live on the PHP side and the bot knows nothing about these, assuming success, and moves on.

But that is part of my data gathering this week - to see how long a bot takes to complete the form.
 
Why not use JavaScript to check if there are actual keystrokes? You only need to check the 26 letters of the alphabet, or even just the vowels.

A bot would simply find textboxes and change their values, not pass keystrokes.

Now that is a VERY interesting suggestion. The form would have to get an email address to process anything. So a guaranteed keystroke set would be @ and dot. I think once this time thing is tested, I am gonna look at this concept.
 
Now that is a VERY interesting suggestion. The form would have to get an email address to process anything. So a guaranteed keystroke set would be @ and dot. I think once this time thing is tested, I am gonna look at this concept.

I'll forward you the bill for my consulting fees. :p
 
This is easily circumvented. Just add a delay to the bot either between entry of each field or submission of the form.

I know - but as explained for the tl;dr crowd - the circumvention is only necessary if the submission fails. Here's the logic:
Code:
FORM:
<input type="hidden" name="spam" value="<?php echo date("U"); ?>">

HANDLER:
<?php
// The hidden field holds the epoch second at which the form was rendered.
$rendered = (int) $_REQUEST["spam"];
if (date("U") >= ($rendered + 3)) // the form took at least 3 secs to complete
  {
   //send mail
  }
header ("Location: formposted.php");

The spambot has no idea it has failed so why would it want to now add a delay? What would it gain from even thinking of a delay? It is a bot, not an AI megamind.
 
Correct, but as my previous reply states, this would require that the user have JavaScript enabled on their side. Unfortunately each method has its downside and, from the administrator's point of view, they need to decide where they draw the line.

This is just as good a method as using the client-side check box, and in my opinion the best method to determine a bot.

Though, always a combination of two or three methods would be better in the long run.

Not enabling JS on your browser in this day and age would render the web a complete cluster****. Try it. No normal person uses a computer without JS enabled.

Power users would use NoScript to disable JS on specific sites where it is annoying.
 