Form - Spam - Without Captcha or similar

woulduprefer

Hi guys,

Hope everyone is well.

I'm currently going through a process with a few others creating a
fairly simple voting website. There's currently a holding page up (with
the site's functionality) here - www.woulduprefer.co.uk.

We've been experiencing a large number of spam posts over the past few
days (this is currently what's stopping us from going live). The bot is
simply selecting one of the options and clicking submit a number of
times.

To try and stop this we put a simple script in place so that if the
question ID and IP of the submitter matched the last entered record,
the radio buttons and submit button are hidden. Try it. If you vote,
click submit, you'll get taken to the same page without the form
components. I was sure this would stop the issues occurring, but I was
wrong.

Obviously given the nature of the site/forms, I can't add a captcha (or
similar random words/codes) because that would ruin the whole point.

Has anyone come up with some clever if statements (or any other
solutions) for a similar problem?

Any help is much appreciated.

Regards
WYP
 
Daniel Crichton

Hi guys,

Hope everyone is well.

I'm currently going through a process with a few others creating a
fairly simple voting website. There's currently a holding page up (with
the site's functionality) here - www.woulduprefer.co.uk.

We've been experiencing a large number of spam posts over the past few
days (this is currently what's stopping us from going live). The bot is
simply selecting one of the options and clicking submit a number of
times.

To try and stop this we put a simple script in place so that if the
question ID and IP of the submitter matched the last entered record,
the radio buttons and submit button are hidden. Try it. If you vote,
click submit, you'll get taken to the same page without the form
components. I was sure this would stop the issues occurring, but I was
wrong.

The bot won't ever see the resulting form, it'll just keep using the initial
form. Put the checking code in place on the server side when processing the
form data and reject it there when it's submitted, don't rely on anything
client side.

Obviously given the nature of the site/forms, I can't add a captcha (or
similar random words/codes) because that would ruin the whole point.

Has anyone come up with some clever if statements (or any other
solutions) for a similar problem?

I ended up dealing with an issue on a few of my own sites where comment
forms were being abused to post URLs in order to increase Google page ranks
(luckily we moderate all comments so they were never made public on the
site, but it was annoying to have to clear them all out and find the real
comments), and so added a small piece of code to generate a unique random
number (not one already used for a submission), and another number as a
checksum for that number (say combine the random number with a constant
string, and then md5 hash the result to get the checksum), and include those
as hidden fields in the form. When the form is submitted the checksum is
calculated for the number, compared to the checksum passed in the hidden
field, and if they match then the random number is checked against existing
submissions - if it's there, the comment is discarded as a duplicate as that
instance of the form had already been processed. GUIDs make handy random
numbers as they are pretty much guaranteed to be unique, and are easily
generated with a simple API call. It sounds complicated, but it's actually
pretty simple and very effective - the form can only be submitted once, and
unless the bot author can figure out how you calculate your checksum there's
no way to generate new random numbers and matching checksums.

Dan
 
Daniel Crichton

Daniel wrote to (e-mail address removed) on Fri, 1 Dec 2006
14:53:17 -0000:
The bot won't ever see the resulting form, it'll just keep using the
initial form. Put the checking code in place on the server side when
processing the form data and reject it there when it's submitted, don't
rely on anything client side.
I ended up dealing with an issue on a few of my own sites where comment
forms were being abused to post URLs in order to increase Google page
ranks (luckily we moderate all comments so they were never made public on
the site, but it was annoying to have to clear them all out and find the
real comments), and so added a small piece of code to generate a unique
random number (not one already used for a submission), and another number
as a checksum for that number (say combine the random number with a
constant string, and then md5 hash the result to get the checksum), and
include those as hidden fields in the form. When the form is submitted the
checksum is calculated for the number, compared to the checksum passed in
the hidden field, and if they match then the random number is checked
against existing submissions - if it's there, the comment is discarded as
a duplicate as that instance of the form had already been processed. GUIDs
make handy random numbers as they are pretty much guaranteed to be unique,
and are easily generated with a simple API call. It sounds complicated,
but it's actually pretty simple and very effective - the form can only be
submitted once, and unless the bot author can figure out how you calculate
your checksum there's no way to generate new random numbers and matching
checksums.

Oh, the bot can still pull another instance of the form up and get the
server generated hidden fields. However, in my experience so far, none of
the bots have done that - they pulled a form instance once, and then just
submitted over and over again using just the POST variables, which is why
they've been caught out. There's nothing stopping requesting the form again
and getting new random values that will work - but then again there's
nothing stopping a human doing the same thing anyway.

The only real solution is to use a captcha, but as you said yourself that
just makes your form more awkward to use. Personally I don't see a problem
using one though - but rather than using the obscured text ones, use a
random question and answer one where the user has to type the answer in. The
bots are getting better at handling the image text ones, and often do a
better job of interpreting the text than a human could. I've had a few forum
signup forms recently where I had real trouble reading the letters in the
captcha, and I gave up on a couple of them - and I have near perfect vision,
imagine the hassle for someone with vision problems!

Dan
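The single-use hidden-field scheme from Dan's reply, with the follow-up caveat that a re-fetched form yields fresh valid values, as an added example that is not code from the thread. It uses a GUID as the random number, but swaps the "md5 of number plus constant string" checksum for an HMAC-SHA256 keyed with a server secret and binds the question ID into it; the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
import uuid


class VoteFormGuard:
    """Issues single-use form tokens and validates votes entirely server side."""

    def __init__(self, secret: bytes):
        self.secret = secret
        # In production this would be a table keyed by nonce; a set keeps the example self-contained.
        self.used_nonces: set[str] = set()

    def checksum(self, question_id: str, nonce: str) -> str:
        # Keyed HMAC stands in for the post's md5(number + constant string).
        # Binding the question ID stops a token issued for one poll being spent on another.
        msg = f"{question_id}:{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def render_form_fields(self, question_id: str) -> dict:
        # GUID as the "random number" hidden field, as the post suggests.
        nonce = uuid.uuid4().hex
        return {"question_id": question_id, "nonce": nonce,
                "checksum": self.checksum(question_id, nonce)}

    def accept_vote(self, post: dict) -> tuple[bool, str]:
        qid = post.get("question_id", "")
        nonce = post.get("nonce", "")
        chk = post.get("checksum", "")
        # Constant-time compare: hidden fields were forged or tampered with if this fails.
        if not hmac.compare_digest(chk, self.checksum(qid, nonce)):
            return False, "bad checksum"
        # A replayed POST reuses a nonce that has already been processed.
        if nonce in self.used_nonces:
            return False, "duplicate"
        self.used_nonces.add(nonce)
        return True, "counted"


def demo() -> list[str]:
    """Walks through the cases discussed in the thread and returns each outcome."""
    guard = VoteFormGuard(secrets.token_bytes(32))
    fields = guard.render_form_fields("q42")        # constructed sample poll
    first = guard.accept_vote({**fields, "choice": "a"})
    replay = guard.accept_vote({**fields, "choice": "a"})           # bot resends the same POST vars
    forged = guard.accept_vote({**fields, "nonce": uuid.uuid4().hex})  # bot invents a new nonce
    cross = guard.accept_vote({**guard.render_form_fields("q42"), "question_id": "q43"})
    fresh = guard.accept_vote({**guard.render_form_fields("q42"), "choice": "b"})  # re-fetched form
    return [first[1], replay[1], forged[1], cross[1], fresh[1]]
```

The last case is the limit Dan points out: anyone who requests the form again gets new values that pass, so this stops replayed POSTs, not a bot that fetches a fresh form per submission.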
 
Trevor L.

Daniel said:
The only real solution is to use a captcha, but as you said yourself
that just makes your form more awkward to use. Personally I don't see
a problem using one though - but rather than using the obscured text
ones, use a random question and answer one where the user has to type
the answer in. The bots are getting better at handling the image text
ones, and often do a better job of interpreting the text than a human
could. I've had a few forum signup forms recently where I had real
trouble reading the letters in the captcha, and I gave up on a couple
of them - and I have near perfect vision, imagine the hassle for
someone with vision problems!

I am very much a beginner in ASP and my website below is not very complex.

But I addressed the problem of SPAM to my guestbook by a captcha. I actually
generated it only once and then saved the image, so it doesn't vary for each
visit. An MVP (sorry forgotten who) said he does similar and doesn't find
the static image makes any difference.

But the point of my post is that I also find it difficult to read the
captcha image on my own page. Of course I know what it is. If my memory gets
really bad, it is stored in an .inc file which is not public but that hasn't
happened yet ;-))

I wonder whether creating an image with a script font e.g. Brush Script
would work as well as or better than a captcha image
--
Cheers,
Trevor L.
[ Microsoft MVP - FrontPage ]
MVPS Website: http://trevorl.mvps.org/
----------------------------------------
 
Daniel Crichton

Trevor wrote on Sat, 2 Dec 2006 10:35:24 +1100:
I am very much a beginner in ASP and my website below is not very complex.

But I addressed the problem of SPAM to my guestbook by a captcha. I
actually generated it only once and then saved the image, so it doesn't
vary for each visit. An MVP (sorry forgotten who) said he does similar and
doesn't find the static image makes any difference.

But the point of my post is that I also find it difficult to read the
captcha image on my own page. Of course I know what it is. If my memory
gets really bad, it is stored in an .inc file which is not public but that
hasn't happened yet ;-))

I wonder whether creating an image with a script font e.g. Brush Script
would work as well as or better than a captcha image

I think it depends on what you're hosting, and whether it's similar to other
sites. For instance, there are plenty of bots targeting phpBB or PHP-Nuke
sites (or other heavily used similar CMS and forum systems), I've had to
harden my own personal site and those of some friends against being hit
by these (they post comments or attempt hundreds of registrations in the
hope that the default settings are in place that will let Google pull up the
comments/member list and so increase their page rank). Even with captchas
these sites were still being hit and the captchas bypassed, probably because
the bots were written to process the captchas and so bypass the normal
checks for a human (in each case the sites I've cleaned up and modded had
captchas enabled and yet the bots still got in).

If your script is homegrown and so unlike anyone else's then anything is
likely to stop a bot in its tracks. Often the bot writers won't be bothered
about trying to go back and fix the posting script for one site.

Dan