PHP Classes

possible enhancements?

Subject:possible enhancements?
Summary:Some discussion points about this class...
Messages:2
Author:rob webster
Date:2008-02-13 23:16:10
Update:2008-02-14 09:28:04
 

1. possible enhancements?
rob webster - 2008-02-13 23:16:10

I've only just found this class and not tried it yet but I've used another class (3817 Form Spam Bot Blocker) which uses a similar concept of hidden encrypted fields.

I found two problems.

Some, notably AOL, users triggered it.

An empty hidden field (the idea being if the hidden field was "found" and completed then the input was spam) could get filled accidentally by browser autofill so a valid form would be rejected.

So I based my own code on 3817 but assigned weightings to the results of the various spam tests and added a few of my own (like an email address found in a text field not designated as an email field, or attempts to embed HTML or program code. I validate input fields, so a line of address might be JavaScript-validated to 60 characters max; if the PHP gets more than 60 characters it suggests someone has circumvented the JavaScript).

I then look at the total "score". I have 4 bands.

Spaminess = 0 send the mail

Low spaminess value send the email but append a note of what test(s) failed.

Medium spaminess send the mail to a gmail account reserved for this purpose and itemise tests failed. I can monitor that account for false positives and progressively refine the system. (I run about 100 websites for small businesses and use the same gmail "medium spaminess" account for them all, checking it takes a couple of minutes a day).

High spam value, delete unread.

If the form submission has medium or high spam value I do alert the sender. This is for two reasons. I do want the spammers to know that they failed, otherwise they keep sending spam and share the address with other spammers so my server is doing loads of work deleting the junk. Also there is still a risk of false positives so I want to inform genuine users of the failure and suggest remedial measures (but only in very general terms so as not to give the spammers any help).

I've not shared my program because I'm ashamed of it, it's very badly written and I think a better coder such as yourself might be able to use the same ideas more effectively.

Although I'm finding the program very effective, I've also considered (but not done yet...) adding one of those captcha alternatives that generates a randomised, very simple maths problem (e.g. 3926 Math Guard) for the form user to complete. This is just in case at some future date the spammers work out how to get round the traps already there; I could, at the flick of a switch so to speak, enable an enhancement.

Another possibility I've considered is whether I could set up a single central form validator program shared by all my users so if I have a revised version I don't have to copy and tailor to 100 different websites.
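The weighted scoring and four-band routing described in the post above, written out as an added example. This is not code from the thread, from myAltCaptcha or from the 3817 class; the field names (`website` as the honeypot, `email`, `message`), the per-field length limits, the test weights, the band thresholds and the mailbox addresses are all assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Band labels for the four outcomes described in the post.
const BAND_CLEAN  = 'clean';   // score 0: deliver as normal
const BAND_LOW    = 'low';     // deliver, append the list of failed tests
const BAND_MEDIUM = 'medium';  // divert to a review mailbox with failed tests itemised
const BAND_HIGH   = 'high';    // discard unread

/**
 * Run each spam test over the submitted fields and return the weighted score
 * together with the names of the tests that fired.
 *
 * @param array<string,string> $post   submitted fields (normally $_POST)
 * @param array<string,int>    $limits per-field maximum length enforced client-side
 * @return array{score:int, failed:string[]}
 */
function scoreSubmission(array $post, array $limits): array
{
    // Test name => weight. Weights are illustrative; tune them against real traffic.
    $weights = [
        'honeypot_filled'         => 4, // strong signal, but browser autofill can trip it
        'email_in_text_field'     => 3, // an address in a field that is not the email field
        'markup_or_code'          => 3, // HTML or script-like content in any field
        'length_exceeds_js_limit' => 2, // client-side validation was bypassed
    ];
    $failed = [];

    // Honeypot: "website" is an assumed name of a field a human never sees.
    if (isset($post['website']) && trim($post['website']) !== '') {
        $failed[] = 'honeypot_filled';
    }

    foreach ($post as $name => $value) {
        if ($name !== 'email' && preg_match('/[\w.+-]+@[\w-]+\.[\w.-]+/', $value)) {
            $failed[] = 'email_in_text_field';
            break;
        }
    }

    foreach ($post as $value) {
        if (preg_match('/<\s*\/?\s*(a|script|iframe|img)\b|\[url=|<\?php/i', $value)) {
            $failed[] = 'markup_or_code';
            break;
        }
    }

    foreach ($limits as $name => $max) {
        if (isset($post[$name]) && mb_strlen($post[$name]) > $max) {
            $failed[] = 'length_exceeds_js_limit';
            break;
        }
    }

    $score = 0;
    foreach ($failed as $test) {
        $score += $weights[$test];
    }
    return ['score' => $score, 'failed' => $failed];
}

/** Map a score onto one of the four bands. Thresholds are assumptions. */
function band(int $score): string
{
    if ($score === 0) { return BAND_CLEAN; }
    if ($score <= 2)  { return BAND_LOW; }
    if ($score <= 5)  { return BAND_MEDIUM; }
    return BAND_HIGH;
}

/**
 * Decide where a submission goes. Returns the recipient, the body to send and the
 * band; a null recipient means "discard". Actual mail sending is left to the caller.
 *
 * @return array{band:string, to:?string, body:string}
 */
function routeSubmission(array $post, array $limits): array
{
    $result = scoreSubmission($post, $limits);
    $band   = band($result['score']);
    $note   = $result['failed'] === []
        ? ''
        : "\n\n[spam tests failed: " . implode(', ', $result['failed']) . ']';
    $body   = $post['message'] ?? '';

    return match ($band) {
        BAND_CLEAN  => ['band' => $band, 'to' => 'owner@example.com',       'body' => $body],
        BAND_LOW    => ['band' => $band, 'to' => 'owner@example.com',       'body' => $body . $note],
        BAND_MEDIUM => ['band' => $band, 'to' => 'medium-spam@example.com', 'body' => $body . $note],
        BAND_HIGH   => ['band' => $band, 'to' => null,                      'body' => ''],
    };
}

// Constructed sample submissions (not real traffic).
$limits = ['address1' => 60, 'name' => 40];
$genuine = ['name' => 'A. Customer', 'email' => 'a@example.org',
            'address1' => '12 High Street', 'message' => 'Please call me.', 'website' => ''];
$suspect = ['name' => 'A. Customer', 'email' => 'a@example.org',
            'address1' => str_repeat('x', 80), 'message' => 'visit <a href="http://example.net">here</a>',
            'website' => 'http://example.net'];

print_r(routeSubmission($genuine, $limits)); // band "clean", sent to the owner
print_r(routeSubmission($suspect, $limits)); // score 9: band "high", discarded
```

The review mailbox for the medium band is what makes the weights tunable: every diverted message carries the list of tests that fired, so a false positive shows immediately which test needs its weight lowered or its check narrowed.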

2. Re: possible enhancements?
Peter Barkway - 2008-02-14 09:28:04 - In reply to message 1 from rob webster
Rob,

Thanks for the advice. It is a good idea, as you say, to rate the level of spaminess and act accordingly. I'm always a bit paranoid about telling any potential spammer that they have failed and for a particular reason so purposely left that out and, as in the example file, make them believe that they succeeded but on reflection I guess I could open myself up to abuse of another sort.

I haven't come across the autofill problem but will play around with that just in case.

The class has more tricks to it than just setting up hidden fields: it hashes field names as well, and will randomly choose the names of any honeypots from an array that can be set up by yourself. It is designed primarily to fool playback bots and form-filling bots but still keep it simple for the user.

The reason for writing this class? Because so many people were starting to moan about the readability of images and also the extra steps required, so I decided it might be time to move away from images and all the problems associated with this, as it affects people with poor eyesight and therefore you have to be able to relay it with sound, etc.

As for your idea of a central CAPTCHA facility for all of your sites, I did come across a few people who offer that service already, so it is possible to let other people keep ahead of the game on your behalf; I think reCAPTCHA are one of them.

Thanks again for the advice and I will certainly look at putting the banding of spaminess into action and send email with test failures to a special account. In the meantime, I hope you find this class useful and secure.

Peter
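Hashed field names with a honeypot picked at random from a caller-supplied list, as mentioned in the reply above, written out as an added example. This is not the myAltCaptcha class's own code and does not show how that class does it: the use of HMAC-SHA256 to derive the names, the per-visitor secret kept in the session, the `__honeypot` key, the CSS-hidden wrapper and the `autocomplete="off"` attribute (added because of the autofill false positive raised in the first post) are all assumptions for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Derive a per-visitor map from logical field names ("name", "email", ...) to the
 * names actually emitted in the HTML, and pick one honeypot name at random.
 * The secret must be stored server-side (e.g. in the session) so the map can be
 * rebuilt on submit; a playback bot that replays an earlier form then sends the
 * wrong names.
 *
 * @param string[] $logicalNames  fields the form really needs
 * @param string[] $honeypotNames candidate names for the trap field (caller's choice)
 * @return array<string,string>   logical name => emitted name, plus '__honeypot'
 */
function buildFieldMap(array $logicalNames, array $honeypotNames, string $secret): array
{
    $map = [];
    foreach ($logicalNames as $name) {
        // 12 hex chars is enough to be unguessable for the session's lifetime.
        $map[$name] = 'f_' . substr(hash_hmac('sha256', $name, $secret), 0, 12);
    }
    // random_int() is cryptographically secure; rand() would be predictable.
    $map['__honeypot'] = $honeypotNames[random_int(0, count($honeypotNames) - 1)];
    return $map;
}

/** Render the inputs. The honeypot is hidden by CSS rather than type="hidden". */
function renderFields(array $map): string
{
    $html = '';
    foreach ($map as $logical => $emitted) {
        if ($logical === '__honeypot') {
            continue;
        }
        $html .= sprintf('<input type="text" name="%s" id="%s">' . "\n",
            htmlspecialchars($emitted, ENT_QUOTES), htmlspecialchars($emitted, ENT_QUOTES));
    }
    // autocomplete="off" reduces (does not eliminate) the risk of browser autofill
    // populating the trap; the wrapper is moved off-screen so humans never see it.
    $html .= sprintf(
        '<div style="position:absolute;left:-9999px"><input type="text" name="%s" autocomplete="off" tabindex="-1"></div>' . "\n",
        htmlspecialchars($map['__honeypot'], ENT_QUOTES)
    );
    return $html;
}

/**
 * Translate a submission back to logical names.
 *
 * @return array{fields:array<string,string>, honeypot_filled:bool, unknown:string[]}
 */
function decodeSubmission(array $post, array $map): array
{
    $fields  = [];
    $unknown = array_keys($post);
    foreach ($map as $logical => $emitted) {
        if ($logical === '__honeypot') {
            continue;
        }
        $fields[$logical] = $post[$emitted] ?? '';
        $unknown = array_diff($unknown, [$emitted]);
    }
    $honeypotFilled = trim($post[$map['__honeypot']] ?? '') !== '';
    $unknown = array_values(array_diff($unknown, [$map['__honeypot']]));
    return ['fields' => $fields, 'honeypot_filled' => $honeypotFilled, 'unknown' => $unknown];
}

// Constructed demonstration; in a real form the secret and map live in $_SESSION.
$secret = bin2hex(random_bytes(16));
$map    = buildFieldMap(['name', 'email', 'message'], ['website', 'fax', 'company_url'], $secret);
echo renderFields($map);

// A submission using the emitted names, with the trap left empty: treated as human.
$post = [$map['name'] => 'A. Customer', $map['email'] => 'a@example.org',
         $map['message'] => 'Hello', $map['__honeypot'] => ''];
print_r(decodeSubmission($post, $map));

// A replayed submission using the plain names: every field is "unknown" and empty.
print_r(decodeSubmission(['name' => 'x', 'email' => 'y', 'message' => 'z'], $map));
```

Because a filled honeypot can still be a human with aggressive autofill, the `honeypot_filled` flag is best fed into a weighted score (as in the first post) rather than used as a hard reject on its own, and the `unknown` list is a second signal: a submission whose names match none of the session's map was not produced from the form that was served.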