Note that I'm not claiming that I have the absolute best way to go about doing this, but I do have my opinions.

If a form mail spamming software is going to go through the process of parsing JavaScript and CSS, it wouldn't be a leap at all to see them parsing CAPTCHAs. There is open source CAPTCHA parsing code, and it has been around for a long time, and spammers are known to use this code for at least cracking accounts at places like Hotmail and Yahoo for some time.

If I was a spammer, I would start cracking CAPTCHAs before I bothered with JavaScript and CSS. While there may very well be code out there that mimics keystrokes and the like, spammers are not trying to hit 100%, and that's why adding DIV visibility hidden fields fools these guys.

I do consider CAPTCHAs a barrier for legitimate users, and I personally feel they are a pain, especially if they are messed up enough to not be easily broken with CAPTCHA parsing code. Since this is the most common automation blocking method, it is also the most likely to fail to protect things down the line.

My take is to do something custom/non-standard, and essentially reverse engineer their methods. They test forms for success, so you fool them by pretending there is success. If a simple solution like DIV visibility hidden used on extra fields that will cause the mail not to be sent, but nevertheless verified, stops working, then I would jump to other methods. They have to have a payload, so blocking URLs with JavaScript is appropriate for many contact forms, and you check for URLs in the mail sending script and pretend success if found. Again, spammers won't know the difference, and they aren't going to great lengths to obfuscate URLs currently, so that would be 100% effective, but an occasional pain for visitors who for some reason desire to send URLs.

I also like some of Mark's designer's tricks, and there are tons of tricks out there that can be effective. For instance, you could use JavaScript to read the screen sizes, and if they are too small, or non-existent, you pretend success, but do not send the E-mail.

The pretend success is a major component of all of these tricks, and it is easy enough to create some sort of multi-factor hurdle that is just too custom for a generic form submission program to get right. CAPTCHAs on the other hand are a burden for legitimate users, and their utility will likely disappear in time, whereas these other methods are neither a burden, nor are they likely to cease being effective.

That's my take on it.

Matt



Darin Cox wrote:
Hmmm... good idea. Though the testing/form filler tools I've seen aren't using pasting. They are generating keystrokes and targeting them into the appropriate fields. With the tools I've seen, the ability exists to put pauses in, but that would effectively restrict volume submissions for a spammer, and therefore cut down significantly on traffic. The only drawback is for forms that a user accesses multiple times and may use previously submitted data. In those cases, they might resubmit the form as-is, thus invalidating the timer. Also, note that the confirmation page is CAPTCHA.

Darin.
----- Original Message -----
*From:* Marc Catuogno <mailto:[EMAIL PROTECTED]>
*To:* declude.junkmail@declude.com <mailto:declude.junkmail@declude.com>
*Sent:* Wednesday, April 09, 2008 12:22 PM
*Subject:* RE: [Declude.JunkMail] form spam filter

One thing we did on our domain is to ban "pasting" so that the scripts couldn't paste their info into our fields. Also I just had an idea and asked the webmaster if he could program the form to perform a different action if the form page was opened for too short of a time period. Like shoot to a second page that would ask for a confirmation click or word to be typed in. This assumes that a person would take significantly more time to fill a form than a program, even if it is a keystroke generator.

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Darin Cox
*Sent:* Wednesday, April 09, 2008 11:54 AM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] form spam filter

Matt,

I did understand. What I'm saying is that it doesn't always work. To clarify, in addition to less sophisticated automated form fillers that would fill out all fields, there are also more sophisticated ones that use keystroke generators to fill out forms. I just saw one in the public domain last month. CAPTCHA doesn't have this problem, would defeat those automated form fillers, and is therefore more reliable with similarly very little effort to implement.


Darin.

----- Original Message -----
*From:* Matt <mailto:[EMAIL PROTECTED]>
*To:* declude.junkmail@declude.com <mailto:declude.junkmail@declude.com>
*Sent:* Wednesday, April 09, 2008 11:45 AM
*Subject:* Re: [Declude.JunkMail] form spam filter

No, I understood completely. I've seen forms with fields hidden by DIVs still filled out. Some of the less sophisticated spam form fillers I've seen used simply filled out every field. They were not looking to see what was "visible" and what wasn't.

Actually this is the part that you misunderstood. The DIVs with visibility hidden will never be filled out by real people, but they will get filled out by form spam sending robots. So if they get filled out, you pretend the submission was successful, but you don't generate the E-mail.

It's a simple trick, and it works.

Matt

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
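The three server-side checks the thread argues about (Matt's hidden honeypot fields and URL-in-body check, Marc's too-fast-to-be-human timer) all hinge on the same design point: the handler answers every submission with the same "thanks" page and only varies whether mail is actually sent. The following is an added illustration of that pattern, not code from any list member; the field names `website` and `fax`, the 5-second threshold and the `render_ts` hidden field are constructed assumptions.

```python
import hashlib
import hmac
import re
import time
from dataclasses import dataclass

# Constructed honeypot field names: rendered with a CSS-hidden DIV, so a
# person never sees them, while a fill-every-field bot populates them.
HONEYPOT_FIELDS = ("website", "fax")
# Assumed threshold below which a submission is too fast to have been typed.
MIN_FILL_SECONDS = 5.0
# Catches the plain, unobfuscated links the thread says spam payloads carry.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
# Constructed secret used to sign the render timestamp so a client cannot
# back-date it; in a real deployment load this from configuration.
SECRET = b"example-secret-not-for-production"


@dataclass
class Outcome:
    send_mail: bool  # whether the handler should really send the e-mail
    reason: str      # why it was accepted or silently dropped (for logging)


def sign_render_time(rendered_at):
    """Value for the hidden 'render_ts' field: '<timestamp>.<hmac>'."""
    ts = str(int(rendered_at))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_render_time(token):
    """Return the signed timestamp, or None if the token is missing/forged."""
    try:
        ts, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return int(ts)


def classify_submission(fields, now=None):
    """Decide whether a contact-form POST looks like a person or a robot."""
    now = time.time() if now is None else now
    # 1. Honeypot: any content in a hidden field marks the submission as automated.
    for name in HONEYPOT_FIELDS:
        if fields.get(name, "").strip():
            return Outcome(False, f"honeypot field '{name}' was filled")
    # 2. Timer: the form page was rendered less than MIN_FILL_SECONDS ago.
    rendered_at = verify_render_time(fields.get("render_ts"))
    if rendered_at is None:
        return Outcome(False, "missing or forged render timestamp")
    if now - rendered_at < MIN_FILL_SECONDS:
        return Outcome(False, "form submitted too quickly")
    # 3. Payload: spam needs a link; most genuine contact messages do not.
    if URL_RE.search(fields.get("message", "")):
        return Outcome(False, "URL found in message body")
    return Outcome(True, "ok")


def handle_post(fields, now=None, send=lambda f: None, log=lambda r: None):
    """Return the response body; mail goes out only for accepted submissions.

    The response text is identical in every case, which is the 'pretend
    success' the thread relies on: a bot testing the form for success sees it."""
    outcome = classify_submission(fields, now)
    log(outcome.reason)
    if outcome.send_mail:
        send(fields)
    return "Thanks, your message has been sent."


if __name__ == "__main__":
    # Constructed sample: a form rendered 30 seconds ago, filled in by a person.
    human = {"message": "Hello, is the shop open on Sunday?",
             "render_ts": sign_render_time(time.time() - 30)}
    print(handle_post(human, send=lambda f: print("mail sent")))
```

Darin's caveat about users resubmitting a cached form applies to the timer check only: a stale but validly signed `render_ts` passes, and a missing one is dropped, so log the `reason` for each silent drop and review it occasionally to catch real visitors the rules catch by mistake.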