
Fighting robots. Explanations.

After reading my notes about the beginning of my struggle with robots, many readers suggested standard tools like CAPTCHA or input fields hidden with CSS. There were also non-standard options: image recognition (is it a cat or a dog in the picture?), analysis of mouse movement around the page before a comment is submitted, or deliberately confusing field names.



Some of these methods I like, some I don't. For example, despite the effectiveness of CAPTCHA as a spam filter, using it seems impractical to me, and the same goes for image recognition. Think about it: the user has to prove every single time that he is not a camel. In his place, I would be offended.



Other ways to draw a line between robots and real people, such as analyzing mouse movement on the page before a comment is submitted, seem too complicated to me. You can achieve the same result by simply checking whether the visitor supports JavaScript. Either way, users with JavaScript disabled are left overboard, which is not good, even though there are few of them. Also, keep in mind that client-side scripts are very easy to emulate, so they are not suitable for serious security systems.
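For illustration, here is a minimal sketch of such a JavaScript-support check. The idea: the page contains a hidden field (here hypothetically called "js_token") that a small client-side script fills with a server-issued token before submitting; the server then verifies it. The field name, secret, and helper names are my assumptions, not part of the original post.

```python
import hmac
import hashlib

SECRET = b"change-me"  # server-side secret, hypothetical value


def issue_token(session_id: str) -> str:
    """Token embedded in the page; client-side JS must copy it into the form."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def looks_like_js_client(form: dict, session_id: str) -> bool:
    """True if the form contains the token that only a JS-running client would set."""
    submitted = form.get("js_token", "")
    return hmac.compare_digest(submitted, issue_token(session_id))
```

Note that a bot which executes JavaScript, or simply replays a captured token, passes this check, which is exactly the "easy to emulate" weakness mentioned above.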



But the methods invisible to the ordinary user seem to me the most successful. On small projects that do not need protection from specialized robots, such solutions are worth using. One is hiding (display: none) a special input field "for spammers": an ordinary user will never see it, but a robot will write something into it. You can also confuse the field names, for example calling the e-mail address field "name"; as a result, the spammer's name ends up in it and fails validation. A rough sketch of such a check is shown below.
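This is a rough, framework-agnostic sketch of the honeypot and confused-field-names idea. The field names ("website" as the hidden honeypot, "name" as the disguised e-mail field) and the validation regex are my assumptions for illustration.

```python
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def looks_like_spam(form: dict) -> bool:
    """Return True if the submitted form was most likely filled in by a robot."""
    # 1. Honeypot: the "website" field is hidden with display: none,
    #    so a real visitor leaves it empty; a robot usually fills it.
    if form.get("website", "").strip():
        return True

    # 2. Confused names: the field used for the e-mail address is actually
    #    called "name" in the markup. A robot that fills fields by name puts
    #    a person's name there, which then fails e-mail validation.
    if not EMAIL_RE.match(form.get("name", "").strip()):
        return True

    return False


# A robot fills in everything it sees; a person only what is visible.
print(looks_like_spam({"website": "http://spam.example", "name": "John Smith"}))  # True
print(looks_like_spam({"website": "", "name": "reader@example.com"}))             # False
```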


The methods in this last group are good primarily because the user does not have to prove to anyone that he is not a spammer; the spammers give themselves away. In the worst case, the user merely has to confirm each time that he is not a camel by leaving the spammer field empty. It seems to me that this approach will become more popular over time than relying on CAPTCHA alone, despite the effectiveness of the latter.



Large services already show a CAPTCHA only to screen potentially robotic users: for example, those who could not remember their password on the first attempt, or those who leave more than 5 comments in 5 minutes. That is, a presumption of innocence applies: the user is considered a person until he does something uncharacteristic of a person but typical of a robot. This attitude can be developed further by analyzing not only the user's current actions but his entire accumulated history, as in the sketch below.
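A small sketch of this "presumption of innocence" idea: only challenge users whose recent behavior looks robotic. The triggers (a failed password attempt, more than 5 comments in 5 minutes) come from the examples above; the data structures and function names are my assumptions.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60
MAX_COMMENTS_IN_WINDOW = 5

comment_times: dict = defaultdict(deque)   # user_id -> timestamps of recent comments
failed_logins: dict = defaultdict(int)     # user_id -> consecutive failed login attempts


def record_comment(user_id: str, now: float | None = None) -> None:
    comment_times[user_id].append(time.time() if now is None else now)


def should_show_captcha(user_id: str, now: float | None = None) -> bool:
    """Challenge the user only after robot-like behavior, never by default."""
    now = time.time() if now is None else now

    # Trigger 1: could not remember the password on the first attempt.
    if failed_logins[user_id] >= 1:
        return True

    # Trigger 2: more than 5 comments within the last 5 minutes.
    recent = comment_times[user_id]
    while recent and now - recent[0] > WINDOW_SECONDS:
        recent.popleft()
    return len(recent) > MAX_COMMENTS_IN_WINDOW
```

The same skeleton extends naturally to longer-term history: instead of a 5-minute window, the accumulated record of a user's past behavior feeds the decision.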



Unfortunately, I do not have detailed statistics on robots and their behavior. It would be a good subject for research; maybe I will even do it myself. With such statistics, it would be possible to talk about robots more concretely and cite specific numbers. Admit it, it would be interesting to know what percentage of robots can bypass a particular kind of protection, or possess special skills, for example handling JavaScript or disguising themselves as living people while navigating a site. That would make it possible to build a site's spam protection policy more effectively.



Let me draw an analogy. Just as a casino watches its visitors without interfering with their play and tries to spot cheaters by analyzing their behavior, I would like to see site protection systems that detect spam robots by looking not only at their immediate actions but at their past history and behavioral patterns. With that kind of information, I think robots (including specialized ones) can be identified quite effectively without disturbing ordinary users.



taken from my blog

Source: https://habr.com/ru/post/25133/


