
Form Spam Bot Blocker: Protecting Web Forms Without CAPTCHA!





So I propose to look at the problem of protecting web forms from a different angle.

I assume you already know what CAPTCHA is; many of you probably use this technology in your projects.


Recently I downloaded a file from rapidshare.com, where you have to type in only the letters that have a cat attached to them.

(The correct answer is 'X6VK'.)


I failed to “recognize” the captcha on both my first and my second try. Is there really no other way to identify a real user? Probably there is, but then RapidShare is fighting not bots but hackers who deliberately “break through” RapidShare.


So this article is about bots, i.e. systems that automatically search for web forms and auto-submit them. I am sure that a targeted attack can get through any form; in that case the developer's efforts should go into maximizing the cost of a single submission.


I am against dragging the site's users into this “war”: in the RapidShare case I became a hostage of a “war of robots” between those that “protect” and those that “break through”.


The myth of CAPTCHA's “impenetrability”


The problems of breaking CAPTCHA are well described by Vladislav Thought. I advise skeptics to read that post. Below I briefly list the main points of the article.


It makes no sense to dwell on implementation vulnerabilities in CAPTCHA, where a developer forgets that:


  • the lifetime of the session should be limited
  • after the form is received, the session should be destroyed immediately
  • the submitted data should be checked for empty values



The main way to get around CAPTCHA is to recognize it. There are already many projects dedicated exclusively to CAPTCHA recognition; the two best known are the “UC Berkeley Computer Vision Group” and “PWNtcha”. The recognition success rate in both projects is quite high (each publishes a list of the CAPTCHAs it has already learned to recognize).


For very complex CAPTCHAs, spammers resort to human labour. Visitors to free porn sites are asked to solve a CAPTCHA test in order to view the next photo or video. The test itself is taken from the form on the server under SPAM attack, and the visitor's answer is inserted into that same form. The scheme is technically very simple to implement, and there is no shortage of porn lovers either :).


What can “catch” a spam bot


A year ago, digging through phpclasses.org, I came across a rather original PHP solution called Form Spam Bot Blocker. The developer of this PHP class went a different way: his approach does not require any additional input from the user.


The technique is based on how the user behaves, not on what he enters. The class creates hidden input tags with encrypted values, or visually hides (by means of CSS) fields that the spam bot does see. Combining several methods can really confuse a spam bot, even one that has just read the HTML code. Note that no CAPTCHA-, session-, cookie- or JavaScript-based methods are used here: only pure (X)HTML and small CSS inserts.


Basic ideas:


  1. The user (human or robot) must have the same IP address and the same HTTP User-Agent on the page with the HTML form and on the handler page that receives the POST or GET request. A user always visits the page with the HTML form first and only then reaches the handler; robots do not always do this, as they often access the target page directly with the required parameters. In other words: the page containing the HTML form must be loaded before the parameters are passed to the target page (the page that accepts the parameters), and the IP and the browser must be the same on both pages.
    The spam bot is forced to use the same IP and User-Agent when scanning and when attacking.

  2. The user is not affected by hidden tags whose names change daily.
    In fact, they could affect the user, for example if he opened the page with the form at 23:57 and sent the request at 0:06 (the next day), but there is a simple solution to this problem. Another piece of manual work for the robot is to pre-scan the HTML of the page containing the form and send a request with the scanned parameters. A daily change of the hidden parameter names forces the robot to re-scan the HTML pages before each attack.
    The spam bot is forced to pre-scan the form on the day of the attack.

  3. The form must be submitted within a certain time window. If the time between loading the form and submitting it is too short or too long, we are most likely dealing with a robot. For example, a user cannot fill in 6 fields in less than 2 seconds...
    The spam bot is forced to submit the form within a certain time window,
    scanning and attacking within it.

  4. The spam bot will try to fill every form element with some value.
    This is the best way to guarantee a successful submit. If a standard input tag is placed in the form and visually hidden from the user by means of CSS, the user will enter nothing in this field, but the spam bot will very likely not “see through” this and will fill the field in.
    The spam bot is forced to identify the visually hidden trap elements of the form and skip them when attacking.
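To make the four ideas concrete, here is an added illustrative reimplementation of the same scheme in Python (not the Form Spam Bot Blocker class's own PHP code): daily-rotating hidden field names, a MAC binding the load time to IP and User-Agent, a submission time window, and an empty CSS-hidden trap field. The secret, the field labels and the 2 s / 1 h window are my assumptions.

```python
import hashlib
import hmac

# Submission window: faster than this is a bot, slower is a stale (pre-scanned) form.
MIN_SECONDS, MAX_SECONDS = 2, 3600

def _day_key(secret: bytes, day: int) -> bytes:
    """Per-day key, so the hidden field names and MACs change every day."""
    return hmac.new(secret, b"day:%d" % day, hashlib.sha256).digest()

def _field_name(day_key: bytes, label: str) -> str:
    """Hidden field name for this label; unguessable without the secret."""
    return "f_" + hmac.new(day_key, label.encode(), hashlib.sha256).hexdigest()[:12]

def _mac(day_key: bytes, ts: int, ip: str, ua: str) -> str:
    """Binds the form load time to the client's IP and User-Agent."""
    return hmac.new(day_key, f"{ts}|{ip}|{ua}".encode(), hashlib.sha256).hexdigest()

def make_tags(secret: bytes, ip: str, ua: str, now: int) -> dict:
    """Name -> value pairs to emit as hidden inputs on the page that shows the form
    (now = Unix time of the page load). The empty 'trap' field is a normal text input
    hidden with CSS: humans leave it empty, a bot filling every field does not."""
    dk = _day_key(secret, now // 86400)
    return {
        _field_name(dk, "ts"): str(now),
        _field_name(dk, "mac"): _mac(dk, now, ip, ua),
        _field_name(dk, "trap"): "",
    }

def check_tags(post: dict, secret: bytes, ip: str, ua: str, now: int) -> bool:
    """True if the submission looks human; the handler-page counterpart of make_tags."""
    today = now // 86400
    # Also try yesterday's names: a form loaded at 23:57 may be submitted at 0:06.
    for day in (today, today - 1):
        dk = _day_key(secret, day)
        ts_name, mac_name, trap_name = (_field_name(dk, lbl) for lbl in ("ts", "mac", "trap"))
        if ts_name not in post or mac_name not in post:
            continue  # not this day's names; try the other key
        if post.get(trap_name, "") != "":
            return False  # honeypot filled in
        try:
            ts = int(post[ts_name])
        except ValueError:
            return False
        if not hmac.compare_digest(post[mac_name], _mac(dk, ts, ip, ua)):
            return False  # IP or User-Agent differs from the page load, or values tampered
        return MIN_SECONDS <= now - ts <= MAX_SECONDS
    return False  # expected fields absent: handler hit without loading the form first
```

The form page renders each pair from make_tags() as an input (the trap as a text input hidden via CSS); the handler calls check_tags() with the same secret and the request's IP and User-Agent.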



Experience using Form Spam Bot Blocker



A few weeks ago I deployed this class on a fairly well-visited and heavily loaded project in my organization. Per day, more than 1500-1700 “failed” attempts by bots to submit the form are recorded, against about 1200-1400 legitimate submissions. So far the percentage of spam that gets through is quite low (and it most likely comes not from bots but from “niche” spammers who partially automate their work with browser plug-ins).


Perhaps over time many bots will “break through” this defense. But I liked the approach; it can be modified and more traps can be added.


For particularly critical forms it can be combined with CAPTCHA; the two do not interfere with each other.


How to use this class


  1. Create the necessary tags on the page containing the form
    1. Optionally set the default values in the class source code (public variables)
    2. Include the class in your script
    3. Create an object: $blocker = new formSpamBotBlocker();
    4. Optionally, call public methods or set public variables to adapt the defaults to your web form.
    5. Output the tags inside your HTML form: print $blocker->makeTags();

  2. Check the $_POST or $_GET array to see if it contains
    valid parameters from the HTML form
     if ($_POST) {  // or $_GET
         $blocker = new formSpamBotBlocker();
         $nospam = false;
         $nospam = $blocker->checkTags($_POST);  // or $_GET
         if ($nospam) print "Successful submit";  // handle valid request
         else print "There is a suspicion that this is a SPAM bot";  // handle invalid request
     }


Source: https://habr.com/ru/post/27756/

