Reflections on automatic registration.
Currently, captchas are used to prevent automatic registration, but captcha generation takes server resource,
In the process of captcha selection, spammers use software that recognizes them with small probabilities, which is compensated by a large number of requests.
As a result, the spammer in the process of captcha selection will load our server to the limit.
I propose to answer with a symmetrical answer, namely, to load the client to such an extent that he physically could not register several accounts at the same time.
')
You can load for example:
1. We transfer to the client an "x" which is equal, for example, md5 (md5 (y) + z + md5 (a))
(we also transfer “a” from the previous formula, which is chosen randomly and serves to counteract the creation of databases of pairs x, yz on the client side)
2. We transfer the client javascript or flash to calculate the desired y and z using the brute force method.
3. We give him a captcha from the address Mysite / cap /? C = yzax (in case of missing 404)
I see the advantages of this method in that, unlike the caps, the xa, yz pairs on the server can be saved more because of their relatively small size (and the script itself can be placed in the cache since it is unchanged).
As a result, the server load when selecting a captcha should drop.
I will be glad additions and corrections.
upd: This method does not abolish the use of other methods, but only complements them if it is relevant.
In the process of captcha selection, spammers use software that recognizes them with small probabilities, which is compensated by a large number of requests.
As a result, the spammer in the process of captcha selection will load our server to the limit.
I propose to answer with a symmetrical answer, namely, to load the client to such an extent that he physically could not register several accounts at the same time.
')
You can load for example:
1. We transfer to the client an "x" which is equal, for example, md5 (md5 (y) + z + md5 (a))
(we also transfer “a” from the previous formula, which is chosen randomly and serves to counteract the creation of databases of pairs x, yz on the client side)
2. We transfer the client javascript or flash to calculate the desired y and z using the brute force method.
3. We give him a captcha from the address Mysite / cap /? C = yzax (in case of missing 404)
I see the advantages of this method in that, unlike the caps, the xa, yz pairs on the server can be saved more because of their relatively small size (and the script itself can be placed in the cache since it is unchanged).
As a result, the server load when selecting a captcha should drop.
I will be glad additions and corrections.
upd: This method does not abolish the use of other methods, but only complements them if it is relevant.
Source: https://habr.com/ru/post/46358/
All Articles