Once again about captcha
Now on Habré has become very popular topic of protecting forms from bots. I got the impression that most writers are not fully aware of this task. Here I will try to give a brief overview of the problems faced by developers and some solutions.
1) We do not protect against random spam bots (for a regular parser that reads information and sends forms, minimal protection is enough)
2) Our service is interesting enough for spammers or other robots, i.e. we will do the protection which will be carefully studied (if you want to protect your blog, it is enough to change the field names and / or to substitute an invisible form)
3) Our product is distributed (i.e. it is standardized)
4) To maintain popularity, users should be comfortable.
1) Substitution and sending of any fields as well as getting any pages without problems.
2) Statistical handlers
3) Image Tools
4) Knowledge of technology is not worse than you and me !!!
UPD : 5) Use in components of bots of browsers
And now we look at most of the published articles and we feel sad, because means of malefactors allow to make protection round without problems.
')
1) Statistics tend to infinity (google captcha a bunch of very different fonts)
2) Custom solutions (rapidshare with cats and delay)
3) Hard-formed and difficult-to-recognize captcha (yandex)
4) For common engines, the generated protection depending on the parameters (variations tend to infinity) is similar to 1, but here is not a common base but the uniqueness of each instance (bitrix recently)
UPD: The method of form generation by the Ajax from the session was raised by friends and its failure was recognized on an industrial scale because there are bots using ie, firefox, etc.
Terms of the task of form design
1) We do not protect against random spam bots (for a regular parser that reads information and sends forms, minimal protection is enough)
2) Our service is interesting enough for spammers or other robots, i.e. we will do the protection which will be carefully studied (if you want to protect your blog, it is enough to change the field names and / or to substitute an invisible form)
3) Our product is distributed (i.e. it is standardized)
4) To maintain popularity, users should be comfortable.
Malicious tools
1) Substitution and sending of any fields as well as getting any pages without problems.
2) Statistical handlers
3) Image Tools
4) Knowledge of technology is not worse than you and me !!!
UPD : 5) Use in components of bots of browsers
And now we look at most of the published articles and we feel sad, because means of malefactors allow to make protection round without problems.
')
Possible areas of problem solving applied with a certain degree of success
1) Statistics tend to infinity (google captcha a bunch of very different fonts)
2) Custom solutions (rapidshare with cats and delay)
3) Hard-formed and difficult-to-recognize captcha (yandex)
4) For common engines, the generated protection depending on the parameters (variations tend to infinity) is similar to 1, but here is not a common base but the uniqueness of each instance (bitrix recently)
UPD: The method of form generation by the Ajax from the session was raised by friends and its failure was recognized on an industrial scale because there are bots using ie, firefox, etc.
Source: https://habr.com/ru/post/50355/
All Articles