How do forms spambots work? 3

[Sleidia]

Hello,

Does anyone know where I could find documentation detailing most of the ways the spambots work?

I have designed an anti-spam php code that writes a long numerical string into a textarea hidden by CSS. If the numerical string is replaced by any text, the mail isn't sent.

I assume that the spambot will override the textarea content with its rubbish ... which is supposed to be is roal.

The thing is that I'm not sure if this method could effectively work against spambots.

What do you tink?

Thanks!

PS : don't tell me about captchas because I don't want them.

 

[feherke]

Hi

I have designed an anti-spam php code that writes a long numerical string into a textarea hidden by CSS. If the numerical string is replaced by any text, the mail isn't sent.

Well, CSS is quite simple to interpret, at least compared with JavaScript. And while [gray][small]1)[/small][/gray] stronger bots can even solve CAPTCHAs and [gray][small]2)[/small][/gray] tricking the bots with hidden [tt]form[/tt] elements is quite common, [gray][small][⇒][/small][/gray] I would expect that today bots are parsing CSS for [tt]display: none[/tt], [tt]visibility: hidden[/tt], [tt]text-indent: -1000px[/tt] and similar things. So I would do the hiding with JavaScript.

But this is just my theory.

Sorry, I know about no related documentation.


Feherke.

http://rootshell.be/~feherke/

 

[DonQuichote]

I am afraid that there is an arms race with spam bots, so there is no "how they work". As many of them fill all the fields to prevent server rejection, I would include a field that must be left empty. And off course you could hide the field in a lot of ways with CSS:
[ul]
[li]out-of-screen in a box[/li]
[li]transparent[/li]
[li]in the same colour as its background[/li]
[/ul]

But all you can do is making it difficult for them, not prevent it entirely.

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)

 

[darryncooke]

a way i found that works really great and has reduced spamming from about 50 per day to about 1 per week is to just include a field with a simple math problem.

Darryn Cooke

http://www.darryncooke.com

| The New Orange County Graphic designer and Marketing and Advertising Consultant

http://www.bloobie.com

| Marketing and Advertising blog

 

[jpadie]

Darryn, your solution is a user-active captcha, which the OP was trying to avoid.

all basic solutions are captcha. all a captcha is is trying to tell an automaton apart from a human. i suspect that sleidia is trying to avoid and image or user interactive captcha.

sleidia: i posted this solution a while ago. it could be finissed further by injecting the hidden dom element into the form rather than injecting the value, but to date none of my sites appear to be being successfully spammed, but then none of them are high traffic.

here is the code:

http://rathercurious.net/archives/155

 

[Sleidia]

Thanks everyone

As jpadie said, I'm trying to avoid any user interaction for the anti-spam measures because :

1. users aren't responsible for what spammers do (so why punish them?)
2. users have better things to do
3. none of the existing methods are user-friendly

Feherke :
The fact that the spambots can identify the CSS "display: none" is a non-issue for me because the purpose of this CSS is only to hide the textarea and its security code to the human visitor just to avoid confusion or accidental deletion before submission. If a hidden form is filled with junk by spambots it's all good for me because it's my way to identify them. Again, it's the disappearance of the security code that prevents the form from being submitted.

Jpadie :
You must know that I still suck at classes
I trust you when you say that your idea works great, but as the young disciple that I am, I feel that I have to find/create my own code, a code that I will fully understand from the ground.

So, in the end, I'm left with this question : will the spambots override the security code or not?

But I reckon that my idea would fail miserably if the spambots append their junk to the forms values instead of replacing them.

In that case, DonQuichote's idea about one more field that must be left empty would fix the issue.

Anyway, I'm ready to read your opinions on that matter.

 

[jpadie]

take my code and break it down into ideas.

part I: form submission is ignored unless a client token and a server token match up.
part II: the tokens are single use only.

part I and part II already add significant overhead to spammers as instead of a simple post request they will have to perform a get followed by parsing the data followed by a post.

but our friendly spammers are persistent and if your site is high traffic they will spend the processor cycles doing this.

part III: deliver the server side token programmatically

to beat this, the spammers now need to parse and execute javascript server side. this is a material headache for them.

part IV: insert random delays and events before fetching the js token. such as mouse movements etc. difficult (but not impossible) to emulate server side.

it's not impossible to break any captcha system. and in fact i read that some spambots are not actually automated systems but people-farms in 3rd world countries paid by the site to upload spam and, probably, attack vectors.

i combine my solution with something like akismet in order to give good spam protection. in a month i get many thousands rejected by my system, a couple of hundred by akismet and no spam. over six months, i have had one bogu spam entry slip through both nets and i'm still not sure that it was spam as it was written in chinese.

 

[jpadie]

i post this not so that you will be persuaded to use my code, but so that you can see the approach and write something yourself if you agree with the approach.

 

[feherke]

Hi

The fact that the spambots can identify the CSS "display: none" is a non-issue for me [gray](...)[/gray] If a hidden form is filled with junk by spambots it's all good for me because it's my way to identify them.

I am sure, clever bots will not touch hidden fields.


Feherke.

http://rootshell.be/~feherke/

 

[Sleidia]

Jpadie :
Thanks for your explanation
So, do you think it's impossible to have efficient enough anti-spambots measures that solely rely on server side code?

Feherke :
What you say sounds mostly true for type=hidden form elements but it's hard to believe that they could identify a CSS style from within a CSS file. And I could even hide the textarea with opacity anyway.

 

[feherke]

Hi

it's hard to believe that they could identify a CSS style from within a CSS file.

For me is harder to believe that they can read the obfuscated texts from CAPTCHA images. But the truth is, they can.


Feherke.

http://rootshell.be/~feherke/

 

[Sleidia]

Feherke :
I understand what you're saying but I wasn't writing only about the technical aspect of the issue.
I mean, spambots can decipher captchas probably because it's the most commonly used protection.
Tell me if I'm wrong but I don't think that the spammers would develop a spambot that works against a script that would be found only on one server, my server.

 

[jpadie]

Sleidia

they absolutely do, yes. if a site is high traffic the spammers will code specifically to circumvent that site's anti-spam protection.

captcha is a generic term for distinguishing humans from automata. it is not restricted to image related captcha/recaptcha etc.

 

[feherke]

Hi

I don't think that the spammers would develop a spambot that works against a script that would be found only on one server, my server.

I would say, if a spammer develops for your site, the best you can do is to change the protection method periodically.

I am sure they can detect the hidden [tt]form[/tt] field trick with generic code, without coding anything specific for your site. And for less evolved bots probably a per-site configuration is enough.


Feherke.

http://rootshell.be/~feherke/