
Lack of Interest [Suggestion] Efficient way to stop robots registering

Discussion in 'Closed Suggestions' started by Floren, Sep 3, 2010.

  1. Floren

    Floren Well-Known Member

    I'm pretty sure you already saw this article, but I will post it anyway.
    Using this technique, it will be virtually impossible for a robot to register or perform any other spam-related tasks. Why? Because you can actually set the increment value yourself, for example. On top of that, you can easily generate a slider with jQuery. :)

    I would really want this present in Xen. It will bring value to the product, since it is something not implemented in any software out there.
     
    Decent60 likes this.
  2. Erik

    Erik Well-Known Member

    Sorry, but this is useless because as soon as the bot writers see this gain acceptance (which it would if it was included by default into forum software like XenForo), they will write the JavaScript to move the slider or just bypass the sliding mechanism completely ($('form').submit(), anyone?). The only effective CAPTCHA is one that is checked server-side and requires the user to do something that in principle computers cannot do (moving a slider is not one of those things).

    Not to mention it is unusable for blind users and those using screenreaders.
     
  3. Enigma

    Enigma Well-Known Member

    I like debating things. Problems I see...
    1. Not accessible-- not everyone has the motor skills necessary to slide the slider
    2. Can't complete the form without mouse support (no keyboard only), unless the control supports sliding with the arrow keys
    3. Requires Javascript
    4. Quite trivially breakable
      1. Use human labor to move the slider, just like using human labor to crack CAPTCHAs
      2. Use a couple lines of Javascript to automatically move the slider.
      3. Simply submit the form with whatever value the slider to the right submits
    My conclusion: Not worth the effort to even think about it.
     
  4. Daniel J. Gagnon

    Daniel J. Gagnon New Member

    Good thinking, but it isn't logical.

    Honestly, the only good alternative for CAPTCHA is the question and answer thing, where you input questions such as "What color is the sky?" and the user inputs: blue. (And then change the questions and answers from time to time)

    Maybe have this as an add-on, but I don't see this being a good default.
     
    Been Told likes this.
  5. Erik

    Erik Well-Known Member

    These would still be relatively easy to bypass. Usually the questions are all very similar. If I was a spammer writing a registration bot, it would be trivial for me to search the page for "What color is the sky?", find a nearby form field, and input "blue." It would probably work 90% of the time. Same thing with math problems ("what is 2+2?"). Just parse the math problem and enter the answer. By just browsing the internet, I could probably compile a pretty good database of questions fairly quickly. :)
     
  6. DSF

    DSF Well-Known Member

    For many years I have used qualified Q&A AND time checking between the registration form being displayed and the registration being submitted.
    The result of this approach is very simple: NONE, NOTHING, NO bot spam registrations!
    I never change it.
     
  7. Floren

    Floren Well-Known Member

    It is very difficult to move the slider with JavaScript if you don't know at what value/condition (defined as an option) to stop. :) I don't want to go into details, but it is easy to protect that slider result value and make it unique, with a token generated before and after submission.

    About screen readers, there are a few plugins allowing you to make jQuery readable, Visualize for example. But you are right, it is not useful to depend on plugins. I tend to forget certain details. :)
     
  8. Enigma

    Enigma Well-Known Member

    Just slide it with Javascript until the text underneath changes?
     
  9. Erik

    Erik Well-Known Member

    Sorry, but I'm not buying "I don't want to go into details." The reality is that if the needed value is sent to the browser (which it would need to be for the current behavior), then a bot can find that value and use it to exploit the script.

    Here's the code in the example you linked to. This is run every time the slider is moved:
    Code:
    function updateSlider1(a) {
        if (a == 4) {
            $("UserHuman").value = "6).%Y.g-";
            $("short_slider_wrapper").fade({
                duration: 0.35,
                afterFinish: function () {
                    $("loading_msg").appear({
                        duration: 0.35,
                        afterFinish: function () {
                            $("UserAddForm").submit()
                        }
                    })
                }
            })
        }
    }
    Really, it's pathetically basic. All I need to do to exploit it is:
    Code:
    $("UserHuman").value = "6).%Y.g-";
     $("UserAddForm").submit();
    
    Doesn't matter, they still wouldn't be able to move the slider. ;)
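    What the exchange above keeps circling back to (Erik's point in post 2 that the check must happen server-side, DSF's time check in post 6, and the token idea from posts 7 and 9) can be shown in one small piece of server code. This is an added example, not code from the thread or from XenForo, and it is in Python rather than PHP. The secret, the word bank, the challenge names and the time limits are all constructed for the demo. The browser only ever receives the prompt and a signed token; the expected answer is recomputed on the server, a token is bound to its issue time and can be used once, and a submission that comes back faster than a human could read the form is rejected. The prompts follow the later posts in the thread (a word typed backwards in lower case, or only its vowels).

```python
import hashlib
import hmac
import secrets
import time
from typing import Tuple

# Assumption: this secret lives only on the server and is rotated; constructed for the demo.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"

# Constructed word bank for the prompts.
WORD_BANK = ["XenForo", "Registration", "Moderator"]

# Challenge id -> (prompt builder, expected-answer builder).
# The answer is derived from the word on the server and never embedded in the page.
CHALLENGES = {
    "reverse": (
        lambda w: f"Type the word '{w}' backwards, all in lower case",
        lambda w: w[::-1].lower(),
    ),
    "vowels": (
        lambda w: f"Type only the vowels of the word '{w}', in order",
        lambda w: "".join(c for c in w if c.lower() in "aeiou"),
    ),
}

MIN_SECONDS = 3        # faster than a human could read the form: reject
MAX_SECONDS = 30 * 60  # challenge lifetime
_used_nonces = set()   # single-use tokens; in-memory for the demo, a shared store in practice


def _mac(payload: str) -> str:
    """HMAC over the token payload so a client cannot edit or forge it."""
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def expected_answer(qid: str, word: str) -> str:
    """Recompute the answer on the server; it is never sent to the browser."""
    return CHALLENGES[qid][1](word)


def issue_challenge(now: float = None) -> Tuple[str, str]:
    """Return (prompt, token). The token is what the form carries back and it
    contains no answer: only challenge id, word, issue time, nonce and a MAC."""
    issued = int(time.time() if now is None else now)
    qid = secrets.choice(sorted(CHALLENGES))
    word = secrets.choice(WORD_BANK)
    nonce = secrets.token_hex(8)
    payload = f"{qid}|{word}|{issued}|{nonce}"
    return CHALLENGES[qid][0](word), payload + "|" + _mac(payload)


def verify_submission(token: str, answer: str, now: float = None) -> Tuple[bool, str]:
    """Server-side check: signature, age window, single use, then the answer."""
    current = int(time.time() if now is None else now)
    parts = token.split("|")
    if len(parts) != 5:
        return False, "malformed token"
    qid, word, issued, nonce, mac = parts
    payload = "|".join(parts[:4])
    if not hmac.compare_digest(_mac(payload), mac):
        return False, "bad signature"        # forged or edited token
    if qid not in CHALLENGES or not issued.isdigit():
        return False, "malformed token"
    age = current - int(issued)
    if age < MIN_SECONDS:
        return False, "submitted too fast"   # the timing check DSF describes
    if age > MAX_SECONDS:
        return False, "challenge expired"
    if nonce in _used_nonces:
        return False, "token already used"   # a captured token cannot be replayed
    _used_nonces.add(nonce)                  # one attempt per token, right or wrong
    if answer.strip() != expected_answer(qid, word):
        return False, "wrong answer"
    return True, "ok"


if __name__ == "__main__":
    prompt, token = issue_challenge()
    print("prompt:", prompt)
    print("token :", token)
    print(verify_submission(token, "anything", now=time.time() + 10))
```

    Because the answer is recomputed from the word on every request, Erik's objection in post 9 no longer applies: the only thing that reaches the browser is a value that is useless without the server's secret, and replaying it, editing it or submitting it instantly all fail before the answer is even looked at.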
     
  10. anotheralias

    anotheralias Well-Known Member

    That's why you make the questions unique, and change them often. "What is 2+2?" is the same difference as using "password" for your password.
     
  11. AndyB

    AndyB Well-Known Member

    The unique questions and answer system works very well and is easy to use. It can be made as simple as asking the applicant to enter a certain word.
     
  12. James

    James Well-Known Member

    The only way I can see this working is by using the server to check if the action was actually done... or perhaps actually checking if onmouseup and onmousedown events actually occur.

    This requires JS and it means people with JS disabled can't register though :p
     
  13. Erik

    Erik Well-Known Member

    My point is that most of these questions are often the same or very similar. Anyone writing a script to beat these would accumulate a database of questions over time. After a period of time you could probably beat a fair number of the systems out there, and for a spammer, even something like a 20% success rate is excellent. Case in point:
    This took me only a couple minutes to write, and it's fairly robust. It gets the required word out of a phrase of text. From there it would be trivial to enter the value into the nearest field and submit the form.
    PHP:
    <?php
    $string_1 = "Please enter the word 'XenForo.'";
    $string_2 = 'Enter the word "vBulletin".';
    $string_3 = 'enter bananas';
    $string_4 = 'Blah blah blah blah padding text please enter the word "Xen" blah bloopy blah';

    //All of these can be beaten with this regex which took me a minute to write
    $regex = '/\benter( the word)? ("|\')?([A-Z ]+)\.?("|\')?\b/i';

    for ($i = 1; $i <= 4; $i++) {
        preg_match($regex, ${'string_' . $i}, $matches);
        echo "$matches[3]\n";
    }

    /* Output:
    XenForo
    vBulletin
    bananas
    Xen
    */
    ?>
    Now imagine someone who spends hours on this every day and does it for a living. :) Hopefully you can see why using basic questions in a question and answer system can be weak. :)
     
  14. Tigratrus

    Tigratrus Well-Known Member

    We use the question answer system, but we ask them to enter a certain word spelled backwards, and all in lower case instead of capitals as it's usually written (and as it is in the request). It's worked very VERY well for us, I don't think I've seen a bot break it yet. Now, if they custom code a bot to register JUST on our site, of course they can, but we're not worried about that too much, just about the hordes of generic bots out there ;-)
     
    anotheralias likes this.
  15. anotheralias

    anotheralias Well-Known Member

    I have them write it backwards too and it has worked just fine so far, but that's a great idea adding case-sensitivity.
     
  16. Erik

    Erik Well-Known Member

    I agree, this is the best solution. Create a question that is very unique and have a lot of them. Unfortunately this is not usually the case. At least in my experience, most of the QA systems I've seen use pretty generic questions. :)
     
  17. anotheralias

    anotheralias Well-Known Member

    If you have a board with a specific topic, you can ask questions on that topic that people are likely to know, too. Like for a Lost board: what's a three-letter name for Smokey. That ought to be even harder to crack than "type this word backwards," since even reversing words won't get them in.
     
  18. James

    James Well-Known Member

    I use similar methods, such as asking the user to type in all the vowels or type in the xth letter or asking them to type the spoken alphabet equivalent to a letter (such as "cod" - charlie oscar delta).
     
  19. AndyB

    AndyB Well-Known Member

    I wouldn't assume that. There are thousands of variations as unique as the forums themselves. It doesn't take very much creativity to come up with a unique Question and Answer.
     
  20. Erik

    Erik Well-Known Member

    I may be wrong. I'm just speaking from personal experience when signing up for forums and seeing questions like "what is 4 + 1?" very often. :)
     