Lack of interest [Suggestion] Efficient way to stop robots registering

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.

Floren

Well-known member
I'm pretty sure you already saw this article, but I will post it anyways.
Using this technique, it will be virtually impossible for a robot to register or perform any other spam-related tasks. Why? Because you can actually set the increment value yourself, for example. On top of that, you can easily generate a slider with jQuery. :)

I would really want this present in Xen. It will bring value to the product, since it is something not implemented in any software out there.
 
I may be wrong. I'm just speaking from personal experience when signing up for forums and seeing questions like "what is 4 + 1?" very often. :)

You would have to sign up for several thousand forums to get an idea of the variations. I have not done that myself, but based on the success over the past few years since Q&A has been out, I will assume that there is lots of variation.
 
There may be variation in the questions themselves but I assume that a lot of these questions revolve around the same topic. A lot of the questions I have come across are maths-related and I think to myself "heh, a computer can process maths much faster than the human brain" before proceeding to click the red X :P
 
Sure, but you're blaming the code for human error. If people use it to ask math questions or "what color is the sky?" that's their problem.
 
A custom question like the "Are you human?" (not questions like "2+2?"). This system is better than captcha.
 
and how many custom questions can you seriously have?

the good thing with recaptcha is that with google managing it now, it is only going to get more powerful.
 
Several months ago, I read a very interesting blog post (can't find the link), from Google testing new anti-spam features. They had a picture and you had to rotate it to a certain position as the question requested. Similar use was to move the clock hands to a particular time, etc.

These sound like brilliant ideas, but as a few have said, it would be a problem with disabled users and probably with users w/o JavaScript.
 
who would provide the custom questions?
how many custom questions can you feed into the system?

if the database is included into the XF package, it would be available to everyone.
if the user feeds it, he would only have a finite range of questions.

from what i see recaptcha continues to do well. i am not sure if there has been a solid crack for it.
 
I have a very simple way of stopping bots from registering on my forum.
I haven't changed it for almost 2 years now and in that time I haven't had a single bot.

[Attached image: spambot.webp]

If they ever do update their scripts to take it into account then I will simply change the value and/or add/remove a field.
 
I mean a custom question created by the administrator of the forum... Example: what is the background color of this forum? What is the admin's nick? (It's only an example...)

Another little trick to stop spammers is to not permit new users to post links (only for the first post).
 
Another trick is to SPELL out any numbers, don't put them in as digits ("two plus eleven" instead of "2 + 11" ). Personally though, I'd stay away from simple math like that though. The idea is to write directions that are easily comprehended by a human, but baffling to a bot. I'd particularly suggest using questions that are specific to your forum's topic if it has one.
 
I have a very simple way of stopping bots from registering on my forum.
I haven't changed it for almost 2 years now and in that time I haven't had a single bot.

If they ever do update their scripts to take it into account then I will simply change the value and/or add/remove a field.
I do a very similar thing. It works.

captcha, re-captcha, math problems do not work for us, although I still have them enabled for other reasons.
 
I've given up registering for a few things (that I was admittedly half-hearted about anyway) because I kept getting the Captcha wrong and I got tired of re-entering the other stuff. As an enduser I much prefer the anti-spam question.
 
It's always nice to see new ways of combating spam registrations but I don't think this one is viable. Its dependency on input from a mouse may well deter quite a few registrations. How many times have you had to run a mouse on your leg because it just won't work on the surface it's sitting on? There are a lot of computer users out there using abysmal peripherals for input/output and that slider system looks like it would require a degree of accuracy.

A CAPTCHA and a simple Q&A has kept all my forums 100% bot free for many years and to date I haven't seen anything else that beats that combination.
 
Sorry, but I'm not buying "I don't want to go into details." The reality is that if the needed value is sent to the browser (which it would need to be for the current behavior), then a bot can find that value and use it to exploit the script.
Let's see...
PHP:
$sliderValue = sha1($userName . $ip . $sliderId . $sliderValue);

$sliderId is a value automatically generated when you install the forums, that you can also regenerate in admincp:
PHP:
$sliderId = uniqid('', true);

Is there a way to "guess" the $("UserHuman").value? Thanks for your input.
 
I'm speaking in theoretical terms here. JavaScript is used to make the slider disappear and submit the form. Thus, the browser must know the value required for the slider (as it is written into the JavaScript by necessity). If the browser knows it, then bots can find it too, and easily exploit it to submit the form.

So yes, there is a way to find, not guess, the UserHuman value.

The only way you could do it so that the required value isn't sent to the browser is to put a form slider on top of an image with a line at a randomly generated position. You would slide the slider to the line, then you would click the submit button (no JavaScript used to determine when it's at the right position - it's all checked serverside based on the value submitted by the slider and the image generated). The problem with this is that it would be very, very easy for bots to just parse the image and use OCR-type technology to find the position of the line, then submit that value. You could try to confuse them by adding false lines, obscuring the position, etc, but then the slider would just get really complicated and confusing to use and it would be no easier than a standard text CAPTCHA, not to mention it's inaccessible for certain people. :)

Edit: w00t 1000th post! :D
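
The server-side check described in the post above, as an added example (not part of the original thread and not XenForo code): the target position never reaches the browser, each challenge is single-use and expires, and misses are capped because a small slider range is otherwise guessable. The function names, the 0-100 range, the tolerance and the `$store` array (standing in for a session or cache) are assumptions; it does not address the image-parsing problem raised in the same post.

```php
<?php
// Added illustration. All names and limits below are assumptions.
const SLIDER_MAX   = 100;  // assumed slider range 0..100
const TOLERANCE    = 2;    // assumed accepted distance from the target
const MAX_ATTEMPTS = 3;    // cap on misses per challenge
const TTL_SECONDS  = 300;  // challenge lifetime

// Create a challenge. Only the returned id is sent to the browser; the
// target stays in server-side state.
function issueChallenge(array &$store, int $now): string
{
    $id = bin2hex(random_bytes(16));
    $store[$id] = [
        'target'   => random_int(0, SLIDER_MAX),
        'expires'  => $now + TTL_SECONDS,
        'attempts' => 0,
    ];
    return $id;
}

// Verify a submitted position. The challenge is deleted on success, on
// expiry, or after too many misses, so a captured id/value pair cannot
// be replayed and the range cannot be swept.
function verifyChallenge(array &$store, string $id, int $submitted, int $now): bool
{
    if (!isset($store[$id])) {
        return false;                       // unknown or already used
    }
    $store[$id]['attempts']++;
    $expired  = $now > $store[$id]['expires'];
    $tooMany  = $store[$id]['attempts'] > MAX_ATTEMPTS;
    $matches  = abs($submitted - $store[$id]['target']) <= TOLERANCE;
    if ($expired || $tooMany || $matches) {
        unset($store[$id]);                 // challenge is finished either way
    }
    return $matches && !$expired && !$tooMany;
}

// Constructed demo run: first submission passes, the replay fails.
$store  = [];
$id     = issueChallenge($store, time());
$target = $store[$id]['target'];            // known only to the server
var_dump(verifyChallenge($store, $id, $target, time()));
var_dump(verifyChallenge($store, $id, $target, time()));
```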
 
JavaScript is used to make the slider disappear and submit the form... So yes, there is a way to find, not guess, the UserHuman value.
I agree, to a certain point. The slider is used for validation only, it will not actually submit the form. Even if the spammer will look at Xen code and see that a username and IP are used, he will never be able to determine the sliderId value, since all 3 keys are already sha1'ed. That does not change the fact blind people will not be able to use the slider, so your point is very solid. :)

Now, please open a new suggestion thread, to have implemented the xen activity graphic you have in your signature. A nice location would be under the online users box. :)
 