Lack of interest [Suggestion] Efficient way to stop robots registering

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.

Floren

I'm pretty sure you already saw this article, but I will post it anyway.
Using this technique, it will be virtually impossible for a robot to register or perform any other spam-related tasks. Why? Because you can actually set the increment value yourself, for example. On top of that, you can easily generate a slider with jQuery. :)

I would really like to see this in Xen. It will bring value to the product, since it is something not implemented in any software out there.
 
Sorry, but this is useless because as soon as the bot writers see this gain acceptance (which it would if it was included by default into forum software like XenForo), they will write the JavaScript to move the slider or just bypass the sliding mechanism completely ($('form').submit(), anyone?). The only effective CAPTCHA is one that is checked server-side and requires the user to do something that in principle computers cannot do (moving a slider is not one of those things).

Not to mention it is unusable for blind users and those using screenreaders.
 
I like debating things. Problems I see...
  1. Not accessible-- not everyone has the motor skills necessary to slide the slider
  2. Can't complete the form without mouse support (no keyboard only), unless the control supports sliding with the arrow keys
  3. Requires Javascript
  4. Quite trivially breakable
    1. Use human labor to move the slider, just like using human labor to crack CAPTCHAS
    2. Use a couple lines of Javascript to automatically move the slider.
    3. Simply submit the form with whatever value the slider to the right submits
My conclusion: Not worth the effort to even think about it.
 
I'm pretty sure you already saw this article, but I will post it anyway.
Using this technique, it will be virtually impossible for a robot to register or perform any other spam-related tasks. Why? Because you can actually set the increment value yourself, for example. On top of that, you can easily generate a slider with jQuery. :)

I would really like to see this in Xen. It will bring value to the product, since it is something not implemented in any software out there.

Good thinking, but it isn't logical.

Honestly, the only good alternative for CAPTCHA is the question and answer thing, where you input questions such as "What color is the sky?" and the user inputs: blue. (And then change the questions and answers from time to time)

Maybe have this like an add-on, but I don't see this being a good default.
 
Good thinking, but it isn't logical.

Honestly, the only good alternative for CAPTCHA is the question and answer thing, where you input questions such as "What color is the sky?" and the user inputs: blue. (And then change the questions and answers from time to time)

Maybe have this like an add-on, but I don't see this being a good default.
These would still be relatively easy to bypass. Usually the questions are all very similar. If I was a spammer writing a registration bot, it would be trivial for me to search the page for "What color is the sky?", find a nearby form field, and input "blue." It would probably work 90% of the time. Same thing with math problems ("what is 2+2?"). Just parse the math problem and enter the answer. By just browsing the internet, I could probably compile a pretty good database of questions fairly quickly. :)
 
For many years I have used qualified Q&A AND time checking between displaying the registration form and submitting it.
The result of this way is very simple: NONE, NOTHING, NO bot spam registration!
I do never chance it.
 
Sorry, but this is useless because as soon as the bot writers see this gain acceptance (which it would if it was included by default into forum software like XenForo), they will write the JavaScript to move the slider or just bypass the sliding mechanism completely ($('form').submit(), anyone?). The only effective CAPTCHA is one that is checked server-side and requires the user to do something that in principle computers cannot do (moving a slider is not one of those things).

Not to mention it is unusable for blind users and those using screenreaders.

It is very difficult to move the slider with JavaScript if you don't know at what value/condition (defined as an option) to stop. :) I don't want to go into details, but it is easy to protect that slider result value and make it unique, with a token generated before and after submission.

About screen readers, there are a few plugins allowing you to make jQuery readable, Visualize for example. But you are right, it is not useful to depend on plugins. I tend to forget certain details. :)
 
It is very difficult to move the slider with JavaScript if you don't know at what value/condition (defined as an option) to stop. :) I don't want to go into details, but it is easy to protect that slider result value and make it unique, with a token generated before and after submission.
Sorry, but I'm not buying "I don't want to go into details." The reality is that if the needed value is sent to the browser (which it would need to be for the current behavior), then a bot can find that value and use it to exploit the script.

Here's the code in the example you linked to. This is run every time the slider is moved:
Code:
function updateSlider1(a) {
    if (a == 4) {
        $("UserHuman").value = "6).%Y.g-";
        $("short_slider_wrapper").fade({
            duration: 0.35,
            afterFinish: function () {
                $("loading_msg").appear({
                    duration: 0.35,
                    afterFinish: function () {
                        $("UserAddForm").submit()
                    }
                })
            }
        })
    }
}
Really, it's pathetically basic. All I need to do to exploit it is:
Code:
$("UserHuman").value = "6).%Y.g-";
$("UserAddForm").submit();

About screen readers, there are a few plugins allowing you to make jQuery readable, Visualize for example. But you are right, it is not useful to depend on plugins. I tend to forget certain details. :)
Doesn't matter, they still wouldn't be able to move the slider. ;)
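
The server-side check and the display-to-submit time check raised in the posts above, as an added example that is not part of the thread or XenForo's own code: the expected answer and the signing key stay on the server, so nothing in the page source is enough to pass. The secret, question, thresholds and function names are all hypothetical.

```php
<?php
// Added example. Every name and value here is hypothetical.
const FORM_SECRET   = 'replace-with-random-server-side-key'; // never sent to the browser
const MIN_FILL_SECS = 5;    // submissions faster than this are treated as automated
const MAX_FORM_AGE  = 3600; // stale forms must be reloaded
// Constructed question pool; only the id and text are rendered, never the answer.
const QUESTIONS = [
    'q1' => ['text' => 'Type the board name backwards, in lower case',
             'answer' => 'draobelpmaxe'],
];

// Called when the registration form is rendered; the result goes in a hidden field.
function issueFormToken(string $questionId, int $now): string
{
    // The nonce makes each token unique, so used tokens can be recorded and refused.
    $payload = $questionId . '|' . $now . '|' . bin2hex(random_bytes(8));
    return $payload . '|' . hash_hmac('sha256', $payload, FORM_SECRET);
}

// Called on submit. Returns null when accepted, otherwise the rejection reason.
function checkRegistration(string $token, string $answer, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return 'malformed token';
    }
    [$questionId, $issued, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$questionId|$issued|$nonce", FORM_SECRET);
    if (!hash_equals($expected, $mac)) {
        return 'bad signature';        // timestamp or question id was tampered with
    }
    if (!array_key_exists($questionId, QUESTIONS)) {
        return 'unknown question';
    }
    $age = $now - (int) $issued;
    if ($age < MIN_FILL_SECS) {
        return 'submitted too fast';
    }
    if ($age > MAX_FORM_AGE) {
        return 'form expired';
    }
    $given = strtolower(trim($answer));
    return hash_equals(QUESTIONS[$questionId]['answer'], $given) ? null : 'wrong answer';
}

// Constructed demo: the same form submitted after 1 s, then after 30 s with two answers.
$t0    = 1700000000;
$token = issueFormToken('q1', $t0);
foreach ([['draobelpmaxe', 1], ['ExampleBoard', 30], ['draobelpmaxe', 30]] as [$ans, $delay]) {
    var_dump(checkRegistration($token, $ans, $t0 + $delay));
}
```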
 
These would still be relatively easy to bypass. Usually the questions are all very similar. If I was a spammer writing a registration bot, it would be trivial for me to search the page for "What color is the sky?", find a nearby form field, and input "blue." It would probably work 90% of the time. Same thing with math problems ("what is 2+2?"). Just parse the math problem and enter the answer. By just browsing the internet, I could probably compile a pretty good database of questions fairly quickly. :)

That's why you make the questions unique, and change them often. "What is 2+2?" is the same difference as using "password" for your password.
 
The unique questions and answer system works very well and is easy to use. It can be made as simple as asking the applicant to enter a certain word.
 
The only way I can see this working is by using the server to check if the action was actually done... or perhaps actually checking if onmouseup and onmousedown events actually occur.

This requires JS and it means people with JS disabled can't register though :P
 
That's why you make the questions unique, and change them often. "What is 2+2?" is the same difference as using "password" for your password.

My point is that most of these questions are often the same or very similar. Anyone writing a script to beat these would accumulate a database of questions over time. After a period of time you could probably beat a fair number of the systems out there, and for a spammer, even something like a 20% success rate is excellent. Case in point:
The unique questions and answer system works very well and is easy to use. It can be made as simple as asking the applicant to enter a certain word.
This took me only a couple minutes to write, and it's fairly robust. It gets the required word out of a phrase of text. From there it would be trivial to enter the value into the nearest field and submit the form.
PHP:
<?php
$string_1 = "Please enter the word 'XenForo.'";
$string_2 = 'Enter the word "vBulletin".';
$string_3 = 'enter bananas';
$string_4 = 'Blah blah blah blah padding text please enter the word "Xen" blah bloopy blah';

//All of these can be beaten with this regex which took me a minute to write
$regex = '/\benter( the word)? ("|\')?([A-Z ]+)\.?("|\')?\b/i';

for($i = 1; $i <= 4; $i++) {
     preg_match($regex, ${'string_'.$i}, $matches);
     echo "$matches[3]\n";
}

/* Output:
XenForo
vBulletin
bananas
Xen
*/
?>
Now imagine someone who spends hours on this every day and does it for a living. :) Hopefully you can see why using basic questions in a question and answer system can be weak. :)
 
We use the question answer system, but we ask them to enter a certain word spelled backwards, and all in lower case instead of capitals as it's usually written (and as it is in the request). It's worked very VERY well for us, I don't think I've seen a bot break it yet. Now, if they custom code a bot to register JUST on our site, of course they can, but we're not worried about that too much, just about the hordes of generic bots out there ;-)
 
We use the question answer system, but we ask them to enter a certain word spelled backwards, and all in lower case instead of capitals as it's usually written (and as it is in the request). It's worked very VERY well for us, I don't think I've seen a bot break it yet. Now, if they custom code a bot to register JUST on our site, of course they can, but we're not worried about that too much, just about the hordes of generic bots out there ;-)

I have them write it backwards too and it has worked just fine so far, but that's a great idea adding case-sensitivity.
 
We use the question answer system, but we ask them to enter a certain word spelled backwards, and all in lower case instead of capitals as it's usually written (and as it is in the request). It's worked very VERY well for us, I don't think I've seen a bot break it yet. Now, if they custom code a bot to register JUST on our site, of course they can, but we're not worried about that too much, just about the hordes of generic bots out there ;-)
I agree, this is the best solution. Create a question that is very unique and have a lot of them. Unfortunately this is not usually the case. At least in my experience, most of the QA systems I've seen use pretty generic questions. :)
 
If you have a board with a specific topic, you can ask questions on that topic that people are likely to know, too. Like for a Lost board: what's a three-letter name for Smokey. That ought to be even harder to crack than "type this word backwards," since even reversing words won't get them in.
 
We use the question answer system, but we ask them to enter a certain word spelled backwards, and all in lower case instead of capitals as it's usually written (and as it is in the request). It's worked very VERY well for us, I don't think I've seen a bot break it yet. Now, if they custom code a bot to register JUST on our site, of course they can, but we're not worried about that too much, just about the hordes of generic bots out there ;-)
I use similar methods, such as asking the user to type in all the vowels or type in the xth letter or asking them to type the spoken alphabet equivalent to a letter (such as "cod" - charlie oscar delta).
 
My point is that most of these questions are often the same or very similar.

I wouldn't assume that. There are thousands of variations as unique as the forums themselves. It doesn't take very much creativity to come up with a unique Question and Answer.
 
I wouldn't assume that. There are thousands of variations as unique as the forums themselves. It doesn't take very much creativity to come up with a unique Question and Answer.
I may be wrong. I'm just speaking from personal experience when signing up for forums and seeing questions like "what is 4 + 1?" very often. :)
 