Comments on: Preventing spam with drag and drop

By: advanced

advanced — Mon, 29 Oct 2007 04:42:10 +0000

Working hard to make the net less accessible? Spam prevention solutions should probably be intelligence and/or parameter “check and balance” based, and preferably transparent. Interface complexity (or in this case obfuscation) without demand or purpose is just backwards.

/* meander off topic */

Personally I like the honeypot solutions. The most transparent approach uses hidden form fields with default names like “url” and “website” to entice the bots into submitting spam data on a flagged query id, thus resulting in an automated IP ban (usually just a proxy block). Meanwhile the visible UI is unaffected. So far these solutions have been VERY effective at keeping the bots out even on phpBB (i.e xrumer).

/* on another note */

Most bots have a pronounced signature in the page order they visit and the lightening fast times between page accesses. IMHO, identifying and blocking particular traffic patterns would be more effective than any type of UI based scheme. It seems to me that Google uses a similar approach to pro-actively protect against worm query floods.

/* back to the point */

Regardless, I’ve seen more than a few macro bots (ghostkeys) that use recorded mouse events to yield a quick/n/easy workaround to complex navigation, honeypots, serialization and tokens.. an approach that’s light years behind the modern multisocket bot but effective none the less and likely to resurface given a continued demand.

By: Gavin

Gavin — Sat, 27 Oct 2007 01:27:02 +0000

@ Simon: What’s sad is your comment. Even if the proposed concept is bad, at least there’s people trying to solve the problem.

By: Simon Jia

Simon Jia — Fri, 26 Oct 2007 19:37:58 +0000

a true sad way of problem solving.
it is important to keep the user happy and the experience smooth. even the simple question style of spam blocking can annoy some user (trust me, i’ve read some ppl’s comments on that).

By: Sam C

Sam C — Fri, 26 Oct 2007 14:51:12 +0000

@Joe
Spam bots just speak http like your browser does. If you have the browser do something automatically and send the result in the form post then the spam bot will learn to fake it and send the same values in the form post. CAPTCHAs and questions generally work because humans are needed to provide additional input. If you take humans out of the mix then all you are left with are machines. Since machines can easily emulate other machines you are left with nothing.

By: Joe

Joe — Thu, 25 Oct 2007 15:18:48 +0000

The thing wrong with that solution (the one posed) is that it isn’t performing any real connection in the background; that’d be the easiest place to exploit. Yes, I understand that it’s a proof of concept too.

Ajaxian’s anti-spam attempt, although not terribly great, has worked surprisingly well; I haven’t seen any spams in the posts I’ve read so.. guess it works.

I’ve tossed around the idea as using the mouse position as the authenticating aspect of the user. Most bots are automated and don’t use the mouse or keyboard (generally) so I thought if you’d watch the mouse for a bit and see “human like” movements, then a flag should be set to allow the comment.

Of course there are still things to work out and even then I’m sure it’d get bypassed but, perhaps it’s another proof of concept that I’m working on.

By: Chris Korhonen

Chris Korhonen — Thu, 25 Oct 2007 13:29:16 +0000

I liked the suggestion from a few weeks back – include an additional input field in the comment submission form, and hide it using CSS so that the user doesn’t even see it.

Spam bots will usually attempt to.. um.. spam.. text and input fields, meaning that if the ‘hidden’ text field contains any data, you can assume that message is spam.

Granted, for users of screenreaders/text browsers and the like, you cannot effectively hide the field – so just use a label to tell the user not to fill that field in. Voila…

We have an effective solution for distinguishing between humans and spam bots, which is also accessible.

By: Gavin

Gavin — Thu, 25 Oct 2007 12:44:28 +0000

@ Will: I agree, but isn’t it just a matter of time before spammers tackle that too? I mean, if you have stuff like chatbots that have a database with all possible answers to all possible questions, wouldn’t it be just as easy to do the same to answer ajaxian-style captchas?

By: Will Peavy

Will Peavy — Thu, 25 Oct 2007 11:56:50 +0000

I think the best spam prevention is the type used on ajaxian.com. Text based spam filters are accessible to people with screen readers or color blindness, and 99.9% of web developers know the “three letter acronym of what is used to style web pages”… while 99.9% of bots don’t.

By: Gilles

Gilles — Thu, 25 Oct 2007 10:04:16 +0000

@Rick: It is just a Proof of Concept (POC). It is not a solution for your problems.
@Trevor: Amen
@theKM: See my comment at Rick. You could send an XML request after dropping “the box” to verify something etc.

Guys.. it is just a new way of looking at things..

By: Thomas Hansen

Thomas Hansen — Thu, 25 Oct 2007 09:38:11 +0000

Oh, yea, sorry forgot to post the actual VIDEO… :S
http://ajaxwidgets.com/Blogs/thomas/create_an_ajax_captcha_control.bb

By: Thomas Hansen

Thomas Hansen — Thu, 25 Oct 2007 09:37:31 +0000

@Michael Connor
Here’s a video about how to create an Ajax CAPTCHA in 5 minutes and 55 seconds for those interested (.Net, Gaia)
Now let’s see if the ajaxian spam system catches THIS comment as a spam comment… ;)

By: theKM

theKM — Thu, 25 Oct 2007 05:59:02 +0000

it’s not an accessibility issue… it just doesn’t provide the security that captcha’s are designed to do.

By: theKM

theKM — Thu, 25 Oct 2007 05:57:30 +0000

this doesn’t work, because it doesn’t change the server API. The captcha works because the server has a key, it’s served encrypted in the image, and the only way to get it back is by reading the image.

The “drag and drop” thing is just some UI verification… the server API hasn’t verified that it’s all good. So to the spammer, it’s just as easy to implement their bots as it ever was… sniff for the server API, and mimic it.

Captcha’s work only because the server API says “guess this”, and there’s an unknown that has tom come back in through the API. With this, the script is just saying that it was run… the API had no control to start with.

By: Trevor

Trevor — Thu, 25 Oct 2007 02:06:18 +0000

Suppose I donâ€™t know the answer, then what?

Then you’re very likely not reading Ajaxian. Human-detection questions should, to be most effective, target the site’s audience. If you really don’t know, but want to post a comment, you, as a human, have the advantage of using wikipedia or google or a good ol’ book to find out.

But I think itâ€™s good to experiment with concepts and Ajaxian is a great place to publish proof of concepts and bounce ideas around.

Yes, and while I wish folks here would be a little more respectful when criticizing, the benefit of having a place to post proofs of concept is to get them criticized so you can make the concept effective, secure, valuable and the best it can be as a solution to real problems.

The best, most accessible, solution to the problem that I’ve found is to ask human-logic questions. This fails when users don’t speak the language the questions are written in, so if your site has a multilingual audience, another solution (image, arithmetic) might be more appropriate.

Another solution, if you’re lucky enough to be able to require Javascript, would be to leave

By: Rick

Rick — Thu, 25 Oct 2007 01:13:39 +0000

Besides not actually preventing spam, this would stop you from being able to tab through the form and submit it with just the keyboard.

By: jo

jo — Thu, 25 Oct 2007 00:12:16 +0000

Doesn’t akismet render these solutions obsolete?

By: NullDaddy

NullDaddy — Wed, 24 Oct 2007 22:52:15 +0000

Who cares how secure it is… all that one has to do to stop spam is make it a little more difficult for the spammer/bot and ta-da, they move on to the next mark.

As long as you change it up you will stay ahead of the pack. If everyone is using Captcha then there is more incentive to find ways to crack it… on the other hand if everyone is using a custom solution, theres less chance of a hacker taking the time to crack it.

Think of “the club” … I’m sure its stopped a few cars from being stolen, but once its been found out how easily you can cut a steering wheel with a bolt cutter… and off comes the club. If you own a Ferrari I would hate to think you’d trust your car to this security product alone. But on the other hand if your driving a POS, who the hell cares you could leave the keys in the ignition and no one would take it.

By: Michael Connor

Michael Connor — Wed, 24 Oct 2007 21:53:52 +0000

I wrote a 100 line captcha using JSP and it rocks. Check it out at http://www.jroller.com/mlconnor

By: gene

gene — Wed, 24 Oct 2007 19:44:49 +0000

this does nothing, spam bots attack the http request that posts the comment. spam bots dont have to deal with DOM or javascript, they just make the call the browser ends up calling.

By: Tara Kelly (PassPack)

Tara Kelly (PassPack) — Wed, 24 Oct 2007 18:34:43 +0000

On accessibility and server side validation – sure, ok, agreed.

But I think it’s good to experiment with concepts and Ajaxian is a great place to publish proof of concepts and bounce ideas around.

I’m sure someone can find a statistic on how many false starts it takes before an idea finally reaches it’s final form… nothing comes out of the box perfect.

Good experiment. Who knows, maybe it’ll spark an accessible-server-validated-super-alternative-captcha idea for someone else.

Cheers!