Related
We are working with Lotus Notes in a Help Desk team and would be useful to know how much time we take to respond a message. Is there some way to achieve this?
The problem with the suggested approaches, is that they only measure the amount of time until someone begins to compose a response -- not the time until the response is sent. This, you could determine by forcing the replies to automatically save so that an agent could go through later to compare the received of original messages with the sent of the replies.
HOWEVER! As an occasional user of support services, I really don't want support staff measured on how quickly they respond. That's not a true measure of customer perceived value. I would instead want my support staff measured on how long it is before the customer feels their problem has been solved. Quality of service comes about from taking the trouble to understand the customer's question and carefully address their needs -- not from churning out reply emails at the fastest possible pace, which is what the proposed measurement would encourage.
I don't want a tech scored higher for replying immediately with a stupid non-answer, then replying immediately to my irritated request that they read the question, with another non-answer, than a tech who takes twice as long to send the original reply, but that reply answers my question. See?
Try creating a field that will record timestamp when the mail was replied to, ie. when user clicks on reply button, set the field's value to current time, then do the calculation of time passed between #created and that timestamp.
You can use the software called http://timetoreply.com which measures how quickly companies respond to online enquiries. You can measure email reply time using this software and its free.
Yes of course there is. If you have a current mail template, then responding to a mail sets a flag in the document. That changes the #Modified timestamp of the document.
A view with a column that calculates #Modified - #Created could already be a good start. Of course you can add any level of complexity to this by using LotusScript or Formula agents to analyze your data or to add own flags, etc...
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 11 years ago.
Locked. This question and its answers are locked because the question is off-topic but has historical significance. It is not currently accepting new answers or interactions.
What is the worst security hole you've ever seen? It is probably a good idea to keep details limited to protect the guilty.
For what it's worth, here's a question about what to do if you find a security hole, and another with some useful answers if a company doesn't (seem to) respond.
From early days of online stores:
Getting a 90% discount by entering .1 in the quantity field of the shopping cart. The software properly calculated the total cost as .1 * cost, and the human packing the order simply glossed over the odd "." in front of the quantity to pack :)
The least forgivable security hole, and unfortunately a very common and easy to find one at that, is Google hacking. Case in point:
http://www.google.com/search?q=inurl%3Aselect+inurl%3A%2520+inurl%3Afrom+inurl%3Awhere
It's amazing how many pages on the Internet, government sites in particular, pass an SQL query through the query string. It's the worst form of SQL injection, and it takes no effort at all to find vulnerable sites.
With minor tweaks, I've been able to find unprotected installations of phpMyAdmin, unprotected installations of MySQL, query strings containing usernames and passwords, etc.
Social Engineering:
<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
From bash.org
True story from my early days at Microsoft.
You haven't known fear until the day you wake up and see the headline on ZDNet.com that morning is "Worst Internet Explorer Security Hole Ever Has Been Discovered In 'Blah'" where 'Blah' is code you wrote yourself six months previously.
Immediately upon getting to work I checked the change logs and discovered that someone on another team -- someone we trusted to make changes to the product -- had checked out my code, changed a bunch of the security registry key settings for no good reason, checked it back in, and never got a code review or told anyone about it. To this day I have no idea what on earth he thought he was doing; he left the company shortly thereafter. (Of his own accord.)
(UPDATE: A few responses to issues raised in the comments:
First, note that I choose to take the charitable position that the security key changes were unintentional and based on carelessness or unfamiliarity, rather than malice. I have no evidence one way or the other, and believe that it is wise to attribute mistakes to human fallibility.
Second, our checkin systems are much, much stronger now than they were twelve years ago. For example, it is now not possible to check in code without the checkin system emailing the change list to interested parties. In particular, changes made late in the ship cycle have a lot of "process" around them which ensures that the right changes are being made to ensure the stability and security of the product.)
Anyway, the bug was that an object which was NOT safe to be used from Internet Explorer had been accidentally released as being marked "safe for scripting". The object was capable of writing binary files -- OLE Automation type libraries, in fact -- to arbitrary disk locations. This meant that an attacker could craft a type library that contained certain strings of hostile code, save it to a path that was a known executable location, give it the extension of something that would cause a script to run, and hope that somehow the user would accidentally run the code. I do not know of any successful "real world" attacks that used this vulnerability, but it was possible to craft a working exploit with it.
We shipped a patch pretty darn quickly for that one, let me tell you.
I caused and subsequently fixed many more security holes in JScript, but none of them ever got anywhere near the publicity that one did.
I hope you can spot what's wrong here. (Terribly wrong, in fact):
String emailBody = "";
for (int i = 0; i < subscribers.Count; i++)
{
emailBody += "Hello " + subscribers[i].FirstName + ",";
emailBody += "this is a reminder with your account information: \n\n:";
emailBody += "Your username: " + subscribers[i].Username + "\n";
emailBody += "Your password: " + subscribers[i].Password + "\n";
emailBody += "Have a great day!";
emailDispatcher.Send(subscribers[i].EmailAddress, emailBody);
}
The last recipient was the happiest ;)
The old IBM System 36 dumb terminals had a keyboard combination that started the recording of a macro. So when a terminal was not logged in, you could start the recording of a macro and leave it in that position. Next time someone logged in, the keystrokes would be recorded in the macro and the recording would end automatically when maximum allowed keys was recorded. Just come back later and replay the macro to autolog-in.
The worst security hole I've ever seen was actually coded by yours truly and caused the Google Bot to delete my entire database.
Back when I was first learning Classic ASP, I coded my own basic blog application. The directory with all the admin scripts was protected by NTLM on IIS. One day I moved to a new server and forgot to re-protect the directory in IIS (oops).
The blog home page had a link to the main admin screen, and the main admin screen had a DELETE LINK for each record (with no confirmation).
One day I found every record in the database deleted (hundreds of personal entries). I thought some reader had broke into the site and maliciously deleted every record.
I came to find out from the logs: The Google Bot had crawled the site, followed the admin link, and the proceeded to follow all the DELETE LINKS, thereby deleting every record in the database. I felt I deserved the Dumbass of the Year award getting inadvertently compromised by the Google Bot.
Thankfully I had backups.
The worst hole I've ever seen was a bug in a web application where giving an empty user name and password would log you in as administrator :)
Once noticed this on the URL of a web-site.
http://www.somewebsite.com/mypage.asp?param1=x¶m2=y&admin=0
Changing the last parameter to admin=1 gave me admin privileges. If you are going to blindly trust user input at least don't telegraph that you are doing it!
I saw this one in The Daily WTF.
<script language="javascript">
<!--//
/*This Script allows people to enter by using a form that asks for a
UserID and Password*/
function pasuser(form) {
if (form.id.value=="buyers") {
if (form.pass.value=="gov1996") {
location="http://officers.federalsuppliers.com/agents.html"
} else {
alert("Invalid Password")
}
} else {
alert("Invalid UserID")
}
}
//-->
</script>
Nothing can beat this IMHO.
At a university no less, which will remain nameless, they had all their action queries being passed through the URL instead of form posted.
The thing worked a treat until Google Bot came along and ran through all of their URLs and wiped their database.
Surprised no one has brought up social engineering, but I got a kick out of this article.
Summary: malicious users can buy a few dozen flash drives, load them with an auto-run virus or trojan, then sprinkle said flash drives in a company's parking lot late at night. Next day, everyone shows up to work, stumble on the shiny, candy-shaped, irresistable hardware and say to themselves "oh wow, free flash drive, I wonder what's on it!" -- 20 minutes later the entire company's network is hosed.
"Pedo mellon a minno", "Speak friend and enter", on the gates of Moria.
Microsoft Bob
(Credit: Dan's 20th Century Abandonware)
If you enter your password incorrectly a third time, you are asked if you have forgotten your password.
http://img132.yfrog.com/img132/8397/msbob10asignin15.gif
But instead of having security, like continuing to prompt for the correct password until it's entered or locking you out after a number of incorrect attempts, you can enter any new password and it will replace the original one! Anyone can do this with any password "protected" Microsoft Bob account.
There is no prior authentication required.
his means User1 could change their own password just by mistyping their password three times then entering a new password the fourth time -- never having to use "change password."
It also means that User1 could change the passwords of User2, User3... in exactly the same way. Any user can change any other user's password just by mistyping it three times then entering a new password when prompted -- and then they can access the account.
http://img132.yfrog.com/img132/9851/msbob10asignin16.gif
I had Joe X's former home address, and needed to know his newer current address in the same city, but had no way to contact him. I figured he was receiving the usual daily pile of mail order catalogs, so I arbitrarily called the 800 number for See's Candies (as opposed to Victoria's Secret, or Swiss Colony, or any other big mailer):
Me: "Hi, I'm Joe X. I think you've got me on your mailing list twice, at both my old address and my new address. Does your computer show me at [old address] or at [fake address]?"
Operator: "No, we show you at [new address]."
Giving 1=1 in a textbox lists all the users in the system.
Being an application security consultant for a living there are lots of common issues that let you get admin on a website via something. But the really cool part is when you can buy a million dollars worth of socks.
It was a friend of mine working on this gig but the jist of it was that prices for items in a certain now very popular online book (and everything else) shop were stored in the HTML itself as a hidden field. Back in the early days this bug bit a lot of online stores, they were just starting to figure out the web. Very little security awareness, I mean really who is going to download the HTML, edit the hidden field and resubmit the order?
Naturally we changed the price to 0 and ordered 1 million pairs of socks. You could also change the price to negative but doing this made some part of their backend billing software buffer overflow ending the transaction.
If I could choose another it would be path canonicalization issues in web applications. It's wonderful to be able to do foo.com?file=../../../../etc/passwd
Committing the database root password to source control by accident. It was pretty bad, because it was source control on Sourceforge.
Needless to say the password got changed very quickly.
Not changing admin passwords when key IT employees leave the company.
Though this is not the worst security hole I’ve ever seen. But this is at least the worst I’ve discovered myself:
A pretty successful online shop for audiobooks used a cookie to store the identification information of the current user after successful authentication. But you could easily change the user ID in the cookie and access other accounts and purchase on them.
Right at the start of the .com era, I was working for a large retailer overseas. We watched with great interest as our competitors launched an online store months before us. Of course, we went to try it out... and quickly realized that our shopping carts were getting mixed up. After playing with the query string a bit, we realized we could hijack each other's sessions. With good timing, you could change the delivery address but leave the payment method alone... all that after having filled the cart with your favorite items.
When I first joined the company I currently work at, my boss was looking over the existing e-commerce web site of a prospective new client. This was in the fairly early days of both IIS and e-commerce, and security was, shall we say, less than stringent.
To cut a long story short, he altered a URL (just out of curiosity), and realised that directory browsing wasn't turned off, so you could just cut the page name off the end of the URL and see all the files on the web server.
We ended up browsing a folder containing an Access database, which we downloaded. It was the entire e-commerce customer/order database, replete with several thousand unencrypted credit card numbers.
People posting their passwords on public websites...
When I was 13 years old my school opened a social network for the students. Unfortunately for them I found a security bug where you could change the URI to another userID like "?userID=123" and become logged in for that user. Obviously I told my friends, and in the end the schools social network was filled with porn.
Wouldn't recommend it though.
I think the blank username / password field for superuser access is by far the worst. But one I have seen myself was
if (password.equals(requestpassword) || username.equals(requestusername))
{
login = true;
}
Too bad one operator makes such a big difference.
Mine would be for a bank I was a customer of. I wasn't able to log on, so I called customer service. They asked me for my user name and nothing else - didn't ask any security questions or try to verify my identity. Then instead of sending a password reset to the email address they had on file, they asked me what email address to send it to. I gave them an address different than what I had on file, and was able to reset my password.
So essentially, all a hacker would need is my user name, and he could then access my account. This was for a major bank that at least 90% of people in the United States would have heard of. This happened about two years ago. I don't know if it was a poorly trained customer service rep or if that was standard procedure.
I'll share one I created. Kind of.
Years and years and years ago the company I was working for wanted indexing on their ASP web site. So off I went and set up Index Server, excluded a few admin directories and all was good.
However unknown to me someone had given a sales person ftp access to the web server so he could work from home, this was the days of dialup and it was the easiest way for him to swap files.... and he started uploading things, including documents detailing the markup on our services.... which index server indexed and starting serving up when people searched for "Costs".
Remember kids, whitelists not blacklists.
One of the simplest, yet really cost worthy is:
Payment systems that use engines such as PayPal can be flawed because the response back from PayPal after payment was successful is not checked as it should be.
For example:
I can go on to some CD purchase website and add some content to the cart, then during the checkout stages there's usually a form on the page that has been populated with fields for paypal, and a submit button to "Pay"..
Using a DOM Editor I can go into the form "live" and change the value from £899.00 to £0.01 and then click submit...
When I'm on the PayPal side of things I can see that the amount is 1 penny, so I pay that and PayPal redirects some parameters to the initial purchase site, who only validates parameters such as payment_status=1, etc., etc. and do not validate the amount paid.
This can be costly if they do not have sufficient logging in place or products are automatically dispatched.
The worst kind of sites are sites who deliver applications, software, music, etc.
How about an online document manager, which allowed to set every security permission you could remember...
That is until you got to the download page... download.aspx?documentId=12345
Yes, the documentId was the database ID (auto-increment) and you could loop every single number and anyone could get all the company documents.
When alerted for this problem the project manager response was: Ok, thanks. But nobody has noticed this before, so let's keep it as it is.
A Norwegian pizza delivery had a security hole where you could order negative amounts of pizzas at their new and shiny internet portal and get them for free.
How can I prevent that forms can be scanned with a sort of massive vulnerability scanners like XSSME, SQLinjectMe (those two are free Firefox add-ons), Accunetix Web Scanner and others?
These "web vulnerability scanners" work catching a copy of a form with all its fields and sending thousands of tests in minutes, introducing all kind of malicious strings in the fields.
Even if you sanitize very well your input, there is a speed response delay in the server, and sometimes if the form sends e-mail, you vill receive thousands of emails in the receiver mailbox. I know that one way to reduce this problem is the use of a CAPTCHA component, but sometimes this kind of component is too much for some types of forms and delays the user response (as an example a login/password form).
Any suggestion?
Thanks in advance and sorry for my English!
Hmm, if this is a major problem you could add a server-side submission-rate limiter. When someone submits a form, store some information in a database about their IP address and what time they submitted the form. Then whenever someone submits the form, check the database to see if it's been "long enough" since the last time that IP address submitted the form. Even a fairly short wait like 10 seconds would seriously slow down this sort of automated probing. This database could be automatically cleared out every day/hour/whatever, you don't need to keep the data around for long.
Of course someone with access to a botnet could avoid this limiter, but if your site is under attack by a large botnet you probably have larger problems than this.
On top the rate-limiting solutions that others have offered, you may also want to implement some logging or auditing on sensitive pages and forms to make sure that your rate limiting actually works. It could be something simple like just logging request counts per IP. Then you can send yourself an hourly or daily digest to keep an eye on things without having to repeatedly check your site.
Theres only so much you can do... "Where theres a will theres a way", anything that you want the user to do can be automated and abused. You need to find a median when developing, and toss in a few things that may make it harder for abuse.
One thing you can do is sign the form with a hash, for example if the form is there for sending a message to another user you can do this:
hash = md5(userid + action + salt)
then when you actually process the response you would do
if (hash == md5(userid + action + salt))
This prevents the abuser from injecting 1000's of user id's and easily spamming your system. Its just another loop for the attacker to jump through.
Id love to hear other peoples techniques. CAPTCHA's should be used on entry points like registration. And the method above should be used on actions to specific things (messaging, voting, ...).
also you could create a flagging system, and anything the user does X times in X amount of time that may look fishy would flag the user, and make them do a CAPTCHA (once they enter it they are no longer flagged).
This question is not exactly like the other questions about captchas but I think reading them if you haven't already would be worthwhile. "Honey Pot Captcha" sounds like it might work for you.
Practical non-image based CAPTCHA approaches?
What can be done to prevent spam in forum-like apps?
Reviewing all the answers I had made one solution customized for my case with a little bit of each one:
I checked again the behavior of the known vulnerability scanners. They load the page one time and with the information gathered they start to submit it changing the content of the fields with malicious scripts in order to verify certain types of vulnerabilities.
But: What if we sign the form? How? Creating a hidden field with a random content stored in the Session object. If the value is submitted more than n times we just create it again. We only have to check if it matches, and if it don't just take the actions we want.
But we can do it even better: Why instead to change the value of the field, we change the name of the field randomly? Yes changing the name of the field randomly and storing it in the session object is maybe a more tricky solution, because the form is always different, and the vulnerability scanners just load it once. If we don’t get input for a field with the stored name, simply we don't process the form.
I think this can save a lot of CPU cycles. I was doing some test with the vulnerability scanners mentioned in the question and it works perfectly!
Well, thanks a lot to all of you, as a said before this solution was made with a little bit of each answer.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
What should a good BugTracking tool be capable of?
Although there is a large set of features that a bug tracker can have I feel like it is a little overkill and was considering rolling out my own solution. With that being said I didn't want to remove any core functionality that might be used frequently with existing solutions.
The ones I can think of so far:
- creating bugs
- assigning bugs
- closing bugs
- adding description to the bug
Thanks!
Communication between the developer and the user.
Ability for the user to assign certain bits of information such as severity (how much that bug relates to them).
Ability for the developer to override that priority and, if possible, give a reason.
Ability to assign tasks to a developer.
Ability to sort between bug, enhancement, and feature request. The difference between an enhancement and feature request is very subtle but VERY important.
Ability to attach files (such as screen shots)
Ability to have custom fields (such as being able to select which OS, which service pack level, application version, etc).
Ability to have custom user profiles which also give detailed information about their hardware. It's also nice to be able to have the users phone number (if they are on your LAN) so you can ask questions, if needed.
Privacy. Some items, such as security exploits or information that deals with financial information, will need to be kept secret. Even OSS does this from time to time until they can get a patch ready. Everyone has their own rules.
Ability to show the changes between revisions so you can email out a Change Log so users know what you have and have not done.
Reminders about which items are left undone and are assigned to you / unassigned at all.
That's all I can think of...
A good search engine.
It's amazing how many bug tracking products that cost thousands of dollars get this horribly wrong.
Without a really decent search your bug tracking is more like a "bug logging" - log and forget - system which is pretty much useless.
create a bug
close a bug
this is sufficient for closure over the life-cycle of a 'bug' entity. Whether it is enough features for your purpose is another matter.
Take a look at the features of Mantis, choose the features that you need, calculate how long it would take you to write them, and then spend your time on something more useful unless you absolutely have to create your own. ;-)
For most systems like a bug tracking one, it's usually not the creation or editing of the data that makes the system useful. It all comes down to how easily you can navigate through the information to 'add-value' on top of just collecting the data.
Think about the people who will use the system, the programmers, managers, etc. For each group of people, what type of information will make it worth their while to come back to the system over and over again. How can you make it easier for them to get this information?
Collecting information is easy, adding value to it is the hard part.
Paul.
A bug tracker is nothing more than a list of things that need to be done.
It can be as simple as a text file in the software's directory to a fully fledged bug tracker with hundreds of users.
Start with what you need to work with, then expand as needed.
Use Jira, you'll be in good hands.
Here are some important features:
Assign priority to bug (e.g. critical, major, medium, minor, trivial)
Assign bug to a specific release in which it will be fixed
Watcher functionality (so you can be e-mailed when the status changes)
Workflow (i.e. who is working on it, what's the status)
Categorization, Prioritization, and Standardization.
And an easy way to query it so that you can reap the rewards of your hard work on the above three.
Also, make sure whatever you do is extensible! We always decide to add/edit our bug templates during the project depending on needs/fires.
There are a lot of great solutions out there, you probably don't need to roll your own.. But either way you're going to have to make the same decisions. We use a solution that allows us to roll our own templates, so at the beginning of every project we revisit this same discussion.
FWIW: When we rolled our own request tracking system, we built it around procmail and our existing internal web authentication system because we wanted it to be extremely unobtrusive to use: we just send e-mails to the developers (using group aliases if we want) and add a "[t]" to the subject to open a ticket. The recipients get a modified e-mail with the original request and an additional link to the web page that displays the ticket and allows them to close it with 1 mouse click. So the most common tasks are performed through the e-mail client (opening, requesting more information, replying, ...), although there is also a simple web interface for searching etc.
It took only a few hours to write and after more than 34000 request tickets in 7 years or so, I guess it's OK to claim that it has only the essential core features:
create a ticket (by e-mail with marked subject)
close a ticket (clicking on the link in the e-mail, then clicking on "done")
all communication goes over e-mail, not through a web interface(!)
people who were recipients or sender of the original e-mail (opening ticket) are notified about closed tickets ("Subject: <old subject> closed by <someone>" + link to ticket in the body, enough information for most people so they don't have to go look which ticket/bug that was etc.)
a simple web interface provides a search function for own/open/sent/team tickets
Notable absent features that might be needed for a bigger development team / more intense software development:
flexible status for the tickets (dupe, wontfix, reopened etc.)
priorities
reassigning tickets explicitly (in our dev team, the e-mail just gets resent to the unlucky guy who has to do it)
adding comments to the ticket that don't get sent to everyone
assigning the bug to a particular version of the software
YMMV, but it has worked very well for us so far, both for bugs and for simple requests that the sender wants to keep track of.
Define bug.
Thinking about that will most likely make you realize that you're gonna spend a lot of time "rolling your own".
This might be a little beyond what you had in mind, but for me, integration with source control is a must-have. To be able to view the diffs between versions associated with a bug/issue is very handy.
Please please please don;t spend much time "rolling your own". Your time is better spent researching and learning to use real tracking systems.
Some to look at
Trac, Bugzilla and FogBugz. The last one has free hosted solution for small (one or two man shops?) companies.
SO has lots of threads about this topic.
Try not to roll your own unless it is just a word doc or a spreadsheet. Any time you spend making your own is a TOTAL waste.
EDIT
Since you won't be dissuaded, then I'll maybe add some things others have not mentioned.
You need reporting functionality - users need to be able to run queries and they should be able to select the fields they want to "view".
Workflow/lifecycle of a defect is also a good feature. (basically a state machine of the states the defect will go through. ) In fact, this is a useful exercise for you to define all your use cases and functionality. Given that you are in college and did not start out as aa CS major, I doubt you will come up with many on your own. Take some time to browse the feature lists and demos of existing products.
Ability for emails to be sent to various interested parties.
Anonymous users able to see a SPECIFIC defect that they entered
Different access levels and authorities (admin, manager, developer, tester, end-user)
Our bug tracking system is one of the two essential links between my company and our customers ("live" product reviews where existing customers are encouraged to suggest improvements and user interface tweaks being the other).
A bug tracking system must, first and foremost, encourage trackable "dialogs" with your customers. It must answer the question "Have you fixed the problem (defined broadly) that I have been having yet?"
It must have (in no particular order):
A short description of the problem or feature request (the title)
Room for an extended description
The ability to attach files/images (screenshots)
The ability to prioritize bugs/features
The ability to categorize entries as bugs, features, inquiry, etc.
The ability to assign bugs/features to areas (UI, database, documentation, etc.)
he ability to assign bugs/features to products (we track bugs on five products)
The ability to assign bugs/features to releases ("to be fixed in version 5.1")
The ability to assign bugs/features to people (developers/writers)
The ability to assign bugs/features to customers (reporters)
The ability to re-assign to a different person (developer)
The ability to Resolve bugs/features (mark them as finished and ready for testing)
The ability to mark resolution status (fixed, won't fix, can't reproduce, etc.)
The ability to Close bugs/features (take them off list after resolution & testing)
The ability to Reopen bugs/features (restore to "Open" if testing fails)
The ability to inform customers the bug has been resolved (e.g. via email)
Date and Time stamp on every step (Open, Resolve, Close, Re-open)
The ability to report on the number of Open bugs! (how close to release are we?)
The ability to show bug reports versus resolutions
The ability to search on bugs/features by date, priority, product, person, etc.
The ability to list and sort bugs for easy scanning!
Those are the things that we typically use in our system (FogBugz). While this may seem like a long list, we really do use every feature that I've listed here!
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
What are some popular spam prevention methods besides CAPTCHA?
I have tried doing 'honeypots' where you put a field and then hide it with CSS (marking it as 'leave blank' for anyone with stylesheets disabled) but I have found that a lot of bots are able to get past it very quickly. There are also techniques like setting fields to a certain value and changing them with JS, calculating times between load time and submit time, checking the referer URL, and a million other things. They all have their pitfalls and pretty much all you can hope for is to filter as much as you can with them while not alienating who you're here for: the users.
At the end of the day, though, if you really, really, don't want bots to be sending things through your form you're going to want to put a CAPTCHA on it - best one I've seen that takes care of mostly everything is reCAPTCHA - but thanks to India's CAPTCHA solving market and the ingenuity of spammers everywhere that's not even successful all of the time. I would beware using something that is 'ingenious' but kind of 'out there' as it would be more of a 'wtf' for users that are at least somewhat used to your usual CAPTCHAs.
Shocking, but almost every response here included some form of CAPTCHA. The OP wanted something different, I guess maybe he wanted something that actually works, and maybe even solves the real problem.
CAPTCHA doesn't work, and even if it did - its the wrong problem - humans can still flood your system, and by definition CAPTCHA wont stop that (cuz its designed only to tell if you're a human or not - not that it does that well...)
So, what other solutions are there? Well, it depends... on your system and your needs.
For instance, if all you're trying to do is limit how many times a user can fill out a "Contact Me" form, you can simply throttle how many requests each user can submit per hour/day/whatever. If your users are anonymous, maybe you need to throttle according to IP addresses, and occasionally blacklist an IP (though this too can be circumvented, and causes other problems).
If you're referring to a forum or blog comments (such as this one), well the more I use it the more I like the solution. A mix between authenticated users, authorization (based on reputation, not likely to be accumulated through flooding), throttling (how many you can do a day), the occasional CAPTCHA, and finally community moderation to cleanup the few that get through - all combine to provide a decent solution. (I wonder if Jeff can provide some info on how much spam and other malposts actually get through...?)
Another control to consider (dont know if they have it here), is some form of IDS/IPS - if you can detect and recognize spam, you can block THAT pattern. Moderation fills that need manually, here...
Note that any one of these does not prevent the spam, but incrementally lowers the probability, and thus the profitability. This changes the economic equation, and leaves CAPTCHA to actually provide enough value to be worth it - since its no longer worth it for the spammers to bother breaking it or going around it (thanks to the other controls).
Give the user the possibility to calculate:
What is the sum of 3 and 8?
By the way: Just surfed by an interesting approach of Microsoft Research: Asirra.
http://research.microsoft.com/asirra/
It shows you several pictures and you have to identify the pictures with a given motif.
Try Akismet
Captchas or any form of human-only questions are horrible from a usability perspective. Sometimes they're necessary, but I prefer to kill spam using filters like Akismet.
Akismet was originally built to thwart spam comments on WordPress blogs, but the API is capabable of being adapted for other uses.
Update: We've started using the ruby library Rakismet on our Rails app, Yarp.com. So far, it's been working great to thwart the spam bots.
A very simple method which puts no load on the user is just to disable the submit button for a second after the page has been loaded. I used it on a public forum which had continuous spam posts, and it stopped them since.
Ned Batchelder wrote up a technique that combines hashes with honeypots for some wickedly effective bot-prevention. No captchas, just code.
It's up at Stopping spambots with hashes and honeypots:
Rather than stopping bots by having people identify themselves, we can stop the bots by making it difficult for them to make a successful post, or by having them inadvertently identify themselves as bots. This removes the burden from people, and leaves the comment form free of visible anti-spam measures.
This technique is how I prevent spambots on this site. It works. The method described here doesn't look at the content at all. It can be augmented with content-based prevention such as Akismet, but I find it works very well all by itself.
http://chongqed.org/ maintains blacklists of active spam sources and the URLs being advertised in the spams. I have found filtering posts for the latter to be very effective in forums.
The most common ones I've observed orient around user input to solve simple puzzles e.g. of the following is a picture of a cat. (displaying pictures of thumbnails of dogs surrounding a cat). Or simple math problems.
While interesting I'm sure the arms race will also overwhelm those systems too.
You can use Recaptcha to at least make a captcha useful. Then you can make questions with simple verbal math problems or similar. Microsoft's Asirra makes you find pics of cats and dogs. Requiring a valid email address to activate an account stops spammers when they wouldn't get enough benefit from the service, but might deter normal users as well.
The following is unfeasible with today's technology, but I don't think it's too far off. It's also probably overkill for dealing with forum spam, but could be useful for account sign-ups, or any situation where you wanted to be really sure you were dealing with humans and they would be prepared for it to take a few minutes to complete the process.
Have 2 users who are trying to prove themselves human connect to each other via their webcams and ask them if the person they are seeing is human and live (i.e. not a recording), by getting them to, for example, mirror each other's movements, or write something on a piece of paper. Get everyone to do this a few times with different users, and throw a few recordings into the mix which they also have to identify correctly as such.
A popular method on forums is to simply queue the threads of members with less than 10 posts in a moderation queue. Of course, this doesn't help if you don't have moderators, or it's not a forum. A more general method is the calculation of hyperlink to text ratios. Often, spam posts contain a ton of hyperlinks, and you can catch a lot this way. In the same vein is comparing the content of consecutive posts. Simply do not allow consecutive posts that are extremely similar.
Of course, anyone with knowledge of the measures you take is going to be able to get around them. To be honest, there is little you can do if you are the target of a specific attack. Rather, you should focus on preventing more general, unskilled attacks.
For human moderators it surely helps to be able to easily find and delete all posts from some IP, or all posts from some user if the bot is smart enough to use a registered account. Likewise the option to easily block IP addresses or accounts for some time, without further administration, will lessen the administrative burden for human moderators.
Using cookies to make bots and human spammers believe that their post is actually visible (while only they themselves see it) prevents them (or trolls) from changing techniques. Let the spammers and trolls see the other spam and troll messages.
Javascript evaluation techniques like this Invisible Captcha system require the browser to evaluate Javascript before the page submission will be accepted. It falls back nicely when the user doesn't have Javascript enabled by just displaying a conventional CAPTCHA test.
Animated captchas' - scrolling text - still easy to recognize by humans but if you make sure that none of the frames offer something complete to recognize.
multiple choice question - All it takes is a ______ and a smile. idea here is that the user will have to choose/understand.
session variable - checking that a variable you put into a session is part of the request. will foil the dumb bots that simply generate requests but probably not the bots that are modeled like a browser.
math question - 2 + 5 = - this again is to ask a question that is easy to solve but prevents the bots ability to generate a response.
image grid - you create grid of images - select 1 or 2 of a particular type such as 3x3 grid picture of animals and you have to pick out all the birds on the grid.
Hope this gives you some ideas for your new solution.
A friend has the simplest anti-spam method, and it works.
He has a custom text box which says "please type in the number 4".
His blog is rather popular, but still not popular enough for bots to figure it out (yet).
Please remember to make your solution accessible to those not using conventional browsers. The iPhone crowd are not to be ignored, and those with vision and cognitive problems should not be excluded either.
Honeypots are one effective method. Phil Haack gives one good honeypot method, that could be used in principle for any forum/blog/etc.
You could also write a crawler that follows spam links and analyzes their page to see if it's a genuine link or not. The most obvious would be pages with an exact copy of your content, but you could pick out other indicators.
Moderation and blacklisting, especially with plugins like these ones for WordPress (or whatever you're using, similar software is available for most platforms), will work in a low-volume environment. If your environment is a low volume one, don't underestimate the advantage this gives you. Personally deciding what is reasonable content and what isn't gives you ultimate flexibility in spam control, if you have the time.
Don't forget, as others have pointed out, that CAPTCHAs are not limited to text recognition from an image. Visual association, math problems, and other non-subjective questions relayed through an image also qualify.
Sblam is an interesting project.
Invisble form fields. Make a form field that doesn't appear on the screen to the user. using display: none as a css style so that it doesn't show up. For accessibility's sake, you could even put hidden text so that people using screen readers would know not to fill it in. Bots almost always fill in all fields, so you could block any post that filled in the invisible field.
Block access based on a blacklist of spammers IP addresses.
Honeypot techniques put an invisible decoy form at the top of the page. Users don't see it and submit the correct form, bots submit the wrong form which does nothing or bans their IP.
I've seen a few neat ideas along the lines of Asira which ask you to identify which pictures are cats. I believe the idea originated from KittenAuth a while ago..
Use something like the google image labeler with appropriately chosen images such that a computer wouldn't be able to recognise the dominant features of it that a human could.
The user would be shown an image and would have to type words associated with it. They would keep being shown images until they have typed enough words that agreed with what previous users had typed for the same image. Some images would be new ones that they weren't being tested against, but were included to record what words are associated with them. Depending on your audience you could also possibly choose images that only they would recognise.
Mollom is supposedly good at stopping spam. Both personal (free) and professional versions are available.
I know some people mentioned ASIRRA, but if you go to all the adopt me links for the images, it will say on that linked page if its a cat or dog. So it should be relatively easy for a bot to just go to all the adoptme links. So its just a matter of time for that project.
just verify the email address and let google/yahoo etc worry about it
You could get some device ID software the41 has some fraud prevention software that can detect the hardware being used to access your site. I belive they use it to catch fraudsters but could be used to stop bots. Once you have identified an device being used by a bot you can just block that device. Last time a checked it can even trace your route throught he phone network ( Not your Geo-IP !! ) so can even block a post code if you want.
Its expensive through so prop. a better cheaper solution that is a little less big brother.