How to detect bots without User Agent? - bots

About 500 times a day, a bot is rendering and registering at my page. I know that it's a bot, because it has been a week with the same behaviour.
I am already using a captcha. So the user agent looks like:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10
But it could also be an iPod or iPhone (it happened before).
So these User Agents don't look like a bot, so my question is: how can I detect that it's a bot, even if the user agent doesn't look like a bot?

User Agent can be easily spoofed, so this is not actually the question you want answered. You want to know what is broken with your CAPTCHA implementation, or if someone can suggest a harder-to-crack one.

Use a combination of something like fail2ban http://www.fail2ban.org/wiki/index.php/Main_Page and modsecurity http://www.modsecurity.org/ along with what John suggested.
If you're running WordPress, I highly suggest using WordFence as well.

How can I detect that it's a bot, even if the user agent doesn't look like a bot?
Add an input field to your form with style display:none. The input field is not visible to humans so they will not enter anything, but auto-posting bots will populate the value. Pieces and parts only below (not a full example), just enough to give you the general idea.
<?php // Default to '' so the check below never reads an unset index
$bot = isset( $_POST['bot'] ) ? $_POST['bot'] : ''; ?>
<!-- Hidden from humans via CSS; form-filling bots still populate it -->
<input type="text" name="bot" id="bot" style="display:none;" value="<?php echo htmlspecialchars(stripslashes($bot)); ?>" />
<?php if ( $bot != '' ) {
    // A non-empty trap value means an automated poster filled the invisible field
    $spambot = 'Confirmed SpamBot - Bot Trap Value Entered: ' . $bot;
} ?>
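A server-side version of the same honeypot check, added here as an illustration and not the answerer's PHP: it renders the trap input, then classifies a submitted form by whether the trap field came back empty, filled, or not at all (a browser always submits a rendered text input, so a missing field means the POST did not come from the served form). The field name `bot` is taken from the answer; the sample POST bodies are constructed.

```python
import html

# Name of the hidden trap input, matching the answer above
TRAP_FIELD = "bot"

def render_trap_field(field=TRAP_FIELD):
    """Emit the hidden input; a human never sees it, so a browser submits it empty."""
    safe = html.escape(field, quote=True)
    return (f'<input type="text" name="{safe}" id="{safe}" '
            f'style="display:none;" value="" autocomplete="off" />')

def classify_submission(form, field=TRAP_FIELD):
    """Classify a POSTed form (dict of field -> value) by its trap field.

    Returns (verdict, detail): 'human' when the trap came back empty,
    'bot' when something filled the invisible field, and 'missing' when
    the field is absent altogether, which a browser never does for a
    text input it rendered (so the POST did not come from our form).
    """
    if field not in form:
        return "missing", "trap field not in POST"
    value = form[field]
    if value == "":
        return "human", ""
    return "bot", "Confirmed SpamBot - Bot Trap Value Entered: " + value

# Constructed sample POST bodies, not real traffic
SAMPLES = {
    "browser":     {"comment": "nice post", "bot": ""},
    "form_filler": {"comment": "buy now", "bot": "http://example.invalid"},
    "direct_post": {"comment": "buy now"},
}

if __name__ == "__main__":
    for name, form in SAMPLES.items():
        print(name, classify_submission(form))
```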

Related

Google retiring "ranking" email action...how to replace Gmail/Schema.org actions

I'm wondering how I can replace the functionality of the Google ranking action.
I'm sending out email at the end of a ticket/support issue and want to be able to let customers state whether they are happy or not with the service they are getting without opening a web browser (inline button/link) or another method. I was trying to hijack the RSVP method, however it appears as if the only answers you can set are "Yes, No, and Maybe".
Looks like there is a lot in SCHEMA.ORG, but it seems like Google has given up on any additions to the basic 3 (Yes, No, Maybe) buttons, with no real options.
Thanks

Can I make a preference search?

So I am starting a website for finding products and I was wondering: is it possible to make a search where, for example, you're looking to buy a laptop, and let's say there's a check box that says "Intel CPU" and "AMD CPU", and once you mark all the specs you want it will give you search results on a specific laptop with those specs? I apologize for my question being so long, but is it possible and how do I approach doing it?
Thanks,
Reese.
Well, you could always have an ajax request sent whenever the user clicks the check box and return the list from php (which will connect to the database) and update the list. A lot of websites use this feature.

Voice calling from websites, user responding

I'm working on a system which needs to do the following:
(from linux)
* Call a user by phone
* Tell the user some action is required
* Give the user a choice and allow him to select based on his choice:
* Then based on the entry, run a command
ex: "Your attention is required because something is wrong. To implement solution Alpha, press 1. To implement solution Beta, press 2"
(user presses 1): "Ok, solution Alpha is now in effect"
Of course this needs to be done from a website. I am sure there are services which do this, what are some?
Thanks
Basically, thanks to Greg, I found Voiceshot and other companies on the web. Gotta love it.
Thank you very much Greg.

What scuppers a browser's 'remember login' logic?

For web sites that have username/password text input fields, the browser usually handily offers to remember them for you (in my case, Safari puts them in my OS X keychain).
This simply does not happen with certain web sites. The first example that comes to mind is vBulletin forums. Meaning you can't use a complex/random password unless you're willing to copy and paste it from somewhere each time.
Are browsers detecting when to offer to remember these by "does this look like a username/password" heuristics and failing sometimes?
How does this work behind the scenes?
Edit: Fellow Safari users, check out this combo:
http://8-p.info/greasekit/
http://userscripts.org/scripts/show/8021
http://userscripts.org/scripts/show/28696
There's an 'autocomplete="off"' attribute on form (not officially in HTML4, but generally supported).
Try this:
<form id="loginForm" action="login.cgi" method="post" autocomplete="off">
You could use <FORM METHOD="post" ACTION="action.cgi" AUTOCOMPLETE="off"> but this only works in IE I think.
You could also use a random string for the password field ID so that the browser cannot be sure that a previously entered password is authenticating the same page this time round.
Another strategy would be to not use type="password" as the browser uses this to identify a field as a password - however, this is not a good idea as the password would not be blanked out when the user types it into the form. Any javascript to emulate this would not be executed if JS was disabled.
I think using the first two techniques would probably be as good a solution as is possible without resorting to advising your users to not allow the browser to store passwords.

Managing Unregistered User Posts by Screening

I am considering allowing users to post to my site without having them register or provide any identifying information. If each post is sent to a db queue and I then manually screen these posts, what sort of issues might I run into? How might I handle those issues?
Screening every post would be tedious and tiresome. And prone to annoying admin spam. My suggestion would be to automate as much of screening as possible. And besides, providing any identifying information does nothing to prevent spam (a bot will just generate it).
A lot of projects implement recognition system: first the user has to post 1-2 posts that are approved, then by IP and (maybe) a cookie he's identified as a trusted poster, so his posts appear automatically (and later can be marked as spam).
Also some heuristics on the content of the post could be used (like amount of links in the post) to automatically discard potential spam posts.
The most obvious issue is that you'll get overwhelmed by the number of submissions to screen, if your site is sufficiently popular.
I would make sure to add some admin tools, so you can automatically kill all posts from a particular IP address, or that match a particular regex. That should help get rid of obvious spam faster, but again, you'd have to be behind the wheel for all of that.
Tedium seems to be the greatest concern – screening posts manually is effective against spam (I'm assuming this is what you want to weed out) but very boring.
It could be best fixed with a cup of coffee and nice music to listen to while weeding?
I've found that asking for the answer to a simple question sent to the browser as an image (like "2 + 3 - 4 =", a variant of a 'captcha' but not so annoying), with a wee bit of Javascript, does quite well.
Send your form with the image and answer field, and a hidden field with a "challenge" (some randomly generated string). When the user submits the form, hash the challenge and the answer, and send the result back to the server. The server can check for a valid answer before adding it to the database for review.
It seems like a lot of work up front, but it will save hours of review time. Using jQuery:
<!-- jQuery and an md5.js that defines hex_md5() must be loaded first (script paths are placeholders) -->
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="md5.js"></script>
<script type="text/javascript">
// Hash function to mask the answer: replaces the typed answer with md5(md5(answer) + challenge)
function answerMask()
{
    var a = $('#a').val();   // the user's answer
    var c = $('#c').val();   // the server-issued challenge
    var h = hex_md5(hex_md5(a) + c);
    $('#a').val(h);
}
</script>
<form onsubmit="answerMask()" action="/cgi-bin/comment.py" method="POST">
<table>
<tr><td>Comment</td><td><input type="text" name="comment" /></td></tr>
<!-- the id must be "a" so answerMask() can find the answer field -->
<tr><td># put image here #</td><td><input id="a" type="text" name="a" size="30" /></td></tr>
<tr><td><input id="c" type="hidden" value="ddd8c315d759a74c75421055a16f6c52" name="c" /></td><td><input type="submit" value=" Go "></td></tr>
</table>
</form>
Edit update...
I saw this technique on a web site, I'm not sure which one, so this idea isn't mine but you might find it useful.
Provide a form with a challenge field and a comment field. Prefix the challenge with "Pick the third word from: glark snerm hork morf" so the words, and which one to pick, are easy to generate on the server and easy to validate when the form contents come back.
The point is to make the user do something, apply a few brain cells, and more work than it's worth for a script kiddie.
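The challenge/answer exchange from the jQuery answer above, carried through end to end in Python as an added example (not the answerer's code; the form posts to /cgi-bin/comment.py, but this script is self-contained): the server issues a question and a random challenge token and remembers the answer, `mask_answer()` reproduces the `answerMask()` computation from the client side, and the server recomputes the hash, compares it, and consumes the challenge so it cannot be replayed. The in-memory `PENDING` store and the arithmetic question generator are assumptions.

```python
import hashlib
import hmac
import random
import secrets

# Outstanding challenges: challenge token -> expected answer.
# Assumed in-memory store; a real CGI script would keep this server-side between requests.
PENDING = {}

def make_question(rng=random):
    """Build a small arithmetic question like the "2 + 3 - 4 =" image described above."""
    a, b, c = rng.randint(1, 9), rng.randint(1, 9), rng.randint(1, 9)
    return f"{a} + {b} - {c} =", str(a + b - c)

def issue_challenge(store=PENDING, rng=random):
    """Server side: generate the question text and a random challenge; remember the answer."""
    question, answer = make_question(rng)
    challenge = secrets.token_hex(16)   # goes into the hidden field "c"
    store[challenge] = answer
    return question, challenge

def hex_md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def mask_answer(answer, challenge):
    """Client side: the same computation as answerMask(), hex_md5(hex_md5(a) + c)."""
    return hex_md5(hex_md5(answer) + challenge)

def verify_submission(form, store=PENDING):
    """Server side: recompute the masked answer and compare; the challenge is single use."""
    challenge = form.get("c", "")
    submitted = form.get("a", "")
    answer = store.pop(challenge, None)   # unknown or already-used challenge -> reject
    if answer is None:
        return False
    return hmac.compare_digest(mask_answer(answer, challenge), submitted)

if __name__ == "__main__":
    q, c = issue_challenge()
    print("question:", q)
    # Constructed "user" who answers correctly, then a replay of the same POST
    form = {"comment": "hello", "a": mask_answer(PENDING[c], c), "c": c}
    print("first submit:", verify_submission(form), "replay:", verify_submission(form))
```

Because the masking runs in the client, it only screens out submitters that never execute the page's JavaScript; the check that actually matters is the server recomputing the hash from the answer it stored.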
* posts that attempt to look legit but aren't
* the sheer volume
These are the issues that I see on my blog.