Protecting from "registration bots"? [closed] - security

Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
What is the best strategy for protecting against "registration bots"? Ones that just POST registration forms to my server, creating dumb users.
For my application, it started with just several new accounts per day. But now it has become a real problem.
I would like to avoid confirmation mail, as much as possible. What are strategies to prevent this?

You can use a variety of techniques here:
- Use a CAPTCHA like reCaptcha
- Present the user with a trivial problem like "2+2=?". A human will be able to respond correctly whereas a bot won't.
- Add a hidden text field to your form. Bots are programmed to fill in every field they can. If you find that the hidden field has some data in it when the form was submitted, discard the request.

Use something like reCaptcha

Any kind of captcha will do it, e.g. reCAPTCHA, but for popular bots a simple check like: "from the following checkboxes below please select the nth one" will do it.
Also, if you use a popular app like phpBB, just a little tweaking of the registration page will do it.
If your site is very popular, then it's a different story altogether, and there will always be a way to write bots specifically designed for your site, but these basic tricks should be enough to stop generic bots.

You could log the IPs of those bots and block them. That is if they are not rotating lots of IPs.
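
The hidden-field check and the IP logging and blocking suggested in the answers above can be combined in one server-side screen. This is an added example, not code from any of the answers; the field name `website`, the thresholds and the sample submissions are assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque

HONEYPOT_FIELD = "website"  # hypothetical field name, hidden from humans via CSS
MAX_SIGNUPS = 3             # assumed limit of attempts per IP per window
WINDOW = 3600               # window length in seconds (assumed)
BLOCK_FOR = 86400           # seconds an IP stays blocked after a honeypot hit


class RegistrationScreen:
    """Screens registration POSTs before any account is created."""

    def __init__(self):
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent attempts
        self.blocked_until = {}             # ip -> time at which the block expires

    def check(self, form, ip, now=None):
        """Return (allowed, reason) for one submitted form (a dict of fields)."""
        now = time.time() if now is None else now
        if self.blocked_until.get(ip, 0) > now:
            return False, "ip_blocked"
        # Humans never see the honeypot, so any value in it marks a bot.
        if form.get(HONEYPOT_FIELD, "").strip():
            # Blocks expire so a shared or reassigned address is not locked out forever.
            self.blocked_until[ip] = now + BLOCK_FOR
            return False, "honeypot_filled"
        recent = self.attempts[ip]
        while recent and now - recent[0] >= WINDOW:
            recent.popleft()                # forget attempts outside the window
        recent.append(now)
        if len(recent) > MAX_SIGNUPS:
            return False, "rate_limited"
        return True, "ok"


def demo():
    """Run constructed sample submissions through the screen."""
    screen = RegistrationScreen()
    human = {"username": "alice", "email": "alice@example.com", "website": ""}
    bot = {"username": "x9", "email": "x9@example.com", "website": "http://spam.example"}
    results = [
        screen.check(human, "192.0.2.10", now=0),
        screen.check(bot, "198.51.100.7", now=1),
        screen.check(human, "198.51.100.7", now=2),              # still blocked
        screen.check(human, "198.51.100.7", now=1 + BLOCK_FOR),  # block expired
    ]
    results += [screen.check(human, "203.0.113.5", now=t) for t in range(10, 14)]
    return results
```

The per-IP window only slows a source that reuses addresses; as the last answer notes, it does little against bots rotating many IPs.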

Related

Is there any effort towards a scraper and bot friendly Internet? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I am working on a scraping project for a company. I used Python libraries such as selenium, mechanize, BeautifulSoup4 etc. and was successful in putting data into a MySQL database and generating the reports they wanted.
But I am curious: why is there no standardization on the structure of websites? Every site has a different name\id for username\password fields. I looked at the Facebook and Google login pages, and even they have different naming for username\password fields. Also, other elements are named arbitrarily and placed anywhere.
One obvious reason I can see is that bots will eat up a lot of bandwidth and websites are basically targeted at human users. A second reason may be that websites want to show advertisements. There may be other reasons too.
Would it not be better if websites didn't have to provide APIs and there were a single framework for bot\scraper login? For example, every website could have a scraper-friendly version which is structured and named according to a standard specification which is universally agreed on, and also have a page which shows a help-like feature for the scraper. To access this version of the website, a bot\scraper has to register itself.
This will open up an entirely different kind of internet to programmers. For example, someone can write a scraper that can monitor vulnerability and exploit listing websites, and automatically close the security holes on the user's system. (For this, those websites have to create a version which has the kind of data which can be directly applied, like patches and where they should be applied.)
And all this could be easily done by an average programmer. And on the dark side, one can write malware which can update itself with new attacking strategies.
I know it is possible to use Facebook or Google login using Open Authentication on other websites. But that is only a small thing in scraping.
My question boils down to: why is there no such effort out there in the community? And if there is one, kindly refer me to it.
I searched over Stack Overflow but could not find a similar one. And I am not sure that this kind of question is proper for Stack Overflow. If not, please refer me to the correct Stack Exchange forum.
I will edit the question, if something there is not according to community criteria. But it's a genuine question.
EDIT: I got the answer thanks to #b.j.g. There is such an effort by W3C called Semantic Web. (Anyway, I am sure Google will hijack the whole internet one day and make it possible, within my lifetime.)
EDIT: I think what you are looking for is The Semantic Web
You are assuming people want their data to be scraped. In actuality, the data people scrape is usually proprietary to the publisher, and when it is scraped... they lose exclusivity on the data.
I had trouble scraping yoga schedules in the past, and I concluded that the developers were consciously making it difficult to scrape so third parties couldn't easily use their data.

Measure the user experience of a website [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 3 years ago.
I know that this is no technical question, but since someone has posted a similar question here I thought it should be ok.
What I want to do is to measure the user experience of any website. Ideally, I would like to use some type of algorithm to get a number with a corresponding metric to evaluate the user experience.
I can think of some type of heuristics, e.g. if user gets a 404-error, the user experience is very low. On the other hand, if he or she buys something in an online store, the user experience is high. Of course this would not work if the page is e.g. a news page.
Does anyone of you know how I could calculate the user experience for websites?
Thanks in advance,
enne
What I understand from your question is that you want to measure the user experience based on technical terms, i.e.: number of views for a specific page, number of error pages showed to users, how many times a link has been clicked, what locations the users come from all over the world, and so on.
So, I think you are asking about website analytics, which you can customize to do measurements for whatever you want. Famous examples of those tools:
- Splunk
- Google Analytics
- Open Web Analytics (open source)
Please let me know if I answered your question.

Protection against Screenshot Keyloggers [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
I was thinking of creating an on-screen keyboard to protect against keyloggers. The main problem is that I have found that there is a category of keyloggers, called screenshot keyloggers, which are able to take screenshots of the screen every time the mouse button is clicked.
For this reason, I feel that my approach of creating an on-screen keyboard does not protect against this category of keyloggers. Is there a way of coding the application which does not allow screenshots to be taken, or else alerts the user if these are being taken without his permission?
Edit
I am assuming that only the user is present in the room. Therefore, I am not trying to protect against other users from taking photos with their digital cameras. I only want to protect against screenshot keyloggers.
This is an issue that Trusted Computing can potentially address, but not on any system you'd likely be trying to deploy this for. Beyond screenshots, remember that if a device or piece of code can have local access, screenshots are one way to take that data. Another way would be to take that data passing through memory or other avenues of processing through the system. It's a very hard thing to prevent entirely.
If you are that paranoid so that you cannot trust the computer you are working on, I would highly advise introducing "factor" in the authentication.
"Google Authenticator" is an open-source "two-factor" security system (like a software version of an RSA token). It means a user would have to have it running on their smartphone, but it means if one does NOT have the phone, even if they have successfully sniffed the username and password, they cannot log-in. Google "Google Authenticator".
Other 2-factor methods involve sending one-time login codes to one's cell phone (which again must be held), using a hardware-token key, or a list of one-time-only passwords.
I actually created an Apache-specific port of this if you want to use it: https://code.google.com/p/google-authenticator-apache-module/

Beta site and invitations [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
I'm launching a startup web site. What I would like to know is how to start with that; I mean, is it better to use invitations first of all?
Then how to send invitations, and to whom?
How can I plan invitations? What are the best practices?
Has anyone passed through this step with their own site?
Any experience on here?
Thanks
Whether you create a beta version of the site first is completely up to you.
It really depends on what type of website you're planning to make. Betas are obviously a good way to gain feedback on your website and its functionality before releasing to everyone, thus allowing you to make improvements/fix bugs before everyone uses the site.
In terms of actually getting users for the beta, it's very much a case of marketing your website and its existence well (through social media, advertising etc.), and then providing some kind of 'sign up for the beta' page. You could then close registration for the beta once you have enough users, and devise some method of gaining feedback from users.
I haven't personally created a beta myself, but if I was to do it, I would do the above.
Hope that's of some help.

Prevent Hyperlinks to Bad Domains [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
I have a forum; users can post comments, and they can also enable/disable and approve comments. However, I can't always trust that users will disapprove comments linking to bad domains. Like these: http://www.mywot.com/en/forum/3823-275-bad-domains-to-blacklist
My question is two part:
If a user does hyperlink to a 'bad domain' like those in the link above, will my forum/forum-category/forum-category-thread be penalised by it, and even if so if I add no-follow to the forum thread's links?
Is there a free API service out there, that I can make a request to to get a list of bad domains, so I can then filter them out of users' posts?
I may be being paranoid, but it's probably because I'm not too SEO savvy.
The actual algorithms aren't public, but this is what I found looking around the 'net.
1) Google's Webmaster Guidelines say that it may lower ranking for sites that participate in link schemes. As an example of a link scheme, they give "Links to web spammers or bad neighborhoods on the web". NoFollow may or may not have impact on it, but the consensus seems to be that it doesn't.
2) You can use either of Google's two safe browsing APIs to check if sites have been found to be phishing and/or malware sites.
If your website is linking to bad domains, that will definitely harm your website, but again, it depends upon the outgoing links ratio.
I strongly recommend recruiting forum moderators from active members who can manually moderate forum posts and will help save you from spamming.
I am not sure, but many forums allow various restrictions like:
- Only members having a certain number of posts can put links in a forum reply
- Only members who are a specified number of months/days old can share links
- Only a particular number of links are allowed in a forum post.
Kindly check for such facilities that can help you to restrict the users.
