How are sites like Facebook protected from bots without any captcha?

How are sites such as Facebook and Twitter protected from bots during registration? I mean that there is no conversion in the registration form?

I want to create a registration form for a project, and I do not want the bot to be ugly during registration and Captchas.

Edit: My question is valid during registration, because I know that Facebook uses Captchas after registering for the first time.

+8
facebook captcha
6 answers

Facebook uses some kind of hidden spam protection; if you look at the source of the registration form, you will see things like:

class="hidden_elem"><div class="fsl fwb">Security Check</div>This is a standard security test that we use to prevent spammers from creating fake accounts and spamming users. 

So the captcha becomes visible when JavaScript thinks you're a bot.

There are several ways to make it harder for bots to complete registration without a captcha: things like the time it takes to fill out a form, event triggers, etc. Also random values based on the session in the form (for direct forward views without loading the form).

Also, some people use hidden form elements with common names, such as "email", which are invisible in CSS, but simple bots will try to fill in all form fields, and so you can block them if this hidden element matters.

Twitter and FB spend a lot of time developing tags to block spammers. I do not think that they will make it publicly available, as this will counteract the product to combat spammers.

But you can download all client-side javascripts from fb or twitter and study them if you want, because most of the protection will be performed inside the client, and not on the server.

The server can only give out some random session variable, check the correct headers in the request, the total time, etc. It's really limited.

Some sites also use AJAX exchanges between the server and the client when the user fills out the form, basically just to make it more difficult for bot developers to make simulated fake data exchanges.

In any case, unfortunately, there is no simple solution for decent protection, simply without captcha or any issue.

Also, for the “Send” button, you can use an image map instead of the button: you can dynamically create a large image with the submit button image drawn on it in an arbitrary position, using things like GDI in PHP, and use CSS to display only the part of this image with the actual button, and on the server side check the position of X and Y where the mouse was clicked. It will be difficult for the bots to smash. If they do not use real browsers and simply emulate a keyboard and mouse. In any case, as I said, unfortunately, there is no simple solution.

+9
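
The server-side checks this answer lists (a random value tied to the session, the time taken to fill out the form, and a CSS-hidden field named "email"), sketched as an added example that is not part of the original answer or any site's actual code. The secret key, the thresholds and the `form_token` and `real_email` field names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret
MIN_FILL_SECONDS = 3                  # assumption: faster than a person types
MAX_FORM_AGE = 3600                   # assumption: rendered form valid for 1 hour
HONEYPOT_FIELD = "email"              # hidden with CSS; people leave it empty

def _mac(session_id, issued):
    msg = f"{session_id}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_form_token(session_id, now=None):
    """Hidden value rendered into the form: issue time plus a MAC tied to the session."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_mac(session_id, issued)}"

def check_submission(session_id, form, now=None):
    """Return the reasons a POST looks automated; an empty list means it passed."""
    now = time.time() if now is None else now
    reasons = []
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot_filled")
    issued, _, mac = form.get("form_token", "").partition(".")
    valid = issued.isascii() and issued.isdigit() and hmac.compare_digest(
        mac.encode(), _mac(session_id, issued).encode())
    if not valid:
        # Direct POST without loading the form, or a token from another session.
        reasons.append("bad_or_missing_token")
        return reasons
    age = now - int(issued)
    if age < MIN_FILL_SECONDS:
        reasons.append("submitted_too_fast")
    elif age > MAX_FORM_AGE:
        reasons.append("token_expired")
    return reasons

if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    tok = issue_form_token("sess-A", now=1000)
    human = {"real_email": "a@example.org", "email": "", "form_token": tok}
    print(check_submission("sess-A", human, now=1020))
    print(check_submission("sess-A", dict(human, email="x@example.org"), now=1001))
    print(check_submission("sess-B", human, now=1020))
```

A token stays replayable until it expires; recording used tokens on the server would make it single-use.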

One way is to send a confirmation to the user's email address or cell phone and receive a confirmation (so in this case you will only need to allow one email address or mobile phone for each account).

Another option is to use "Negative CAPTCHA" or "Honeypot Captcha".

+2

I don’t know how Facebook and Twitter do it, but if you want to create something simple and that does not interfere with the aesthetics of your site, I know that some websites simply ask the user to enter an answer to a simple mathematical problem like “what is 2 + 3?”. This is not the safest way to do this, but it is just a thought.

+1

Well, you can always deploy hardware solutions to create a 4-7 level firewall rule. You can create specific rules to search for known bot agents crawling web pages. However, to stop the newly created bots, you need to know which agent they use for the bot.

+1

Since you do not want CAPTCHA, you can use Keypic - keypic.com is an invisible protection that does not require CAPTCHA. This is an effective anti-spam method for any web form. Users of the site do not pass tests that are good for the site, as this improves the quality of the user’s work and, thus, increases the attractiveness of the user. The solution is a kind of expert system that analyzes user behavior and checks the database, and then concludes if the request comes from a legitimate user or robot. BTW, Twitter and Facebook still use CAPTCHA to verify the password, which is a very controversial method in terms of the effectiveness of such protection.

0

I had a problem with a lot of bots subscribing to my Nintendo website, so I put one Mario image on the registration page (making sure that nothing in the image data says “Mario”) with the text “Who is this? One word answer.” Since then there wasn’t a single bot registration. Not sure if this is actually a good solution, but not sure how smart bots work. I'm a little surprised that this worked.

In theory, this may contain several legitimate users, but it is difficult to imagine many legitimate users of the Nintendo website without knowing who Mario is ...

-1