Blocking spam on a PHP site without disturbing the user

I am currently working on a small chat / forum site that I put together over the weekend, and it has anonymous posts (i.e. no usernames or passwords). It seems that the spam bots may be simple ones, but I do not want to bother the user with a captcha or similar inputs to protect against spam.

Are there any alternatives invisible to the user? Thank you for your help.

+6
input php validation captcha
5 answers

One thing you should know about spammers is that they always go for the low-hanging fruit. The same goes for hackers. By this I mean that they will choose the easiest targets that affect the most users. This is why vulnerabilities in PHP and Windows are so often used: they affect so many users that if you find such a weakness / exploit, your target "market" is huge.

This is also a big part of why Linux and Mac OS remain relatively unscathed by viruses, for example: the target market is much smaller than Windows. Now, I do not equate the security and reliability of Windows with Mac / Linux, but even though the security model of the latter two is much better, the number of attacks against the former is still disproportionate to the shortcomings it has.

I mention this because one of the best ways to avoid such problems is not to use popular software. For example, phpBB has many attacks made against it simply because it is so popular.

Thus, by making your own chat / forum system, you are at a disadvantage, because you have a system that has not been field-tested the way something popular has, but you also have the advantage that it is not worth a spammer's effort to target it. So you need to keep track of what automated systems can do against you. Contact forms on sites typically have recognizable tokens (for example, name, email address and comment fields).

Therefore, I would advise:

  • Ignoring responses that arrive within 5-10 seconds of the form being sent to the user;
  • Using a honeypot (hidden CSS / JS fields, as described elsewhere);
  • Using Javascript, where applicable, for rendering, reordering, or displaying the form;
  • Using unpredictable form field names; and
  • Throttling responses per IP.
+8

This is not a bulletproof solution, but you can have hidden input fields. If they are not left empty, you have caught a bot. Bots, as a rule, fill in all input fields, while users always leave fields that they do not see empty.

+6

This helped me in 100% of cases:

<input type="text" style="display:none" name="email" value="do not fill this in it is for spam catching" />

Then server side (PHP):

 // A missing field (bot did not send it) or a changed value both count as spam;
 // isset() avoids an "undefined index" notice when the field is absent.
 if (!isset($_POST['email']) || $_POST['email'] !== 'do not fill this in it is for spam catching') { // spam }

As mentioned earlier, most bots fill in everything, especially inputs called email.

+2
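The first answer's list (honeypot, unpredictable field names, a minimum delay) and the honeypot check just above can be combined server-side in one place. The following is an added example, not code from any of the answers; the session keys, field names and the 5-second threshold are assumptions chosen for it.

```php
<?php
// Added example: honeypot with a per-session, unpredictable field name plus a
// "submitted too fast" rule. Session keys and the threshold are assumptions.
session_start();

// Returns a list of reasons the submission looks automated; empty means it passed.
function spam_reasons(array $post, array $session, int $min_seconds = 5): array {
    $reasons = [];
    // Honeypot: hidden via CSS, so a person never fills it in; most bots do.
    $hp = $session['hp_field'] ?? null;
    if ($hp === null || !array_key_exists($hp, $post)) {
        $reasons[] = 'honeypot field missing (form was not rendered by us)';
    } elseif ($post[$hp] !== '') {
        $reasons[] = 'honeypot field was filled in';
    }
    // Timing: a person needs a few seconds to read the form and type a message.
    $issued = (int) ($session['form_issued'] ?? 0);
    if (time() - $issued < $min_seconds) {
        $reasons[] = "submitted less than {$min_seconds}s after the form was issued";
    }
    return $reasons;
}

// Called when rendering the form: pick a fresh, unguessable honeypot field name
// and remember when the form was handed out.
function issue_form_tokens(): string {
    $_SESSION['hp_field'] = 'f_' . bin2hex(random_bytes(8));
    $_SESSION['form_issued'] = time();
    return $_SESSION['hp_field'];
}

// Handle a submission first, so the check uses the tokens of the form that was shown.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reasons = spam_reasons($_POST, $_SESSION);
    if ($reasons !== []) {
        // Log for your own tuning, but answer as if the post succeeded so the
        // bot learns nothing about which rule it tripped.
        error_log('dropped post: ' . implode('; ', $reasons));
        exit('Thanks for your post.');
    }
    // ... store $_POST['message'] here ...
}

// Render the form with the honeypot wrapped in a hidden container.
$hp = htmlspecialchars(issue_form_tokens(), ENT_QUOTES);
echo '<form method="post"><textarea name="message"></textarea>'
   . '<div style="display:none"><input type="text" name="' . $hp . '" value="" autocomplete="off"></div>'
   . '<button type="submit">Post</button></form>';
```

Because the field name changes per session, a bot that replays a captured form from another session fails the "honeypot field missing" rule even if it leaves the field empty.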

The idea behind captchas is that they are very easy for people to get through, but very difficult for bots, etc. If you do not want such a solution, what will stop these spam bots from posting on your site?

This is similar to the fact that you want your computer to be safe, but you do not want to use antivirus and firewall.

I think you could create a session for every user who visits your site, and the first time they want to post something, they are shown a captcha (no need to log in, just pass the captcha). If they pass it, just store a flag in the session marking them as human. For as long as they keep their browser open, they can post and reply on your site as they wish. Bots are unlikely to pass this first test.

0

There are two classes of spam protection.

The first makes it difficult for bots to post to your site automatically. For this, the hidden form field method is often mentioned and is suitable for low-traffic sites. These protections can be trivially defeated by a spam bot written for your site. However, if you are too small a target, this will not happen.

The second is the "annoying" kind. This usually involves a subscription, registration, or email. You can use several approaches to make this less annoying, but it takes a lot more effort on the bot's side to post spam.

Please note that both of these approaches can often discourage disconnected and mobile users.

0
