It’s just data

Captcha this!

I’ve noticed an uptick of spam lately.  Not just on my weblog, but on a number of weblogs I follow.  Each time this happens, I adjust my defenses slightly, and the problem goes away — for a while.

My best defense to date has been requiring previews.  Until recently, this meant that the comments that got through were left mostly by humans, often from IP addresses ending in .ru.

A new bot in town

Lately, about 4 to 5 comments a day have made it through, presumably left by a bot.  I say it was likely a bot because no images, JavaScript, or CSS were fetched in the process.

The comments came from some of the same IP addresses you see here.  They were full of the same BBCode-formatted text.  Given the use of BBCode, it is clear that the software wasn’t even specifically targeting my weblog.

What’s amazing about this is that the bot was able to fetch my page, issue a preview with non-empty text, fetch the result, obtain the hidden nonce from that page, and submit a comment.  The nonces are even escaped using numeric character references.  This was all designed to be completely automatic and transparent to humans, but to present a rather twisty passage for bots to traverse.

I was, however, successful in marking all such links as nofollow.  For now.

Response

I’ve implemented an unusual captcha system.  First, the images are not distorted.  In fact, if you have posted to my weblog in the past 90 days, or have visited it within the past week (but more than an hour ago), and aren’t running afoul of the throttle, the display of the image will be entirely suppressed; furthermore, the input field will be pre-filled for you and hidden.  If you are not recognized, but have JavaScript turned on, DHTML will be used to fill in that input field for you, and that portion of the form will be set to display:none.  Even if you are new and have both JavaScript and images turned off, you will find that the alt attribute of the image contains the necessary text.

I’m really not targeting humans with this.

I’ve also intentionally left this open.  If somebody wanted to specifically target my weblog, all I can do is slow them down.  This isn’t meant for those people either.  This is meant for the ones that cast their nets wider.
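The decision logic described above, written out as an added example (this is not the weblog’s own code; the Visitor record, the session-stored token and the /captcha/ image path are assumptions): recognized visitors get a hidden, pre-filled field; everyone else gets an undistorted image whose alt text carries the answer, escaped as numeric character references, plus a script that fills the field and hides the block.

```python
import html
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Visitor:
    last_post: Optional[datetime]    # last accepted comment, if any (assumed record)
    last_visit: Optional[datetime]   # previous page view, if any
    throttled: bool = False          # currently running afoul of the throttle

def is_recognized(v: Visitor, now: datetime) -> bool:
    """Trusted: posted within 90 days, or visited more than an hour but
    at most a week ago, and not throttled. Everyone else counts as new."""
    if v.throttled:
        return False
    if v.last_post and now - v.last_post <= timedelta(days=90):
        return True
    if v.last_visit:
        age = now - v.last_visit
        return timedelta(hours=1) < age <= timedelta(days=7)
    return False

def ncr_escape(s: str) -> str:
    """Escape every character as a numeric character reference (&#NN;)."""
    return "".join(f"&#{ord(c)};" for c in s)

def render_captcha(v: Visitor, now: datetime, token: str) -> str:
    """HTML fragment for the comment form. token is a server-issued random
    value (e.g. secrets.token_hex(3)) that must be kept server-side for verify()."""
    if is_recognized(v, now):
        # image suppressed, field pre-filled and hidden
        return f'<input type="hidden" name="captcha" value="{html.escape(token)}">'
    # new visitor: undistorted image, answer in the NCR-escaped alt text,
    # and a script that fills the field and sets the block to display:none
    return (
        f'<div id="captcha-block">'
        f'<img src="/captcha/{html.escape(token)}.png" alt="{ncr_escape(token)}">'
        f' <input type="text" name="captcha" id="captcha"></div>'
        f'<script>document.getElementById("captcha").value="{token}";'
        f'document.getElementById("captcha-block").style.display="none";'
        f'</script>'
    )

def verify(submitted: Optional[str], expected: str) -> bool:
    """Constant-time comparison of the posted value against the issued token."""
    return secrets.compare_digest((submitted or "").encode(), expected.encode())
```

As the post says, this only raises the bar for generic bots: anything that reads alt text or runs scripts gets the same hints a human does.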


Captcha idea:
spammers have no style, so say
please respond in haiku.

If the responses like this are too short
and too much non-spam is being caught
you could try other tricks
like limericks
which will only stop idiots who can’t make the last line rhyme or scan.

Posted by Brian Ewins at

Manual trackback:

[link]

I needed to back up my MySQL db using phpMyAdmin and it didn’t work - someone posted 75 MB of spam links in an abandoned website I created a long time ago. I was really new to website programming when I created that, I wonder how beginners cope with these problems today?

Posted by Martin at

I like what I’m seeing here.  I typically hate CAPTCHAs because of the fact that they often seem hard for me, a human, to get past.  Most of the time the letters are too distorted to make it easy to read.  Often, I’ll have to try more than once before I get it correct.  If this system works well for you, then my opinion is that it blows everything else out of the water.

Posted by Scott Johnson at

death by spam

I didn’t plan to add this before the first Mephisto release, but Mephisto now has integrated Akismet spam blocking. Mephisto has been smooth sailing for a while now. Despite some rough patches in the UI, a few unimplemented functions, and an...

Excerpt from techno weenie - home at

Sam Ruby: Captcha this!

Sam Ruby: Captcha this! Uptick in spam, yeah. But my solution has successfully blocked everything. Except on my mail form where I’m not using my form library. I get the same BBCoded posts in my e-mail through the form. It’s silly....

Excerpt from Keith's Weblog at

Form SPAM

It appears I’m not the only one coming under generic form spam over the past few days. I caught this post by Sam Ruby the other day. It appears to be a totally generic form submission bot, but it’s pretty good. It’s been hitting...

Excerpt from Ian Landsman's Weblog at

Open Discussion: Fighting Spam in the New World

Today, Joshua Harvey and I removed the Globalize project’s Trac. Why? Because we had no filtering mechanism in place, and human intervention is damn near worthless in the fight against spam. Even before it became a problem for us, I had...

Excerpt from jvoorhis at

testing your captcha

Posted by anonymous at

Spam...

I launched the new version of this site at the end of January. Everything was going fine but some weeks ago I received my first comment spam. At first I only deleted it but of course the problem got worse. There are various solutions for fighting...

Excerpt from tknight.org at

this year's love!

Posted by party poker time at

CAPTCHA usability: Humane alternative to CAPTCHA

Revisiting CAPTCHA: Since W3C wrote about “inaccessibility of CAPTCHA” almost a year ago, a new technique has emerged: Using technology, to make it easier for humans, and challenging for robots to fill out a form, and using a more...

Excerpt from justaddwater.dk at

Automatic Preview

Jacques Distler:  My required preview is a part of my spam prevention strategy, and is intertwined with my issuances of nonces and captchas; neither of which are typically seen... [more]

Trackback from Sam Ruby at

By: evariste

y6y6y6-Sam Ruby implemented CAPTCHA in a really interesting and friendly way, check it out. If I had to do it, I’d do it his way....

Excerpt from Comments on: Spam-b-gone at

Fatal error

Norman, sorry about the typo, it was actually right in the excerpt, but not in the first line of the whole entry, which is shown while it is current . I found strange that no news is good news is used as a criterion for ending a transaction, no...

Excerpt from Boxes and Glue's Comments at

I steal ideas from Sam Ruby

I’ve been making minor changes to the site recently (this will be the last theme change, honestly, I’m mostly happy with this one), the more interesting of them being a anti-spam feature I heard about a few years ago. It’s a...

Excerpt from mylittlepwnage at

Fatal Error

Norman, sorry about the typo, it was actually right in the excerpt, but not in the first line of the whole entry, which is shown while it is current . I found strange that no news is good news is used as a criterion for ending a transaction, no...

Excerpt from Boxes and Glue at