Captcha this!
I’ve noticed an uptick of spam lately. Not just on my weblog, but on a number of weblogs I follow. Each time this happens, I adjust my defenses slightly, and the problem goes away — for a while.
My best defense to date has been requiring previews. Until recently, this meant that comments have been left mostly by humans, often with ip addresses that ended in .ru.
A new bot in town
Lately, about 4-5 comments have made it through a day, presumably left by a bot. I say it was likely a bot as no images, JavaScript, or CSS were fetched in the process.
The comments came from some of the same ip addresses you see here. Full of the same BBCode formatted text. Given the use of BBCode, it is clear that the software wasn’t even specifically targeting my weblog.
What’s amazing about this is that the bot was able to fetch my page, issue a preview with non-empty text, fetch the result, obtain the hidden nonce from that page, and submit a comment. The nonce is even escaped using numeric character references. This was all designed to be completely automatic and transparent to humans, but present a rather twisty passage for bots to traverse.
I was, however, successful in marking all such links as nofollow. For now.
Response
I’ve implemented an unusual captcha system. First, the images are not distorted. In fact, if you have posted to my weblog in the past 90 days, or have visited it within the past week (but more than an hour ago), and aren’t running afoul of the throttle, the display of the image will be entirely suppressed; furthermore, the input field will be pre-filled in for you and hidden. If you are not recognized, but have JavaScript turned on, DHTML will be used to fill in that input field for you, and that portion of the form will be set to display:none. In fact, even if you are new, have both JavaScript and images turned off, you will find that the alt attribute of the image will contain the necessary text.
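The recognition rules and the three fall-backs just described, as an added Python sketch that is not the weblog’s own code; the markup, the field names, the `throttled` flag and the sample timestamps are assumptions:

```python
from datetime import datetime, timedelta
import html
import json

POSTED_WINDOW = timedelta(days=90)   # posted within the past 90 days
VISIT_WINDOW = timedelta(days=7)     # visited within the past week ...
VISIT_MIN_AGE = timedelta(hours=1)   # ... but more than an hour ago


def is_recognized(now, last_post, last_visit, throttled):
    """True when the image may be suppressed and the field pre-filled."""
    if throttled:                      # running afoul of the throttle cancels recognition
        return False
    if last_post is not None and now - last_post <= POSTED_WINDOW:
        return True
    if last_visit is not None and VISIT_MIN_AGE < now - last_visit <= VISIT_WINDOW:
        return True
    return False


def ncr_escape(text):
    """Escape every character as a decimal numeric character reference,
    the way the post says the hidden nonce is escaped."""
    return "".join(f"&#{ord(c)};" for c in text)


def captcha_fragment(now, last_post, last_visit, throttled, answer):
    """Form fragment for the captcha (assumed markup, not the weblog's own).
    Recognized visitors get a hidden, pre-filled field. Everyone else gets the
    undistorted image whose alt text carries the answer, a visible input, and a
    script that fills the input and hides the block when JavaScript is on."""
    safe = html.escape(answer, quote=True)
    if is_recognized(now, last_post, last_visit, throttled):
        return f'<input type="hidden" name="captcha" value="{safe}">'
    return (
        '<div id="captcha-block">'
        f'<img src="/captcha.png" alt="{safe}">'      # alt text: no JS, no images
        '<input type="text" name="captcha" id="captcha">'
        '</div>'
        '<script>'
        f'document.getElementById("captcha").value={json.dumps(answer)};'
        'document.getElementById("captcha-block").style.display="none";'
        '</script>'
    )
```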
I’m really not targeting humans with this.
I’ve also intentionally left this open. If somebody wanted to specifically target my weblog, all I can do is slow them down. This isn’t meant for those people either. This is meant for the ones that cast their nets wider.