1 Apr 09, 2010 00:21

Hello my friends from long long ago!

I'm soon about to create a commenting system for the CMS I deploy for my clients. And I would like ideas to combat spam.

Would these checks be enough?

For comments:
- Check if cookie [blah] exists, if not set it to a random number, save that number on the session. On comment submit, check that cookie against the session. Check referrer to determine if we should have a session.
- Use javascript to add a server side supplied random number to the form variable [blah]. On comment submit, check that the random number submitted is the same as expected.

Would one of those checks be enough (which one)? Or should I use both (and operation)? Or should I use either (or operation)?

For trackbacks:
- Use method here

- Benjamin "balupton" Lupton

2 Apr 09, 2010 00:49

Some bots save cookies
Js isn't enabled by all users

Try playing with css ;)


3 Apr 10, 2010 15:17

What could CSS do?

So I'm thinking then to do the following:
1. Have the cookie check and javascript check.
2. Have the cookie check and if javascript is disabled have a reCaptcha check.

If the user has cookies disabled, they don't get to post a comment.

Seems like that would enable the majority say 95%+ of users to post comments without any annoying fields, and 5%- to have to use a captcha.

Any use cases that this would fail for besides say captcha recognition and human helper bots?

4 Apr 10, 2010 19:44

CSS can tell you if it's a bot or a human without the need for (re)captcha / cookies / js. Although the ability to use cookies makes life easier ;)


5 Apr 13, 2010 22:36

Ok, now you've got me wondering. As you always do.

I wanna know, wise one, how can CSS distinguish usefully between bot and human?

6 Apr 15, 2010 22:38

Bots can't parse CSS successfully. Normal usage is to have multiple inputs, only one of which is "visible" to a human. Fill in any other box and you're a bot.

Get a tad more imaginative and you can kill the ones that parse css as well ;)

Only failure is you can't detect bot versus screen/text reader :( but you can kill captcha/cookies/js/other hoops. I detest any hoop that humans have to jump through to prove they're not a bot, so I prefer to move the goal posts.


7 Apr 16, 2010 10:12

Hrmm.... I would have ruled that option out due to bots brute forcing the different fields?

8 Apr 16, 2010 11:20

And if the correct field changes randomly? ;)


9 May 26, 2010 10:30

¥åßßå wrote:

And if the correct field changes randomly? ;)

Well, if they brute all the possibilities, doesn't matter, they still get it through...

10 May 26, 2010 16:38

Lol, if you allow them to brute force your form then you really need to rethink your method ;)
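The checks discussed in this thread, put together as an added example in Python: post 1's random number held in the session and mirrored in a cookie and in the form, post 6's CSS-hidden honeypot input, post 8's honeypot field name that changes per session, and post 10's point that a client should not get unlimited guesses. This is not code from the thread or from the poster's CMS. The session dict, the server secret, the real field names, the `.hp` stylesheet class and the lock threshold are all assumptions; the session-store and HTTP plumbing of a real CMS are left out.

```python
import hashlib
import hmac
import html
import secrets

# Assumption: one secret per deployment, never sent to the client.
SERVER_SECRET = b"constructed-example-secret-change-me"
REAL_FIELDS = ("author", "body")   # assumption: the form's visible inputs
MAX_FAILURES = 3                   # assumption: lock the session after this many rejections


def new_session():
    """Server-side session record. The random token is the number post 1 keeps in
    the session and mirrors in a cookie; the dict stands in for the CMS session store."""
    return {"token": secrets.token_hex(16), "failures": 0}


def honeypot_field_name(session):
    """Per-session name for the invisible input, so the 'correct' field moves (post 8).
    HMAC(secret, session token) is unpredictable to the client but stable for the
    session, so nothing extra has to be stored server-side."""
    digest = hmac.new(SERVER_SECRET, session["token"].encode(), hashlib.sha256).hexdigest()
    return "f_" + digest[:12]


def render_form(session):
    """HTML for the comment form. The honeypot is an ordinary text input inside a div
    that the stylesheet hides (assumed rule: .hp { display: none }), so a client that
    ignores CSS sees one more box to fill (post 6). The label tells screen-reader
    users to leave it empty, which is the weakness post 6 mentions."""
    hp = honeypot_field_name(session)
    token = html.escape(session["token"])
    return (
        '<form method="post">'
        f'<input type="hidden" name="token" value="{token}">'
        '<input type="text" name="author">'
        '<textarea name="body"></textarea>'
        f'<div class="hp"><label>Leave this field empty'
        f'<input type="text" name="{hp}" tabindex="-1" autocomplete="off"></label></div>'
        '</form>'
    )


def _same(submitted, expected):
    """Constant-time compare that tolerates a missing or non-ASCII submitted value."""
    return isinstance(submitted, str) and hmac.compare_digest(
        submitted.encode(), expected.encode()
    )


def check_submission(session, cookie_token, form):
    """Decide whether a posted comment is accepted.

    cookie_token: value of the cookie the browser sent back (None if absent).
    form: dict of submitted field name -> value.
    Returns (accepted, reason). Every rejection counts toward the session lock, so a
    client cannot keep guessing field names against one session (post 10)."""
    ok, reason = _evaluate(session, cookie_token, form)
    if not ok:
        session["failures"] += 1
    return ok, reason


def _evaluate(session, cookie_token, form):
    if session["failures"] >= MAX_FAILURES:
        return False, "session locked"
    # post 1: cookie and form token must both match the number stored in the session
    if not _same(cookie_token, session["token"]) or not _same(form.get("token"), session["token"]):
        return False, "token mismatch"
    hp = honeypot_field_name(session)
    # post 6: anything typed into the invisible box marks the client as a bot
    if form.get(hp, "").strip():
        return False, "honeypot filled"
    # post 9: a client spraying guessed field names did not submit the rendered form
    unexpected = set(form) - set(REAL_FIELDS) - {"token", hp}
    if unexpected:
        return False, "unexpected fields"
    if not form.get("body", "").strip():
        return False, "empty comment"
    return True, "ok"


if __name__ == "__main__":
    s = new_session()
    print(render_form(s))
    good = {"token": s["token"], "author": "alice", "body": "nice post"}
    print(check_submission(s, s["token"], good))
    bot = dict(good)
    bot[honeypot_field_name(s)] = "buy now"
    print(check_submission(s, s["token"], bot))
```

The honeypot name is derived rather than stored so that a session that never posts costs nothing extra; the failure counter is what turns post 8's moving field from a puzzle a bot could enumerate into one it gets three tries at.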

