Anti spam protection without captcha

14 Years Ago Krstevski 0 1K Views

Hello friends, now I will show you how to make a simple anti spam protection (without using captcha) who is very effective.

The original idea (for educational purposes) is taken from here:
Part 1
Part 2
Sorry about the links and macedonian language, but I respect my friend and I have to mention that he is the author of the idea.

So, let's start.

What is a spam bot and how it works ?
Spam bots is an application who is programmed to sending mails, write a posts and etc...
You can learn more about spam bots on wikipedia.

How it working a spam bot ?
I will give you a few simple examples written in Perl...

If the HTML form is:

<form name="my_form" action="add_post.php" method="post">
<input type="text" name="title" />
<textarea name="msg" rows="10" cols="50"></textarea>
</form>

Then. here is the spam script:

#!/usr/bin/perl

use HTTP::Request::Common;
use LWP::UserAgent;

$ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2");
push @{ $ua->requests_redirectable }, 'POST';

# directly on url (add_post.php)
my $url = "http://the-example-site.com/add_post.php";

my $title = "This is a spam title...";
my $message = "This is a spam message... bla bla bla...";

my $response = $ua->request(POST $url, ["title" => "$title", "msg" => "$message"]);

if ($response->is_success) {
	print $response->decoded_content 
} else {
	die $response->status_line;
}

print "Finish...";
exit;

This is the simple (not very effective) script for spamming (just for educational purposes).
This script will create "POST" object and will go directly on url.
The message will be successfully added.

Тхе аdvanced spam bot works:
- Takes the source from the url
- Parse HTML forms (takes directly url, name of the form elements)
- Creates POST object (with the form elements)
- Go on the directly url and will send the "post" object

So, I wrote simple example in PHP... How to protect from spam bots.
If someone has a better solution can correct me. :)

Thanks, SkyDriver.

php

<?php
	
	/*-------------------------------
	anti_spam.php
	---------------------------------*/
	
	/*
	#######################################################################
	
	Spam protection
	Damjan Krstevski - SkyDriver
	2010
	
	#######################################################################
	*/
	
	
	/* start up the session */
	session_start();
	
	/*
		Generating random variables for values of the text boxes.
		To generate random variable you can use anything
	*/
	
	/* Name of the author */
	$author = md5(rand());
	$_SESSION["author"] = $author;
	
	/* E-Mail of the author */
	$email = md5(rand());
	$_SESSION["email"] = $email;
	
	/* Titlte of the message */
	$title = md5(rand());
	$_SESSION["title"] = $title;
	
	/* The message */
	$message = md5(rand());
	$_SESSION["message"] = $message;
	
	/* Hidden text box */
	$hidden = md5(rand());
	$_SESSION["hidden"] = $hidden;

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	
    <title>Anti spam protection</title>
    
</head>

<body>
    
	<form name="frm_add" action="anti_spam_add.php" method="post">
    
    	Author: <!-- Author name -->
        <input type="text" name="<?php echo $_SESSION["author"]; ?>" /> <br />
        
        e-Mail: <!-- Author e-mail-->
        <input type="text" name="<?php echo $_SESSION["email"]; ?>" /> <br />
        
        Title: <!-- Message title -->
        <input type="text" name="<?php echo $_SESSION["title"]; ?>" /> <br />
        
        <!--
        This text box will be visibility: hidden, don't show this text box
        The people can't view this text box.
        If this text box value == "" then the author is a human,
        but if this text box have a value != "" then the author is a bot.
        -->
        <input type="text" name="<?php echo $hidden; ?>" value="" style="visibility: hidden;" /> <br />
        
        Message <!-- The message -->
        <textarea name="<?php echo $_SESSION["message"]; ?>" rows="20" cols="100"></textarea> <br />
        
        <!-- Submit button -->
        <input type="submit" name="submit" value="Add post" />
    </form>

</body>

</html>


/*----------------------------------------------------------------------------*/

<?php

	/*-------------------------------
	anti_spam_add.php
	---------------------------------*/
	
	
	/*
	#######################################################################
	
	Spam protection
	Damjan Krstevski - SkyDriver
	2010
	
	#######################################################################
	*/
	
	session_start();
	
	/*
	So, in this file, we will check the session
	
	If the sessions are isset
	Then you will get the values from the session
	
	If the sessions are not isset
	Then you will exit the script ().
	*/
	
	//-----------------------------------------------------------------
	
	/*
	Check author session
	*/
	if( !isset($_SESSION["author"]) ) { exit; }
	else
	{
		/* Get the name of the author */
		$author = $_POST[$_SESSION["author"]];
	}
	
	/*
	Check eMail session
	*/
	if( !isset($_SESSION["email"]) ) { exit; }
	else 
	{
		/* Get the e-mail of the author */
		$email = $_POST[$_SESSION["email"]];
	}
	
	/*
	Check the title session
	*/
	if( !isset($_SESSION["title"]) ) { exit; }
	else
	{
		/* Get the title od the post*/
		$title = $_POST[$_SESSION["title"]];
	}
	
	/*
	Check the message session
	*/
	if( !isset($_SESSION["message"]) ) { exit; }
	else 
	{
		/* Get the message */
		$message = $_POST[$_SESSION["message"]];
	}
	
	/*
	Chech the hidden text box
	*/
	if( !isset($_SESSION["hidden"]) ) { exit; }
	else 
	{
		/* Get the message */
		$hidden = $_POST[$_SESSION["hidden"]];
	}
	
	if($hidden != "") { exit; }
	
	/*
	Unset the session
	Don't forget to unset the sessions.
	*/
	unset($_SESSION["author"]);
	unset($_SESSION["email"]);
	unset($_SESSION["title"]);
	unset($_SESSION["message"]);
	unset($_SESSION["hidden"]);
	 
	session_destroy();
	
	/* To view the results */
	echo "Author: " . $author . "<br/>";
	echo "E-Mail: " . $email . "<br/>";
	echo "Title: " . $title . "<br/>";
	echo "Message: " . $message . "<br/>";
	
	/* To add the post into MySQL,
	open connection with the database
	select db
	insert query 
	close connection
	*/

?>

YuriyHorobey 0 Newbie Poster

14 Years Ago

Hi,
I do not know if your friend is real author of the idea, because it is not new.
(I've read similar articles at least couple of times in different places, but I will not argue -- maybe he is the original author).

Yor solution will protect form from only the simplest spam bots.

Why?

1) Every professional bot is customized for particular web software (like particular blog or forum engine)
2) So it is not problem to parse your form and figure out names of the inputs basing on their position relative to according labels.
For example if I want to figure out what is input name for 'Autor' field I will parse it with the following regexp 'Autor:\s*<input .*? name="(.*?)"'. So now I know your 'encrypted' input name for author field, so can spam you )
3) All the hidden fields spam bot will just parse, copy nam-values and include into spam request.

So what can be done about this?

--Java script + CSS for positioning inputs and/or creation of fields.

<form>
Author: <input name=”encrypted_name_for_email” class=”move_it_down_one_line”><br>
email: <input name=”encrypted_name_for_author” class=”move_it_up_one_line”>
</form>

Parsing such a form spam bot will consider first input to be ‘author’ and second to be an ‘email’, this you can check on server side and reject such a request.

You can still use hidden fields generated by JavaScript and filled with JavaScript. For example you can send cookie from server with some unique key, then use JS to generate hidden field and set its value to this key then check this on server side.

But what can be done if spam bot is developed as Mozilla FF addon? It will request your form, wait for all the JS to run, then insert spam data into empty visible inputs (all the CSS applied, no matter where they come from) and submit this to you?

Well, I stop here ) this is not an article anyway – just couple of my thoughts.

Edited 14 Years Ago by YuriyHorobey because: n/a

Krstevski 7 Junior Poster

14 Years Ago

Hi, first thank you for your comments :)

Hi,
I do not know if your friend is real author of the idea, because it is not new.
(I've read similar articles at least couple of times in different places, but I will not argue -- maybe he is the original author).

Hmm... I'm not sure, maybe it is not the original author, but the idea of this post is from his tutorial.

Yor solution will protect form from only the simplest spam bots.
Why?
1) Every professional bot is customized for particular web software (like particular blog or forum engine)
2) So it is not problem to parse your form and figure out names of the inputs basing on their position relative to according labels.
For example if I want to figure out what is input name for 'Autor' field I will parse it with the following regexp 'Autor:\s*<input .*? name="(.*?)"'. So now I know your 'encrypted' input name for author field, so can spam you )
3) All the hidden fields spam bot will just parse, copy nam-values and include into spam request.

So what can be done about this?
--Java script + CSS for positioning inputs and/or creation of fields.
<form>
Author: <input name=”encrypted_name_for_email” class=”move_it_down_one_line”><br>
email: <input name=”encrypted_name_for_author” class=”move_it_up_one_line”>
</form>
Parsing such a form spam bot will consider first input to be ‘author’ and second to be an ‘email’, this you can check on server side and reject such a request.
You can still use hidden fields generated by JavaScript and filled with JavaScript. For example you can send cookie from server with some unique key, then use JS to generate hidden field and set its value to this key then check this on server side.
But what can be done if spam bot is developed as Mozilla FF addon? It will request your form, wait for all the JS to run, then insert spam data into empty visible inputs (all the CSS applied, no matter where they come from) and submit this to you?

Well, I stop here ) this is not an article anyway – just couple of my thoughts.

Your post is completely correct.
But this tutorial/snippet is for education, I want to present some ways about spam attacks/protect.

I think that there is not adequate protection from spam bots, must be user friendly, not to encumber the user by filling out the "anti spam" forms. :)

Anyway, the comments and the posts like your I will accept with pleasure. :)

JRM 107 Practically a Master Poster

14 Years Ago

simple random word math problems work well against bots. They are simple and not difficult to figure out like captch forms. Sometimes I have to scroll through 3 or four captch selections before I'm sure that I know what it is.

The funniest one I ever saw, was a simple checkbox that asked if I was a robot.
I don't know how effective it was, but it probably confused most of the bots.

YuriyHorobey 0 Newbie Poster

14 Years Ago

Seems like you guys are not too much into form protection / dealing with bots..

Modern bots even have OCR on board (google for it, = you'll see even freeware OCR + search freelance sites for requests 'build capcha recognition OCR based on such and such platform')

-----------

Code snippets are about giving hints/solutions to certain problems.
Just renaming form fields gives no solution. It can be some solution for your personal project, but I would not recommend this to common open source applications like phpBB. (Popular bots are being customized for popular web software and I have shown that solution described in the article is quite easy to break trough)

---------

But I'm agree -- Captchas are annoying. Especially when there are several of them in one form.

What can be solution for this problem?

I would use little flash movie showing label “press red circle” and several (probably slowly moving) shapes. It is not a problem for human to identify requested shape and it is not additional effort to click it (anyways one has to click a button to submit the form; instead one is requested to click this ‘flash button’ to submit the form).
Flash-to-server communication techniques and protection I am leaving aside.

Edited 14 Years Ago by YuriyHorobey because: typos

Krstevski 7 Junior Poster

14 Years Ago

Something similar solution
http://img594.imageshack.us/img594/8517/choose.jpg

The gold pistol always is on the different position and to submit the form firstly you must to choose the gold pistol. I'm not sure how it works and I mean that is jQuery plugin.

YuriyHorobey 0 Newbie Poster

14 Years Ago

This is protection gains childish bots.
It is quite easy to setup OCR which will brake it in milliseconds.

The point is -- image (button) must be hard to OCR.
Moving shapes in flash movie seems to be the best to me.

JRM 107 Practically a Master Poster

14 Years Ago

The bots don't seem to be able to handle the math problems at all.
It would have to OCR the word problem then covert it into a calculation in order to answer the question.

YuriyHorobey 0 Newbie Poster

14 Years Ago

seems like you're ignoring allmighty google ))))
try -- you'll be surprised )

JRM 107 Practically a Master Poster

14 Years Ago

I don't need to google it. I have used the math problem with good results.
I'm sure there are industrial strength bots out there, but most of them have their limitations.
Between checking against the honeypot project blacklist and simple anti-spam questions, i've virtually eliminated the bot problem.

There is no 100% foolproof way to deter a determined criminal from his target. All we can do is batten down the hatches with the best available tools.

Do you have a better idea? I'm ready to learn.

TechySafi

13 Years Ago

I'm not sure but can BOTs can fake cursor position? How about asking to move cursor on a specific position(randomly generated)?

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.