House of Fusion: ColdFusion Talk (CF-Talk) mailing list

Capture Alternatives

Author:
Richard Cooper
11/13/2006 08:34 AM

Hi all,

Has anyone come up with any alternatives to using form captures for preventing spam bots? Ideally I'd like a solution that is relatively seamless to the users requiring little/no extra involvement.

R

Author:
Sandra Clark
11/13/2006 08:58 AM

I do a few things and it's been working quite well. It involves 3 features.

1) Set up a blacklist and a whitelist for posting.
2) Set some session variables on the form itself to prevent automated posting from other sites. Check those variables on the processing page. (If the page is prevented because of this, and if the user email and/or IP is not in the blacklist, then log those two bits onto the blacklist.)
3) Check subject, contents for bad words on a bad word list. If the words are in the bad words list, check the blacklist. If they are on the blacklist, discard. If they are not, put them on the blacklist. (Bad word list must be updated fairly often, see 5.)
4) Blacklist/Whitelist
   a) Check the blacklist for either the email or the IP. (In checking my db when I was getting hit, spammers will tend to use the same email address and the same IP address, just not always at the same time.) If they are on the blacklist, stop processing and proceed.
   b) If they aren't on the blacklist, check the whitelist for IP and email. If they are whitelisted, then post, send out subscriptions, nothing else is needed.
5) If the poster is neither on the blacklist nor the whitelist, then post it and send the blog master an email with the posting. Have two links on the post. If the posting is spam, the blogmaster can click the blacklist link and blacklist them. This removes the post from the db and puts the information onto the blacklist. Take care to use this for spam only and not for comments you simply don't like. If the post is good, then whitelist it and this will then send subscription emails out for people who wanted to be notified on the blog article.

It's a bit more complex than a captcha, but it's invisible to most users. I do tend to send out an email to first time posters, explaining the situation, but haven't gotten any complaints on that.

It involves some of your time patrolling, but I've found that instead of getting 100 spam comments on my site per day, I'm getting maybe 2-3 a week that slip by and that usually involves me just putting more stuff in my bad words list. It's also highly accessible (since it involves no extra user involvement).

Sandra Clark
==============================
http://www.shayna.com
Training in Cascading Style Sheets and Accessibility
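One reading of the five steps above as a single triage function, added here as an example in Python rather than CFML; it is not Sandra's code. The class and method names, the in-memory sets, rejecting a bad-word post outright, and requiring both email and IP to match the whitelist are assumptions of this example, and the sample comments are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Comment:
    email: str
    ip: str
    subject: str
    body: str
    session_token_ok: bool  # did the value the form page put in the session come back?


@dataclass
class CommentGate:
    bad_words: set
    blacklist_emails: set = field(default_factory=set)
    blacklist_ips: set = field(default_factory=set)
    whitelist_emails: set = field(default_factory=set)
    whitelist_ips: set = field(default_factory=set)
    published: dict = field(default_factory=dict)  # comment id -> Comment
    pending: set = field(default_factory=set)      # ids awaiting the blog master's click
    notified: list = field(default_factory=list)   # ids whose subscription mails were sent
    next_id: int = 1

    def blacklist(self, c):
        self.blacklist_emails.add(c.email.lower())
        self.blacklist_ips.add(c.ip)

    def is_blacklisted(self, c):
        # Step 4a: either identifier is enough, since the two are not always reused together.
        return c.email.lower() in self.blacklist_emails or c.ip in self.blacklist_ips

    def is_whitelisted(self, c):
        # Step 4b, stricter reading (assumption): email and IP must both be known.
        return c.email.lower() in self.whitelist_emails and c.ip in self.whitelist_ips

    def has_bad_word(self, c):
        words = set(re.findall(r"[a-z0-9']+", f"{c.subject} {c.body}".lower()))
        return bool(words & self.bad_words)

    def triage(self, c):
        """Return (decision, comment id or None) for one submitted comment."""
        if not c.session_token_ok:          # step 2: posted without loading the form
            self.blacklist(c)
            return ("reject:no-session-token", None)
        if self.has_bad_word(c):            # step 3
            self.blacklist(c)
            return ("reject:bad-word", None)
        if self.is_blacklisted(c):          # step 4a
            return ("reject:blacklisted", None)
        cid, self.next_id = self.next_id, self.next_id + 1
        self.published[cid] = c
        if self.is_whitelisted(c):          # step 4b: post and notify subscribers
            self.notified.append(cid)
            return ("publish", cid)
        self.pending.add(cid)               # step 5: post, then mail the blog master two links
        return ("publish-and-review", cid)

    def moderator_blacklist(self, cid):
        # "Blacklist" link: remove the post and remember who sent it.
        self.blacklist(self.published.pop(cid))
        self.pending.discard(cid)

    def moderator_whitelist(self, cid):
        # "Whitelist" link: trust the poster and release the subscription mails.
        c = self.published[cid]
        self.pending.discard(cid)
        self.whitelist_emails.add(c.email.lower())
        self.whitelist_ips.add(c.ip)
        self.notified.append(cid)


def demo():
    """Run constructed sample comments through the gate."""
    gate = CommentGate(bad_words={"casino", "pills"})
    alice = Comment("alice@example.com", "192.0.2.10", "Nice post", "Thanks for this", True)
    bot1 = Comment("x@example.net", "198.51.100.7", "hi", "cheap pills here", True)
    bot2 = Comment("y@example.net", "198.51.100.7", "hello", "great site", True)  # same IP
    direct = Comment("z@example.org", "203.0.113.5", "hi", "hello", False)
    out = [gate.triage(alice)]   # first-time poster goes to review
    gate.moderator_whitelist(1)
    out += [gate.triage(alice), gate.triage(bot1), gate.triage(bot2), gate.triage(direct)]
    return out, gate


if __name__ == "__main__":
    for decision in demo()[0]:
        print(decision)
```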

Author:
Bobby Hartsfield
11/13/2006 09:01 AM

There was yet another Slashdot article about it yesterday and someone mentioned this. I haven't tried it but if you are having an issue that could quickly put it to the test, I'd give it a shot.

...just put an empty, hidden field in your form. When you process the form, make sure it is still empty.

The poster suggested that bots fill in all fields that they can find. That makes a LITTLE sense but I think I'd hide the field with CSS and not give it an actual type of 'hidden'.

Author:
Ben Nadel
11/13/2006 09:55 AM

Matt, thanks for posting my solution. And just to follow up... On Friday morning, when I was switching over and debugging, I got about 8 SPAM comments in total posted to the site (those spammers are relentless). Since I worked out the bugs Friday afternoon, I have gotten ZERO spam posts. So, either the spammers take the weekend off, or the system is working very nicely.

.....................
Ben Nadel
Certified Advanced ColdFusion MX7 Developer
www.bennadel.com
Need ColdFusion Help? www.bennadel.com/ask-ben/

> Here's how Ben Nadel is doing it:
> http://www.bennadel.com/index.cfm?dax=blog:397.view

Author:
Munson, Jacob
11/13/2006 05:15 PM

Ben, I'd appreciate a follow up post later this week (on your blog) to see if this is still working. I built CFFormProtect (hosted at riaforge) with the goal of making form protection brain dead simple for users. But just letting them fill out the form without a human verification would be awesome. And it would also solve the accessibility problem that captcha presents (or would it?). However, I have to think that this method would be easily bypassed by the bots in the near future.

Author:
Ben Nadel
11/13/2006 05:21 PM

Jacob, I am pretty sure that this has accessibility issues as it relies on CSS and the "visibility" of a button. Not sure how accessibility and CSS mix. I will definitely follow up with a post at the end of the week.

I am sure that bots will be able to overcome this, but the issue is, how long will it take someone to actually care enough to write a bot for this problem??? I guess the more popular my solution becomes the sooner, but not even close to there yet.

Author:
Munson, Jacob
11/13/2006 05:48 PM

The problem with your solution is that the user has to click the submit button. A lot of people just hit enter. You could simulate a button click using JS in the onsubmit, but this gets back to the non-JS browser problem. This anti-spam stuff is HARD! :) Always a cat and mouse game...

Also, like you alluded, I'd guess that blind people's screen readers will see all of the buttons including the hidden ones and confuse the hell out of them. But I could be wrong...

Author:
Ben Nadel
11/13/2006 06:02 PM

Jacob, Very true. What I could do though, is once the browser loads, I could use Javascript to set a hidden value... This value might override the test. This would work on the basis that spam bots never run Javascript, only users. And then, if a user doesn't have Javascript, they just have to click the button (as they did anyway).

We shall see... I am gonna go the week just to see the strength of the solution before I do anything else.

Author:
Munson, Jacob
11/13/2006 06:17 PM

Sounds like a plan.

As far as accessibility goes, when I released CFFormProtect I was chastised by Sandra Clark because it blocks blind people from submitting forms. This is true, but I think you have to consider your audience. In my case, most people that use my forms are CF developers, and I could be wrong, but I don't think any of those are blind. However, if your form gets 1000 spam messages for every 1 legitimate message, you'll never see comments from your users. So Sandra suggested using an approval queue, but personally I HATE those.

Author:
Richard Cooper
11/14/2006 08:29 AM

Both suggestions seem good ways of preventing spam bots, but in the UK now all websites need to be accessible by law so this does raise some problems. Although Sandra's option is accessible I'm not keen on the human maintenance side of it.

How do spam bots work? I'm guessing they work like search engines looking for new pages & forms within these pages. Then parse out all of the fields and then submit to the action page directly rather than actually filling out the form. Is that right? If that's the case can it not be checked that the form was actually submitted from within the site?

Also is there a spam bot & a submit bot? Is there some time lapse between the two, enough perhaps to check for encrypted time from load to submit. i.e. if the form isn't submitted within 30 minutes of loading then don't accept it and make the user resubmit?

Lastly, I haven't used this but would the scriptProtect function in Application.cfc have any relevance here?

Author:
Tom Chiverton
11/14/2006 08:53 AM

> Both suggestions seem good ways of preventing spam bots, but in the UK now
> all websites need to be accessible by law

Not all. Some.

The best accessible CAPTCHA I've seen is asking you to add two random numbers (0<number<10).

--
Tom Chiverton
Helping to appropriately integrate intuitive synergies

Author:
Bobby Hartsfield
11/14/2006 08:57 AM

Math IS the universal language after all :-)

.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

Author:
Ray Champagne
11/14/2006 09:00 AM

I just implemented a solution exactly like this and am waiting for the results to assess its effectiveness. Does anyone out there use this as a solution? Care to share your assessment?

Thanks,

Ray

Author:
Bobby Hartsfield
11/14/2006 09:04 AM

> I just implemented a solution exactly like this

Exactly like which one?

Author:
Ray Champagne
11/14/2006 10:28 AM

Oh, sorry, I was replying to this, but I see that probably wasn't all that clear:

> The best accessible CAPTCHA I've seen is asking you to add two random numbers
> (0<number<10).

I meant the simple Math one.

Ray

Author:
Bobby Hartsfield
11/14/2006 11:41 AM

Ahh ok gotcha. I'm not too fond of that one either. Most people assume I support/use captchas just because I wrote one but you'll not see anywhere that I've actually used them... not even my own :)

I'm more interested in methods that are more or less invisible to the user like Sandra's black/white lists. I'd REALLY love for someone with a serious spam issue to try the hidden form field method and see how it works out... and then of course post their findings for the rest of us.

Just so you don't have to dig for it... here it is again.

Place a normal type="text" field in your form and leave it empty at all times (maybe even give it a juicy name like 'email' or 'emailaddress' or possibly even a random name each time...). Then use a style to make its display:none or visibility:hidden. On the processing page, as long as the field is empty, process the form, else don't.

Apparently 'most' bots like to fill in every field they find in the form and the majority of them won't parse the styles.

You could also just put the field in a div with a message like "Leave this field empty" inside the div as well then hide the div. That way, if the field shows to an actual human, they will see the message to leave it empty in order to submit.

I need to get a 'fake' blog or something up just to get spammers to start using it so I have somewhere to test out new methods of blocking them lol
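The hidden-field check described above, combined with the load-to-submit time limit Richard asked about earlier in the thread, as an added example in Python rather than CFML; it is not code from any poster or from CFFormProtect. The key, the `form_token` field, the `/comment` route, deriving the random field name from an HMAC-signed token (signed rather than encrypted), and the 2-second minimum are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-demo-key"  # placeholder; a real key lives in server config
MAX_AGE = 30 * 60  # seconds: the 30-minute load-to-submit window from the thread
MIN_AGE = 2        # seconds: added assumption, not from the thread


def _mac(msg: str) -> str:
    return hmac.new(SECRET_KEY, msg.encode(), hashlib.sha256).hexdigest()


def _trap_name(nonce: str) -> str:
    # A "juicy" name that changes on every rendering, recomputable from the token alone.
    return "email_" + _mac("trap:" + nonce)[:8]


def issue_form(now=None):
    """Return (token, trap_field_name, html) for one rendering of the form."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    payload = f"{nonce}.{now}"
    token = f"{payload}.{_mac(payload)}"
    trap = _trap_name(nonce)
    html = (
        '<form method="post" action="/comment">\n'
        f'  <input type="hidden" name="form_token" value="{token}">\n'
        '  <div style="display:none">Leave this field empty\n'
        f'    <input type="text" name="{trap}" value="" autocomplete="off"></div>\n'
        '  <textarea name="comment"></textarea>\n'
        '  <input type="submit" value="Post">\n'
        '</form>'
    )
    return token, trap, html


def check_submission(fields: dict, now=None) -> str:
    """Classify one POST body (field name -> value) as 'accept' or 'reject:<reason>'."""
    now = int(time.time() if now is None else now)
    parts = fields.get("form_token", "").split(".")
    if len(parts) != 3:
        return "reject:no-token"          # posted straight to the action page
    nonce, issued, sig = parts
    if not hmac.compare_digest(sig.encode(), _mac(f"{nonce}.{issued}").encode()):
        return "reject:bad-signature"     # timestamp or nonce was altered
    age = now - int(issued)               # safe: the signature proves we wrote this value
    if age > MAX_AGE:
        return "reject:expired"
    if age < MIN_AGE:
        return "reject:too-fast"
    trap = _trap_name(nonce)
    if trap not in fields:
        # Browsers still submit text inputs hidden with CSS, so absence is suspicious.
        return "reject:honeypot-missing"
    if fields[trap] != "":
        return "reject:honeypot-filled"
    return "accept"


def demo():
    """Constructed submissions against one issued form, at fixed clock values."""
    token, trap, _ = issue_form(now=1_000_000)
    human = {"form_token": token, trap: "", "comment": "Nice article"}
    filler = dict(human, **{trap: "bot@example.com"})  # fills every field it finds
    return {
        "human": check_submission(human, now=1_000_060),
        "fills_every_field": check_submission(filler, now=1_000_060),
        "stale_form": check_submission(human, now=1_000_000 + 31 * 60),
    }


if __name__ == "__main__":
    print(demo())
```

A token can be replayed until it expires; recording spent nonces on the server would make each one single-use.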

Author:
Ben Nadel
11/14/2006 11:48 AM

Bobby, I like that. I will implement that on my blog today as a test. That would cover:

1. Non-javascript users
2. Blind people
3. Not making the user think

Awesome!

Author:
Bobby Hartsfield
11/14/2006 11:51 AM

Great. Let me know how it works out. I don't really have anywhere with any serious spam issues to test it.

Author:
Ben Nadel
11/14/2006 12:19 PM

Bobby, This new technique is now live (ex. http://bennadel.com/index.cfm?dax=blog:402.comment). I will post any spam issues that I have now.

Author:
Bobby Hartsfield
11/14/2006 12:35 PM

Great thanks!

.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

Author:
Munson, Jacob
11/14/2006 11:50 AM

I really like this idea.  Right now I don't have any protection on my blog's comment entry form, I think I'll give this a try (I /do/ have the math thing on my "Contact me" form, but my comments are unprotected).

Author:
Matt Robertson
11/15/2006 04:23 PM

> I'd REALLY love for someone with a serious spam issue to try the hidden form
> field method and see how it works out... and then of course post their
> findings for the rest of us.

Someone may beat me to it but I'll take that on myself. That one client of mine has an enormous problem, made worse by the fact that it is a solicitation for web links. You can imagine where the links go to, and how popular such a form is with the 'wrong' kind of people.

--
--m@Robertson--
Janitor, MSB Web Systems
mysecretbase.com

Author:
Bobby Hartsfield
11/15/2006 07:29 PM

Ben Nadel has it on his blog now but the more the better :-)

.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

Author:
Munson, Jacob
11/14/2006 11:01 AM

> I just implemented a solution exactly like this and am waiting for the
> results to assess its effectiveness.  Does anyone out there use this as a
> solution?  Care to share your assessment?

I did the math thing on my blog contact form: http://www.techfeed.net/blog/contact.cfm

I haven't gotten any spam from it since I put it up, but I don't like that it makes the user think. It's effective, but the #1 rule for good web design is, "Don't make your users think." That's why I developed CFFormProtect, because I figure it's a lot easier/quicker to click on two lions than to do a math problem. I know 8+9 isn't hard, but I tell you, I seriously have to think about those simple problems sometimes! It's been 4 years since I graduated from college, I'm allowed to be mathematically challenged by now, aren't I? ;)

Author:
Ray Champagne
11/14/2006 11:11 AM

I check the answer via javascript before uploading then give them an alert that they are wrong and HINT: this is the answer: X.  So, even if they get it wrong, they get the answer given to them.  I know that if they have js turned off it won't matter, but I really don't care about those minute amount of people who have js turned off and can't add two single-digit numbers correctly.

I will check out your project, though.  Can you re-link it if you already have?  (I jumped in here late, sorry)

I agree making the user think sucks, but it's not like it's that hard to do, takes what, like an extra three-four seconds?

Author:
Tom Chiverton
11/14/2006 11:26 AM

> I check the answer via javascript before uploading then give them an alert
> that they are wrong and HINT: this is the answer: X.  So, even if they get

Very nice, I like that :-)

--
Tom Chiverton
Helping to autoschediastically integrate 24/7 meta-services

Author:
Matt Robertson
11/14/2006 11:26 AM

Interesting. I am implementing a captcha for a client who is ridiculously flooded with porn spam. But I bet once I bring up the issue of accessibility we will re-think the solution. I like the math concept.

I have another client who insisted against my recommendations that he wanted a string-based defense. He couldn't have any sort of user roadblock. So I built a little bit that queries a db, loops over it and compares each stored forbidden string against form input. If there is a failure I return a 500 error via cfheader.

The string he chose to do most of the work is "http://". To my surprise he reported that he has basically stopped every bit of form spam thanks to this one element.

--
--m@Robertson--
Janitor, MSB Web Systems
mysecretbase.com

Author:
Munson, Jacob
11/14/2006 11:29 AM

It sounds like you are doing the math JS similar to my method on my blog, but I'm not providing the answer. That's a good idea.

> I will check out your project, though.  Can you re-link it if
> you already have?

http://cfformprotect.riaforge.org/

> I agree making the user think sucks, but it's not like it's
> that hard to do,
> takes what, like an extra three-four seconds?

I agree, it's not hard. It's just an annoyance. Honestly, I like the math problem more than the obfuscated text captcha that most people use. I can't tell you how many times I've had to resubmit forms because I got the text wrong. That's just stupid, making your user go through that much trouble.

If I were to rank the various methods by how annoying they are to users, here's how I'd do it (1 is most annoying):

6. No spam protection
5. Approval queue
4. Hidden button or form field (Ben Nadel's idea, assuming it works)
3. Click matching images (cfformprotect)
2. Math Problem
1. Obfuscated text CAPTCHA

The only reason I put Ben's idea below the approval queue is because it might not be accessible to blind users.

Author:
James Holmes
11/14/2006 08:56 AM

Hopefully (for myself included) that's the case - because people have started suing the owners of sites they can't access and they are winning the cases.

> This is true, but I think you have to consider your audience.
> In my case, most people that use my forms are CF developers, and I could
> be wrong, but I don't think any of those are blind.

--
CFAJAX docs and other useful articles:
http://www.bifrost.com.au/blog/

Author:
Rick Root
11/14/2006 02:18 PM

I missed this thread. Did anyone mention image.cfc's captcha capability? http://www.opensourcecf.com/imagecfc/captcha/ rick

Author:
Ben Nadel
11/14/2006 02:29 PM

Rick,

I think that was covered. The main goal of this particular thread is to get people to be able to submit forms without having to think at all or have special browser capabilities:

- doing math
- reading an image
- clicking an image
- javascript enabled
- has a blind-accessible page

.....................
Ben Nadel
Certified Advanced ColdFusion MX7 Developer
www.bennadel.com
Need ColdFusion Help? www.bennadel.com/ask-ben/

Author:
Rick Root
11/14/2006 03:05 PM

Ben Nadel wrote:
>
> I think that was covered. The main goal of this particular thread is to get
> people to be able to submit forms without having to think at all or have
> special browser capabilities:

Ah, yes if you're blind, you're pretty much SOL with most captcha solutions out there. Try buying something from ticketmaster if you're blind. You can't. At least not from ticketmaster.com

Rick

Author:
Richard Cooper
11/14/2006 03:05 PM

I think I'm going to go for Bobbies suggestion. It seems the easiest to implement.

Quick question though, would any of my previous ideas work?

* Check the form was actually submitted from within the site? Perhaps via CGI. although I'm sure that may have issues as well.
* A field that checks when loaded vs submit time? Are the spam bots the submit bots, or is there a delay between the two.
* The scriptProtect function in Application.cfc? Is this applicable

Author:
Rick Root
11/14/2006 03:18 PM

Richard Cooper wrote:
>
> Quick question though, would any of my previous ideas work?
>
> * Check the form was actually submitted from within the site? Perhaps via CGI. although I'm sure that may have issues as well.

CGI.HTTP_REFERER can be spoofed quite easily.

> * A field that checks when loaded vs submit time? Are the spam bots the submit bots, or is there a delay between the two.

Not sure how you'd do this unless you were using session vars. You could put the form load time into a hidden form var - but have it encrypted with a key that only you know, and unencrypt the code on the server and then do a datediff. That would prevent people from submitting your form from a script.. they'd have to dynamically pull your form every time.

> * The scriptProtect function in Application.cfc? Is this applicable

Not really, no.

rick

Author:
Munson, Jacob
11/14/2006 03:33 PM

> > * Check the form was actually submitted from within the
> > site? Perhaps via CGI. although I'm sure that may have issues as well.
>
> CGI.HTTP_REFERER can be spoofed quite easily.

What I did for this was generate a session variable on the form page, and then check for it in the processor. This doesn't work if users have cookies turned off, but they won't be able to submit the form anyway unless they turn them on. Anti-cookie people are paranoid freaks, anyway. ;)

The more we talk about it, the more I think using these 3 things might be the killer solution:

1. Session var to verify submission came from the form
2. Hidden empty form field, to throw off spammers that auto-fill all fields
3. Time difference between form load time and submission

I just thought of another problem with #3, though. A lot of people use form auto-fillers, like the google toolbar. If your form is simple enough that their autofill gets all the data, they'll submit the form too fast.
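
The three layers listed in the post above (session variable, hidden empty field, load-to-submit time), combined into one server-side check. This is an added example, not code from anyone in the thread: it is written in Python rather than CFML, it signs the load time with an HMAC where Rick suggested encrypting it, and the function names, the `ts`/`sig` field names and the accept/review/reject verdicts are assumptions. The honeypot name and the 1 second / 1 hour thresholds are the ones mentioned in the thread.

```python
import hashlib
import hmac
import secrets

HONEYPOT_FIELD = "emailaddress"  # text input hidden with CSS; a human leaves it empty
MIN_SECONDS = 1                  # faster than this is suspect
MAX_SECONDS = 3600               # slower than this is suspect


def _sign(secret: bytes, ts: int, nonce: str) -> str:
    """HMAC over the load time and the per-form session nonce."""
    return hmac.new(secret, f"{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_form(session: dict, secret: bytes, now: int) -> dict:
    """Call when rendering the form page; returns the fields to embed in it."""
    nonce = secrets.token_hex(16)
    session["form_nonce"] = nonce    # layer 1: the form page was loaded in this session
    return {
        "ts": str(now),              # layer 3: load time, protected by the signature
        "sig": _sign(secret, now, nonce),
        HONEYPOT_FIELD: "",          # layer 2: must come back empty
    }


def check_submission(form: dict, session: dict, secret: bytes, now: int):
    """Return (verdict, reason); verdict is 'accept', 'review' or 'reject'."""
    # Layer 2: any content here means something filled in a field no human sees.
    if form.get(HONEYPOT_FIELD, "").strip():
        return ("reject", "honeypot field filled")

    # Layer 1: a POST sent straight to the processor has no nonce in its session.
    # pop() makes each rendered form good for a single submission.
    nonce = session.pop("form_nonce", None)
    if nonce is None:
        return ("reject", "no form session")

    # Layer 3: the load time must be the value we issued, unmodified.
    try:
        ts = int(form.get("ts", ""))
    except ValueError:
        return ("reject", "bad timestamp")
    expected = _sign(secret, ts, nonce).encode()
    if not hmac.compare_digest(expected, form.get("sig", "").encode()):
        return ("reject", "bad signature")

    # Timing only flags for review: auto-fill toolbars and quick resubmits after
    # a validation error are legitimate fast posts, and real users can be slow.
    elapsed = now - ts
    if elapsed < MIN_SECONDS:
        return ("review", "submitted too fast")
    if elapsed > MAX_SECONDS:
        return ("review", "submitted too slow")
    return ("accept", "ok")


if __name__ == "__main__":
    # Constructed sample data, for illustration only.
    key = b"constructed-demo-key"
    sess = {}
    fields = issue_form(sess, key, now=1000)
    post = dict(fields, comment="Nice article")
    print(check_submission(post, sess, key, now=1030))
```

Because timing produces "review" instead of "reject", a flagged post can still be stored and shown to the site owner for a manual decision.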

Author:
Munson, Jacob
11/14/2006 03:25 PM

> * Check the form was actually submitted from within the site?
> Perhaps via CGI. although I'm sure that may have issues as well.

This is a good idea, but I don't think it will stop all spammers. You're correct that some spammers directly access the submission form. When I first put my math question on my blog's contact form, the spam didn't stop at all. The reason was because the spam bots weren't using the form at all, just sending data to my form processor.

> * A field that checks when loaded vs submit time? Are the
> spam bots the submit bots, or is there a delay between the two.

I've heard of this technique, and I'd think it would work in most cases. The only problem I can see is if you have server side form validation, the user gets an error, goes back and quickly modifies a field and then resubmits.

> * The scriptProtect function in Application.cfc? Is this applicable

I've never used that, but I don't think it will help. Here's a paragraph from livedocs:

"The ScriptProtect attribute lets you protect one or more variable scopes from cross-site scripting attacks, where a client attempts to get your application to send malicious code back to a user's browser. In these attacks, user input (for example, from form fields or from URL variables) sets a CF variable which is destined for user output. The submitted data includes malicious code, such as JavaScript or an applet or object reference, which then executes on the user's system."

Author:
Ray Champagne
11/14/2006 03:35 PM

Here's a question that hasn't been answered, maybe 'cause there isn't one: we talk all day about protecting ourselves from these gnarly bastages, is there any way to fight back?

I'd love to see a way for me to block them, then fire back with my own script - it might not solve anything, but man, it would feel good...

Author:
Munson, Jacob
11/14/2006 03:45 PM

Yes, there is a group based out of the UK (I think) that has a denial of service type attack to stop spammers. I think it might still be in development, but the idea is this:

1. you send them spam message you received
2. they grab any URLS from the message
3. they kick off DOS attacks on the server using a distributed network of clients.

I can see tons of problems with this idea, but I tip my hat to them for trying to nail these suckers. I don't have a URL, but google might find it for you.

Author:
Bobby Hartsfield
11/14/2006 09:29 PM

Other than trapping bots into submitting forms meant for them just so you can flag content and or IPs... no not really. I do have a trap for email crawlers that sees quite a bit of action from bots though :-) http://acoderslife.com/botfun/emls.cfm

ps... it's Bobby not Bobbie ;-)

.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

Author:
Bobby Hartsfield
11/14/2006 10:00 PM

Nope... not an American girl either.

.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

You're not a british cop?

Author:
Rick Root
11/15/2006 08:40 AM

Ray Champagne wrote:
> Here's a question that hasn't been answered, maybe 'cause there isn't one:
> we talk all day about protecting ourselves from these gnarly bastages, is
> there any way to fight back?
>
> I'd love to see a way for me to block them, then fire back with my own
> script - it might not solve anything, but man, it would feel good...

One worthwhile thing is to make what they're doing less valuable.

Anywhere you dynamically convert URLs to links.. in message boards, blogs, etc... add the rel="nofollow" attribute.

One of the reasons spammers do what they do is to increase search engine visibility... the more sites that link to you, the better your search engine ranking will be. However, most of the major search engines will *NOT* count links with the rel="nofollow" attribute.

http://blog.searchenginewatch.com/blog/050118-204728

I'm doing this in blogcfm (and I think in cfmbb too)

It doesn't stop them from spamming you, but if everyone did it, it wouldn't be worthwhile to the spammers to do it. At least, not for the purpose of increasing search engine visibility.

Rick

Author:
Nick Tong - TalkWebSolutions.co.uk
11/15/2006 08:51 AM

woohoo - go microformats!

Author:
Bobby Hartsfield
11/15/2006 08:52 AM

Good point (and idea) Rick

.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

Author:
Munson, Jacob
11/15/2006 10:12 AM

> Anywhere you dynamically convert URLs to links.. in message boards,
> blogs, etc... add the rel="nofollow" attribute.
>
> I'm doing this in blogcfm (and I think in cfmbb too)

FYI, BlogCFC does this as well.

Author:
Al Musella, DPM
11/14/2006 06:04 PM

One thing that I have done that helped tremendously:    I run a brain cancer web site.  The feedback form would usually get about  50 real responses a day - and about 500 spams a day. One problem I have is that there is no tolerance for false negatives - these are very important messages. I first put a hidden field in the feedback form with a timecode and on the action page figured out how much time elapsed.  I save each message to a database along with how long it took them to fill out and submit the form.    On my admin page, I display the emails - marking the suspect ones in red.  Suspect being less than 1 second or more than an hour.      99% of the time this works.. but I still have to skim the suspect ones. I have had real messages that took over 24 hours to post - (but never one that took less than 1 second). I then added a  question:  Is this brain tumor related? and have a radiogroup defaulting to no.  When you submit it, I warn you that we only accept brain tumor related questions and let you try again. I record the message in the database anyway...  this one question has caught 100% of the spam so far.

Author:
Munson, Jacob
11/15/2006 10:14 AM

You have spam messages come through that take more than an hour to post?

Author:
Brad Wood
11/15/2006 04:47 PM

Could someone explain to me which method was the hidden form one (we talked about so many)?   Is that where you put a form field in which actually is type="hidden" or where you put in a type="text" field in a div which is hidden, mark it "leave me blank" and ASSUME the BOT will try to populate it? ~Brad > I'd REALLY love for someone with a serious spam issue to try the hidden form > field method and see how it works out... and then of course post their > findings for the rest of us.

Author:
Munson, Jacob
11/15/2006 05:42 PM

> Could someone explain to me which method was the hidden form one (we talked about so many)?
>
> Is that where you put a form field in which actually is type="hidden" or where you put in a type="text" field in a div which is hidden, mark it "leave me blank" and ASSUME the BOT will try to populate it?

The latter, a text field hidden by CSS.
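The two server-side checks discussed in this thread (the hidden timecode with its "under 1 second or over an hour" rule plus the default-"no" topic question, and the CSS-hidden text field), as an added example that is not code from any poster. The field names `timecode`, `website` and `tumor_related`, the secret, and the HMAC signature on the timecode (which goes beyond what was posted, so a client cannot simply submit its own timestamp) are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret kept on the server
MIN_SECONDS = 1                    # thresholds from the post: under 1 second ...
MAX_SECONDS = 3600                 # ... or more than an hour is suspect


def _mac(issued):
    return hmac.new(SECRET, issued.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Value for the hidden timecode field: '<issued-at>.<HMAC of issued-at>'."""
    issued = str(int(time.time() if now is None else now))
    return f"{issued}.{_mac(issued)}"


def elapsed_seconds(token, now=None):
    """Seconds since the form was served, or None if the token was altered."""
    issued, _, mac = token.partition(".")
    if not hmac.compare_digest(mac.encode(), _mac(issued).encode()):
        return None
    return int(time.time() if now is None else now) - int(issued)


def score_submission(form, now=None):
    """Return (verdict, reasons). Nothing is dropped: 'suspect' only means
    'mark it in red for a human', since real messages can be slow."""
    reasons = []
    elapsed = elapsed_seconds(form.get("timecode", ""), now)
    if elapsed is None:
        reasons.append("timecode missing or tampered")
    elif elapsed < MIN_SECONDS:
        reasons.append("submitted in under 1 second")
    elif elapsed > MAX_SECONDS:
        reasons.append("took more than an hour")
    if form.get("website", "").strip():           # CSS-hidden "leave me blank" field
        reasons.append("hidden text field was filled in")
    if form.get("tumor_related", "no") != "yes":  # radio group defaults to "no"
        reasons.append("topic question left at default")
    return ("suspect" if reasons else "ok"), reasons
```

Store the verdict and reasons with the message rather than rejecting on them, so a slow but genuine submission still reaches the admin page.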

Author:
Bobby Hartsfield
11/15/2006 07:33 PM

http://www.houseoffusion.com/groups/CF-Talk/thread.cfm/threadid:48814#260340

.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

Author:
Ben Nadel
11/16/2006 08:33 AM

Bobby,

I know it has only been a few days, but I am going out of town tomorrow so I thought I would share results now. I have implemented your suggestions and so far ZERO spam has gotten through. Here is a walk through of the final solution:

http://www.bennadel.com/index.cfm?dax=blog:405.view

Hope it stays that way :D This is my third attempt at this type of anti-spamming, and I have to say, this is the one that makes me the most comfortable.

.....................
Ben Nadel
Certified Advanced ColdFusion MX7 Developer
www.bennadel.com
Need ColdFusion Help? www.bennadel.com/ask-ben/

Author:
Bobby Hartsfield
11/16/2006 09:52 AM

That's good news. I hope it keeps on keepin on :-)

.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

Author:
Bobby Hartsfield
11/24/2006 11:31 PM

What's the word Ben? Everything still working out for you?

.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

