Captcha and Spam blocking

  • # April 1, 2008 at 1:56 pm

    What is your experience with captcha? Did you write your own? Find a nice library for it?

    I made a little website for my wedding coming up, and I put a little online guestbook http://www.alexandmariewedding.com/guestbook.php up there. About a week or two later I got nailed by spammers… like 200 some odd messages in a few hours. So I made my own little "captcha" but it is terrible. I literally have 3 images that it randomly selects from, and the php behind it is pretty hard coded, one id field passed in indicates which image was being used… so with 5 minutes anyone could break it, but I haven’t had a spam message since I put that up there. Does this ring true with other people’s experiences?

    I don’t suggest this sort of approach for a website that may get some actual traffic… but it worked for me. How have all of you handled this situation in the past?

    o-d
    # April 1, 2008 at 2:17 pm

    I’d prefer to ask arithmetical operations, like 4 + 3 = ?, but I make the question tag load with Ajax. This makes it hard for a spammer to get the question. Indeed, one way or another, there are a bunch of sites that use no spam protection, so spammers won’t be much interested in protected sites, even if it’s very simple.

    # April 1, 2008 at 2:52 pm

    I think captcha is not so user-friendly, therefore I prefer using css to block spam. The very simple trick to do that can be found here.

    # April 2, 2008 at 5:27 am

    Ultimately whatever you do is an uphill struggle; using CSS to stop spam bots is not a bright move, and of course would be an accessibility nightmare (as are visual-only captchas), and potentially, if you’re in the EU and a commercial outfit, you might find a kind lawyer chasing you for money.

    The second issue is that known captchas can be broken; for example, the CAPTCHA being used on this forum has already been broken and is therefore really useless. Also, the lack of an audio version would raise the accessibility issue again. When designing and thinking about CAPTCHA you might be interested in the 10 steps to solve a CAPTCHA by Dark SEO (he also has a post on PHPBB3 captcha by the way).

    I prefer logic puzzles; for example, a simple version is to present a maths puzzle, "one + 3 equals" or "4 plus 1 =" (notice the changing from words to symbols), and throw in some French or odd variances. A good example I saw was the human-only maths, using human-derived groups to do the maths, so:
    There are 5 tigers and three lions and two wolves how many animals are in the cat family?

    Because the question is done server side it will be rendered in any browser without accessibility issues. These can of course be broken, but by personalising the questions and groups a spammer will have to write a program specific to your site.

    One other alternative used by companies like StumbleUpon and Facebook is reCAPTCHA, which is an attempt to digitalise old books; this is also much harder for computers to break as at least one part is unsolvable (or rather it has no answer). For more information check out http://recaptcha.net/
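
Added example, not part of the thread and not any poster's code: a server-side question check of the kind described in the posts above, where the form carries a signed, expiring, single-use token instead of a plain id field that names the question. SECRET, TTL, the question pool, the function names and the in-memory $used store are assumptions made for illustration.

```php
<?php
// Added illustration; SECRET, QUESTIONS, TTL and all function names are assumptions.
const SECRET = 'replace-with-a-random-server-side-key'; // placeholder, never sent to the client
const TTL = 600; // seconds a challenge stays valid
const QUESTIONS = [ // site-specific pool: [question, expected answer]
    ['There are 5 tigers and three lions and two wolves. How many animals are in the cat family?', '8'],
    ['What is one + 3?', '4'],
    ['4 plus 1 = ?', '5'],
];

function sign(string $data): string {
    return hash_hmac('sha256', $data, SECRET);
}

// Returns the question text plus a hidden-field token. The MAC covers the
// expected answer, so the form never carries an id that names the question.
function issue_challenge(int $now): array {
    [$question, $answer] = QUESTIONS[random_int(0, count(QUESTIONS) - 1)];
    $nonce = bin2hex(random_bytes(8));
    $expires = $now + TTL;
    $mac = sign("$nonce|$expires|$answer");
    return ['question' => $question, 'token' => "$nonce|$expires|$mac"];
}

// $used stands in for a server-side store (database, cache) of spent nonces.
function check_answer(string $token, string $answer, int $now, array &$used): bool {
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return false; // malformed token
    }
    [$nonce, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now || isset($used[$nonce])) {
        return false; // expired, or a token that was already accepted once
    }
    if (!hash_equals(sign("$nonce|$expires|" . trim($answer)), $mac)) {
        return false; // wrong answer or tampered token
    }
    $used[$nonce] = true; // single use: a solved challenge cannot be replayed
    return true;
}

// Constructed demo: solve one challenge, then resubmit the same token.
$used = [];
$c = issue_challenge(time());
$answer = array_column(QUESTIONS, 1, 0)[$c['question']];
var_dump(check_answer($c['token'], $answer, time(), $used));
var_dump(check_answer($c['token'], $answer, time(), $used));
```

Wrong answers do not spend the nonce in this sketch, so a small answer space still needs a per-client attempt limit alongside it.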

    box
    # April 2, 2008 at 6:36 am

    I don’t use any form of captcha on my forms for accessibility reasons. I also HATE being faced with them myself, so I don’t like to impose something that I dislike on to my visitors.
    Spam is a nuisance, that’s a given – but for me a captcha system is tantamount to passing my spam problem on to my site visitors and let them sort it out. It’s not their problem, it’s mine – so it’s my responsibility to find a way to combat it without lessening their web browsing experience. I haven’t found a fool-proof method for this, but I do use Google Apps to process my form-mail addresses – and Google’s spam filter is one of the best I’ve come across and has proven to be intelligent enough to filter the spam and allow genuine messages to get through. The result of this method is that I don’t have a spam problem with my forms (unless I happen to look in my spam bin!!).

    # April 2, 2008 at 8:14 am
    "box" wrote:
    but I do use Google Apps to process my form-mail addresses – and Google’s spam filter is one of the best I’ve come across and has proven to be intelligent enough to filter the spam and allow genuine messages to get through. The result of this method is that I don’t have a spam problem with my forms (unless I happen to look in my spam bin!!).

    The downside to this method is you are effectively allowing Google to blacklist your server, given that the originator is one of the factors used when determining if the content is spam, and unless you are doing some funky trick you are effectively spamming yourself by forwarding the mails to your Google account. This might not be a problem but it may become one if you then set up something like PHPList or other bulk mailer software as you may well find your legitimate mails from your domain blocked by major email providers because of all the previous spam from that server!

    box
    # April 2, 2008 at 8:42 am
    "tnash" wrote:
    "box" wrote:
    but I do use Google Apps to process my form-mail addresses – and Google’s spam filter is one of the best I’ve come across and has proven to be intelligent enough to filter the spam and allow genuine messages to get through. The result of this method is that I don’t have a spam problem with my forms (unless I happen to look in my spam bin!!).

    The downside to this method is you are effectively allowing Google to blacklist your server, given that the originator is one of the factors used when determining if the content is spam, and unless you are doing some funky trick you are effectively spamming yourself by forwarding the mails to your Google account. This might not be a problem but it may become one if you then set up something like PHPList or other bulk mailer software as you may well find your legitimate mails from your domain blocked by major email providers because of all the previous spam from that server!

    I’m not sure I follow; I set up a Google Apps account to handle all emails for the domain the form is on. This involves altering all MX records to Google’s own. I’m not forwarding mail to Google, Google handles the mail completely. This has proven to be very effective and I do receive legitimate mails regularly and seemingly without issue.
    The spam I receive is not from the online form itself, it’s from the form’s email address being lifted by spam bots and other black-art devices that I can’t even begin to comprehend.
    If this is still a negative system for bulk mailers (which I don’t use…yet) then I’ll bow to your knowledge in this area, but from experience with this system for online submission forms, it does seem to work well and for me, a better alternative to any captcha device.

    # April 2, 2008 at 9:43 am

    I perhaps should have explained better what I meant.

    You have a form, joe spammer fills it in and hits send.
    The form is sent from your server mydomain.com either using sendmail or some other command to address blahblah@yourdomain.com

    In reality your server is sending a mail not to itself but to google hosted apps.

    Google receives the email and looks at who sent it; what it sees is not Joe Spammer’s server but yours, so while you may be claiming it was sent via Joe the spammer, the headers say the originator was your IP.

    Next time you send a mail Google goes "oh look, I’ve seen that IP on spam before" and marks it with a penalty; the IP address alone is not enough to mark it fully as spam but is one of the negative points.

    Not a problem at the moment, but say you run a forum on your site and you send a message to the 1000 members. Google now gets 350 emails within a couple of seconds from your server, which it already associates with spam. Now you have a problem.

    box
    # April 2, 2008 at 9:57 am

    Ahhhh, I see. Well, at the moment spammers can’t submit the forms I use without filling it all in in the right manner, so should be alright. And I don’t get any spam this way, so that’s doing its job.
    The forum problem will be something I would have to research more if I should ever need to use one – but in that sense, a forum post wouldn’t be using a captcha system anyway??
    You raised interesting points though, and should I need any bulk mail systems I’ll send you a cheeky PM to pick your brains ;)
