Reputation: 434
I have to prevent bots from spamming requests to the account creation page (via HTTP POST requests), but I don't want to use captchas, nor do I have access to their IP (it's a Tor hidden service).
By the way, I can't use JavaScript (Tor Browser). Is there any rational way to do this?
Upvotes: 2
Views: 3400
Reputation: 277
MFA is the answer. I ran into a similar issue and ended up using MFA (multi-factor authentication) with Google Authenticator. Captcha and honeypot just make it difficult but don't solve the problem. Captcha has accessibility issues, and a honeypot field can be skipped by a determined attacker.
Upvotes: 0
Reputation: 6106
You could add blank or prefilled form elements to your form that should not be modified:
<form method="post" action="createaccount.php">
    <input type="text" name="username" />
    <input type="password" name="password" />
    <input type="email" name="email" value="" placeholder="Leave me blank!" style="display: none;" />
    <input type="submit" name="submit" />
</form>
And then in your PHP:
<?php
// Reject the submission if the hidden honeypot field came back non-empty.
// isset() avoids an "undefined index" notice when the field is missing entirely.
if (isset($_POST["email"]) && $_POST["email"] != "")
{
    die("You must be a bot!");
}
?>
This approach does not work well if the bot understands the CSS, though.
More can be found here: http://www.landauer.at/preventing-spam-in-form-submissions-without-using-a-captcha/
Upvotes: 0
Reputation: 86
If it's a bot, then most probably (but not definitively) the POST request is hand-crafted in advance based on your form parameters. In that case, you could generate a random number in a hidden input that you'll verify at POST time against "his" session/cookie/whatever.
Best solution is still captcha though.
Upvotes: 1
Reputation: 91734
An alternative solution would be to use a honeypot:
Upvotes: 3
Reputation: 46365
Perhaps the best thing you can hope to do is measure the speed of typing in the entry boxes of your registration. A human will take a "finite amount of time", while a bot will essentially take "no time" (although they could quickly figure out that you look for this, and adapt). But such a measurement would require "some" client side code to run.
Or you could give the form names (which are invisible to the user) crazy names: call the form field where people have to type their name "ZIP" and a lot of bots will put a number there.
Upvotes: 0
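As an added example (not code from the question or any of the answers), here is a single createaccount.php that combines the server-side ideas from the answers above without needing JavaScript or the client's IP: the per-session random token in a hidden input, the honeypot field that must stay empty, and the "too fast to be human" check, done by recording server-side when the form was issued instead of measuring typing speed on the client. It assumes PHP 7 or later with sessions enabled; the field names, the 3-second and 30-minute thresholds, and the point where real registration happens are all assumptions for illustration.

```php
<?php
// Added example: server-side bot checks for an account creation form.
// Assumes PHP >= 7.0 (random_bytes, hash_equals, ?? operator) and sessions.
declare(strict_types=1);
session_start();

const MIN_FILL_SECONDS  = 3;    // assumed: a human rarely finishes the form faster
const TOKEN_TTL_SECONDS = 1800; // assumed: tokens older than this are stale

// Issue a fresh random token for this session and remember when it was issued.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token']     = $token;
    $_SESSION['form_issued_at'] = time();
    return $token;
}

// Returns null when the submission passes every check, otherwise a short reason.
function reject_reason(array $post, array $session, int $now): ?string {
    $token  = (string)($session['form_token'] ?? '');
    $issued = (int)($session['form_issued_at'] ?? 0);

    // Honeypot: the field is hidden by CSS, so a human never fills it.
    if (($post['website'] ?? '') !== '') {
        return 'honeypot filled';
    }
    // Token: the POST must carry the token issued to this very session.
    // hash_equals is a constant-time comparison.
    if ($token === '' || !hash_equals($token, (string)($post['form_token'] ?? ''))) {
        return 'missing or bad token';
    }
    // Timing: too fast means scripted; too old means stale or replayed.
    $elapsed = $now - $issued;
    if ($elapsed < MIN_FILL_SECONDS) {
        return 'submitted too quickly';
    }
    if ($elapsed > TOKEN_TTL_SECONDS) {
        return 'token expired';
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = reject_reason($_POST, $_SESSION, time());
    // One token per submission: drop it so a captured POST cannot be replayed.
    unset($_SESSION['form_token'], $_SESSION['form_issued_at']);
    if ($reason !== null) {
        http_response_code(400);
        error_log('account creation rejected: ' . $reason); // feed this to monitoring
        exit('Registration failed.');
    }
    // The real account creation (username/password handling) would go here.
    exit('Account created.');
}

// GET: render the form with a fresh token and the honeypot field.
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="createaccount.php">
    <input type="text" name="username" />
    <input type="password" name="password" />
    <!-- honeypot: hidden from humans; scripts that fill every field trip it -->
    <input type="text" name="website" value="" autocomplete="off" style="display: none;" />
    <input type="hidden" name="form_token" value="<?= $token ?>" />
    <input type="submit" name="submit" value="Create account" />
</form>
```

None of these checks is a hard barrier on its own: a script can fetch the form first to obtain a token and then wait three seconds before posting. What they do is force every attempt through a session and a delay, which is what makes per-session rate limiting and logging of the rejection reasons useful, and the failed attempts in the log are the signal that tells you when the thresholds need tuning.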