Reputation: 1
I'm making a website that requires the user to sign up and log in. My friend keeps making bots with mechanize. The bot signs up for the site multiple times. When the bot makes tonnes of users, the users are added to a database table.
I've made a program to stop an entry that has example in it since the bot just has a variable like:
name = 0
and keeps adding 1 to the name variable.
I think he has a while loop like this:
import mechanize
br = mechanize.Browser()
br.open("http://www.example.com/")
br.set_handle_robots(False) # Ignores the robots.txt file
name = 0
person = 'example',name
while True:
    br.select_form( 'signup' )
    br.form[ 'fullname' ] = person
    br.submit()
    name = name + 1
So he basically has this program running non stop until the program crashes.
I want to be able to stop this with either javascript or php.
I've searched for an answer to this but all of the methods that I've tried have failed. I've tried making a timer to see how long the person was on the page since a bot is only on a webpage for about a second. I've made the timer in php and javascript and they both failed.
I've considered captcha but the bot can still send private messages and I don't think the user will stay on the site if they have to fill in a captcha every time they want to message a friend. And I don't want to have a captcha on the sign up form because it doesn't look too attractive.
I've run out of ideas to stop this. It's been going on for a couple of months and it's really slowed down the development of the site as I have to keep checking for any entries that my program may have missed.
Does anyone know of any other ways to stop a bot?
Upvotes: 0
Views: 1404
Reputation: 710
Google have released their new "reCAPTCHA" technology, which works with a mere check of a box. Bots can get around this, but it's very difficult to do so. By using this, you can reduce the risk of your friend's bot. To the extent of my knowledge, Mechanize does not currently have a way around this.
Upvotes: 1
Reputation: 9476
The simplest solution to me would seem to be to implement login with a third party such as Facebook and don't offer a standard login form at all.
Alternatively, you could implement a system to store a user's IP address when they create an account, together with a counter, and if more than a certain number of accounts get created from that IP address within a certain time period, then take corrective action, such as suspending those accounts.
I have a feeling it might also be possible to create a custom filter using fail2ban that would do the job - that way if a user tried to sign up too many times in a certain period they could be blocked for a given length of time.
Upvotes: 1
Reputation: 3266
Add email confirmation on sign-up, along with a unique email address constraint in your application or persistence layer.
Combine this with adeneo's suggestion of using a hidden field and you'll reduce bot registrations. Note, you can use a unique field name + value each time, making it more difficult to attack.
Note, many of the suggestions given so far are to foil generic attacks. It's a different thing altogether to deal with somebody specifically attacking your site by evaluating its weaknesses.
Upvotes: 1
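One way to put the per-IP counter from the second answer and the hidden-field idea from the last answer into a signup handler, as an added example in JavaScript (Node) that is not code from any answer on this page; the class name, the limits and the honeypot field name are assumptions:

```javascript
// Added example, not code from any answer on this page. A per-IP sliding-window
// signup limiter plus a honeypot-field check. Class name, limits and the
// honeypot field name ('website') are assumptions for illustration.
class SignupGuard {
  constructor({ maxPerWindow = 3, windowMs = 60 * 60 * 1000, honeypotField = 'website' } = {}) {
    this.maxPerWindow = maxPerWindow;   // signups allowed per IP per window
    this.windowMs = windowMs;           // sliding window length in ms
    this.honeypotField = honeypotField; // hidden input a real browser leaves empty
    this.attempts = new Map();          // ip -> timestamps (ms) of recent attempts
  }

  // Decide whether one signup POST may proceed. `ip` must be the real client
  // address (behind a reverse proxy, trust X-Forwarded-For only from that proxy).
  // `now` is injectable so the window logic can be tested deterministically.
  check(ip, fields, now = Date.now()) {
    if (fields[this.honeypotField]) {
      return { allowed: false, reason: 'honeypot' };
    }
    // Keep only attempts inside the window, then record this one. Rejected
    // attempts are recorded too, so a bot that keeps hammering stays blocked.
    const recent = (this.attempts.get(ip) || []).filter(t => now - t < this.windowMs);
    recent.push(now);
    this.attempts.set(ip, recent);
    if (recent.length > this.maxPerWindow) {
      return { allowed: false, reason: 'rate' };
    }
    return { allowed: true };
  }
}

// Constructed burst resembling the question's loop: one IP (a documentation
// address) posts 'example0', 'example1', ... once a second. Returns how many
// signups got through.
function simulateBurst(count, maxPerWindow = 3, windowMs = 60 * 1000) {
  const guard = new SignupGuard({ maxPerWindow, windowMs });
  let accepted = 0;
  for (let i = 0; i < count; i++) {
    const fields = { fullname: 'example' + i, website: '' };
    if (guard.check('203.0.113.7', fields, i * 1000).allowed) accepted++;
  }
  return accepted;
}
```

The Map lives in one process; for several web workers keep the timestamps in shared storage (a database row per IP, as the answer suggests) and pair the limit with the email-confirmation step so an accepted signup still costs the bot a mailbox.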