
My web service landing page includes a registration form. On one hand, I want to block registration bots with a captcha field in this form, but on the other hand, a captcha field makes the form ugly. So what I need is to include this captcha field only when my server detects bot behavior.

How can I recognize a bot and block it effectively (captcha or not)? IP address (what about clients behind NAT)? Session? User agent?

P.S. My definition of a bot is any attempt to repeatedly create new accounts from a single client. So blocking user agents that are defined as 'bots' is not the way to go, because spammers can write scripts to drive browsers, or use fake user agent strings.

Answers to this question mentioned a trick using hidden fields that are expected to be blank, but that trick doesn't convince me as being very effective: How websites like Facebook are protected against bot without any captcha

  • The point about bots is that they CAN'T be detected by your server (or any artificial thing). Sadly you will need to use captcha. – ToBe Feb 13 '14 at 15:33
  • IP checks are bad (because of NAT as you mentioned) you will likely do more harm. – ToBe Feb 13 '14 at 15:34
  • Perhaps a combination of IP/UserAgent/session? It's not possible to block all bots, but at least we can try to make writing a bot harder... – NeoWang Feb 13 '14 at 15:47
  • It may work, but it is risky business. You will very likely also hit legit users. On the other hand, if you only show a captcha in these cases, the legit users aren't hit too hard. Might be an idea. – ToBe Feb 13 '14 at 15:48
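One way to implement what the comments above suggest, as an added example that is not from the question or the answers: count registration attempts per session, per IP+User-Agent and per IP over a sliding window, and require the captcha only once one of those counters crosses its threshold. The thresholds, the window length and the hashed key derivation are assumptions; the looser IP-only limit is what keeps many legitimate users behind one NAT gateway from all being forced through the captcha.

```python
from collections import defaultdict, deque
from hashlib import sha256

# Assumed thresholds: (max attempts, window in seconds) per signal.
# The IP-only limit is deliberately loose because of NAT.
THRESHOLDS = {
    "session": (2, 3600),
    "ip_ua":   (5, 3600),
    "ip":      (20, 3600),
}

def client_keys(ip, user_agent, session_id):
    """Derive the three lookup keys for one registration attempt."""
    def h(*parts):
        return sha256("|".join(parts).encode()).hexdigest()[:16]
    return {
        "session": h("s", session_id),
        "ip_ua": h("u", ip, user_agent),
        "ip": h("i", ip),
    }

class RegistrationGuard:
    """Sliding-window counters that decide when the captcha is shown."""
    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = thresholds
        self.attempts = defaultdict(deque)   # key -> attempt timestamps

    def _prune(self, key, now, window):
        q = self.attempts[key]
        while q and now - q[0] > window:
            q.popleft()

    def record_attempt(self, ip, user_agent, session_id, now):
        """Call once per registration attempt, after the captcha decision."""
        for key in client_keys(ip, user_agent, session_id).values():
            self.attempts[key].append(now)

    def requires_captcha(self, ip, user_agent, session_id, now):
        """True if any signal reached its threshold inside its window."""
        for signal, key in client_keys(ip, user_agent, session_id).items():
            limit, window = self.thresholds[signal]
            self._prune(key, now, window)
            if len(self.attempts[key]) >= limit:
                return True
        return False
```

Store the counters in something shared (e.g. a cache) rather than in-process memory if the service runs on more than one worker, and treat the per-session counter as weak evidence on its own, since a bot can simply discard its cookie.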

1 Answer


There are multiple common strategies. Check my answer on a similar question here. A mixture of strategies usually works best. But be aware that you really shouldn't obsess too much. Simple strategies usually work just fine. On the other hand, if someone is so hell-bent on harming your site that they develop custom bots only to defeat your protection, even a captcha is ineffective, as there are multiple very powerful libraries for optical character recognition. Plus, it would probably be easier for them to just DDoS you than to come up with custom bots.
