
For one of my websites I am making a comment box. In the past I have had a lot of trouble with spam bots. I have used captchas to protect my websites against these bots; however, some bots managed to bypass these captchas by using external services. I have also tried checking the HTTP agents; however, this turned out to be unreliable.

I am now looking for a way to protect my website against bots by using JavaScript. I have tried to simply check if JavaScript is enabled and, if so, then I would display the form:

<script type="text/javascript">
document.write('<the form to display>');
</script>

However, I believe this would be too simple, as bots are getting smarter at executing JavaScript. Could someone show me an example or guide me in the right direction on how I could protect my website against bots by using JavaScript?

user3398797
  • 1
    I heard about a simple means using an input box that was looking for something like password or alternate-email; except it was hidden using CSS ... as the bots filled this in, you would get an idea it's not a person. – rfornal Dec 09 '14 at 20:53
  • 1
    I'd go with a Honeypot implementation. Example here: http://stackoverflow.com/questions/16861325/honeypot-implementation – kmdsax Dec 09 '14 at 20:54
  • I've read an article not more than a day ago about this : http://www.usertesting.com/blog/2014/04/09/think-your-site-needs-captcha-try-these-user-friendly-alternatives/. There is a list of pros and cons on multiple alternatives. – Karl-André Gagnon Dec 09 '14 at 20:55
  • Well you could use some form of bootstrapping where your domain is basically a blank page with a bit of _JavaScript_ which ajaxes in your encrypted payload, decrypts it and writes the document.... or you could use what the people above have said (Y). Also idk if bots request images, but you could have some small picture sent with no-cache header which updates a session variable – Paul S. Dec 09 '14 at 20:55
  • The new Google reCaptcha implementation is less intrusive and looks promising. Requires the user clicks a checkbox, that's it. – user692942 Dec 09 '14 at 21:41
  • i cut down the spam on a busy public site simply by removing the action attrib of the comment form, and setting it with JS. simple, but it reduced spam from about 30/day to 3-5/week... – dandavis Dec 09 '14 at 22:14
  • See this related answer in terms of [bot detection using javascript](http://stackoverflow.com/a/24471222/1647538) – hexalys Apr 29 '15 at 02:46

1 Answer


I recommend using a "slide to submit" option, as described here. I use it because it doesn't add a barrier to your legitimate users, but should be fairly difficult for a bot. Keep in mind though, if someone is dedicated, they will get past you. You're just trying to make it too hard for the automated ones.

Edit: I gave a quick answer that ignored impaired users. I work in an industry that is, by its very nature, limited to sighted and non-motion-impaired users. The above solution only works under those conditions.

If you have non-sighted users, you can consider using a "honeypot", but as mentioned here (can't include link), they tend to be confusing/impossible for people using screen readers. You can offer audio CAPTCHAs, but they are solved and can't be relied upon (can't include link). This paper discusses some CAPTCHA alternatives, but they are mostly overkill for a comment box. You may want to consider the new Google alternative, the "I'm not a robot" reCAPTCHA (can't include link); however, I think it works by taking into account the way the user interacts with the site, and someone using assistive technology might not have standard patterns when interacting with the site. There is, as far as I know, no accepted way to have CAPTCHA technology in a completely accessible way for impaired users.

Sorry I can't cite everything, I got downvoted for suggesting an industry-standard practice, so now I can't include more than two links. I get that accessibility is important, guy who downvoted me, but shooting everything down without offering an alternative is not helpful.

Sam H.
  • 2
    use that motion-based stuff only if you don't care about your blind or physically disabled users. – dandavis Dec 09 '14 at 22:16
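
The honeypot field and the "set it with JS" trick mentioned in the comments and the answer only help if the server checks them on every POST. The following is an added example, not code from any poster in this thread; the field names `alt_email` and `js_token`, the `/comments` endpoint and the session-stored token are assumptions made for illustration.

```javascript
// Added example; all names below are hypothetical.
const HONEYPOT_FIELD = 'alt_email'; // present in the HTML, hidden with CSS
const JS_FIELD = 'js_token';        // empty in the HTML, filled by script

// Client side (browser): the raw HTML form has no action and no token,
// so a client that just parses and posts the markup sends neither.
function armForm(form, token) {
  form.setAttribute('action', '/comments'); // hypothetical endpoint
  form.elements[JS_FIELD].value = token;
}

// Server side: list the bot signals found in one parsed POST body.
// `issuedToken` is the value the server stored in the visitor's session
// when it rendered the page (undefined if no page was ever rendered).
function botSignals(fields, issuedToken) {
  const signals = [];
  const trap = String(fields[HONEYPOT_FIELD] || '').trim();
  if (trap !== '') signals.push('honeypot-filled');
  if (!issuedToken || fields[JS_FIELD] !== issuedToken) {
    signals.push('js-token-missing');
  }
  return signals;
}

// Accept only when no signal fired. Dropping silently (no error page)
// gives the sender no hint about which check it failed.
function decide(fields, issuedToken) {
  return botSignals(fields, issuedToken).length === 0 ? 'accept' : 'drop';
}

// Constructed sample submissions, not real traffic.
const ISSUED = 'tok-constructed-1';
const SAMPLES = {
  human:      { comment: 'Nice post', alt_email: '', js_token: ISSUED },
  formFiller: { comment: 'buy now', alt_email: 'x@example.com', js_token: '' },
  replayed:   { comment: 'buy now', alt_email: '', js_token: 'tok-stale' },
};

function runSamples() {
  const out = {};
  for (const name of Object.keys(SAMPLES)) {
    out[name] = decide(SAMPLES[name], ISSUED);
  }
  return out;
}
console.log(runSamples());
```

A bot that drives a real browser sets the token and skips the hidden field just as a person does, so these checks filter simple form-posting scripts only.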