I have the following code for a demo button:

= form_tag(new_demo_path, :method => "put", id: "demo-form") do
  = hidden_field_tag :time, (Time.now.to_f * 1000)
  .cannot-see-me= text_field_tag :name, params[:name]
  = submit_tag button_title, :name => nil, :id => 'start_demo_btn', :class => button_class, onclick: "$('#please-wait').modal({keyboard: false, backdrop: 'static'});"

If the user clicks too fast it won't do anything (to avoid bots); there is also a hidden field that (once filled in) will prevent the demo environment from being generated.

For some reason googlebot is still able to create demo environments... Is there something in the submit_tag or form_tag I can include to instruct it not to click the button?

2 Answers

Based on another post: How to prevent robots from automatically filling up a form?

You can track the time between the page load, the button click and then the new page that loads. If you have to fill out a form, a bot will do that way faster than humans.

Another method would be to use robots.txt to deny access to this page. Every major bot respects this file.

A third method would be to create an access control list (e.g. sessions) and display the button only to people who are logged in.

  • I already do 2 things on that link: honeypot field and tracking the time, see OP. How can I define in robots.txt that a button cannot be clicked? Is that possible? – rept Feb 15 '15 at 11:12
  • No, but you can disallow the page from being crawled for all user agents. But that still doesn't solve the problem if you have a bot which doesn't follow the robots.txt. – lyinch Feb 15 '15 at 15:30
  • Which page? The 'start demo' button is on my main page, I definitely want that page to be crawled, but that specific button can't be pushed. – rept Feb 15 '15 at 15:31
  • If you load a new page after the button has been pushed, you could check if it's a bot or not based on the user agent. And then according to this either start your demo or give out an error response/redirect. – lyinch Feb 15 '15 at 15:40
  • That's a possibility but I'm hopeful to find a way to instruct the bot not to click the button. – rept Feb 15 '15 at 17:01
Using JavaScript or the likes on buttons is highly insecure as a bot is going to bypass it (since bots usually don't interpret JavaScript). I would recommend using a combination of fake form fields (tripwires for any bots - any content in these fields is a sure indicator of a bot), sanity checks (i.e. whether or not the content is plausible), timestamping (anything that is submitted too fast or too slowly also indicates a bot), MySQL (for blacklisting IP addresses and e-mail addresses as well as flood protection), content analysis, DNSBLs to keep out IP addresses of known spammers, and (optionally) even verification e-mails. That keeps out any bots, and even if traps at a particular stage are avoided, there are other traps that are going to trigger.

Plus you can proactively edit the list of spam words that show up to strengthen your defenses in case your early-stage traps are avoided (requires logging of any incoming messages).

This avoids using a Captcha that very often cannot be properly deciphered, plus with application/xhtml or application/xhtml+xml it cannot be implemented due to the peculiarities of the XHTML DOM. The other methods work independently of the type of markup language used, plus the entire thing remains barrier-free.

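A server-side gate that implements the three checks raised across both answers and the comments (honeypot field, timing window, crawler user-agent), as an added example that is not part of either answer or the OP's application. It goes one step beyond the OP's form by HMAC-signing the hidden timestamp so a submitter cannot simply post a convenient old value; `issue_timestamp`, `reject_reason`, the `:sig` field, the thresholds and the `SECRET` constant are assumed names and values.

```ruby
require 'openssl'

# Added example (not the OP's code): server-side checks for the demo form.
# Assumptions: :time holds the page-render time in ms (as in the OP's form),
# :name is the CSS-hidden honeypot field, and a hypothetical :sig field carries
# an HMAC of :time issued when the page was rendered.
SECRET = OpenSSL::Random.random_bytes(32) # in Rails: Rails.application.secret_key_base

MIN_FILL_MS = 2_000        # faster than a human can load the page and click
MAX_FILL_MS = 30 * 60_000  # older than this: stale page or replayed request
CRAWLER_UA  = /googlebot|bingbot|yandex|duckduckbot|baiduspider|slurp/i

# Called while rendering the form: the two hidden values to embed.
def issue_timestamp(now_ms = (Time.now.to_f * 1000).to_i)
  ts = now_ms.to_s
  { time: ts, sig: OpenSSL::HMAC.hexdigest('SHA256', SECRET, ts) }
end

# Constant-time comparison so the signature cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns nil when the submission looks human, otherwise a short reason
# (useful for logging). `params` mirrors Rails params with string keys.
def reject_reason(params, user_agent, now_ms = (Time.now.to_f * 1000).to_i)
  # 1. honeypot: a hidden field that a real user never sees must stay empty
  return 'honeypot filled' unless params['name'].to_s.strip.empty?
  # 2. self-identifying crawlers get a polite refusal instead of a demo
  return 'crawler user-agent' if user_agent.to_s.match?(CRAWLER_UA)
  # 3. timing window, but only on a timestamp this server actually issued
  ts, sig = params['time'].to_s, params['sig'].to_s
  return 'missing timestamp' if ts.empty? || sig.empty?
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, ts)
  return 'bad signature' unless secure_equal?(sig, expected)
  elapsed = now_ms - ts.to_i
  return 'submitted too fast' if elapsed < MIN_FILL_MS
  return 'form expired'       if elapsed > MAX_FILL_MS
  nil
end
```

In the controller, a non-nil reason would short-circuit `create` with a redirect or a 4xx response before any demo environment is provisioned.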