At my site, I present a form for visitor input. No login is required. I cannot require a login. So anyone browsing the site can submit the form. It also opens up the form to bots. I need to prevent the bots. I had asked the question on the following thread.

Unwanted garbage input from bots?

I did get some useful responses. I read a few solutions to this (captcha and non-captcha).

Mine is not a site where I get significant traffic. My users are not terribly computer savvy. So I was thinking of doing something like this. I am not a very accomplished programmer and what I am saying here may be very stupid. But I am simply trying to learn, so please bear with me.

Every time I present the form, I generate a unique key (unix time + remote host IP). I store the key in a db table and I send out the form with the key being a hidden field on the form. When a form is submitted, I check to see if the value for the key is in the db table. If it is, I remove the key from the db table and I process the form. If the key is not in the db table, I discard the form and ask the user to do the operation again.

With every submission I also remove stale entries (where the users did not submit the form within a stipulated time). I will need to have some mechanism to prevent bots from requesting the form. Say, for example, if I have n pending requests from a particular host, I ask people to request the form again after a few moments.

Will something like this work?

rpat
  • What platform are you using - PHP, .NET etc? – cbp Mar 10 '11 at 04:04
  • @rpat, don't worry about the point-collectors, just ask, many people like me are very happy to answer your questions without caring about point-collection. (In general, point-collection leads to pandering and less-than-objective answers, i.e. those that suck up to the OP rather than tell it like it is.) – necromancer Mar 10 '11 at 04:11
  • I am on a Perl/CGI platform. Thanks – rpat Mar 10 '11 at 05:51
  • @Sdaz MacSkibbons, on some of the questions (like this one), there were multiple answers and all of them were useful, but there was not one that I could accept as the one that solved my problem. Besides, I have gone back and thanked (if you see my follow-up comments) people who have helped me. – rpat Mar 10 '11 at 06:00

5 Answers

The bots will be able to request the hidden field and submit it anyway. Try a non-reCAPTCHA library so that your users don't get overwhelmed (reCAPTCHA is overwhelming due to its extra goal of hijacking your users to do OCR of pretty illegible text).

however, since you ask for a non-captcha solution, i would propose that you measure the time between form request and form submission (with the hidden key). a bot would submit the form within a couple of seconds of request, but a human would not.

if you find that this simple approach does not work for your site then you can try something more complex.

necromancer
  • Wouldn't bots have to know what the hidden field is for, especially if the forms have a good number of fields? I am guessing that the general approach of bots would be just to submit and not request-submit. Also, about the time measure, a bot could be programmed to wait for a minute between submissions to get around the time stamp. – rpat Mar 10 '11 at 06:16
  • How would the bot know what fields to submit without doing a request-submit? It doesn't cost the bot much to do the request and then submit. And yes, the bot could be programmed to wait, but that would slow down a bot a thousand times or more from its task of spamming the world. Yes, bots could be programmed to wait asynchronously, but I doubt there are many like that out there, because the rest of the world is not stopping them by making them wait, but instead by captchas. Bottom line: try the simplest approach and then go to the next level as you find bots getting through the current level. – necromancer Mar 10 '11 at 07:07
  • Thanks. I will try out a simple captcha approach and hopefully, it would be OK for the users. – rpat Mar 10 '11 at 07:43
  • This is more of a question than an answer: what about checking the referrer? Do bots use their own form to post or do they typically use the site's form? – Fer Mar 27 '12 at 09:48
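The token scheme from the question combined with necromancer's request-to-submit timing check, as an added Python example. This is not code from the original post (the poster is on Perl/CGI; the logic ports directly). It assumes an in-memory dict standing in for the db table, a random token in place of the question's unix time + IP key (a time+IP key is predictable, so a bot that knows the scheme could forge one without fetching the form), a check that the submitting IP matches the issuing IP (the question embeds the IP in the key but does not say whether it compares it), and made-up thresholds: a 5-second minimum dwell time, a 30-minute expiry, and at most 3 pending forms per host. As the answer says, a bot that fetches the form before posting passes the token check; the dwell-time check is what raises its cost.

```python
import secrets
import time

# Thresholds are assumptions for this example, not values from the question.
MIN_DWELL_SECONDS = 5          # submissions faster than this are treated as bots
MAX_AGE_SECONDS = 30 * 60      # a token unused for this long is stale and purged
MAX_PENDING_PER_HOST = 3       # cap on outstanding (issued, unsubmitted) forms per IP


class FormGate:
    """Issues one single-use token per rendered form and validates it on submit.

    A dict stands in for the question's db table. `now` is injectable so the
    timing rules can be exercised without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # token -> (issued_at, remote_ip)

    def issue(self, remote_ip):
        """Called when the form is rendered. Returns the hidden-field value,
        or None when this host already has too many pending forms."""
        self.purge_stale()
        pending = sum(1 for _, ip in self._tokens.values() if ip == remote_ip)
        if pending >= MAX_PENDING_PER_HOST:
            return None
        token = secrets.token_urlsafe(24)  # unpredictable, unlike time+IP
        self._tokens[token] = (self._now(), remote_ip)
        return token

    def validate(self, token, remote_ip):
        """Called on submit. The token is consumed on first use whatever the
        outcome, so a rejected or replayed submission cannot retry it."""
        self.purge_stale()
        entry = self._tokens.pop(token, None)
        if entry is None:
            return "unknown-or-expired"
        issued_at, ip = entry
        if ip != remote_ip:
            return "ip-mismatch"
        if self._now() - issued_at < MIN_DWELL_SECONDS:
            return "too-fast"
        return "ok"

    def purge_stale(self):
        """The question's cleanup step: drop tokens older than MAX_AGE_SECONDS."""
        cutoff = self._now() - MAX_AGE_SECONDS
        stale = [t for t, (issued_at, _) in self._tokens.items() if issued_at < cutoff]
        for t in stale:
            del self._tokens[t]


if __name__ == "__main__":
    gate = FormGate()
    tok = gate.issue("203.0.113.5")           # constructed client address
    print(gate.validate(tok, "203.0.113.5"))  # submitted at once: "too-fast"
```

Two caveats a practitioner would add: binding the token to the IP rejects users whose address changes between render and submit (mobile clients, some proxies), so it may be worth dropping that check if that describes your users; and a per-IP pending cap is easy to trip for many users behind one NAT, so set it from observed traffic rather than guessing.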
What about hashing form field names so the name is different each time? hash(original field name + time stamp + secret salt), and then just pass the time stamp with the form. It will take ages for the bot to figure it out, especially if the salt is different per user and changes every couple of hours/days. Just an idea I had. Was wondering if you think it would stop bots?

Gilles Lesire
  • In order for the legitimate client to send you these fields, however complicated they may be, you will need to give him this information first. Thus the bot could read that (HTML) info and include it in its request as well. Am I missing something? – stelios Jul 27 '18 at 18:08
  • You are correct. However, it would require custom code for your site. Still possible, of course. But not many would actually bother. Your site won't be targeted anymore by generic bots. 99% of them. – Gilles Lesire Jul 28 '18 at 19:04
  • Oh yes, the automated bots would be stopped, true. – stelios Jul 29 '18 at 08:33
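Gilles Lesire's idea made concrete, as an added Python example that is not from the answer: each visible field name is derived with an HMAC over the original name, a timestamp and a server-side secret, and only the timestamp travels with the form in a fixed hidden field. The secret, the field list and the two-hour acceptance window are assumptions; the answer's per-user salt and periodic rotation would be done by swapping the secret. As stelios's comment says, this only defeats bots that post hard-coded field names; one that parses the served HTML sees the current names.

```python
import hashlib
import hmac
import time

# Assumptions for this example: the secret, the field list and the window.
SECRET = b"rotate-me-every-few-hours"   # server-side only; never sent to the client
FIELDS = ("name", "email", "message")
WINDOW_SECONDS = 2 * 3600               # how long a rendered form stays submittable


def field_name(original, stamp, secret=SECRET):
    """Derive the name the browser sees for one field at one timestamp."""
    msg = f"{original}|{stamp}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return "f_" + digest[:16]   # prefix keeps it a valid HTML name attribute


def render_names(stamp, secret=SECRET):
    """Map original field names to the per-render names. `stamp` is the only
    value that has to be echoed back, in a hidden field called 'stamp'."""
    return {orig: field_name(orig, stamp, secret) for orig in FIELDS}


def decode_submission(posted, secret=SECRET, now=time.time):
    """Recover original field names from a POST body (dict of name -> value).

    Returns None when the stamp is missing, malformed or outside the window,
    or when any expected field is absent, which is what a bot posting
    hard-coded names produces."""
    try:
        stamp = int(posted["stamp"])
    except (KeyError, ValueError):
        return None
    if not 0 <= now() - stamp <= WINDOW_SECONDS:
        return None
    expected = render_names(stamp, secret)
    result = {}
    for orig, hashed in expected.items():
        if hashed not in posted:
            return None
        result[orig] = posted[hashed]
    return result


if __name__ == "__main__":
    stamp = int(time.time())
    names = render_names(stamp)
    print(names)
    # Constructed submission from a browser that echoed the served names.
    values = {"name": "Ann", "email": "ann@example.com", "message": "hello"}
    body = {"stamp": str(stamp), **{names[k]: v for k, v in values.items()}}
    print(decode_submission(body))
```

The stamp is bounded on both sides so a client cannot post a far-future timestamp and keep one set of names valid indefinitely; the HMAC means names cannot be computed without the secret even though the stamp is public.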
You could also hide the form and then a user would have to click on a button to reveal it. Much like how twitter does it when you log in.

Jason
  • An actual bot probably wouldn't even notice that the form was hidden. – Anomie Mar 10 '11 at 04:14
  • @Anomie well, there's your clue. If the form was submitted without a button-click then it's a bot :D Have the button click populate some value in the form. – necromancer Jun 10 '13 at 08:57
I wouldn't worry too much about bots submitting your form. It's not gonna happen. If you're terribly fearful then instead of a captcha ask a stupid question like "what is 1+1?" before a submission.

Shai UI
  • My company had a similar very low traffic site, but after a while the bots found us and spammed our form until we captcha-ed it using simplecaptcha. No bot seemed to break the simplecaptcha, btw. – necromancer Mar 10 '11 at 04:14
  • Bots do find my form and I do see inputs. I will try out a captcha or what you have suggested. – rpat Mar 10 '11 at 07:46
It all depends on how desperately the spammers want to submit junk to your form. Your method will work for the most stupid of bots, but as agks mehx pointed out it's trivial for a bot to load up the form and extract the field if someone bothers to take a minute or so to tweak their bot.

At the other end of the spectrum, there's little you can do to automatically stop the "pay people in certain countries the equivalent of 10¢/hr to spam every board they can find" tactic without locking things down to an extent that also prevents the general public from posting useful comments.

Anomie