Killing Blog Spam without Captcha

There are a few alternatives to Captcha - there is a nice trick that Damien Katz recently blogged about. It's ultimately doomed, because a spammer can easily adapt, but it is neat and it's working for now.

I've been mulling over a couple of ideas with Geert who was thinking of implementing the first for his Paste Bin site.

1. Use unpredictable form field names

When the user clicks on the "add comment" button, a comment form is presented with the usual fields: Name, Email, Website and Comment. The form fields however do not have predictable names. Instead, the fields are generated from some user-derived secret - maybe something stored in the users session. The important thing is that the field names are predictable to the server, but unpredictable to the user.

The server can then easily work out which field values relate to which input field, but the only thing you have to go on as far as HTTP stream goes is visually what labels are next to what fields, and there are plenty of ways to obscure this in HTTP. You can even alter the field ordering at runtime to make life even harder.

In order to submit the spam now, the spamming tool will need to manage cookies, visit a set of pages, and then guess which field names relate to which fields. This could be used in conjunction with fields hidden using CSS to make the guesswork near impossible.

2. Process the form with JavaScript

If the onsubmit process requires some JavaScript computation then the spammer will need to include a JavaScript engine in their toolkit for the post to be accepted. While it's possible that spammers could do this, maybe we can use this to slow them down to the point where it becomes less of a problem.

We dynamically create a short bit of Javascript that asks the posters browser to compute the factorials of some small prime. We can adjust the size of the prime to dictate the length of the required computation. The computation can be happening in the background while the post is being written.

I suspect that this method is slightly flawed because spammers will be using some bot-net to perform the attack, so slowing the submit rate down by 2 or 3 orders of magnitude isn't a big deal, they'll just use bigger bot-nets.

However the annoyance of having to include a Javascript engine in the spamming toolkit could easily stop all but the most persistent spammers.

Tags : blogging javascript

Responses[5]

Posted by Joe Walker on 18 January 2007 06:45:58 GMT #

Re: Killing Blog Spam without Captcha

Comment from Anonymous on 18 January 2007 09:47:06 GMT #

What do you think about this Idea? http://www.afghanmania.com/en/contact/ There as image with a math test for example "3+7", and you have to enter the result

Re: Killing Blog Spam without Captcha

Comment from Dion Almaer on 18 January 2007 14:39:35 GMT #

We put in a "you need javascript to submit this" wordpress plugin on Ajaxian.com. Within a day we had bots submitting spam. They already have javascript support. :(

Re: Killing Blog Spam without Captcha

Comment from Doug Karr on 19 January 2007 02:34:47 GMT #

I totally knocked out Contact Form Spam by simply adding a challenge question to the plugin. This type of approach could be easily implemented for comment forms as well. WordPress Contact Form Plugin with Spam Protection

Re: Killing Blog Spam without Captcha

Comment from d on 11 February 2007 14:41:58 GMT #

I may try this out on a site or two that want to remove their capcha proof image verification because it is quite big on a small page. Thanks you.

Re: Killing Blog Spam without Captcha

Comment from Jonah Dempcy on 07 May 2008 22:56:43 BST #

Good ideas. I'm really frustrated with CAPTCHA-- while it's a working system, how many untold person-hours are wasted entering this nonsense? I noticed Alexa had some pretty advanced obfuscation to prevent people from ripping their content. I think similar schemes could be devised to prevent comment spam. That way only developers' time is wasted devising these schemes, but users save time by not having to enter nonsense characters.

Add a comment Send a TrackBack

2008 July (2) June (0) May (2) April (1) March (5) February (2) January (1)	2007 December (4) November (3) October (2) September (0) August (3) July (2) June (1) May (2) April (8) March (11) February (4) January (7)
2006 December (4) November (2) October (4) September (3) August (7) July (3) June (3) May (10) April (3) March (4) February (5) January (3)	2005 December (1) November (7) October (8) September (10) August (5) July (7) June (11) May (6) April (2)

Re: Killing Blog Spam without Captcha Comment from Anonymous on 25 July 2008 05:51:55 BST #
Title
Body	HTML : b, strong, i, em, blockquote, br, p, pre, a href="", ul, ol, li, sub, sup
Name
E-mail address
Website
Remember me	Yes No
E-mail addresses are not publicly displayed, so please only leave your e-mail address if you would like to be notified when new comments are added to this blog entry (you can opt-out later).

Username
Password
Remember me