Re: [PHP] send form by email with image spam controler

08/03/2008, 16h44

At 10:08 AM +0100 3/8/08, Alain Roger wrote:
>Hi,
>
>i would like to allow web site users to fill a form when they request
>information.
>the purpose is to have something standardized and later on to archive all
>those request into database.
>to avoid spammer, i was thinking to use a code image which change to each
>page refresh in order to be sure that user is human and not a simple robot
>:-)
>after that, all data should be sent by web site (maybe a particular email
>account or function) to email address info@mywebsite.com.
>
>is there a simple way to do that or a better way ?
>
>moreover where could i find similar example ? especially about image
>checking...

Here's a few.

http://webbytedd.com/aa/assorted-captcha/

BUT, all can be broke by a spammer. There is no solution.

So, make it as simple as can be for those who have problems with that
sort of thing.

Cheers,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com

09/03/2008, 13h54

tedd wrote:

> Here's a few.
>
> http://webbytedd.com/aa/assorted-captcha/
>
> BUT, all can be broke by a spammer. There is no solution.
>

How about this one -

http://jessen.ch/articles/captcha

Well, of course it can be broken too - it's only a matter of money and
time, both of which are critical to spammers.

(for the moment it has a limited number of questions and only in
English).

/Per Jessen, ZÃ¼rich

09/03/2008, 14h34

> How about this one -
>
> http://jessen.ch/articles/captcha
>
> Well, of course it can be broken too - it's only a matter of money and
> time, both of which are critical to spammers.
>
> (for the moment it has a limited number of questions and only in
> English).

Interesting. How well does this work? I'm interested because I wrote a
number to text converter which could be used as a CAPTCHA and it was
eventually broken, so I resorted to the more traditional image based
CAPTCHA. For example:

Enter the following in numbers:

Four thousand and twenty two.

And of course the answer is 4022.

--
Richard Heyes
Employ me:
http://www.phpguru.org/cv

09/03/2008, 14h47

Richard Heyes wrote:

>> How about this one -
>>
>> http://jessen.ch/articles/captcha
>>
>> Well, of course it can be broken too - it's only a matter of money
>> and time, both of which are critical to spammers.
>>
> Interesting. How well does this work?

Well - it's an idea I've had for a while, but I only just implemented it
this morning.
The key thing is that in order to read the question, you need to render
the HTML in an engine or browser with javascript support. Just parsing
the page won't you.
Like I said, it can be broken too (given sufficient effort).

> I'm interested because I wrote a number to text converter which could
> be used as a CAPTCHA and it was eventually broken, so I resorted to
> the more traditional image based CAPTCHA. For example:
>
> Enter the following in numbers:
>
> Four thousand and twenty two.
>
> And of course the answer is 4022.

Did you use javascript to do that too? Seems to me it should work just
as well as what I proposed.

/Per Jessen, ZÃ¼rich

09/03/2008, 16h05

On 9 Mar 2008, at 12:47, Per Jessen wrote:
> Richard Heyes wrote:
>>> How about this one -
>>>
>>> http://jessen.ch/articles/captcha
>>>
>>> Well, of course it can be broken too - it's only a matter of money
>>> and time, both of which are critical to spammers.
>>>
>> Interesting. How well does this work?
>
> Well - it's an idea I've had for a while, but I only just
> implemented it
> this morning.
> The key thing is that in order to read the question, you need to
> render
> the HTML in an engine or browser with javascript support. Just
> parsing
> the page won't you.
> Like I said, it can be broken too (given sufficient effort).

It's not much effort - you just need to request a second URL after
you've got the form. It's not hard and really doesn't really put
anything more in the way of a bot than an image-based captcha. In fact
I'd argue that parsing the text in your questions is significantly
easier than doing OCR on an image.

>> I'm interested because I wrote a number to text converter which could
>> be used as a CAPTCHA and it was eventually broken, so I resorted to
>> the more traditional image based CAPTCHA. For example:
>>
>> Enter the following in numbers:
>>
>> Four thousand and twenty two.
>>
>> And of course the answer is 4022.
>
> Did you use javascript to do that too? Seems to me it should work just
> as well as what I proposed.

Text-based captchas will never be a big hurdle for bots. Anything you
can convert from a number or numbers into text can also be parsed back
to the numbers. Fact.

The key thing to remember when securing a form is that if you do
something that's never been seen before it's unlikely that the generic
bots will be able to get past it. If someone decides to target your
site then a text-based captcha will never be good enough, and chances
are nothing you do will work. If someone is willing to put in the
effort you've got no chance.

As an example I used to have a simple text-based captcha on the
comment form on my blog. It was pitifully simple to get past because
all it asked you to do was type 'human' into a text box, but since my
blog is not very popular it's not worth the bad guys investing time to
mod their bots to get past it. I had zero spam comments while that was
in place. I've since switched to Wordpress and I have to say that
Akismet kicks the crap out of any captcha in terms of effectiveness.

-Stut

--
http://stut.net/

09/03/2008, 18h19

Stut wrote:

> On 9 Mar 2008, at 12:47, Per Jessen wrote:
>
>> Like I said, it can be broken too (given sufficient effort).
>
> It's not much effort - you just need to request a second URL after
> you've got the form. It's not hard and really doesn't really put
> anything more in the way of a bot than an image-based captcha. In fact
> I'd argue that parsing the text in your questions is significantly
> easier than doing OCR on an image.

Ah, yes, I see what you mean.

> The key thing to remember when securing a form is that if you do
> something that's never been seen before it's unlikely that the generic
> bots will be able to get past it.

Which will still get rid of most of the attacks. But then so will
something that automatically monitors accesses to your form, and
selective bans IP-addresses (e.g. after too many attempts during N
minutes).

> If someone decides to target your site then a text-based captcha will
> never be good enough, and chances are nothing you do will work. If
> someone is willing to put in the effort you've got no chance.

Absolutely. Same goes for encryption etc.

/Per Jessen, ZÃ¼rich

08/03/2008, 16h44	#1
tedd Messages: n/a Hébergeur:	Re: [PHP] send form by email with image spam controler At 10:08 AM +0100 3/8/08, Alain Roger wrote: >Hi, > >i would like to allow web site users to fill a form when they request >information. >the purpose is to have something standardized and later on to archive all >those request into database. >to avoid spammer, i was thinking to use a code image which change to each >page refresh in order to be sure that user is human and not a simple robot >:-) >after that, all data should be sent by web site (maybe a particular email >account or function) to email address info@mywebsite.com. > >is there a simple way to do that or a better way ? > >moreover where could i find similar example ? especially about image >checking... Here's a few. http://webbytedd.com/aa/assorted-captcha/ BUT, all can be broke by a spammer. There is no solution. So, make it as simple as can be for those who have problems with that sort of thing. Cheers, tedd -- ------- http://sperling.com http://ancientstones.com http://earthstones.com

09/03/2008, 13h54	#2
Per Jessen Messages: n/a Hébergeur:	Re: [PHP] send form by email with image spam controler tedd wrote: > Here's a few. > > http://webbytedd.com/aa/assorted-captcha/ > > BUT, all can be broke by a spammer. There is no solution. > How about this one - http://jessen.ch/articles/captcha Well, of course it can be broken too - it's only a matter of money and time, both of which are critical to spammers. (for the moment it has a limited number of questions and only in English). /Per Jessen, ZÃ¼rich

09/03/2008, 14h34	#3
Richard Heyes Messages: n/a Hébergeur:	Re: [PHP] send form by email with image spam controler > How about this one - > > http://jessen.ch/articles/captcha > > Well, of course it can be broken too - it's only a matter of money and > time, both of which are critical to spammers. > > (for the moment it has a limited number of questions and only in > English). Interesting. How well does this work? I'm interested because I wrote a number to text converter which could be used as a CAPTCHA and it was eventually broken, so I resorted to the more traditional image based CAPTCHA. For example: Enter the following in numbers: Four thousand and twenty two. And of course the answer is 4022. -- Richard Heyes Employ me: http://www.phpguru.org/cv

09/03/2008, 14h47	#4
Per Jessen Messages: n/a Hébergeur:	Re: [PHP] send form by email with image spam controler Richard Heyes wrote: >> How about this one - >> >> http://jessen.ch/articles/captcha >> >> Well, of course it can be broken too - it's only a matter of money >> and time, both of which are critical to spammers. >> > Interesting. How well does this work? Well - it's an idea I've had for a while, but I only just implemented it this morning. The key thing is that in order to read the question, you need to render the HTML in an engine or browser with javascript support. Just parsing the page won't you. Like I said, it can be broken too (given sufficient effort). > I'm interested because I wrote a number to text converter which could > be used as a CAPTCHA and it was eventually broken, so I resorted to > the more traditional image based CAPTCHA. For example: > > Enter the following in numbers: > > Four thousand and twenty two. > > And of course the answer is 4022. Did you use javascript to do that too? Seems to me it should work just as well as what I proposed. /Per Jessen, ZÃ¼rich

09/03/2008, 16h05	#5
Stut Messages: n/a Hébergeur:	Re: [PHP] send form by email with image spam controler On 9 Mar 2008, at 12:47, Per Jessen wrote: > Richard Heyes wrote: >>> How about this one - >>> >>> http://jessen.ch/articles/captcha >>> >>> Well, of course it can be broken too - it's only a matter of money >>> and time, both of which are critical to spammers. >>> >> Interesting. How well does this work? > > Well - it's an idea I've had for a while, but I only just > implemented it > this morning. > The key thing is that in order to read the question, you need to > render > the HTML in an engine or browser with javascript support. Just > parsing > the page won't you. > Like I said, it can be broken too (given sufficient effort). It's not much effort - you just need to request a second URL after you've got the form. It's not hard and really doesn't really put anything more in the way of a bot than an image-based captcha. In fact I'd argue that parsing the text in your questions is significantly easier than doing OCR on an image. >> I'm interested because I wrote a number to text converter which could >> be used as a CAPTCHA and it was eventually broken, so I resorted to >> the more traditional image based CAPTCHA. For example: >> >> Enter the following in numbers: >> >> Four thousand and twenty two. >> >> And of course the answer is 4022. > > Did you use javascript to do that too? Seems to me it should work just > as well as what I proposed. Text-based captchas will never be a big hurdle for bots. Anything you can convert from a number or numbers into text can also be parsed back to the numbers. Fact. The key thing to remember when securing a form is that if you do something that's never been seen before it's unlikely that the generic bots will be able to get past it. If someone decides to target your site then a text-based captcha will never be good enough, and chances are nothing you do will work. If someone is willing to put in the effort you've got no chance. As an example I used to have a simple text-based captcha on the comment form on my blog. It was pitifully simple to get past because all it asked you to do was type 'human' into a text box, but since my blog is not very popular it's not worth the bad guys investing time to mod their bots to get past it. I had zero spam comments while that was in place. I've since switched to Wordpress and I have to say that Akismet kicks the crap out of any captcha in terms of effectiveness. -Stut -- http://stut.net/

09/03/2008, 18h19	#6
Per Jessen Messages: n/a Hébergeur:	Re: [PHP] send form by email with image spam controler Stut wrote: > On 9 Mar 2008, at 12:47, Per Jessen wrote: > >> Like I said, it can be broken too (given sufficient effort). > > It's not much effort - you just need to request a second URL after > you've got the form. It's not hard and really doesn't really put > anything more in the way of a bot than an image-based captcha. In fact > I'd argue that parsing the text in your questions is significantly > easier than doing OCR on an image. Ah, yes, I see what you mean. > The key thing to remember when securing a form is that if you do > something that's never been seen before it's unlikely that the generic > bots will be able to get past it. Which will still get rid of most of the attacks. But then so will something that automatically monitors accesses to your form, and selective bans IP-addresses (e.g. after too many attempts during N minutes). > If someone decides to target your site then a text-based captcha will > never be good enough, and chances are nothing you do will work. If > someone is willing to put in the effort you've got no chance. Absolutely. Same goes for encryption etc. /Per Jessen, ZÃ¼rich

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email