Antispam measures on websites

Date: 18 Apr 2010 Comments: 0

Spam on websites has become a big issue. Nice features like “send this article (product) to a friend” turn into open email relays. Message boards turn into lists of porn, gambling and drug advertisements. Contact forms on websites become a direct spam route into the mailboxes of website owners.

What options do we web developers have to prevent this? Let's identify how big the problem is, and then we can decide which anti-spam technique to use against it.

Just to note: this article is about anti-spam measures, not about security against password brute-force attacks or similar.

Passing security code

Implementation level: fairly easy
User friendly: invisible to user
Level of security: basic

This protects your page only from direct submissions (a robot posting straight to the receiving script without first loading the form). Unfortunately, nowadays spam robots visit the page containing the form and do use cookies, so they keep the session. The amount of spam filtered by this technique is rather small.

Functionality and implementation description

On the page where user input is expected, the scripting language generates a random, unique key. This key is stored in the user's session and at the same time printed into the form that is submitted together with the user input. Before taking any action, such as sending an email or inserting data into the database, the security code in the user's session is compared with the one submitted with the user input. If they don't match, the action is not taken.

JavaScript catching human activity

Implementation level: rather easy
User friendly: invisible to user
Level of security: high

Since spam robots usually don't handle JavaScript, this gives very good protection. However, as this technique becomes more widely used, spam robots are expected to be given JavaScript capability sooner or later. For now you can feel safe using it.

Functionality and implementation description

JavaScript is interpreted at the user's end, in the browser, so it can catch user activity. When a robot browses your website it doesn't use a regular web browser; it just sends requests to the web server and parses the results.
The implementation could be the same as the example in the first technique with one modification: the security key field in the HTML form is served empty and gets filled by JavaScript on a mouse click or form submit event. This way the security key is passed to the receiving script along with the user input only on a “human” action.

Human user input (captcha)

Implementation level: rather difficult
User friendly: moderate
Level of security: high

Some people may have a problem solving the puzzle; captchas in particular sometimes give users trouble.

If you use a simple, nice and clear captcha, which is more user friendly, you keep the risk that the captcha can be parsed and recognized by robots. Using a more secure captcha can make it really difficult for users to recognize the characters in it. A captcha may also offer an audio presentation of the characters; this is read to the user by a machine, which means it can also be recognized by a robot. So the audio presentation actually makes the captcha less secure.

Functionality and implementation description

This technique verifies that data is submitted by a human by posing a puzzle that only a human can solve. This could be a question like “how many ears does a regular human have?”, a simple textual mathematical problem, e.g. “how much is 2+2?”, or visual input like a captcha, where letters and/or numbers are shown in random shapes in a picture. The user submitting the form must solve the problem and type the answer into the form being submitted. The receiving script then verifies the answer and treats the data as submitted by a human if it matches.

How to decide which of these techniques to use and how difficult to make them?

If you have a well-known, high-traffic website, or are developing a web platform, CMS or other system to be used as a base for other websites, see below. If not, you are protecting against general spammers who are not targeting your website in particular, and I recommend a custom JavaScript implementation. It is easy to implement and doesn't give visitors any trouble. As you are not of particular interest to spammers, you will only be reached by automated crawlers submitting everything everywhere. Since you use a custom implementation, they won't be able to understand where your security key lies in the source and won't be able to understand your system automatically. Be aware of using popular ready-made solutions: once they become popular, spammers can add logic to overcome them. The only other general way to overcome your custom implementation would be to include and run a JavaScript engine to process the JavaScript in your page, but I believe this is still far away.

If you are developing a system that may potentially be of particular interest to spammers, then I would implement a captcha, as this seems to be the only option at the moment. Be careful to implement a good captcha system that uses an engine not yet known to be machine-recognizable. Also use one that can be read and understood well by your visitors, and provide plenty of help for Internet beginners.

Published by Stan Kuhn in: Security and anti-spam
