Click here to get back home

An unobtrusive partial alternative to CAPCHA
 HomeNewsGroups | Search | About
Login Password
Register Now!
 comp.infosystems.www.authoring.html    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
An unobtrusive partial alternative to CAPCHA Ben Bacarisse 05-08-2008
Posted by Ben Bacarisse on May 8, 2008, 10:33 pm
Please log in for more thread options
 A while back I suggested a method of using timestamps to filter out at
least some automatic form postings. Now that I have tried it for
about 10 months, I thought it might useful to report back.

Briefly, the current time is encoded in a hidden form field when the
page containing it is served. The script that processes the form
checks the (new) current time against that in the form and rejects the
submission if it is either too fast or too slow. Unless the user
is super fast they see no effect at all. There are no accessibility
issues unless one sets the maximum permitted time too low. I currently
allow submissions from 5 seconds up to an hour after the form was
sent. Results suggest that this upper limit can safely be increased.

Even if a user is "caught", in both cases one can re-present the
form. In the case of a slow submission one would regenerate the time
stamp[1] and the user need only hit submit again.

Of course, the time stamp must be protected so that tampering could be
detected, although no examples of altered or missing timestamps showed
up in this test (which it hardly surprising, why would a bot alter
some mysterious hidden field?).

The method does seem to work well. The people seeing the submissions
report very little "spam" and there have been no complaints from users
being inconvenienced. I have not been able to study the submissions
that got through to count the failures, so all I have to go on is the
reports of "very little" spam and counts of blocked submissions.

Of the 1369 submissions in 42 weeks 518 were blocked by this method.
159 of these for being too fast and a surprising 359 for being too
slow -- way too slow. Only two of these are at all close to the one
hour cut-off time. I image many bots queue up the forms for
submission later. It seems they also keep trying without requesting
the form again since there are increasing time values later in the
test period.

The 5 second minimum look about right. The spread for fast reply
rejections was:

0s: 16
1s: 72
2s: 38
3s: 26
4s: 7

I can supply code if anyone else wants to try it.

[1] The ideal setting would be exactly 5 seconds (the minimum
submission time) old. A submit would then be accepted no matter how
fast the user was.

--
Ben.

Posted by David Quinton on May 9, 2008, 1:54 am
Please log in for more thread options
 On Fri, 09 May 2008 03:33:13 +0100, Ben Bacarisse

>A while back I suggested a method of using timestamps to filter out at
>least some automatic form postings.

Thanks for this, Ben. very interesting and thorough research.
--
Locate your Mobile phone: <http://www.bizorg.co.uk/news.html>
Great gifts: <http://www.ThisBritain.com/ASOS_popup.html>

Posted by Pavel Lepin on May 9, 2008, 2:37 am
Please log in for more thread options

> A while back I suggested a method of using timestamps to
> filter out at least some automatic form postings. Now
> that I have tried it for about 10 months, I thought it
> might useful to report back.

That's a brilliant idea, thanks a lot for your research. I'm
going to adopt this method for filtering out the
spambots... unless you consider this your IP and are going
to patent this. But that would be very, very evil of
you. :-)

--
I'm not dead, just pinin' for the fnords.

Posted by Ben Bacarisse on May 9, 2008, 7:52 am
Please log in for more thread options

>> A while back I suggested a method of using timestamps to
>> filter out at least some automatic form postings. Now
>> that I have tried it for about 10 months, I thought it
>> might useful to report back.
>
> That's a brilliant idea, thanks a lot for your research. I'm
> going to adopt this method for filtering out the
> spambots... unless you consider this your IP and are going
> to patent this. But that would be very, very evil of
> you. :-)

... and would be inconsistent with reporting it here. It is simple to
implement and almost entirely invisible to users so, although it is
only partially effective, I hope it does get used. That was the point
of the post.

Thank you for your kind words.

--
Ben.

Posted by Brian Cryer on May 9, 2008, 3:56 am
Please log in for more thread options
>A while back I suggested a method of using timestamps to filter out at
> least some automatic form postings. Now that I have tried it for
> about 10 months, I thought it might useful to report back.
>
> Briefly, the current time is encoded in a hidden form field when the
> page containing it is served. The script that processes the form
> checks the (new) current time against that in the form and rejects the
> submission if it is either too fast or too slow. Unless the user
> is super fast they see no effect at all. There are no accessibility
> issues unless one sets the maximum permitted time too low. I currently
> allow submissions from 5 seconds up to an hour after the form was
> sent. Results suggest that this upper limit can safely be increased.
<snip>

Fascinating Ben. This is an area where I have an active interest, so I may
borrow your idea (no need for code, but the concept is priceless.) I know
its not a complete answer to spam, but it all helps.

One thing I would say is that I wouldn't advertise the idea. Once spammers
catch on to it it shouldn't take them much effort to get round it. That
said, most spammers seem to be absolute idiots so the idea may be sound for
many years to come.
--
Brian Cryer
www.cryer.co.uk/brian


Similar ThreadsPosted
Alternative to Frames November 17, 2004, 8:19 pm
Alternative to TSEP October 1, 2006, 10:46 pm
Alternative to WebRing? October 11, 2006, 6:41 am
Alternative methods to IMG May 9, 2007, 5:15 am
alternative to FrontPage please February 4, 2008, 3:45 am
No simple alternative to EMBED March 13, 2005, 6:38 pm
EMBED-command - HTML 4.01 Transitional alternative? July 17, 2004, 7:42 pm
Alternative to CMS Encore Pro and CityDesk using the power of Visual Web Developer March 18, 2007, 8:25 pm
Alternative to CMS Encore Pro and CityDesk using the power of Visual Web Developer March 18, 2007, 8:26 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap