Click here to get back home

An unobtrusive partial alternative to CAPCHA
 HomeNewsGroups | Search | About
Login Password
Register Now!
 comp.infosystems.www.authoring.html    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
An unobtrusive partial alternative to CAPCHA Ben Bacarisse 05-08-2008
Posted by Andrew Heenan on May 9, 2008, 7:05 am
Please log in for more thread options
> Of the 1369 submissions in 42 weeks 518 were blocked by this method.
> 159 of these for being too fast and a surprising 359 for being too
> slow -- way too slow. Only two of these are at all close to the one
> hour cut-off time. I image many bots queue up the forms for
> submission later. It seems they also keep trying without requesting
> the form again since there are increasing time values later in the
> test period.

What does the system do about a failed form?
Does the bounce page say why?
--

Andrew
seo2seo.com
sick-site-syndrome.com

UK Residents:
STOP THE "10p Tax Ripoff"
Sign the petition to stop the government stealing from the
very poorest tell your friends about this petition:
http://petitions.pm.gov.uk/10penceband/



Posted by Ben Bacarisse on May 9, 2008, 7:45 am
Please log in for more thread options
>> Of the 1369 submissions in 42 weeks 518 were blocked by this method.
>> 159 of these for being too fast and a surprising 359 for being too
>> slow -- way too slow. Only two of these are at all close to the one
>> hour cut-off time. I image many bots queue up the forms for
>> submission later. It seems they also keep trying without requesting
>> the form again since there are increasing time values later in the
>> test period.
>
> What does the system do about a failed form?
> Does the bounce page say why?

For a "fast" or a "slow" submission, the page gives the user a message
and re-presents the form (with the user-provided data, of course) and
asks that the user re-submit. When the time-stamp is missing or
corrupt (i.e. the hashed version does not match the plain text
version) I also re-present the form (with a general-sounding failure
message) though the logs show that this has not yet actually happened.

--
Ben.

Posted by Adrienne Boswell on May 9, 2008, 10:03 am
Please log in for more thread options
Gazing into my crystal ball I observed Ben Bacarisse

> A while back I suggested a method of using timestamps to filter out at
> least some automatic form postings. Now that I have tried it for
> about 10 months, I thought it might useful to report back.
>
> Briefly, the current time is encoded in a hidden form field when the
> page containing it is served. The script that processes the form
> checks the (new) current time against that in the form and rejects the
> submission if it is either too fast or too slow. Unless the user
> is super fast they see no effect at all. There are no accessibility
> issues unless one sets the maximum permitted time too low. I
currently
> allow submissions from 5 seconds up to an hour after the form was
> sent. Results suggest that this upper limit can safely be increased.
>
> Even if a user is "caught", in both cases one can re-present the
> form. In the case of a slow submission one would regenerate the time
> stamp[1] and the user need only hit submit again.
>
> Of course, the time stamp must be protected so that tampering could be
> detected, although no examples of altered or missing timestamps showed
> up in this test (which it hardly surprising, why would a bot alter
> some mysterious hidden field?).
>
> The method does seem to work well. The people seeing the submissions
> report very little "spam" and there have been no complaints from users
> being inconvenienced. I have not been able to study the submissions
> that got through to count the failures, so all I have to go on is the
> reports of "very little" spam and counts of blocked submissions.
>
> Of the 1369 submissions in 42 weeks 518 were blocked by this method.
> 159 of these for being too fast and a surprising 359 for being too
> slow -- way too slow. Only two of these are at all close to the one
> hour cut-off time. I image many bots queue up the forms for
> submission later. It seems they also keep trying without requesting
> the form again since there are increasing time values later in the
> test period.
>
> The 5 second minimum look about right. The spread for fast reply
> rejections was:
>
> 0s: 16
> 1s: 72
> 2s: 38
> 3s: 26
> 4s: 7
>
> I can supply code if anyone else wants to try it.
>
> [1] The ideal setting would be exactly 5 seconds (the minimum
> submission time) old. A submit would then be accepted no matter how
> fast the user was.
>

You could enhance it by placing the time into a db, and upon submission,
compare the value in the db. Generate a unique identifier as a hidden
field, and compare that to the one in the db with the time submitted.

--
Adrienne Boswell at Home
Arbpen Web Site Design Services
http://www.cavalcade-of-coding.info
Please respond to the group so others can share


Posted by Jerry Stuckle on May 9, 2008, 11:28 am
Please log in for more thread options
Adrienne Boswell wrote:
> Gazing into my crystal ball I observed Ben Bacarisse
>
>> A while back I suggested a method of using timestamps to filter out at
>> least some automatic form postings. Now that I have tried it for
>> about 10 months, I thought it might useful to report back.
>>
>> Briefly, the current time is encoded in a hidden form field when the
>> page containing it is served. The script that processes the form
>> checks the (new) current time against that in the form and rejects the
>> submission if it is either too fast or too slow. Unless the user
>> is super fast they see no effect at all. There are no accessibility
>> issues unless one sets the maximum permitted time too low. I
> currently
>> allow submissions from 5 seconds up to an hour after the form was
>> sent. Results suggest that this upper limit can safely be increased.
>>
>> Even if a user is "caught", in both cases one can re-present the
>> form. In the case of a slow submission one would regenerate the time
>> stamp[1] and the user need only hit submit again.
>>
>> Of course, the time stamp must be protected so that tampering could be
>> detected, although no examples of altered or missing timestamps showed
>> up in this test (which it hardly surprising, why would a bot alter
>> some mysterious hidden field?).
>>
>> The method does seem to work well. The people seeing the submissions
>> report very little "spam" and there have been no complaints from users
>> being inconvenienced. I have not been able to study the submissions
>> that got through to count the failures, so all I have to go on is the
>> reports of "very little" spam and counts of blocked submissions.
>>
>> Of the 1369 submissions in 42 weeks 518 were blocked by this method.
>> 159 of these for being too fast and a surprising 359 for being too
>> slow -- way too slow. Only two of these are at all close to the one
>> hour cut-off time. I image many bots queue up the forms for
>> submission later. It seems they also keep trying without requesting
>> the form again since there are increasing time values later in the
>> test period.
>>
>> The 5 second minimum look about right. The spread for fast reply
>> rejections was:
>>
>> 0s: 16
>> 1s: 72
>> 2s: 38
>> 3s: 26
>> 4s: 7
>>
>> I can supply code if anyone else wants to try it.
>>
>> [1] The ideal setting would be exactly 5 seconds (the minimum
>> submission time) old. A submit would then be accepted no matter how
>> fast the user was.
>>
>
> You could enhance it by placing the time into a db, and upon submission,
> compare the value in the db. Generate a unique identifier as a hidden
> field, and compare that to the one in the db with the time submitted.
>

Or, better yet, in the session.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================


Posted by Ben Bacarisse on May 9, 2008, 1:23 pm
Please log in for more thread options

> Adrienne Boswell wrote:
>> Gazing into my crystal ball I observed Ben Bacarisse
>>
>>> A while back I suggested a method of using timestamps to filter out at
>>> least some automatic form postings.
<snip>
>> You could enhance it by placing the time into a db,
<snip>
> Or, better yet, in the session.

See my reply to Adrienne Boswell. I don't think you gain much by
using session data. There is no reason not to store the data in the
session, but given the checks I make, I don't think it adds much.

--
Ben.

Similar ThreadsPosted
Alternative to Frames November 17, 2004, 8:19 pm
Alternative to TSEP October 1, 2006, 10:46 pm
Alternative to WebRing? October 11, 2006, 6:41 am
Alternative methods to IMG May 9, 2007, 5:15 am
alternative to FrontPage please February 4, 2008, 3:45 am
No simple alternative to EMBED March 13, 2005, 6:38 pm
EMBED-command - HTML 4.01 Transitional alternative? July 17, 2004, 7:42 pm
Alternative to CMS Encore Pro and CityDesk using the power of Visual Web Developer March 18, 2007, 8:25 pm
Alternative to CMS Encore Pro and CityDesk using the power of Visual Web Developer March 18, 2007, 8:26 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap