Article Reviews

testing

This is what I do to stop bots
Review added by Stryker on 05-21-2010

Alright, before I begin, I am terrible at English and grammar.
Say you're using a form-to-forum post method. What I do to secure the form page is phpBB3 (or similar) integration into the page.
<?php
// Tells phpBB we're not hackers. Includes the common.php file from the forums.
define('IN_PHPBB', true);
$phpbb_root_path = './PATH TO FORUMS/';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);
// Start session management. This allows us access to some of the user's information when they are logged in.
$user->session_begin();
$auth->acl($user->data);
$user->setup();
// Some common things you'll use. $username gives the username, and $userid gives the unique ID of the logged-in user.
$username = $user->data['username'];
$userid = $user->data['user_id'];
// Anonymous (not logged in) visitors get the message below and the script stops.
if ($user->data['user_id'] == ANONYMOUS) {
    echo '
';
    exit();
} else {
}
?>
// The page below will show if user is logged in, if not, the below information will not even load
See my drift?

Nice but an old trick...
Review added by SoN9ne on 02-16-2010

Well, I have just noticed the dates on the reviews...
This method still works but it is not a good method anymore. I have found it to be more useful and more difficult to bypass by leaving a hash in the form and in their session.
For example, I take an md5 hash of their user agent concatenated with their IP. I will then save this hash in the form as a hidden field; on submission, I check to ensure that the current user agent and IP match the hash, else I assume foul play and kick them out.
Still a good post and worth a read.

Nice
Review added by SneakyWhoami on 09-30-2009

One improvement, if you're not going to be requiring emails, can be to name it "email", not "leave blank". There are a lot of bots out there that look for recognized fields and fill them out (like email fields). A "leave blank" field is less likely to be filled in by a bot.
It will stop automated bots, in spite of any skepticism.
Say I have a forum using SMF. People write bots that successfully target these forums. If you don't allow anonymous posting then this is probably not a problem, BUT the fact remains that there are auto bots that can do this.
Ultimately I guess if someone wrote a bot specifically to target your site, then you are no longer fighting a bot but a human.
So this article makes sense and it works.
If you check any page on howtocreate.co.uk, you can see he's got a hidden link. Click the link and get banned, a nice honeypot.
Google and such don't click the link because it's forbidden under robots exclusion.
Anyway, to nitpick with this article:
the second code block you've got will work in practice but technically it has a bug. The bot can submit useless data ;)
Try entering the value "1", it will get through.
Yes I'm being a smartass.
Somebody just had to come along and say it, didn't they?

Eh.. not really...
Review added by dschreck on 06-11-2009

This may work to prevent automated scanners... maybe... but if anyone is looking to directly bot a form for a site you're running, they will do it by hand.
Even when I've created automated login systems for Hotmail, Gmail, Yahoo, AOL, MySpace, Facebook - it takes about 30 mins of dev work to figure out all of the required fields you need to pick up and post in as hash strings, and the rest you can just ignore.
This would be one of the fields I'd ignore.

Sure this works?
Review added by hjalmar on 05-24-2009

I have found that a lot of bots ignore an element that is hidden with display: none;
I simply use a technique where you just push the desired element outside of the screen instead with negative values and it has worked like a charm, never got a single spam after that.
So like:
#element {
    position: absolute;
    left: -9999px;
}

Nice basic start
Review added by CoryMathews on 12-21-2008

This is a good way to start out but it will easily be broken a large number of times by different bots.
I had this at first but then upgraded it to have a small bit of JavaScript that updates the field with the time elapsed, so after a reasonable amount of time when a real user submits the page it works, but when a bot comes through and submits it in under a set period of time then it's no good. This seems to have worked decently so far but I'm sure there are many ways out there much better than this one.
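
An added example (not code from any reviewer) combining the checks described in the reviews above: SoN9ne's hidden hash of user agent and IP, the empty "email" honeypot field, and CoryMathews's minimum-time check. It swaps the plain md5 for a keyed HMAC-SHA256 so the value cannot be recomputed on the client, keeps no copy in the session, and checks elapsed time on the server from a timestamp inside the token rather than from a JavaScript-filled field. SECRET, the time limits and the field names token and email are assumptions.

```php
<?php
// Added example, not from the reviews. SECRET and the time limits are assumed values.
const SECRET = 'replace-with-a-long-random-server-side-key'; // placeholder
const MIN_SECONDS = 3;    // assumed: fastest plausible human submission
const MAX_SECONDS = 3600; // assumed: token lifetime

// Hidden-field value: issue time plus an HMAC over time, user agent and IP.
function make_form_token(string $ua, string $ip, int $now): string
{
    return $now . ':' . hash_hmac('sha256', "$now|$ua|$ip", SECRET);
}

// Returns null when the submission passes, otherwise the reason for rejecting it.
function check_submission(array $post, string $ua, string $ip, int $now): ?string
{
    // Honeypot: the off-screen "email" field must come back empty.
    if (($post['email'] ?? '') !== '') {
        return 'honeypot field filled';
    }
    $raw = $post['token'] ?? '';
    if (!is_string($raw) || !preg_match('/\A(\d{1,12}):([0-9a-f]{64})\z/', $raw, $m)) {
        return 'token missing or malformed';
    }
    // Recompute the MAC from the current request; compare in constant time.
    $expected = hash_hmac('sha256', "{$m[1]}|$ua|$ip", SECRET);
    if (!hash_equals($expected, $m[2])) {
        return 'token not issued to this user agent and IP';
    }
    $age = $now - (int) $m[1];
    if ($age < MIN_SECONDS) {
        return 'submitted too fast';
    }
    return $age > MAX_SECONDS ? 'token expired' : null;
}

// Constructed sample requests (documentation IP range, made-up user agents).
$ua = 'Mozilla/5.0 (constructed sample)';
$ip = '203.0.113.7';
$t0 = 1700000000;
$token = make_form_token($ua, $ip, $t0);
$cases = [
    'human after 20s'  => [['email' => '', 'token' => $token], $ua, $ip, $t0 + 20],
    'instant submit'   => [['email' => '', 'token' => $token], $ua, $ip, $t0 + 1],
    'honeypot filled'  => [['email' => 'x@example.com', 'token' => $token], $ua, $ip, $t0 + 20],
    'different client' => [['email' => '', 'token' => $token], 'curl/8 (constructed)', $ip, $t0 + 20],
];
foreach ($cases as $name => $args) {
    echo $name, ': ', check_submission(...$args) ?? 'accepted', "\n";
}
```

On a live page the arguments would come from $_SERVER['HTTP_USER_AGENT'], $_SERVER['REMOTE_ADDR'] and time(). A token stays valid for the same client until MAX_SECONDS passes, so it limits casual replay but does not make each submission single-use.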