If actual money or personal information is on the line, then you need more security than just one heuristic. (The previous rule of thumb assumes you're protecting a forum or comment form. The rule of thumb for the type of auto-form filling bots is that if a human has to intercede to overcome an individual site, then they've lost all the money (in the form of their time) they would have made by spreading their spam advertisements. Therefore, any form that comes in with that checkbox value set allows you to know it wasn't filled by a human. The secret is that no human will see the checkbox, but most bots fill forms by inspecting the page and manipulating it directly, not through actual vision. Roll your own mechanism here and be creative. But you default it to unchecked and hide it through css: position it off page, put it in a container with a zero height or zero width, position a div over top of it with a higher z-index.
Make it have a label like 'Do you agree to the terms and conditions of using our services?' perhaps even with a link to some serious looking terms. My favorite mechanism is a hidden checkbox.
However, there are more erhm providers out there who would harbor no such objections.
Amazon would strenuously object if you were to use their service for malicious purposes, and it has the downside of costing money and creating a paper trail. Amazon offers a service called Mechanical Turk that tackles things like this. There are stories of attackers paying for people to crack captchas for spamming purposes without the workers realizing they're participating in illegal activities. But captchas have their problems and are discouraged by the World-Wide Web compendium, mostly for reasons of ineffectiveness and inaccessibility.Īnd lest we forget, an attacker can always deploy human intelligence to defeat a captcha. Hari krishnan points out the use of captcha, the most prevalent and successful of which (to my knowledge) is reCaptcha. Many bots are capable of consuming and interacting with the javascript now. As user166390 points out in the comments, the bot can just submit information directly to the server, bypassing the javascript (see simple utilities like cURL and Postman). This is one problem that a lot of people have encountered.
0 kommentar(er)
