Prevent malicious bots from posting spam
I remember a site closed due to misuse and I wonder if bots have a part of it. If the bot is POSTing something to my site what are ways I can combat it? I was thinking of setting some cookies and having the cookies changed via JavaScript + timestamp and sign (so yesterday's cookies can't be used today and next week).
I'm sure most people/bots would just use another site instead of enabling JavaScript in their bot.
What else can I do? I'm thinking daily POST limit and a honeypot for generic bots who just randomly post spam.
More posts by @Shakeerah822
3 Comments
As John Conde mentioned in his #1) and you mentioned, a honeypot can work very well for most cases and most web sites. If it ever gets done in by a bot you can just do one of the other methods John mentioned as well. But honestly if your site is low or average traffic this should do the trick.
Example, one of my favorites:
```html
<form action="/process-form">
  <input name="email" placeholder="Enter Your Email">
  <input name="email_address" placeholder="Enter Your Email" style="display:none;">
  <input type="submit" value="Submit">
</form>
```
Now when the form is submitted, an extremely high percentage of bots will fill out both "email" and "email_address" but humans will only fill out the one they see, "email" and not "email_address". So in your `/process-form` code you just have to check if email_address is (not) empty for verification.
Simple and effective.
John Conde outlines a lot of good approaches. The problem with choosing an anti-bot/anti-spam technique is balancing effectiveness and convenience. It would be really inconvenient to have to fill out a CAPTCHA every time you want to post a comment or message, but if you only require a CAPTCHA on signup, then sometimes that doesn't deter spammers.
Some of the passive techniques are a good alternative, since they don't require any human action. The problem is that bots are getting more and more sophisticated, and if bots can solve CAPTCHAs, then they can certainly process JS and CSS. So you'll need to exercise a little ingenuity, such as using less-obvious CSS to hide your bot-trap fields.
But based on your question, I think you probably realize that the point isn't to create a bot-proof site, but just to create enough of a deterrent that bot users will simply choose other easier targets. So what is required here will vary from site to site, and will likely require some trial and error testing. I would try the least obtrusive techniques first.
Lastly, another way you can de-spam your site is to use peer moderation to remove any bot-submitted comments or manually submitted spam that slips through.
You could do several things including:

1. Putting a fake field that only bots will see. Then if that field is submitted with the rest of the form you can ignore it (and ban them if desired). You can also trap bad bots who follow a hidden link.
2. Use a CAPTCHA like reCAPTCHA.
3. Use a field that requires the user to answer a question like what is 5 + 3. Any human can answer it but a bot won't know what to do since it is auto-populating fields based on field names. So that field will be either incorrect or missing, in which case the submission will be rejected.
4. Use a token and put it into a session and also add it to the form. If the token is not submitted with the form or doesn't match then it is automated and can be ignored.
5. Look for repeated submissions from the same IP address. If your form shouldn't get too many requests but suddenly is, it probably is being hit by a bot and you should consider temporarily blocking the IP address.
6. Use Akismet. It is great at identifying spam.
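An added example, not code from any of the answers above: a server-side check in Python that combines the honeypot field, a signed and timestamped form token tied to the session, and a per-IP submission limit. The `email_address` honeypot name comes from the form shown earlier on the page; the function names, the `token` field, the limits and the in-memory store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

SECRET = secrets.token_bytes(32)    # signing key; assumed to be kept server-side only
TOKEN_MAX_AGE = 3600                # seconds a form token stays valid (assumed value)
RATE_LIMIT, RATE_WINDOW = 5, 600    # max attempts per IP per window (assumed values)
_attempts = defaultdict(deque)      # ip -> attempt times; per-process, illustrative only

def _sign(session_id, ts):
    return hmac.new(SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()

def issue_token(session_id, now=None):
    """Value for a hidden 'token' field, generated when the form is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(session_id, ts)}"

def _token_ok(token, session_id, now):
    ts, _, mac = (token or "").partition(".")
    expected = _sign(session_id, ts)
    # Constant-time compare on bytes; a forged or missing MAC fails here.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    # ts is trusted only after the MAC verified, so int() is safe here.
    return 0 <= now - int(ts) <= TOKEN_MAX_AGE

def check_submission(form, session_id, ip, now=None):
    """Return (accepted, reason) for one POSTed form, given as a dict."""
    now = time.time() if now is None else now
    hits = _attempts[ip]
    while hits and now - hits[0] > RATE_WINDOW:   # forget attempts outside the window
        hits.popleft()
    if len(hits) >= RATE_LIMIT:
        return False, "rate"
    hits.append(now)                              # count every attempt, not only good ones
    if form.get("email_address"):                 # honeypot: hidden from humans, so must be empty
        return False, "honeypot"
    if not _token_ok(form.get("token"), session_id, now):
        return False, "token"                     # missing, forged, expired or from another session
    return True, "ok"
```

Rejections are best answered with the same response a successful post gets, so a bot operator gets no signal about which check caught the submission.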