[WebAppSec] The idea of negative CAPTCHAs
Friday, April 4, 2008 at 11:31AM
Spam and automatic submitters really are a problem. One way to defend against them is CAPTCHAs: noisy images in which the user (usually) has to recognize the text and enter it into a field. Although some weak algorithms have already been broken, this is a good way to keep junk content away. But as automatic recognition gets better, the CAPTCHAs get more sophisticated, and thus harder for humans to read. CAPTCHAs are annoying.
Negative CAPTCHAs
The idea of negative CAPTCHAs is not to ask the user to prove that he's human, but to reveal that a spam or login robot is a robot (bot). Most bots are really dumb: they crawl the web and enter their junk into every form field they can find. Negative CAPTCHAs take advantage of that and include a "honeypot" field in the form which is hidden from the human user by CSS or JavaScript. Ned Batchelder has several ideas on how to do that in his original post.
On the server side, you check the value of that field: if it contains any text, the submitter must be a bot. Then you can either ignore the post or return a positive result without saving the post to the database. This way the bot is satisfied and moves on. You can do the same with annoying users, as well.
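The form and the server-side check described above, as an added Ruby example (not code from the original post or from Ned's article). The field name `website_url`, the CSS class and the sample request bodies are constructed for the example; `autocomplete="off"` and `tabindex="-1"` are there so a browser's autofill or a keyboard user does not fill the trap by accident.

```ruby
require 'uri'

# Name of the honeypot field (a constructed name for this example). It should
# look worth filling to a bot rather than being called "honeypot".
HONEYPOT_FIELD = 'website_url'

# Builds the comment form. The trap is an ordinary text input inside a <div>
# that a CSS rule moves off-screen, so a human never sees it while a bot
# that fills every text field it finds still does. autocomplete="off" and
# tabindex="-1" keep browser autofill and keyboard users out of it.
def comment_form_html
  <<~HTML
    <style>.nc-trap { position: absolute; left: -9999px; }</style>
    <form method="post" action="/comments">
      <label>Name <input type="text" name="author"></label>
      <label>Comment <textarea name="body"></textarea></label>
      <div class="nc-trap" aria-hidden="true">
        <input type="text" name="#{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
      </div>
      <input type="submit" value="Post">
    </form>
  HTML
end

# Decodes an application/x-www-form-urlencoded request body into a Hash.
def parse_form(body)
  URI.decode_www_form(body).to_h
end

# The server-side check: any non-blank value in the trap field means that
# something which could not see the field filled it in, i.e. a bot.
def bot_submission?(params)
  value = params[HONEYPOT_FIELD]
  !(value.nil? || value.strip.empty?)
end

# Handles one submission. Genuine comments are appended to +store+; a bot
# gets the same "created" answer but nothing is saved, so it moves on.
def handle_comment(params, store)
  return { status: 201, saved: false } if bot_submission?(params)

  store << { 'author' => params['author'], 'body' => params['body'] }
  { status: 201, saved: true }
end
```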
Next step
This is the basic idea of negative CAPTCHAs; you can make them more sophisticated with Ned's help.
Heiko
Reader Comments (12)
I really like this idea. Although I do find it slightly funny I have to fill out a Captcha to post this message. :)
Interesting. I wonder how long this technique will remain effective?
I posted about exactly that at my website.
http://www.akitaonrails.com/2007/7/18/brigando-contra-spambots
Even with Akismet I was getting a big amount of spam. So I decided to go the honeypot approach.
In my case, I don't know if the bots actually decide if a field is worth filling. So I used a field which I assumed most of them would like to fill, which is the 'email'.
Publishing the email of a user on one's website only allows spammers to capture it and use it to spam even more, so I think 'email fields could be considered bad'.
I left the field with a CSS class to hide it and whenever someone fills it in, I silently ignore it. Even then a few spams still go through, I don't know how.
I do hate image captchas, they are annoying.
[...] and brought to my attention by Heiko Webers’ RoR Security Project.) Posted by iqag Filed in Development, Interweb, Security and [...]
I just added a user-visible field called URL with the text "if you are a spammer enter your website here, your message will then get deleted".
All bots fill it out :-)
Idiot users also fill it out, which is a good thing too.