[WebAppSec] The idea of negative CAPTCHAs
Friday, April 4, 2008 at 11:31AM

Spam and automatic submitters really are a problem. One way to defend against them is CAPTCHAs: noisy images in which the user (usually) has to recognize the text and enter it in a field. Although some weak CAPTCHA algorithms have already been broken, this is a good way to keep junk content out. But as automatic recognition gets better, the CAPTCHAs get more sophisticated, and thus harder for humans to read. CAPTCHAs are annoying.
Negative CAPTCHAs
The idea of negative CAPTCHAs is not to ask the user to prove that they are human, but to reveal that a spam or login robot is a robot (bot). Most bots are really dumb: they crawl the web and enter their junk into every form field they can find. Negative CAPTCHAs take advantage of that and include a "honeypot" field in the form which is hidden from the human user by CSS or JavaScript. Ned Batchelder has several ideas on how to do that in his original post.
On the server side, you check the value of that field: if it contains any text, the submitter must be a bot. Then you can either ignore the post or return a positive result without saving the post to the database. This way the bot is satisfied and moves on. You can do the same with annoying users.
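As an added example (not code from the original post or from Ned Batchelder's), here is the whole mechanism in plain Ruby, the language of this Rails-oriented project, written without Rails so it runs stand-alone: a form renderer that hides the honeypot field with a CSS class, and the server-side check that drops a bot's submission while returning the same "thanks" page a human would see. The field name `website_url`, the class `nc-trap`, and the functions `render_form`, `bot?` and `handle_submission` are this example's own choices, not any library's API.

```ruby
# Added example, not from the original post: a negative CAPTCHA in plain Ruby.
# HONEYPOT_FIELD, the nc-trap class and the function names are hypothetical
# choices for this example, not a framework API.

HONEYPOT_FIELD = 'website_url'.freeze # a field name a dumb bot is likely to fill

# Renders the comment form. The honeypot field is hidden from humans by CSS
# (display:none on the wrapper). tabindex="-1" keeps keyboard users from
# tabbing into it, aria-hidden hides it from screen readers, and
# autocomplete="off" stops browser autofill from tripping the trap.
def render_form
  <<~HTML
    <style>.nc-trap { display: none; }</style>
    <form method="post" action="/comments">
      <label>Name <input type="text" name="name"></label>
      <label>Comment <textarea name="body"></textarea></label>
      <div class="nc-trap" aria-hidden="true">
        <label>Website <input type="text" name="#{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>
      </div>
      <button type="submit">Post</button>
    </form>
  HTML
end

# Server-side check: any non-blank value in the hidden field means something
# other than a human filled the form. Whitespace-only counts as empty so a
# stray space from a buggy client does not flag a real user.
def bot?(params)
  value = params[HONEYPOT_FIELD]
  !(value.nil? || value.strip.empty?)
end

# Handles one submission. A bot gets the same positive response a human gets,
# but its post is dropped instead of stored, so it is "satisfied and moves on".
# `store` is anything with a << method; an Array stands in for the database here.
# The returned hash also reports whether the post was saved, which is what a
# log line or metric for "honeypot hits" would be built from.
def handle_submission(params, store)
  if bot?(params)
    { status: 200, body: 'Thanks for your comment!', saved: false }
  else
    store << { name: params['name'].to_s, body: params['body'].to_s }
    { status: 200, body: 'Thanks for your comment!', saved: true }
  end
end

if __FILE__ == $PROGRAM_NAME
  db = []
  # Constructed sample submissions: one human, one form-filling bot.
  human = { 'name' => 'Alice', 'body' => 'Nice post', HONEYPOT_FIELD => '' }
  bot   = { 'name' => 'Bob', 'body' => 'buy stuff', HONEYPOT_FIELD => 'http://spam.example' }
  puts handle_submission(human, db).inspect
  puts handle_submission(bot, db).inspect
  puts "stored posts: #{db.size}"
end
```

Both submissions receive an identical 200 response, so a bot cannot tell from the reply that it was filtered; only the `saved` flag (and whatever you log from it) differs. The attributes on the hidden input matter in practice: without `tabindex="-1"` and `aria-hidden`, screen-reader and keyboard users can land in the field and be classified as bots, and without `autocomplete="off"` a browser may fill a field named like a URL on its own.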
Next step
That is the basic idea of negative CAPTCHAs; you can make them more sophisticated with Ned's help.
Heiko

Reader Comments (5)
I really like this idea. Although I do find it slightly funny I have to fill out a Captcha to post this message. :)

Interesting. I wonder how long this technique will remain effective?

I posted about exactly that at my website.
http://www.akitaonrails.com/2007/7/18/brigando-contra-spambots
Even with Akismet I was getting a large amount of spam. So I decided to go with the honeypot approach.
In my case, I don't know if the bots actually decide whether a field is worth filling. So I used a field which I assumed most of them would like to fill, which is the 'email'.
Publishing the email of a user on one's website only allows spammers to capture it and use it to spam even more, so I think 'email fields could be considered bad'.
I left the field with a CSS class to hide it, and whenever someone fills it in, I silently ignore it. Even then a few spams still go through; I don't know how.
I do hate image captchas, they are annoying.

[...] and brought to my attention by Heiko Webers' RoR Security Project.) Posted by iqag Filed in Development, Interweb, Security and [...]

I just added a user-visible field called URL with the text "If you are a spammer, enter your website here; your message will then get deleted."
All bots fill it out :-)
Idiot users also fill it out, which is a good thing too.