So, if CAPTCHAs are on the way out, what comes next?

Posted on 2024-07-05 05:56:43

Comments (11)

‖放下 2024-07-12 05:56:44

Typically, for a site with resources of any value to protect, you need a 3-pronged approach:

  • Throttle responses from authenticated users only, disallow anonymous posts.
  • Minimize (not prevent) the few trash posts from authenticated users - e.g. reputation-based.
  • Use server-side heuristic logic to identify spam-like behavior, or better non-human-like behavior.

Of course, a human moderator can also help, but then you have other problems - namely, flooding (or even drowning) the moderator, and some sites prefer the openness...
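
The first two points of the comment above (throttle authenticated users, refuse anonymous posts, scale tolerance with reputation) can be combined in one server-side check. This is an added example, not part of the original comment; the window length, the limits, and the names `PostThrottle` and `limit_for` are assumptions, and the in-memory store only covers a single process.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # look-back window (assumed value)
BASE_LIMIT = 2         # posts per window for a brand-new account (assumed)
MAX_LIMIT = 30         # ceiling for highly trusted accounts (assumed)


class PostThrottle:
    """Sliding-window post limiter whose allowance grows with reputation."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._history = defaultdict(deque)   # user_id -> times of accepted posts

    @staticmethod
    def limit_for(reputation):
        # One extra post per window for every 50 reputation points, capped.
        return min(MAX_LIMIT, BASE_LIMIT + max(0, reputation) // 50)

    def allow(self, user_id, reputation):
        """Return (allowed, reason). Anonymous callers pass user_id=None."""
        if user_id is None:
            return False, "anonymous posting disabled"
        now = self._clock()
        stamps = self._history[user_id]
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()                 # forget posts that left the window
        if len(stamps) >= self.limit_for(reputation):
            retry = int(WINDOW_SECONDS - (now - stamps[0])) + 1
            return False, f"rate limit reached, retry in {retry}s"
        stamps.append(now)                   # only accepted posts are counted
        return True, "ok"
```

Rejected attempts are not recorded, so a throttled user is not pushed further back by retrying; logging them separately gives the heuristic layer something to look at.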

千仐 2024-07-12 05:56:44

The most fundamental tool to keep people from spambotting a user input site is the "nofollow" tag on links. Most comment-spammers are interested in Google juice rather than actually having their stuff seen, so nofollow removes the incentive.

べ繥欢鉨o。 2024-07-12 05:56:43

Image recognition rather than text recognition.

方圜几里 2024-07-12 05:56:43

I am a fan of limiting logins by using a credit card or cell phone SMS (like Craigslist and Gmail). These methods don't cost much (<$1), but can be highly effective in keeping spam accounts under control.

However, this is tricky on a site like SO because one of the founding goals is to have minimum friction and allow anonymous users to contribute. I guess that's where the throttling and voting comes into play.

寒冷纷飞旳雪 2024-07-12 05:56:43

I like the concept of an 'Invisible Captcha'. Phil Haack details one implementation here.

This banks on the fact that bots, spiders, and crawlers don't implement JavaScript engines. This too could change in the near future.

不乱于心 2024-07-12 05:56:43

For now, reputation systems are harder to beat. The community sites of the near future will need to rely on its higher-ranking members to remove the spam.

The trend for spam is to become continually more indistinguishable from legitimate content, and for each new generation of mechanical filters to die of ineffectiveness like overused antibiotics.

Even reputation systems will become useless as the spammers start maintaining sock-puppet farms to create their own high-ranking members, and when the community fights back the spammers will feed the churn of sock-puppets as if it was just another cost of doing business.

If you're going to build a site that takes user content, you'll either need to subscribe to the treadmill of neverending CAPTCHA-successors, or find a way to remove the incentive to spam your site in the first place.

如歌彻婉言 2024-07-12 05:56:43

Robots are quite hard to defeat. On one website I was involved with, we didn't even use Captcha - just a field labelled "Leave this field blank". Robots always failed that really simple test.

The bigger problem is mass-human solving. There are lots of implementations whereby users solve screen-scraped captchas in return for something, like videos or images (you know what I mean). This means that there's a real human solving the captcha, so emotive, facial and more complex patterns are meaningless.

Multi-step processes will discourage this behaviour, but at the cost of making things harder for genuine visitors, which is sad when we're all trying to design websites that are more usable.
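
A server-side check for the "Leave this field blank" field described in the comment above, combined with a script-filled hidden field in the spirit of the "invisible CAPTCHA" idea mentioned earlier in the thread. This is an added example, not code from either commenter; the field names and the arithmetic challenge are assumptions of this example and do not describe Phil Haack's implementation.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (generated here for the demo)
HONEYPOT_FIELD = "website"             # hypothetical name of the "leave this blank" input


def _tag(a, b):
    return hmac.new(SERVER_KEY, f"{a}:{b}".encode(), hashlib.sha256).hexdigest()


def issue_challenge():
    """Values the server embeds in the form; inline script must fill answer = a + b."""
    a, b = secrets.randbelow(900) + 100, secrets.randbelow(900) + 100
    return {"a": a, "b": b, "tag": _tag(a, b)}


def check_submission(form):
    """Return (accepted, reason) for a dict of posted form fields (all strings)."""
    # 1. Honeypot: people leave the field empty, so any content means automation.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"
    # 2. The challenge must be one this server issued (HMAC over "a:b").
    try:
        a, b = int(form["a"]), int(form["b"])
    except (KeyError, ValueError):
        return False, "challenge missing"
    if not hmac.compare_digest(_tag(a, b).encode(), form.get("tag", "").encode()):
        return False, "challenge forged"
    # 3. The hidden 'answer' field is only filled when the page's script ran.
    if form.get("answer", "").strip() != str(a + b):
        return False, "script answer missing or wrong"
    return True, "ok"
```

Neither check stops a human solver or a bot written for this specific form, which is the limitation the comments themselves point out.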

习ぎ惯性依靠 2024-07-12 05:56:43

The bar will keep being raised with problems that computers are bad at and humans are good at. Something like recognising emotions in a human face is something humans are particularly good at.

Another option could be along the lines of differentiating between disgusting or nice. It's totally subjective, but humans tend to hate rotten food, open wounds, poo, etc.

关于从前 2024-07-12 05:56:43

Negative Turing test. Have used this for over a year on WordPress, IP.Board and MediaWiki sites, and have absolutely zero spam. The only catch: you have to think of a question/answer combination that's neither common (otherwise, bots will adapt) nor too domain-specific (otherwise, potential users might not know the answer).

小…楫夜泊 2024-07-12 05:56:43

There's a new tool in town - Captcha 2.0, which was developed by an Israeli online security start-up and is specifically designed to detect and fail captcha farms.
You can check it out and try it for free at http://www.siteblackbox.com/captchaService.php

Raz
