你是人类? (或如何防止垃圾邮件)

发布于 2024-07-05 13:56:26 字数 177 浏览 5 评论 0原文

您知道哪些机制可以防止您的网站被匿名垃圾邮件发送者滥用。

例如,假设我有一个网站,人们可以在其中投票。 但我希望有人一直向顶部发送垃圾邮件。 所以我发现(a)创建一个帐户并只允许投票一次,(b)验证码以减少垃圾邮件。 您还知道哪些其他方法以及它们的效果如何?

What mechanisms do you know that prevent your site from being abused by anonymous spammers.

For example, let's say that I have a site where people can vote something. But I don't want someone to spam something all the way to the top. So I found (a) creating an account and only allowed to vote once and (b) CAPTCHA to decrease spam. What other methods do you know and how good do they work?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(11

紫南 2024-07-12 13:56:26

这是人类计算的研究领域。

这里有一段来自 Luis von Ahn 的精彩视频:
http://video.google.com/videoplay?docid=-8246463980976635143

This is the study area of Human Computation.

there is an excellent video from Luis von Ahn here:
http://video.google.com/videoplay?docid=-8246463980976635143

許願樹丅啲祈禱 2024-07-12 13:56:26

对于最佳非基于图像的验证码?问题的答案中有一些想法,如果你还没有看到它。

There's a few ideas in the answers to the Best non-image based CAPTCHA? question if you haven't seen it already.

别闹i 2024-07-12 13:56:26

我通常使用两者的组合:匿名用户可以自由浏览所有内容,但如果他想投票,那么他必须注册。

在注册过程中,根据情况,我使用选择通过邮件(以完成注册并确认至少邮箱存在)和/或验证码。

从那时起,您可以决定用户是否可以多次投票,或任何其他规则。

顺便说一句,我不喜欢基于 IP 的限制:在很多情况下,大型组织的网络为其所有用户使用很少的 IP,因此阻止可以投票的用户的风险很高。

I normally use a combination of the two: anonmous user is free to browse everything, but if he wants to vote, then he has to register.

In the registration process, depending on the situation, I use an optin thru mail (to complete registration and confirm that at least the mailbox exists) and/or a CAPTCHA.

From that point on you can decide if the user can vonte more than once, or any other rule.

Btw I'm not a fan of the IP-based constraints: there are a lot of situation in which big organization's network use few IP for all their users, so the risk to block users that could vote is high.

橘虞初梦 2024-07-12 13:56:26

我注意到的一件大事是,无论你做什么,你都希望你的系统是独一无二的。 您希望攻击者必须为您的特定站点定制他们的自动化程序,而不是仅仅向其扔一个几乎可以在任何地方运行的预先存在的脚本。 它甚至不必是加密安全的; 它只需要让您的网站与正常网站有所不同即可。

这并不意味着您不能或不应该使用预构建的验证码小部件之类的东西。 绝对要使用其中之一作为起点! 这只是意味着您必须在某个地方对其进行自定义,以便发生超出正常范围的额外事情,并且会破坏任何通常可以击败它的现有脚本。

如果您的网站变得足够大,以至于有攻击者专门针对它,那么您简单的小定制可能不再有效,您可能会做一些更特别的事情并考虑真正的密码学等等。 但这是“好”问题之一。

The big thing I've noticed is that whatever you do, you want your system to be unique. You want an attacker to have to tailor their automation program for your specific site, rather than just throw a pre-existing script at it that will work almost anywhere. It doesn't even have to be cryptographically secure; it just has to make your site a little different from the norm.

This doesn't mean you can't or shouldn't use something like a pre-built captcha widget. Absolutely do use one of those as a staring point! It just means you have to customize it somewhere so that something extra happens that is outside the norm and will break any pre-existing script that could normally defeat it.

If your site gets big enough that you have attackers targeting it specifically, then your simple little customization probably won't hold up anymore and you might have do something a little more special and think about real cryptography and all that. But that's one of those things that's a "good" problem to have.

影子是时光的心 2024-07-12 13:56:26

对于验证码系统,我衷心推荐 reCAPTCHA

传统的计算机生成的验证码将通过开发足够智能的系统最终被打破。 例如,有人声称破解了以前被认为牢不可破的 Google CAPTCHA,破解率高达 30%命中率。 根据定义,reCAPTCHA 仅向您显示光学字符识别无法识别的图像。

同时,您的用户的努力将转向共同利益 - 他们通过识别无法自动识别的单词来帮助数字化书籍。

请参阅此处了解更多说明并进行尝试。

For a CAPTCHA system, I heartily recommend reCAPTCHA.

Traditional computer-generated CAPTCHAs will eventually be broken by developing a sufficiently intelligent system. For instance, here's someone who claims to break the Google CAPTCHA, formerly considered unbreakable, with a 30% hit rate. reCAPTCHA, by definition, shows you only images that cannot be recognized by optical character recognition.

And at the same time, your users' effort will be directed towards the common good - they help digitize books by recognizing words that cannot be recognized automatically.

See here for further explanation and to try it out.

夏有森光若流苏 2024-07-12 13:56:26
  • 限制每个 IP 地址每次的投票数
  • 阻止匿名代理。
  • 对于投票:如何在“每个会话的基础上”对表单必须返回的值进行混洗。 “1”表示第一项,“2”表示第二项。 那么“77”表示第一项,“812”表示第二项,...可能是幕后的一些简单数学运算,但它阻止用户一遍又一遍地发送相同的 HTTP 查询。
  • 对我来说非常有效的方法是:使用 AJAX 表单,而不是简单的 HTTP 表单。 从技术上来说,造假选票并不复杂,但我编写了一个简单的博客软件,它唯一的垃圾邮件保护机制是通过 AJAX 提交评论 - 到目前为止没有垃圾邮件。
  • Limit the number of votes per IP address per time
  • Block anonymizing proxies.
  • For voting: How about shuffling the value that has to be returned by the form on a "per session basis". Once "1" means the first item, "2" means the second. Then "77" means the first item, "812" means the second, ... could be some simple maths behind the scene, but it prevents users from just sending the same HTTP query over and over again.
  • What's worked for me very well: Use AJAX forms, not simple HTTP forms. Technically it's not much more complicated to fake votes, but I have written a simple blog software and it's only SPAM protection mechanism is to submit the comments via AJAX - no SPAM so far.
楠木可依 2024-07-12 13:56:26

我是“隐藏字段”验证码的粉丝。 我不记得我在哪里读到过它,但想法是这样的:

  • 正常创建表单
  • 添加一个额外的字段但隐藏它(即周围 div 上的 style="display:none" 或表行)
  • 提交后,如果该字段为空,则执行适当的操作(例如发送电子邮件); 如果该字段已填写,则它是机器人提交者。

唯一出现这种情况的情况是用户的浏览器不处理 CSS(或者将其关闭),这种情况非常罕见。

I'm a fan of the "hidden field" CAPTCHA. I don't remember where I read about it, but the idea is this:

  • create your form as normal
  • add an extra field but hide it (i.e. style="display:none" on the surrounding div or table row)
  • after submission, if the field is blank, do the appropriate action (eg send an email); if the field has been filled in, then it's a robot submitter

The only case where this falls down is if the user's browser doesn't handle CSS (or they have it switched off), which is very rare.

熟人话多 2024-07-12 13:56:26

收取选票费用,就像他们在一些电视“选秀”节目中所做的那样,然后一路收到垃圾邮件到银行!

说真的,这是一个非常棘手的问题,有一天(也许很快,如果你听雷·库兹韦尔的话),计算机将进行测试以筛选人类。 我添加到列表中的答案有明显的缺点,但只是为了枚举:审核(让人类进行测试)和基于 IP 的跟踪(限制主机的投票数量)。

Charge for votes, like they do on some television "talent" shows, and get spammed all the way to the bank!

Seriously, this is a really tough problem, and someday (maybe soon, if you listen to Ray Kurzweil), computers will do testing to screen out humans. The answers I'm adding to the list have obvious drawbacks, but just for the sake of enumeration: moderation (have humans do the testing), and IP-based tracking (limit the number of votes from a host).

旧时浪漫 2024-07-12 13:56:26

stackoverflow 有一些功能可以帮助实现这一点; 我认为您可以采取的最有用的步骤是禁用匿名用户和新帐户投票的能力。 这样,任何人都无法注册数百个帐户并利用自己的一票来压倒其他用户。 我想说,在一段时间内要求一些职位或会员资格都是不错的选择。

有人会说您可以允许每个 IP 地址投一票来帮助解决这个问题,但我玩过很多游戏,其中拥有几乎无限数量代理的恶意用户违反了基于 IP 地址的安全性。 这是一种威慑,但精明的用户会轻松绕过它。

stackoverflow has a few features that help with this; I think the single most useful step you can take is disabling the ability of anonymous users and new accounts to vote. This way, no one can sign up for hundreds of accounts and use their one vote to overpower other users. I'd say requiring a few posts or membership for a certain period of time are both decent options.

Some would say you could allow one vote per IP address to help address this, but I've played plenty of games where malicious users with a nigh-infinite number of proxies defied IP address-based security. It's a deterrent, but a savvy user will get around it easily.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文