如何在没有验证码或集中管理系统(例如 akismet)的情况下防止垃圾邮件

发布于 2024-08-02 04:30:05 字数 437 浏览 6 评论 0原文

有没有人能够成功地阻止其网站上的垃圾邮件,而不给您的访问者带来负担(例如验证码)并且不使用集中式垃圾邮件报告系统(例如 Akismet)

我发现 此 &它看起来很有前途,但不包含详细的部署说明。

我希望展示我的 Web 表单,而不用验证码之类的技术给我的用户带来负担,而且还可以主动自动防止垃圾邮件。

似乎没有关于如何实现这种技术的详细说明/教程。

免责声明

此外,我意识到没有适合防止垃圾邮件的灵丹妙药。但如果只是建立一个非侵入性(用户不可见)的预防系统来阻止 95% 以上的垃圾邮件,那么部署的努力是值得的。

Has anyone been able to successfully prevent spam on their site without placing a burden on your visitor (e.g. CAPTCHA) and without using a centralized spam reporting system (e.g. Akismet)

I've found this & it looks promising, but doesn't contain detailed deployment instructions.

I want to present my web forms without burdening my users with CAPTCHA like technologies, but also actively automate preventing spam.

There doesn't seem to exist a detailed instruction/tutorial on how to implement such a technology.

Disclaimer

Also, I realize there no silver bullet appropriate to preventing spam. But if simply putting in place a non-invasive (invisible to user) prevention system that blocks 95+ % of spam, it would be worth the effort to deploy.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(10

树深时见影 2024-08-09 04:30:05

我基本上在我的网站上使用一种技巧来防止垃圾邮件,而且效果很好(至少在垃圾邮件机器人程序员阅读这篇文章之前是这样;))。

代码如下:

在构建包含表单的站点的脚本中,我实现了:

$_SESSION['lastSiteId'] = 'something Unique';
$_SESSION['lastSiteRequest'] = time();

包含将注释写入数据库的逻辑的脚本包含以下内容:

if($_SESSION['lastSiteId'] == 'something Unique' 
   && $_SESSION['lastSiteRequest'] + 5 < time()){

    insertComment();
}else{
    echo "Please read the article before posting a comment";
}

请记住,这是为您提供想法的伪代码。最后你必须单独实现它...;)

它所做的只是检查重新渲染表单和发送 POST 请求之间是否已经过去了 5 秒以上。

请注意,垃圾邮件机器人工程师没有睡觉。可以肯定的是,如果程序员愿意的话,垃圾邮件机器人可以在发布不需要的输入之前等待几秒钟。
问题是:如果垃圾邮件发送者必须在两次请求之间等待 5 秒,那么可以发送多少垃圾邮件?看,也许这就是预防垃圾邮件的最终解决方案。

将时间测试与 JavaScript 测试(如果可能并且想要的话)以及预填充/未填充隐藏字段技巧相结合,从现在起几年后您应该可以免受垃圾邮件的侵害。

I basically use one trick on my site to prevent Spam and it works great (at least until spambot programmers will read this post ;) ).

Code is like this:

In the script that builds the site which contains the form, I implemented:

$_SESSION['lastSiteId'] = 'something Unique';
$_SESSION['lastSiteRequest'] = time();

The script that contains the logic to write the comments to a database contains this:

if($_SESSION['lastSiteId'] == 'something Unique' 
   && $_SESSION['lastSiteRequest'] + 5 < time()){

    insertComment();
}else{
    echo "Please read the article before posting a comment";
}

Remember this is pseudocode to give you the idea. You have to implement it all alone in the end... ;)

All it does is checking if more than 5 seconds have passed between redering the form and sending a POST Request.

Be warned that spambot engineers are not sleeping. Bets are, that spambots can wait a few seconds before posting unwanted input if the programmer wants it that way.
Question would be: How much spam messages can be send if the Spammer have to wait 5 secs between the requests? See, maybe this IS the final solution to Spam prevention.

Combining time tests with javascript tests (if possible and wanted) plus prefilled/unfilled hidden fields tricks, you should be save from spam a few years from now on.

流年已逝 2024-08-09 04:30:05

Honey Pot 验证码(Phil Haack 的文章)。是用于执行您正在寻找的操作的常用方法。这并不是万无一失的,但真正的情况又是什么呢?

这似乎是您已经探索过的内容。只需尽职调查以了解该解决方案的局限性,如果您仍然发现它满足您的需求,请放心该技术已被其他人充分利用。

Honey Pot captcha (article by Phil Haack). Is the usual method employed to do what you are looking for. It isn't foolproof, but what is really?

This appears to be pretty much what you have already explored. Just do your due diligence to understand what the limitations of the solution are, if you still find it meets your needs, be assured this technique has been put to good use by others.

浅紫色的梦幻 2024-08-09 04:30:05

如果有最终的解决方案,就根本不需要验证码了。但是,如果您的网站大小不足以保证有人手动寻找破解方法,那么通过默默无闻的安全性可能是最好的方法。例如您上面提供的链接,或者就像添加一个名为“City_2”的输入并将其隐藏一样简单。如果输入框已填写,您很可能遇到了垃圾邮件发送者,因为它们会自动填写每个字段 - 只需转储数据并继续...只需我的 2 美分。

If there were an ultimate solution, there would be no need for CAPTCHA's at all. However if the size of your site isn't large enough to warrant someone manually looking for a way to hack it, security through obscurity may be the best way. Such as the link you supplied above, or as easy as adding a input called something like "City_2" and making it hidden. If the input box is filled out, chances are you've got a spammer as they automatically fill in every field- just dump the data and move along... Just my 2 cents.

我最近尝试了一种非常简单的技术。我注意到,当出现一组单选按钮时,垃圾邮件机器人似乎总是选择第一个选项或接受预先检查的任何内容。因此,在我运行的一个网站上,我有一张表格,用户填写了大约六个问题。其中一个问题是“输入类型”,带有用于选择的单选按钮。因此,我添加了一个新的第一选择“我是垃圾邮件发送者”,并用括号注释解释了为什么该选择存在,并将其设为默认值。如果在选中该选项的情况下提交表单,我会返回一条错误消息,而不是通常的确认消息。自从这样做之后,我收到的垃圾邮件数量几乎降到了零。我不知道剩下的是否是采取不同策略的垃圾邮件机器人——也许是在可用的单选按钮中随机选择——或者是否是人类垃圾邮件发送者而不是机器人。

我这样做主要是为了看看它是否有效——坦率地说,因为欺骗垃圾邮件机器人简单地招供并自首很有趣!大多数情况下,我都会将其提出来进行讨论:也许它会有助于提出更好的想法。

如果垃圾邮件发送者认为我的小网站值得特别关注,他们可以使用稍微聪明一点的垃圾邮件机器人轻松击败它。但这对于许多反垃圾邮件计划来说都是如此。

I recently tried one very simple-minded technique. I noticed that when presented with a collection of radio buttons, the spam bots seems to always either choose the first option or accept whatever was pre-checked. So on one web site I run I have a form that users fill out with maybe half a dozen questions. One of the questions is a "type of entry" with radio buttons for the choices. So I added a new first choice, "I am a spammer", with a parenthetical comment explaining why the choice is there, and made it the default. If the form is submitted with that option checked, I return an error message instead of the usual confirmation message. Since doing that, the amount of spam I get has dropped to almost nothing. I don't know if what's left is spam bots that take a different strategy -- randomly choose among available radio buttons perhaps -- or if it's human spammers rather than robots.

Mostly I did this as an experiment to see if it would work -- and frankly because it was fun to trick the spam bots into simply confessing and turning themselves in! Mostly I bring it up for discussion: maybe it will contribute to a better idea.

If a spammer decided that my little site was worth devoting their special attention, they could easily beat this with a slightly smarter spam bot. But that could be said of many anti-spam schemes.

冧九 2024-08-09 04:30:05

摆脱 99% 的垃圾邮件,请参阅此 - http://wordpress-plugins.feifei.us/hashcash /

显然它只能防止自动垃圾邮件,与 Akismet 或其他东西一起使用它可以获得 100% 的保护。

更新:HashCash 是如何运作的?
垃圾邮件发送不需要任何成本(使用僵尸网络是免费的),这就是它有效的原因。所以我们的想法是,如果这个过程的(CPU)成本很高,那么批量垃圾邮件/消息传递将不起作用。更多详细信息在这里 - http://en.wikipedia.org/wiki/Hashcash

版本可以使用 JavaScript 实现。在提交表单之前,脚本将生成一个计算值。这个过程的CPU消耗一定很大。大多数僵尸网络都会避免这样做,因此不会自动发送垃圾邮件。

Get rid of 99% spam, see this - http://wordpress-plugins.feifei.us/hashcash/

Obviously it only prevents automated spam, use it together with Akismet or something else and get a 100% protection.

Update: How HashCash works?
Spamming costs nothing (its free using botnets), that's why it works. So the idea is that if this process can be made (CPU)expensive then bulk spamming/messaging would not work. More details are here - http://en.wikipedia.org/wiki/Hashcash

A simpler version can be implemented using JavaScript. Before submitting the form, the script would produce a computed value. This process has to be CPU expensive. Most botnets would avoid doing so and hence no automatic spam.

行至春深 2024-08-09 04:30:05

This is a very good working solution, I using it in my projects.

It's worth a try...

得不到的就毁灭 2024-08-09 04:30:05

我使用 Akismet,它实际上与电子邮件垃圾邮件过滤器非常相似,但非常强大,因为它不断构建贝叶斯包含使用该服务的每个网站的垃圾邮件组合(每天大约 1800 万条评论)。他们的网络服务非常简单且速度非常快 - 只需通过网络发送评论,他们就会发回“垃圾邮件”或“非垃圾邮件”响应。几乎每个平台都有现有的 Akismet 库

在我的网站上,如果评论通过,我会将其放入数据库中,否则我只是默默地忽略它。

I use Akismet, which is really just very similar to an email spam filter, but quite powerful as it continuously builds a Bayesian profile with the combined spams of every site using the service (about 18 million comments per day). Their web service is extremely simple and very fast - just sent the comment over the wire and they will send back a "spam" or "not spam" response. There are existing Akismet libraries for almost every platform.

On my site, if the comment passes, I put it in the database, otherwise I just silently ignore it.

背叛残局 2024-08-09 04:30:05

关于任何反垃圾邮件系统的一般评论:您所做的任何事情都不会是 100% 安全的。如果您的网站足够大或足够有价值,以至于垃圾邮件发送者决定特别注意破坏它,他们可能会找到一种方法。但这就像他们经常谈论家庭安全一样:当然,一个熟练的专业小偷可以击败普通房主可能买得起的任何警报系统。但你会把笨拙的业余爱好者拒之门外,如果你给专业人士制造了足够多的麻烦,你就会增加他的风险,当他打破它时,你已经回家了,或者邻居会看到他并打电话给他。警察。当我在军队工作时,我们经常讨论安全性和防止合法用户执行其工作之间的平衡。军队的目标不是某种假设的“绝对安全”,而是足以将风险降低到“可接受的水平”,同时将给授权人员带来的不便降到最低。显然,什么构成“可接受”取决于您所保护的内容:我当然希望保护核弹头的人们坚持比我们在雷达系统周围设置更高级别的安全性。疑似遭受袭击的地区(例如中东基地)的安全措施比中美洲基地的安全措施更高。等等。

重点是:您的网站成为目标的可能性有多大?我当然希望我的银行使用更严格的安全措施来保护我的资金,而不是我费心使用的安全措施来防止在我运行的会议网站上提交垃圾邮件摘要。拥有数百万访问者且众所周知的网站可能比拥有数千或数百访问者的不起眼网站需要更好的安全性。多少才算“足够好”?

General comment about any anti-spam system: Nothing you do is going to be 100% secure. If your site is big enough or rewarding enough that a spammer decides to devote special attention to breaking it, they'll probably find a way. But it's like they routinely say about home security: Sure, a skilled, professional thief can beat any alarm system the average home owner is likely to be able to afford. But you'll keep out the clumsy amateurs, and if you make it enough trouble for the professional, you increase the risk for him that by the time he breaks it, you'll have returned home or a neighbor will see him and call the police. When I worked for the military, we routinely talked about the balance between security and preventing the legitimate users from doing their jobs. The goal in the military is not some hypothetical "absolute security", but rather something good enough to reduce the risk to "acceptable levels" consistent with minimum inconvenience to authorized people. Obviously what constitutes "acceptable" depends on what you're protecting: I certainly hope that the people who were protecting nuclear warheads insisted on a higher level of security than we put around radar systems. People in areas where attacks were suspected, like bases in the Middle East, had higher security than we had in middle-America bases. Etc.

Point being: How likely a target is your site? I certainly hope my bank uses tighter security to protect my money than I bother to use to prevent spam abstract submissions on the convention site I run. Sites that have millions of visitors and are well-known probably need better security than obscure sites with thousands or hundreds of visitors. How much is "good enough"?

初心 2024-08-09 04:30:05

在您的表单(评论或联系表单)中,您应该添加一个隐藏输入

并编写一些 php 来检查此输入是否已填写,因此通过选择“if than else”您可以控制

if($_POST['hidden_input'] != ""){
    echo('<p>You are a spambot!!!</p>');    
}

此,因为人们看不到此表单,因此我们无法填写。通过这种方式,机器人确实会填充每个输入,因此如果每个输入都被填充,PHP 会发送此错误消息,并且不会向服务器发送评论或电子邮件,

In your form (comments or also contact form) you should add an hidden input

<input type="text" id="hidden_input" name="hidden_input" style="display:none;"/>

and write a little php to check if this input is filled, so with a selection 'if than else' you can control

if($_POST['hidden_input'] != ""){
    echo('<p>You are a spambot!!!</p>');    
}

This because people can' t see this form, so can' t be filled by us. In this way indeed bot fill every input, so if every input is fill PHP send this error message and it doens' t send to the server comments or emails,

墨小沫ゞ 2024-08-09 04:30:05

向用户询问一个简单、随机的数学问题。如果他们解决了问题,他们就会看到提交按钮。否则,他们不会。这也适用于静态站点。

这是问题输入组

<div class="input-group">
  <input type="text" value="" id="testInput" class="form-control">
  <span class="input-group-btn">
  <button class="btn btn-default" type="button" id="mathTest">Go!</button>
</span>
</div>

这是生成和验证问题的脚本。

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js" type="text/javascript"></script>
<script type="text/javascript" src="https://ajax.microsoft.com/ajax/jquery.validate/1.7/jquery.validate.js"></script>

< script > jQuery(function($) {
    $("#wj-form").validate();
    var rnuma = Math.floor(Math.random() * 11);
    var rnumb = Math.floor(Math.random() * 11);
    var sum = rnuma + rnumb;
    $("#rnuma").text(rnuma);
    $("#rnumb").text(rnumb);
    $("#mathTest").click(function() {
        if (sum == $("#testInput").val()) {
            $("#wj-form").append('<div class="form-group"><input type="submit" value="Send Message" class="btn btn-primary"></div>');
        } else {
            alert('Sorry, please try again.');
        }
    });
}); < /script>

上面的脚本正是这样做的。确保您没有将提交按钮放在表单中。仅当问题解决时才应附加。我已经在这里实现了这个。确保使用脚本中提到的正确形式 id

但有一点需要注意。如果用户的浏览器上没有运行 JavaScript,则该技巧将不起作用。

Ask users a simple, random, math problem. If they solve it, they see the submit button. Otherwise, they don't. This works on static sites as well.

This is the problem input group

<div class="input-group">
  <input type="text" value="" id="testInput" class="form-control">
  <span class="input-group-btn">
  <button class="btn btn-default" type="button" id="mathTest">Go!</button>
</span>
</div>

Here is the script that generates and validates the problem.

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js" type="text/javascript"></script>
<script type="text/javascript" src="https://ajax.microsoft.com/ajax/jquery.validate/1.7/jquery.validate.js"></script>

< script > jQuery(function($) {
    $("#wj-form").validate();
    var rnuma = Math.floor(Math.random() * 11);
    var rnumb = Math.floor(Math.random() * 11);
    var sum = rnuma + rnumb;
    $("#rnuma").text(rnuma);
    $("#rnumb").text(rnumb);
    $("#mathTest").click(function() {
        if (sum == $("#testInput").val()) {
            $("#wj-form").append('<div class="form-group"><input type="submit" value="Send Message" class="btn btn-primary"></div>');
        } else {
            alert('Sorry, please try again.');
        }
    });
}); < /script>

The above script does exactly that. Make sure you do not put the submit button in the form. It should be appended only when the problem is solved. I have implemented this here. Make sure you use the correct form id as mentioned in the script.

There is one caveat though. The trick will not work if the user has no javascript running on their browser.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文