Blocking spam comments without using a CAPTCHA

Posted 2024-08-08 04:31:31


What are some non-captcha methods for blocking spam on my comments?


Comments (18)

醉生梦死 2024-08-15 04:31:31


In my experience the currently most effective methods are honeypot input fields that are made invisible to users via CSS (best use several different methods, such as visibility:hidden, setting a size of 0 pixels, and absolute positioning far outside the browser window); if they're filled anyway you can assume it's a spambot.

This blog describes a rather complex method that I've tried out myself (with 100% success so far), but I suspect that you could get the same result by skipping all the stuff with hashed field names and just adding some simple honeypot fields.

微凉 2024-08-15 04:31:31


1) Adding session-related information into the form. Example:

<input type="hidden" name="sh" value="<?php echo dechex(crc32(session_id())); ?>" />

Then at postback, check whether the session is valid or not.

2) JavaScript-only. Use JavaScript injection at submission. Example:

<input type="hidden" id="txtKey" name="key" value="" />
<input type="submit" value="Go" onclick="document.getElementById('txtKey').value = '<?php echo dechex(crc32(session_id())); ?>';" />

3) Time limit per IP, user or session. This is quite straightforward.

4) Randomizing field names:

<?php
   $fieldkey = dechex(crc32(mt_rand().dechex(crc32(time()))));
   $_SESSION['fieldkey'] = $fieldkey;
?>
<input type="text" name="name<?php echo $fieldkey; ?>" value="" />
<input type="text" name="address<?php echo $fieldkey; ?>" value="" />

Then you can check it on the server side.

江挽川 2024-08-15 04:31:31


Akismet has an API. Someone wrote a wrapper class (BSD license) for it over at: http://cesars.users.phpclasses.org/browse/package/4401.html

There's also a Bayesian filter class (BSD license as well):
http://cesars.users.phpclasses.org/browse/package/4236.html

挽袖吟 2024-08-15 04:31:31


This is a simple trick to block spam bots or brute-force attacks without using a CAPTCHA.

Put this in your form:

<input type="hidden" name="hash" value="<?php echo md5($secret_key.time()).','.time(); ?>" />

Put this in your PHP code:

$human_typing_time = 5; /** page load (1s) + submit (1s) + typing time (3s) */
$vars = explode(',', $_POST['hash'] ?? '', 2);   // [md5 hash, issue timestamp]
if (count($vars) !== 2 || md5($secret_key.$vars[1]) != $vars[0] || time() < $vars[1] + $human_typing_time) {
    // bot?
    exit();
}

Depending on the weight of the form you can increase or decrease $human_typing_time.
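A hardened version of the timed-token check in this answer, added here as an example; it is not code from this answer or from 微凉's session-hash answer, both of which it builds on. It assumes $secret_key is a long random value loaded from configuration (a placeholder is used below), and replaces md5($secret_key.time()) with HMAC-SHA256, a constant-time comparison, an expiry, and input validation before use.

```php
<?php
// Added example, not code from the answer above. A hardened form of the
// same timed-token idea: the token is an HMAC instead of md5($secret.time()),
// the comparison is constant-time, the token also expires, and malformed
// input is rejected before it is used. $secret_key is assumed to be a long
// random value loaded from configuration (constructed here for illustration).

const MIN_FILL_SECONDS = 5;     // page load + typing + submit, as in the answer
const MAX_TOKEN_AGE    = 3600;  // a captured token cannot be replayed forever

// Rendered into <input type="hidden" name="hash" value="...">
function make_form_token(string $secret_key, int $now): string
{
    return hash_hmac('sha256', (string) $now, $secret_key) . ',' . $now;
}

// Returns true only for a genuine token submitted inside the allowed window.
function check_form_token(string $secret_key, ?string $submitted, int $now): bool
{
    if ($submitted === null) {
        return false;                       // field missing: not our form
    }
    $parts = explode(',', $submitted, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[1])) {
        return false;                       // malformed value
    }
    [$mac, $issued] = $parts;
    $issued   = (int) $issued;
    $expected = hash_hmac('sha256', (string) $issued, $secret_key);
    if (!hash_equals($expected, $mac)) {
        return false;                       // forged, or signed with another key
    }
    if ($now < $issued + MIN_FILL_SECONDS) {
        return false;                       // submitted too fast: likely a bot
    }
    if ($now > $issued + MAX_TOKEN_AGE) {
        return false;                       // stale, possibly replayed
    }
    return true;
}

// Form handler (constructed secret for illustration only):
$secret_key = 'replace-with-a-long-random-secret-from-config';
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !check_form_token($secret_key, $_POST['hash'] ?? null, time())) {
    http_response_code(400);                // bot?
    exit;
}
```

A bot that fetches the form and simply waits five seconds still passes, so this is a speed filter rather than a proof of humanity; binding the token to the session as in the earlier answer, or pairing it with honeypot fields, closes that gap.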

少跟Wǒ拽 2024-08-15 04:31:31


There is the Honey Pot Theory as well. I enjoy coupling honey pots with other forms of spam reduction for best results.

http://www.projecthoneypot.org/

半岛未凉 2024-08-15 04:31:31


Another common approach is to give the user a simple question ("is fire hot or cold?" "what is 2 plus 7?" etc.). It is a little captcha-like, but it is more accessible to users with vision disabilities using screen readers. I think there must be a WordPress plugin that does this, because I see it very frequently on WordPress blogs.

|煩躁 2024-08-15 04:31:31


As a lot of people already proposed: use a honeypot input field. But there are two other things you need to do.
First, randomize the name / id of which input field is the honeypot. Store the state of useful fields in the session (as well as a form token, used against CSRF attacks). For example, you have these fields to get: name, email, message. In your form, you will have
"token" which is your token, "jzefkl46" which is name for this form, "ofdizhae" for email, "45sd4s2" for message and "fgdfg5qsd4" for the honeypot.
In the user session, you can have something like

array("forms" => array("your-token-value" => array("jzefkl46" => "name",
                                                   "ofdizhae" => "email",
                                                   "45sd4s2" => "message",
                                                   "fgdfg5qsd4" => "honey")));

You just have to re-associate it back when you get your form data.

Second thing, as the robot has a lot of chances to avoid your honeypot field (25% chance), multiply the number of pots. With 10 or 20 of them, you add difficulty for the bots while not having too much overhead in your HTML.
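The randomized field map described in this answer, as an added example that is not code from this answer, from the first answer's CSS-hidden honeypot suggestion, or from 微凉's field-name randomization, all of which it combines. The field names, the $_SESSION['forms'] layout, the 'honey' marker and the function names are this example's own choices.

```php
<?php
// Added example, not code from the answer above: builds the random field-name
// map described there (real fields plus several honeypots), stores it in the
// session under a per-form token, and re-associates posted data.
session_start();

// One random name per real field and per honeypot; order is shuffled so the
// honeypots are not always the last inputs in the form.
function build_form_map(array $real_fields, int $honeypots): array
{
    $fields = array_merge($real_fields, array_fill(0, $honeypots, 'honey'));
    shuffle($fields);
    $map = [];
    foreach ($fields as $field) {
        $map[bin2hex(random_bytes(6))] = $field;   // e.g. "a1b2c3d4e5f6" => "email"
    }
    return $map;
}

// Honeypots are hidden by several means at once, as the first answer suggests;
// autocomplete="off" and tabindex="-1" reduce false positives from autofill.
function render_form(array $map, string $token): string
{
    $hide = ' style="position:absolute;left:-9999px;width:0;visibility:hidden" tabindex="-1"';
    $html = '<input type="hidden" name="token" value="' . htmlspecialchars($token) . '">';
    foreach ($map as $name => $real) {
        $html .= '<input type="text" name="' . $name . '" autocomplete="off"'
               . ($real === 'honey' ? $hide : '') . '>';
    }
    return $html;
}

// Returns real field => value, or null when the form must be rejected.
function read_submission(array $post): ?array
{
    $token = (string) ($post['token'] ?? '');
    if (!isset($_SESSION['forms'][$token])) {
        return null;                            // unknown token: CSRF or expired
    }
    $map = $_SESSION['forms'][$token];
    unset($_SESSION['forms'][$token]);          // single use
    $data = [];
    foreach ($map as $name => $real) {
        $value = (string) ($post[$name] ?? '');
        if ($real === 'honey' && $value !== '') {
            return null;                        // honeypot filled: bot
        } elseif ($real !== 'honey') {
            $data[$real] = $value;
        }
    }
    return $data;
}
```

On GET, create a token with bin2hex(random_bytes(16)), store build_form_map(['name', 'email', 'message'], 10) in $_SESSION['forms'][$token] and echo render_form() with it; on POST, a null from read_submission() means reject. Browser autofill can still populate hidden inputs, so log honeypot hits rather than silently dropping them until the false-positive rate is known.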

来日方长 2024-08-15 04:31:31


Sblam! is an open-source filter similar to Akismet.

It uses naive Bayesian filtering, checks the sender's IP and the links in the post against multiple distributed blacklists, checks the correctness of HTTP requests, and uses the presence of JS as a hint (but not a requirement).

风月客 2024-08-15 04:31:31


Regular CAPTCHAs are solvable by spam bots now.

Consider instead "text CAPTCHAs": a logic or common-knowledge question, like "What's 1 + 1?" or "What color is General Custard's white horse?" The question can even be static (the same question for every try).

Text Logic CAPTCHA

(Taken from http://matthewhutchinson.net/2010/4/21/actsastextcaptcha )

I think Jeff Atwood even uses a validation like this on his blog. (Correct me if I'm wrong)

Some resources:

云淡风轻 2024-08-15 04:31:31


You could try looking at using a third party like Akismet. API keys are free for personal use. Also, the Zend Framework has a package for this.

吹梦到西洲 2024-08-15 04:31:31


Most bots simply fill out the whole form and send it to you. A simple trick that works is to create a normal field that you then hide with the aid of JavaScript. On the server side, just check whether this field has been filled. If so, then it is spam for sure.

悲歌长辞 2024-08-15 04:31:31


Disallow links. Without links, spam is useless.

[EDIT] As a middle way, only allow links to "good" sites (usually your own). There are only a handful of them, so you can either add them at the request of your users or hold a comment until you have verified the link. When it's good, add it.

After a while, you can turn this off and automatically reject comments with links and wait for users to complain.

稀香 2024-08-15 04:31:31


I have reduced about 99% of spam on my website through a simple mathematical question like the following:

What is 2+4 [TextBox]

The user will be able to submit the question/comment if they answer "6".

Works for me, and a similar solution works for Jeff Atwood from Coding Horror!

人│生佛魔见 2024-08-15 04:31:31


On my blog, I have a kind of compromise captcha: I only use a captcha if the post contains a link. I also use a honeypot input field. So far, this has been nearly 100% effective. Every now and then there will be a spammer that submits something to every form which contains no links (usually something like "nice site!"). I can only assume that these people think I will e-mail them to find out who they are (using the e-mail address that only I see).

方圜几里 2024-08-15 04:31:31


Along with using honeypot fields, we can ban their IP automatically (which doesn't work for dynamic IPs), and especially any links posted back by bots.

假情假意假温柔 2024-08-15 04:31:31


Akismet is a good alternative; they check your posts for spam and it works very efficiently.
You just need to load their library.
http://akismet.com/development/

给妤﹃绝世温柔 2024-08-15 04:31:31


Check out some WP anti-spam plugins for examples and ideas.

There are many nice anti-spam plugins that don't use a CAPTCHA.

Some I'd recommend: hashcash, nospamnx, typepad antispam.
All of these use different methods for blocking spam, and I use them all. hashcash + nospamnx block almost all spambots, and typepad antispam blocks most human-typed spam.

These are also good ones: spambam, wp-spamfree, anti-captcha, bad-behaviour, httpbl, etc.

Also, a simple .htaccess rule that blocks any bot that POSTs directly without coming from your own site (check the referer).

Or simply outsource your comment system to Disqus and sleep tight.
