Negative captchas - help me understand spam bots better
I have to decide on a technique to prevent spam bots from registering on my site. In this question I am mainly asking about negative captchas.
I came to know about many weaknesses of bots but want to know more. I read somewhere that the majority of bots do not render/support JavaScript. Why is that so? How do I test that the visiting program can't evaluate JavaScript?
I started with this question: "Need suggestions/ideas for easy-to-use but secure captchas"
Please answer that question if you have some good captcha ideas.
Then I got ideas about negative captchas here
http://damienkatz.net/2007/01/negative_captch.html
But Damien has written that though this technique likely won't work on big community sites (for long), it will work just fine for most smaller sites.
So, what are the chances of somebody making site-specific bots? I assume my site will be a very popular one. How safe will this technique be, considering that?
Negative captchas using complex honeypot implementations are described here
http://nedbatchelder.com/text/stopbots.html
Does anybody know how easily it can be implemented? Are there some plugins available?
Thanks,
Sandeepan
2 answers
Simplicity of implementation: you can read web page source and post forms with just a dozen lines of code in high-level languages. I've seen bots that are ridiculously bad, e.g. parsing HTML with regular expressions and getting "../" in URLs wrong. But it works well enough, apparently. However, running a JavaScript engine and implementing a DOM library is a much more complex task. You have to deal with scripts that do "while(1);", that depend on timers, external resources, CSS, sniff browsers and do lots of crazy stuff. The amount of work you need to do quickly starts looking like writing a full browser engine. It's also computationally much, much more expensive, so probably it's not as profitable for spammers: they can have a dumb bot that silently spams 100 pages/second, or a fully-featured one that spams 2 pages/second and hogs the victim's computer like a typical web browser would.
There's a middle ground in implementing just a simple site-specific hack, like filling in a certain form field if a known script pattern is noticed in the page.
It's a cost/benefit trade-off. If you have high PageRank, lots of visitors or something of monetary value, or useful for spamming, then some spammer might notice you and decide a workaround is worth his time. OTOH, if you just have a personal blog or small forum, there are a million others unprotected waiting to be spammed.
Create a hidden field with some fixed value, then write some JS which increments or changes it, and you will see it in the response.