How effective is the honeypot technique against spam?
By "honeypot", I mean more or less this practice:
<!-- Register form -->
<style>
.hideme{
display:none;
visibility: hidden;
}
</style>
<!-- method="post" is required, since register.php reads $_POST;
     autocomplete="off" keeps the browser from auto-filling the trap field -->
<form action="register.php" method="post" autocomplete="off">
Your email: <input type="text" name="u-email" />
Choose a password: <input type="password" name="passwd" />
<div class="hideme">
Please, leave this field blank: <input type="text" name="email" /> <!-- the comment is for text-browser users -->
</div>
<input type="submit" value="Register" />
</form>
//register.php
<?php
// Reject the submission if the hidden honeypot field came back non-empty.
if (isset($_POST['email']) && $_POST['email'] !== '') {
    die("You spammer!");
}
// otherwise, do the form validation and go on.
?>
more info here.
Obviously, the real fields are named with random hashes, and the honeypot fields can have different names (email, user, website, homepage, etc.) that a spambot usually fills in.
I love this technique because it doesn't cause the user to be annoyed by CAPTCHA.
Do any of you have some experience with this technique? Is it effective?
Comments (4)
Old question, but I thought I'd chime in, as I've been maintaining a module for Drupal (Honeypot), which uses the Honeypot spam prevention method alongside a time-based protection (users can't submit the form in less than X seconds, and X increases exponentially with each consecutive failed submission). Using these two methods, I have heard of many, many sites (examples) that have eliminated almost all automated spam.
I have had better success with Honeypot + timestamp than I have with any CAPTCHA-based solution, because not only am I blocking most spammers, I'm also not punishing my users.
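As an added example (not the asker's code and not the Drupal Honeypot module's own code), here is how the honeypot check from the question can be combined with the signed page-load timestamp and exponentially growing minimum delay this answer describes. The field names email and hp_time, the session failure counter and the secret constant are assumptions.

```php
<?php
// Added example: honeypot field + HMAC-signed load timestamp + exponential delay.
// Not the Drupal Honeypot module's code; field names and constants are assumptions.
declare(strict_types=1);
const HONEYPOT_SECRET = 'replace-with-a-long-random-secret'; // placeholder value
const BASE_DELAY_SECONDS = 5;    // minimum time between page load and submit
const MAX_DELAY_SECONDS = 300;

// Called when rendering the form: put honeypotToken(time()) in a hidden
// input named hp_time. The HMAC stops a bot from posting an old or made-up
// load time to satisfy the delay check.
function honeypotToken(int $loadedAt): string {
    return $loadedAt . ':' . hash_hmac('sha256', (string)$loadedAt, HONEYPOT_SECRET);
}

// Required delay doubles with each consecutive failure, capped at five minutes.
function requiredDelay(int $failures): int {
    return (int)min(MAX_DELAY_SECONDS, BASE_DELAY_SECONDS * (2 ** $failures));
}

// Returns null for a submission that passes, otherwise a short reason.
function checkSubmission(array $post, int $now, int $failures): ?string {
    // 1. Honeypot: the hidden "email" field must come back empty.
    if (($post['email'] ?? '') !== '') {
        return 'honeypot filled';
    }
    // 2. Timestamp: present, correctly signed, and old enough.
    $parts = explode(':', (string)($post['hp_time'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'timestamp missing';
    }
    [$loadedAt, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $loadedAt, HONEYPOT_SECRET), $mac)) {
        return 'timestamp forged';
    }
    if ($now - (int)$loadedAt < requiredDelay($failures)) {
        return 'submitted too fast';
    }
    return null;
}

// In register.php: the session keeps the consecutive-failure count (assumption).
session_start();
$failures = $_SESSION['hp_failures'] ?? 0;
if (checkSubmission($_POST, time(), $failures) !== null) {
    $_SESSION['hp_failures'] = $failures + 1;
    echo 'Thank you for registering.'; // same reply as success, so nothing leaks
    exit;
}
$_SESSION['hp_failures'] = 0; // normal validation continues from here
```

Answering a rejected submission exactly like a successful one, as the ColdFusion answer further down also does, denies the bot operator any signal about which check tripped.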
With the technique below, I block 100% of spam.
1. If failed, run an extra script to collect the IP address and write it in the .htaccess file on the "deny from" line.
2. If failed, warn only, because this can be a human.
3. If less than 5 sec, show an error message and let them try again, because a human can write pretty fast with an auto-filling plugin.
Denying access by IP address is very effective because bots keep trying to sneak in with the same IPs (if they change IP then I put that new IP in htaccess, so no problem). I trim the .htaccess file daily with crontab automatically so the file won't get too big. I adjust the number of IPs to block so the same bot with the same IP will be blocked for about a week or so. I noticed that the same IP is used by a bot for 3 days, attacking several times.
Trick #1 blocks about 99% and #2 blocks about 1%, and the bot won't get through those two, so #3 might not be necessary.
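An added example (not the answerer's script) of the .htaccess bookkeeping this answer describes: appending a "Deny from" line for the offending address and pruning entries older than about a week from cron. The file path, marker comment and retention period are assumptions; "Deny from" is the Apache mod_access_compat syntax the answer refers to.

```php
<?php
// Added example: maintain and prune the "Deny from" list in .htaccess.
// Not the answerer's script; path, marker and retention are assumptions.
declare(strict_types=1);
const DENY_FILE = __DIR__ . '/.htaccess';  // assumed location of the file
const RETENTION_SECONDS = 7 * 86400;       // blocked for about a week
const MARKER = '# hp-deny';                // tags the lines this script owns

// Append "Deny from <ip>" with a timestamp. The address is validated first:
// a client-controlled header such as X-Forwarded-For must never be written
// into .htaccess unchecked, since it could carry arbitrary directives.
function denyIp(string $ip, int $now, string $file = DENY_FILE): bool {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $line = sprintf("Deny from %s %s %d\n", $ip, MARKER, $now);
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Rewrite the file, dropping only our own expired deny lines. Everything
// else (rewrite rules, hand-written directives) is kept verbatim. Run daily
// from cron so the file stays small; returns the number of lines removed.
function pruneDenyList(int $now, string $file = DENY_FILE): int {
    $pattern = '/^Deny from \S+ ' . preg_quote(MARKER, '/') . ' (\d+)$/';
    $kept = [];
    $removed = 0;
    foreach (file($file, FILE_IGNORE_NEW_LINES) ?: [] as $line) {
        if (preg_match($pattern, $line, $m) && $now - (int)$m[1] > RETENTION_SECONDS) {
            $removed++;
            continue;
        }
        $kept[] = $line;
    }
    file_put_contents($file, implode("\n", $kept) . "\n", LOCK_EX);
    return $removed;
}

// Usage: after a failed honeypot check, denyIp($_SERVER['REMOTE_ADDR'], time());
// from the daily cron job, pruneDenyList(time());
```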
I've used the honeypot captcha on three forms since about 2010, and it's been stunningly effective with no modifications until very recently. We've just made some changes that we think will stop most of the spambots, at least until they get more sophisticated. In broad strokes, here's the way we've set it up:
One input field on each form is hidden (display:none specified in the CSS class attribute) with a default value of "". For screen readers and such, the hidden input label makes it clear that the field must be left empty. Having no length at all by default, we use code server-side (ColdFusion in our case, but it could be any language) to stop the form submission if anything at all is in that field. When we interrupt the submission that way, we give the same user feedback as if it was successful ("Thank you for your comment" or something similar), so there is no outward indication of failure.
But over time, the bots wised up and the simplest of our forms was getting hammered with spam. The forms with front-end validation held up well, and I suppose that's because they also don't accept just any old text input, but require an email address to be structured like an email address, and so on. The one form that proved vulnerable had only a text input for comments and two optional inputs for contact information (phone number and email); importantly, I think, none of those inputs included front-end validation.
It will be easy enough to add that validation, and we'll do that soon. For now, though, we've added what others have suggested in the way of a "time trap." We set a time variable when the page loads and compare that timestamp to the time the form is submitted. At the moment we're allowing submission after 10 seconds on the page, though some people have suggested three seconds. We'll make adjustments as needed. I want to see what effect this alone has on the spam traffic before adding the front-end validation.
So the quick summary of my experience is this: The honeypot works pretty well as it was originally conceived. (I don't recall where I found it first, but this post is very similar to the first I saw about it more than a decade ago.) It seems even more effective with the addition of client-side validation enabled by HTML5. And we think it will be even better with the server-side limits we've now imposed on those too-hasty submissions.
Lastly, I'll mention that solutions like reCaptcha are off the table for us. We spent significant time developing a web app using Google's map API, and it worked great until Google changed their API without warning and without transition advice. We won't marry the same abusive spouse twice.
It works relatively well; however, if the bot creator caters to your page, they will see that (or even have a routine set up to check) and will most likely modify their bot accordingly.
My preference is to use reCaptcha. But the above will stop some bots.