Stopping spam without CAPTCHA

Posted on 2024-09-24 04:24:32

I want to stop spammers from using my site. But I find CAPTCHA very annoying. I am not just talking about the "type the text" type, but anything that requires the user to waste his time to prove himself human.

What can I do here?

Comments (9)

放血 2024-10-01 04:24:32

Requiring Javascript to post data blocks a fair amount of spam bots while not interfering with most users.

You can also use a nifty trick:

<input type="text" id="not_human" name="name" />
<input type="text" name="actual_name" />
<style>
   #not_human { display: none }
</style>

Most bots will populate the first field, so you can block them.

一城柳絮吹成雪 2024-10-01 04:24:32

I combine a few methods that seem quite successful so far:

  1. Provide an input field with the name email and hide it with CSS
    display: none. When the form is submitted check if this field is
    empty. Bots tend to fill this with a bogus email address.

  2. Provide another hidden input field which contains the time the page
    is loaded. Check if the time between loading and submitting the page
    is larger than the minimum time it takes to fill in the form. I use
    between 5 and 10 seconds.

  3. Then check if the number of GET parameters is as you would expect.
    If your form's action is POST and the underlying URL of your
    submission page is index.php?p=guestbook&sub=submit, then you
    expect 2 GET parameters. Bots try to add GET parameters so this
    check would fail.

  4. And finally, check if the HTTP_USER_AGENT is set, which bots sometimes don't set,
    and that the HTTP_REFERER is the URL of the page of your form. Bots
    sometimes just POST to the submission page causing the HTTP_REFERER
    to be something else.

I got most of my information from http://www.braemoor.co.uk/software/antispam.shtml and http://www.nogbspam.com/.
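
The four checks from the answer above combined into one server-side validator, as an added example that is not part of the original post. It goes one step beyond the answer by signing the hidden load-time field with an HMAC so a client cannot forge it; the field name `loaded_at`, the key, the one-hour expiry and the example.test URLs are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlsplit

SECRET = b"replace-with-a-random-server-side-key"        # placeholder key (assumption)
FORM_URL = "https://example.test/index.php?p=guestbook"  # constructed form page URL
EXPECTED_GET_PARAMS = {"p", "sub"}   # from index.php?p=guestbook&sub=submit
MIN_FILL_SECONDS = 5                 # the answer uses between 5 and 10 seconds
MAX_FORM_AGE = 3600                  # assumption: a rendered form expires after an hour


def _tag(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def stamp(now=None):
    """Value for the hidden 'loaded_at' field: load time plus an HMAC tag."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_tag(ts)}"


def check_submission(url, post, headers, now=None):
    """Return the names of the failed checks; an empty list means accept."""
    now = time.time() if now is None else now
    failed = []
    # 1. Honeypot: the CSS-hidden 'email' field must come back empty.
    if post.get("email", "").strip():
        failed.append("honeypot")
    # 2. Minimum fill time, trusted only if the load timestamp's tag verifies.
    ts, _, tag = post.get("loaded_at", "").partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(ts).encode()):
        failed.append("timestamp-forged")
    elif not MIN_FILL_SECONDS <= now - int(ts) <= MAX_FORM_AGE:
        failed.append("timing")
    # 3. Exactly the expected GET parameters: no extras, no repeats.
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if sorted(k for k, _ in query) != sorted(EXPECTED_GET_PARAMS):
        failed.append("get-params")
    # 4. User-Agent present and Referer equal to the form page.
    if not headers.get("User-Agent", "").strip():
        failed.append("user-agent")
    if headers.get("Referer") != FORM_URL:
        failed.append("referer")
    return failed
```

Returning the list of failed checks rather than a boolean lets the caller log which signal fired, and lets it weigh the Referer check separately, since privacy tools and some proxies strip that header for real users.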

万劫不复 2024-10-01 04:24:32

Integrate the Akismet API to automatically filter your users' posts.

满栀 2024-10-01 04:24:32

If you're looking for a .NET solution, the Ajax Control Toolkit has a control named NoBot.

NoBot is a control that attempts to provide CAPTCHA-like bot/spam prevention without requiring any user interaction. NoBot has the benefit of being completely invisible. NoBot is probably most relevant for low-traffic sites where blog/comment spam is a problem and 100% effectiveness is not required.

NoBot employs a few different anti-bot techniques:

  • Forcing the client's browser to perform a configurable JavaScript calculation and verifying the result as part of the postback. (Ex: the calculation may be a simple numeric one, or may also involve the DOM for added assurance that a browser is involved)
  • Enforcing a configurable delay between when a form is requested and when it can be posted back. (Ex: a human is unlikely to complete a form in less than two seconds)
  • Enforcing a configurable limit to the number of acceptable requests per IP address per unit of time. (Ex: a human is unlikely to submit the same form more than five times in one minute)

More discussion and demonstration at this blogpost by Jacques-Louis Chereau on NoBot.

<ajaxToolkit:NoBot
  ID="NoBot2"
  runat="server"
  OnGenerateChallengeAndResponse="CustomChallengeResponse"
  ResponseMinimumDelaySeconds="2"
  CutoffWindowSeconds="60"
  CutoffMaximumInstances="5" />
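
Two of the techniques listed above, the JavaScript calculation and the per-IP request limit, written out in Python as an added example; this is not NoBot's own code. The 60-second window and the limit of 5 mirror the markup above; the function names, the in-memory store and the multiplication challenge are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

SECRET = secrets.token_bytes(32)  # per-process key (assumption)
WINDOW_SECONDS = 60               # mirrors CutoffWindowSeconds="60"
MAX_INSTANCES = 5                 # mirrors CutoffMaximumInstances="5"
_hits = defaultdict(deque)        # ip -> times of recent posts (unbounded; evict in production)


def _tag(nonce, answer):
    return hmac.new(SECRET, f"{nonce}:{answer}".encode(), hashlib.sha256).hexdigest()


def issue_challenge():
    """Return (js_expression, token); the token binds the answer without revealing it."""
    a, b = secrets.randbelow(900) + 100, secrets.randbelow(900) + 100
    nonce = secrets.token_hex(8)
    return f"{a} * {b}", f"{nonce}:{_tag(nonce, a * b)}"


def challenge_ok(token, response):
    """True if the posted response is the value the browser was asked to compute."""
    nonce, _, tag = str(token).partition(":")
    return hmac.compare_digest(tag.encode(), _tag(nonce, str(response).strip()).encode())


def allow_post(ip, now=None):
    """Sliding window: at most MAX_INSTANCES posts per IP per WINDOW_SECONDS."""
    now = time.time() if now is None else now
    recent = _hits[ip]
    while recent and now - recent[0] >= WINDOW_SECONDS:
        recent.popleft()
    if len(recent) >= MAX_INSTANCES:
        return False
    recent.append(now)
    return True


def accept(ip, token, response, now=None):
    if not allow_post(ip, now):
        return False, "rate limit"
    if not challenge_ok(token, response):
        return False, "challenge failed"
    return True, "ok"
```

Failed challenges still count against the per-IP window, so a client guessing answers is throttled like any other. The token alone does not prevent replay of a solved challenge, which is why the sliding window is checked first.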

情绪操控生活 2024-10-01 04:24:32

I would be careful using CSS or Javascript tricks to ensure a user is a genuine real life human, as you could be introducing accessibility issues, cross browser issues, etc. Not to mention spam bots can be fairly sophisticated, so employing cute little CSS display tricks may not even work anyway.

I would look into Akismet.

Also, you can be creative in the way you validate user data. For example, let's say you have a registration form that requires a user email and address. You can be fairly hardcore in how you validate the email address, even going so far as to ensure the domain is actually set up to receive mail, and that there is a mailbox on that domain that matches what was provided. You could also use Google Maps API to try and geolocate an address and ensure it's valid.

To take this even further, you could implement "hard" and "soft" validation errors. If the mail address doesn't match a regex validation string, then that's a hard fail. Not being able to check the DNS records of the domain to ensure it accepts mail, or that the mailbox exists, is a "soft" fail. When you encounter a soft fail, you could then ask for CAPTCHA validation. This would hopefully reduce the amount of times you'd have to push for CAPTCHA verification, because if you're getting enough activity on the site, valid people should be entering valid data at least some of the time!

决绝 2024-10-01 04:24:32

I realize this is a rather old post, however, I came across an interesting solution called the "honey-pot captcha" that is easy to implement and doesn't require javascript:

Provide a hidden text box!

  • Most spambots will gladly complete the hidden text box allowing you to politely ignore them.
  • Most of your users will never even know the difference.

To prevent a user with a screen reader from falling into your trap, simply label the text box "If you are human, leave blank" or something to that effect.

Tada! Non-intrusive spam-blocking! Here is the article:

http://www.campaignmonitor.com/blog/post/3817/stopping-spambots-with-two-simple-captcha-alternatives

念﹏祤嫣 2024-10-01 04:24:32

Since it is extremely hard to avoid it 100%, I recommend reading this IBM article posted 2 years ago titled 'Real Web 2.0: Battling Web spam', where visitor behavior and control workflow are analyzed well and concisely:

Web spam comes in many forms, including:

  • Spam articles and vandalized articles on wikis
  • Comment spam on Weblogs
  • Spam postings on forums, issue trackers, and other discussion sites
  • Referrer spam (when spam sites pretend to refer users to a target
    site that lists referrers)
  • False user entries on social networks

Dealing with Web spam is very difficult, but a Web developer neglects spam prevention at his or her peril. In this article, and in a second part to come later, I present techniques, technologies, and services to combat the many sorts of Web spam.

Also linked is a very interesting "...hashcash technique for minimizing spam on Wikis and such, in addition to e-mail."

放低过去 2024-10-01 04:24:32

How about a human readable question that tells the user to put in the first letter of the value he put in the first name field and the last letter of the last name field or something like this?

Or show some hidden fields which are filled with JavaScript with values like referer and so on. Check for equality of these fields with the ones you have stored in the session before.
If the values are empty, the user has no JavaScript. Then it would be no spam. But a bot will at least fill in some of them.

狼性发作 2024-10-01 04:24:32

Surely you should select one thing: Honeypot or BOTCHA.
