[thelist] are bots submitting my form?
Christian Heilmann
codepo8 at gmail.com
Fri Jan 13 09:37:40 CST 2006
> Yes, it's a good chance bots are submitting your form. What you are seeing
> is not at all unusual, and as I understand it, they are hoping to discover
> the email address to which the form content is being sent. Once they have
> the email address, of course, they can sell it to spammers.
>
> The best way I know of to stop this is to use a required field which asks
> the user to enter the contents of an image. You may have seen this
> before.... the page displays an image with a distorted word in it and then
> asks you to enter what it says. It's distorted to prevent bots from screen
> scraping the value. Unless the value is entered correctly the form will not
> submit.
The problem is that the form is submitted empty, and this is because
there is NO server side validation _whatsoever_ on the page - simply
turn off JavaScript and send the form to see what I mean.

The solution to that is just to not rely on JavaScript exclusively -
which is never a viable option.

As to the validity of CAPTCHAS (which are those images you are asked
to enter), they are not a stop for spammers either, more of a nuisance
for real visitors of your site.

Proof of how you can crack captchas:
http://sam.zoy.org/pwntcha/

The w3c on inaccessibility of CAPTCHAS:
http://www.w3.org/TR/2005/NOTE-turingtest-20051123/

Introduction to CAPTCHAS and some alternatives (I think even from this list):
http://www.wait-till-i.com/index.php?p=203
--
Chris Heilmann
Blog: http://www.wait-till-i.com
Writing: http://icant.co.uk/
Binaries: http://www.onlinetools.org/
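
The server-side check the message above calls for, as an added example that is not part of the original post: a Python handler that validates the POST body itself, so a submission sent with JavaScript turned off (or by a script) is rejected when fields are empty. The field names and length limits are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Hypothetical contact-form fields and maximum lengths (not from the original post).
REQUIRED = {"name": 100, "email": 254, "message": 5000}


def validate_submission(raw_body: bytes):
    """Validate an application/x-www-form-urlencoded body; return (cleaned, errors)."""
    # keep_blank_values=True so "name=" is seen as present-but-empty, not missing.
    fields = parse_qs(raw_body.decode("utf-8", errors="replace"),
                      keep_blank_values=True)
    cleaned, errors = {}, {}
    for name, max_len in REQUIRED.items():
        values = fields.get(name, [])
        if len(values) > 1:
            errors[name] = "sent more than once"
            continue
        # Whitespace-only input counts as empty, exactly like a blank field.
        value = values[0].strip() if values else ""
        if not value:
            errors[name] = "required"
        elif len(value) > max_len:
            errors[name] = "too long"
        else:
            cleaned[name] = value
    email = cleaned.get("email")
    if email is not None:
        # Minimal shape check: something@domain.tld, no whitespace or control chars.
        local, at, domain = email.partition("@")
        bad_char = any(c.isspace() or ord(c) < 32 for c in email)
        if not (local and at and "." in domain) or bad_char:
            errors["email"] = "not a valid address"
            del cleaned["email"]
    return cleaned, errors


def handle_post(raw_body: bytes):
    """Return (status, payload); the form is processed only when nothing failed."""
    cleaned, errors = validate_submission(raw_body)
    if errors:
        return 400, errors
    return 200, cleaned
```

Any client-side JavaScript validation can stay as a convenience for visitors; the decision to accept the form is made only in `handle_post`.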