[thelist] are bots submitting my form?

Christian Heilmann codepo8 at gmail.com
Fri Jan 13 09:37:40 CST 2006


> Yes, it's a good chance bots are submitting your form.  What you are seeing
> is not at all unusual, and as I understand it, they are hoping to discover
> the email address to which the form content is being sent.  Once they have
> the email address, of course, they can sell it to spammers.
>
> The best way I know of to stop this is to use a required field which asks
> the user to enter the contents of an image.  You may have seen this
> before.... the page displays an image with a distorted word in it and then
> asks you to enter what it says.  It's distorted to prevent bots from screen
> scraping the value.  Unless the value is entered correctly the form will not
> submit.

The problem is that the form is submitted empty, and this is because
there is NO server side validation _whatsoever_ on the page - simply
turn off JavaScript and send the form to see what I mean.

The solution to that is just to not rely on JavaScript exclusively -
which is never a viable option.

As to the validity of CAPTCHAS (which are those images you are asked
to enter), they are not a stop for spammers either, more of a nuisance
for real visitors of your site.

Proof of how you can crack CAPTCHAs:
http://sam.zoy.org/pwntcha/

The W3C on inaccessibility of CAPTCHAS:
http://www.w3.org/TR/2005/NOTE-turingtest-20051123/

Introduction to CAPTCHAS and some alternatives (I think even from this list)
http://www.wait-till-i.com/index.php?p=203

--
Chris Heilmann
Blog: http://www.wait-till-i.com
Writing: http://icant.co.uk/
Binaries: http://www.onlinetools.org/
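
One way to do the server-side check that the message above says is missing, as an added example (not part of the original post and not the site's own code). The field names, length limits and the function name `validateContactForm` are assumptions; beyond the empty-submission case it also rejects duplicated parameters and control characters in single-line fields.

```javascript
// Added example: server-side validation for a contact form.
// Field names (name, email, message) and the limits are assumptions.
const RULES = {
  name:    { max: 100,  singleLine: true },
  email:   { max: 254,  singleLine: true, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  message: { max: 5000, singleLine: false },
};

// rawBody: the application/x-www-form-urlencoded POST body as received.
// Returns { ok, errors, values }; the caller sends mail only when ok is true.
// This runs on the server, so disabling JavaScript in the client changes nothing.
function validateContactForm(rawBody) {
  const params = new URLSearchParams(rawBody || "");
  const errors = {};
  const values = {};

  for (const [field, rule] of Object.entries(RULES)) {
    const all = params.getAll(field);
    if (all.length > 1) {              // duplicated parameter: refuse to guess
      errors[field] = "duplicate";
      continue;
    }
    const value = (all[0] || "").trim();
    if (value === "") {
      errors[field] = "required";      // the empty-submission case
    } else if (value.length > rule.max) {
      errors[field] = "too long";
    } else if (rule.singleLine && /[\x00-\x1f\x7f]/.test(value)) {
      errors[field] = "control characters";
    } else if (rule.pattern && !rule.pattern.test(value)) {
      errors[field] = "invalid format";
    } else {
      values[field] = value;
    }
  }
  return { ok: Object.keys(errors).length === 0, errors, values };
}

// Constructed sample request bodies.
const SAMPLES = {
  empty: "name=&email=&message=",      // form posted with every field blank
  noFields: "",                        // POST with no body at all
  good: "name=Ada&email=ada%40example.org&message=Hello+there",
};
```
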


