Ah ok.. that makes a bit more sense. Even still.. anyone who's going out of their way to program a bot to defeat your specific CAPTCHA mechanism will probably notice the failure in testing. Unless you made a failure behave similar to a success but put them in a situation where ultimately they still can't post messages or access anything useful. I remember reading about either 3D Studio or Maya (one of the 3D modeling programs) and their copy protection method. They, at one point, made I guess an obvious segment of code for the software pirates to 'crack' that appeared to have totally deprotected the program. It turns out that it only sort of de-protected it. They put in multiple mechanisms that were more subtle. The one I'm thinking of apparently made it so that after 250 right mouse clicks, it would render everything in lower and lower qualities of rendering. Or not render at all. OR menus stopped working or something. But it was something that wasn't obvious at all until people really started using the pirated copy for a while. Tricky bastards. I love it. hah -TG = = = Original message = = = The point was to have the hidden fields that the bot would populate and the user wouldn't. So for instance, let's use my example from before. (hideSpamCatcher is a reference to a javascript function that hides the spamcatcher div. <body onload="hideSpamCatcher()"> <form method="post" action="somewhere.php"> <div id="spamcatcher"> <input type="text" name="lastname" id="lastname" /> </div> Name: <input type="text" id="name" name="name" /><br /> Password: <input type="password" id="password" name="password" /><br /> <input type="submit" name="Submit" /> </body> Now, the user comes along and doesn't see the field name. They fill in their username and password and hit submit. The information passed looks like: $_POST['name'] = 'steve'; $_POST['password'] = 'mypassword'; $_POST['lastname'] = ''; All of the fields are submitted and only username and password actually have values. Now the bot comes through, sees the form and submits it by parsing through the code, finding every single field that is an input field and submitting that. They see a field named "lastname" and it thinks it's important enough to populate. Its logics says "I need to provide a last name for this form to submit properly." So it goes and submits every field on the page. The post data looks like: $_POST['name'] = 'john'; $_POST['password'] = 'mybotpassword'; $_POST['lastname'] = 'doe'; It fills in every field. In essence, it was tricked into doing so because the field had a provacative name and the bot didn't know any better. So how does this help? You can do a check to make saure that $_POST['lastname'] is still blank before processing any data. It may not work all the time, it won't trick the more intelligent bots, and it will be easy to code a way to get around that - but basically it will stop your general run-of-the-mill spam bots from traversing through your site, and randomly submitting advertisements to your comment forms, and what not. <tg-php@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:20070330165557.A96DE81638@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > Maybe I'm missing something.. if the intent is to have 'hidden' fields > that a user would end up submitting but a bot wouldn't.. that wouldn't > work very well. A bot could easily see the hidden fields and submit them > along with whatever other data they were sending. > > If the intention is to trick a bot into sending data a user wouldn't, then > again.. doesn't work because a user is going to send the hidden fields as > well. > > It doesn't really matter if a user can 'see' or edit a form field, a bot > can be programmed to send whatever data it finds in that form, hidden or > not, because it's only hidden from humans from seeing and editing because > that's how the web browsers interpret and render that HTML. Bots don't > render HTML, just read it as a text file and parse through it looking for > form data and whatever else they're programmed to look for. > > Now, if you did an onsubmit on your form that executed a function to > modify the HTML pre-submit using JS's innerHTML command, you MIGHT be able > to trick it a little. But again, the bots are probably programmed not to > be too smart.. but to emulate specific CAPTCHA systems. So a smart bot > programmer would notice this and find a way to figure out what form > elements were included via innerHTML alteration. > > -TG > > > = = = Original message = = = > > I read something (I think on Slashdot) a while back about another method > that could be used to avoid CAPTCHAs. > > Basically on top of your standard form field, you place some input fields > in > a javascript hidden div around your page conveniently named things like > "email", "address", or "phone." Because they're hidden, when the form > submits they should exist as post variables but have a value untouched by > the user. > > Something simple like > <div class="spamcatcher"> > <input type="text" name="phonenumber" id="phonenumber" /> > </div> > > Then <body onload="hideSpamCatcher()"> > > A spam bot will generally send a value with every field they come across, > especially ones that have really common form field names. They find these > fields by parsing through your source for anything that looks like it's > submitted. If you hid some "trick" fields around your page and then > checked > on submit whether or not they had a value, you could probably get a pretty > decent turing test without the user suspecting anything. > > My old thrown together blog from a few years back had an unchecked comment > script that caught quite a bit of spam once I stopped caring about it. > I've > been considering putting that back together and using this method just to > see if the spam is cut back at all. > > Anyone have any experiences (good or bad) with this method? > > > > ___________________________________________________________ > Sent by ePrompter, the premier email notification software. > Free download at http://www.ePrompter.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php ___________________________________________________________ Sent by ePrompter, the premier email notification software. Free download at http://www.ePrompter.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
