Has anyone been able to successfully prevent spam on their site without placing a burden on your visitor (e.g. CAPTCHA) and without using a centralized spam reporting system (e.g. Akismet)?

I've found this & it looks promising, but doesn't contain detailed deployment instructions.

I want to present my web forms without burdening my users with CAPTCHA like technologies, but also actively automate preventing spam.

There doesn't seem to exist a detailed instruction/tutorial on how to implement such a technology.

Disclaimer

Also, I realize there is no silver bullet for preventing spam. But if a non-invasive (invisible to the user) prevention system that blocks 95+% of spam could simply be put in place, it would be worth the effort to deploy.

+3  A: 

Honey Pot captcha (article by Phil Haack) is the usual method employed to do what you are looking for. It isn't foolproof, but what is really?

This appears to be pretty much what you have already explored. Just do your due diligence to understand what the limitations of the solution are; if you still find it meets your needs, be assured this technique has been put to good use by others.

Matthew Vines
+1  A: 

If there were an ultimate solution, there would be no need for CAPTCHAs at all. However, if the size of your site isn't large enough to warrant someone manually looking for a way to hack it, security through obscurity may be the best way. Such as the link you supplied above, or as easy as adding an input called something like "City_2" and making it hidden. If the input box is filled out, chances are you've got a spammer, as they automatically fill in every field; just dump the data and move along... Just my 2 cents.

Ryan
While the City_2 solution may be good, I wanted to comment that "security through obscurity" is no kind of security at all.
JasCav
@Jason: Captchas as such are "security through obscurity", quite literally actually. Some obscured (distorted) text must be identified, that's all it is. There's no real *security*, there are no hidden parts, formerly exchanged secret keys or anything. A Captcha is just a little more obscure for a machine than for a human, and that's the point.
deceze
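The hidden "City_2" decoy described in the two answers above, as an added example that is not code from any answer on this page: the field is hidden with CSS rather than `type="hidden"` (many bots skip hidden inputs but fill visible text inputs), and the server rejects any submission where it is non-empty. The field name reuses the answer's "City_2"; the CSS class, markup and sample submissions are assumptions.

```javascript
// Added example (not from any answer above): a honeypot form field and
// the matching server-side check. The field name, CSS class and sample
// submissions are constructed for illustration.
const HONEYPOT_FIELD = "City_2";

// Markup for the decoy input. It stays a text input so that bots which
// "fill in every field" populate it; a stylesheet rule (below) moves it
// off-screen for humans. autocomplete="off" keeps browser autofill from
// tripping it for legitimate visitors, and tabindex="-1" keeps it out of
// keyboard navigation.
function honeypotMarkup() {
  return (
    `<div class="hp-wrap">` +
    `<label for="${HONEYPOT_FIELD}">Leave this field empty</label>` +
    `<input type="text" id="${HONEYPOT_FIELD}" name="${HONEYPOT_FIELD}" ` +
    `tabindex="-1" autocomplete="off"></div>`
  );
}

// Rule that keeps the decoy invisible to sighted users without using
// display:none (some bots check for that and skip such inputs).
const HONEYPOT_CSS = ".hp-wrap { position: absolute; left: -9999px; }";

// Server side: classify a parsed form body (plain object of field values).
// Only a filled-in decoy is treated as spam; an empty field is what a real
// browser submits, and the field is simply ignored afterwards.
function classifySubmission(fields) {
  const value = fields[HONEYPOT_FIELD];
  if (typeof value === "string" && value.trim() !== "") return "spam";
  return "ok";
}

// Constructed sample submissions: a real browser sends the decoy empty;
// a form-filling bot populates it like any other text input.
const humanPost = { name: "Alice", comment: "Nice article", City_2: "" };
const botPost = { name: "x", comment: "cheap pills", City_2: "Springfield" };
```

`classifySubmission` is meant to run before the comment touches the database, so a tripped decoy is dropped silently rather than reported back to the bot.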
A: 

This is a very good working solution, I'm using it in my projects.

It's worth a try...

astropanic
That looks like a centrally managed service to flag my comments as spam or not. I would prefer to have everything local to my system and not rely on a 3rd party. Thanks though
TimJK
A: 

I use Akismet, which is really just very similar to an email spam filter, but quite powerful as it continuously builds a Bayesian profile with the combined spams of every site using the service (about 18 million comments per day). Their web service is extremely simple and very fast - just send the comment over the wire and they will send back a "spam" or "not spam" response. There are existing Akismet libraries for almost every platform.

On my site, if the comment passes, I put it in the database, otherwise I just silently ignore it.

Rex M
I've modified my question, no centralized spam management system please. (Don't want to rely on 3rd parties)
TimJK
A: 

Get rid of 99% spam, see this - http://wordpress-plugins.feifei.us/hashcash/

Obviously it only prevents automated spam, use it together with Akismet or something else and get a 100% protection.

Update: How does HashCash work? Spamming costs nothing (it's free using botnets), that's why it works. So the idea is that if this process can be made (CPU) expensive then bulk spamming/messaging would not work. More details are here - http://en.wikipedia.org/wiki/Hashcash

A simpler version can be implemented using JavaScript. Before submitting the form, the script would produce a computed value. This process has to be CPU expensive. Most botnets would avoid doing so and hence no automatic spam.

Arpit Tambi
It's unclear to me how HashCash works. Do you mind elaborating?
TimJK
updated answer with more info
Arpit Tambi
A: 

I recently tried one very simple-minded technique. I noticed that when presented with a collection of radio buttons, the spam bots seem to always either choose the first option or accept whatever was pre-checked. So on one web site I run I have a form that users fill out with maybe half a dozen questions. One of the questions is a "type of entry" with radio buttons for the choices. So I added a new first choice, "I am a spammer", with a parenthetical comment explaining why the choice is there, and made it the default. If the form is submitted with that option checked, I return an error message instead of the usual confirmation message. Since doing that, the amount of spam I get has dropped to almost nothing. I don't know if what's left is spam bots that take a different strategy -- randomly choose among available radio buttons perhaps -- or if it's human spammers rather than robots.

Mostly I did this as an experiment to see if it would work -- and frankly because it was fun to trick the spam bots into simply confessing and turning themselves in! Mostly I bring it up for discussion: maybe it will contribute to a better idea.

If a spammer decided that my little site was worth devoting their special attention, they could easily beat this with a slightly smarter spam bot. But that could be said of many anti-spam schemes.

Jay
A: 

No answers so far appear to specifically address the Original Poster's question.

I'm also looking for an answer to this question.

A: 

General comment about any anti-spam system: Nothing you do is going to be 100% secure. If your site is big enough or rewarding enough that a spammer decides to devote special attention to breaking it, they'll probably find a way. But it's like they routinely say about home security: Sure, a skilled, professional thief can beat any alarm system the average home owner is likely to be able to afford. But you'll keep out the clumsy amateurs, and if you make it enough trouble for the professional, you increase the risk for him that by the time he breaks it, you'll have returned home or a neighbor will see him and call the police. When I worked for the military, we routinely talked about the balance between security and preventing the legitimate users from doing their jobs. The goal in the military is not some hypothetical "absolute security", but rather something good enough to reduce the risk to "acceptable levels" consistent with minimum inconvenience to authorized people. Obviously what constitutes "acceptable" depends on what you're protecting: I certainly hope that the people who were protecting nuclear warheads insisted on a higher level of security than we put around radar systems. People in areas where attacks were suspected, like bases in the Middle East, had higher security than we had in middle-America bases. Etc.

Point being: How likely a target is your site? I certainly hope my bank uses tighter security to protect my money than I bother to use to prevent spam abstract submissions on the convention site I run. Sites that have millions of visitors and are well-known probably need better security than obscure sites with thousands or hundreds of visitors. How much is "good enough"?

Jay