+1  Q: 

spam filter logic

Hi!

I know you guys will be able to tell me what I can't. That's why I'm here.

Basically I need to have an antispam bot mechanism for any site I create. The problem is that sometimes they are too complex, or I don't have time to put one on the website, considering that some sites are already done and some have stiff deadlines. I have been thinking about how these spammers attack your site. Most of the antispam tools (reCAPTCHA, Akismet, etc.) use the same principle to avoid spam: they use some sort of random images (with words), and people can just guess the words based on what they think is the correct word. Now, can't I just create a random word that people can enter (based on a given question)? Say, in the antispam field I have a simple question: "What is the sixth planet in the solar system?" The registrant answers "saturn", he gets the correct answer, and his registration goes through... Can spammers answer these kinds of random questions?

Just thinking...

Thanks in advance!

+1  A: 

There are a lot of free captcha controls out there for ASP.Net

I'd stick to one of those and save yourself some coding.

As far as the question idea goes: It could work depending on how you implemented it, but if done wrong a simple dictionary attack would defeat it. It would never be quite as secure, because it's presumed the text of the question would give some sort of clue to the would-be bot attacker. That's assuming people are writing bots specifically to attack you, though, and if they are, you're probably screwed anyway. ;) haha.

commentary on reCAPTCHA

Also for the record, while reCAPTCHA sounds like a fun, free-the-world sort of idea on paper, I tend to disagree with what it's doing. IMO, its use gets into some crazy intellectual property rights gray areas that can dishearten and sometimes dissuade the creative minds that bring us the books we enjoy.

blesh
+1  A: 

The problem with implementing your own is generally not the idea you come up with (though in your case it's trivial enough); it's the actual implementation of it, which you will almost certainly get wrong in some small fashion.

Thus, it's better (faster, easier) to use reCAPTCHA (if it floats your boat).

The thing is, if you implement a custom system, the "general" spammers who want to look for common implementations and solve them will find it hard, but as soon as you are targeted, it's all over.

Noon Silk
A: 

Provided you aren't Google, or Hotmail, you're not going to have any problems.

If your site is not likely to be targeted by spammers who actually engineer some custom code, it should be easy to avoid them.

I'd either have some JavaScript-filled field - which is fine, unless you want people to be able to fill the form legitimately without JavaScript - or, my favourite, a field which needs to be left blank.

Spammers rarely seem to leave fields blank, especially if they're called "email" or "state" or "country" or such like. A spambot can't resist putting some junk in there.

Putting a few of those in (ideally in a div with display:none on) will catch most of them.

Then you can usually find out what's a spammer because he adds a zillion links in the comments field :)

MarkR
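
The blank-field check described in the answer above, as an added example that is not part of the thread: a server-side classifier for a urlencoded form post that flags decoy fields which arrive filled or missing, and counts links in the comment. The field names, the `contact_addr` name for the real e-mail input, the link threshold and the sample form are all assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed decoy names: inputs a human never sees because they sit in a hidden div.
HONEYPOT_FIELDS = ("email", "state", "country")
MAX_LINKS = 3  # assumed threshold for links in the comment field

# Constructed sample form; the real e-mail input uses a different name on purpose.
FORM_HTML = """<form method="post" action="/comment">
  <input name="contact_addr">
  <textarea name="comment"></textarea>
  <div style="display:none">
    <input name="email"> <input name="state"> <input name="country">
  </div>
  <button>Send</button>
</form>"""

LINK_RE = re.compile(r"https?://|<a\s", re.IGNORECASE)


def classify(body: str) -> tuple[bool, list[str]]:
    """Return (is_spam, reasons) for a urlencoded POST body."""
    # keep_blank_values=True, otherwise blank decoys vanish from the result
    # and cannot be told apart from decoys that were never sent.
    fields = parse_qs(body, keep_blank_values=True)
    reasons = []
    for name in HONEYPOT_FIELDS:
        values = fields.get(name)
        if values is None:
            # Browsers submit empty text inputs, so a missing decoy means
            # the post was not built from the rendered form.
            reasons.append(f"{name}: missing")
        elif any(v.strip() for v in values):
            reasons.append(f"{name}: filled")
    links = len(LINK_RE.findall(fields.get("comment", [""])[0]))
    if links > MAX_LINKS:
        reasons.append(f"comment: {links} links")
    return bool(reasons), reasons


# Constructed sample posts.
HUMAN = ("contact_addr=jan%40example.org&comment=Nice+post%2C+see+"
         "http%3A%2F%2Fexample.org&email=&state=&country=")
BOT = ("contact_addr=x%40example.com&comment=buy+http%3A%2F%2Fa.example+"
       "http%3A%2F%2Fb.example+http%3A%2F%2Fc.example+http%3A%2F%2Fd.example"
       "&email=x%40example.com&state=NY&country=US")

if __name__ == "__main__":
    for label, body in (("human", HUMAN), ("bot", BOT)):
        print(label, classify(body))
```

Browser autofill can populate hidden inputs with names like "email", so the decoys may also need `autocomplete="off"` to avoid rejecting real users.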
A: 

Thanks guys! Learned a lot from all of your inputs. I guess I just have to go with either the blank field suggested, for easier implementation, or if I have ample time, go for captcha.

Thanks!

jan
you should put this in comments. Just like I did.
this. __curious_geek