Bot registration protection

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.


AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Bot registration protection

Post by AGISB »

feyd v3 | this thread was created on behalf of this thread


Well, security-wise I'd rather keep blind people from accessing the site than have spambots trash my forums.

Does the UK really have a law making websites illegal?

How about I put my site up in German. Is this illegal as well, as it keeps someone who could not speak German from accessing the site?

Speak about weird laws.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

why not just do what we did at one point, and will likely redo... change the way the form is displayed or generated to be nonregular. At the same time, add restrictions and instant banning to any post to the form that doesn't fit this new code path. A human can't screw it up, but most bot registration scripts will.

Something else to think about is changing the policies against the people this bot is targeting with its advertising or whatever they are doing. For example, the new one here will probably disallow anonymous users sight of any user-posted links, signatures, images, and avatars. It's also possible all users will be displayed as generic names like user32167, with no personal information displayed on the side of their posts. Attempting to view a profile of a user would have the same policies, as well as a memberlist view.

Doing that stuff alone makes it very difficult for these people to get a tangible page rank jump, or other responses that they typically target.
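One way to build the "nonregular" form with instant banning that feyd describes, as an added illustration that is not the forum's own code. `FORM_KEY`, `FIELDS`, the decoy field, the session id and the in-memory `$banned` list are assumptions; a real site would persist bans.

```php
<?php
// Added illustration, not the forum's code. FORM_KEY, FIELDS, the decoy field
// and the $banned list are assumptions.
const FORM_KEY = 'replace-with-random-server-side-secret'; // constructed value
const FIELDS = ['username', 'email', 'password'];

// Per-session alias for a logical field, so the markup differs per visitor.
function fieldAlias(string $field, string $sessionId): string {
    return 'f' . substr(hash_hmac('sha256', $field, FORM_KEY . $sessionId), 0, 12);
}

function renderForm(string $sessionId): string {
    $html = "<form method=\"post\">\n";
    foreach (FIELDS as $f) {
        $html .= '<label>' . $f . ' <input name="' . fieldAlias($f, $sessionId) . "\"></label>\n";
    }
    // Decoy under the regular name, hidden from people and screen readers;
    // it must come back empty.
    $html .= "<input name=\"email\" hidden aria-hidden=\"true\" tabindex=\"-1\" autocomplete=\"off\">\n";
    return $html . "</form>\n";
}

// Returns the real fields, or null after recording a ban when the post did
// not follow the rendered form.
function acceptPost(array $post, string $sessionId, string $ip, array &$banned): ?array {
    $out = [];
    foreach (FIELDS as $f) {
        $a = fieldAlias($f, $sessionId);
        if (!isset($post[$a]) || !is_string($post[$a])) { $banned[$ip] = true; return null; }
        $out[$f] = $post[$a];
        unset($post[$a]);
    }
    foreach ($post as $extra) {   // decoy filled in, or unknown fields sent
        if ($extra !== '') { $banned[$ip] = true; return null; }
    }
    return $out;
}

// Constructed sample run: one post through the rendered form, one with regular names.
$banned = [];
$sid = 'sess-1234';
$good = [fieldAlias('username', $sid) => 'ann', fieldAlias('email', $sid) => 'ann@example.org',
         fieldAlias('password', $sid) => 'x', 'email' => ''];
var_dump(acceptPost($good, $sid, '192.0.2.10', $banned) !== null);
var_dump(acceptPost(['username' => 'bot', 'email' => 'b@example.org', 'password' => 'y'],
                    $sid, '192.0.2.20', $banned), array_keys($banned));
```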
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

Sure, you can do many things to keep bots out, but there must be a reason why Yahoo and many other big sites do it this way.
I am not trying to protect a forum but publicly accessible functions like password lookup and account creation that can be a good target for DDoS.


Anyway I am not forcing anyone to use the code ;)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

yeah.. it's called lazy.

another thing we/I am contemplating is adding code to not display any users who have never logged in. If they have not logged in within... say 3 months, their account is deactivated or removed. An account being inactivated would silence any of their display in any list.
fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

Post by fresh »

How could handicap accessibility laws affect websites? The output is text based, and you could suggest the page is a text file, which it is, and therefore the author can not be obligated to make it accessible to the blind or deaf. Just like a book or magazine, you certainly don't see Rolling Stones Magazine including braille. However, I don't know the laws on website accessibility so there may be a valid argument that I have overlooked.

Anyway, nice code man :)
Last edited by fresh on Fri Jan 21, 2005 1:20 am, edited 2 times in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

there are braille computer displays..
fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

Post by fresh »

yeah, but how are they to know where to click a link or enter their names and passwords to login?

EDIT: oh displays.. how does that work?

EDIT2: A braille display is a tactile device consisting of a row of special 'soft' cells. A soft cell has 6 or 8 pins made of metal or nylon; pins are controlled electronically to move up and down to display characters as they appear on the display of the source system - usually a computer or braille note taker. Soft braille cells have either 6 or 8 dot pins depending on the model. Advanced braille code features 8 dot braille, but most will probably only use the 6 dot code. Dots 7 and 8, if present, can be used to show the position of the cursor in the text or for European 8 dot braille. They can also be used for advanced maths work and for computer coding.

I don't think that the blind could log in to a forum because they would not know that there were text boxes on the page, I don't even think the display device would even work the way you may think.. it seems to be for word processing. I'd say that anyone that uses the code should be OK.. ;)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

the ones I'm thinking of, use screen reading technology, and a special keyboard with many many solenoids that raise and lower hard plastic pins creating the braille letters/word-combinations for them to read.

Have you seen Blade: Trinity? If you have, then you've seen one of these keyboards. Natasha Lyonne's character, Sommerfield, had a purple one (if I remember correctly)


I remember hearing of a new braille display being worked on that actually raised the surface of an LCD panel to make the entire display tactile (yet still usable for the sighted)
Last edited by feyd on Fri Jan 21, 2005 1:37 am, edited 1 time in total.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

The problem is how could a developer know what technicalities he would have to observe to be compliant.

I personally have never seen a braille display and have no clue how it works.
However there are simple things that should be observed and could be checked with 'Lynx'. If a website is displayable with Lynx it probably is accessible for nearly everyone.

Important parts are to use alt and title tags on every image. If you use graphics for design it should always have an alt="" tag to avoid being displayed in text browsers.

This site describes it very well for search engines and can somehow be translated into this disability topic:

http://www.woodshed.de/english/dialog-robot.html


As I want to protect my password lookup tool with captcha and there would be customer support ways to get a password info it won't actually discriminate any user.

However, after I thought about the above comments I noticed that I unwillingly have already protected my signup procedure by other means.
As the form input goes thru a validation process it displays the input for the user to change or verify. As the actual page that writes the data relies on a verified data hash from the verification page no machine will ever be able to submit as only one instance of this input is allowed.
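A sketch of the verify-then-write flow AGISB describes, as an added example that is not AGISB's code: the verification page signs the validated input, and the write page accepts only unmodified data with a token it has not seen before. `SECRET`, the field names, the 10-minute lifetime and the in-memory `$usedTokens` store are assumptions.

```php
<?php
// Added example, not AGISB's code. SECRET, the field names and the in-memory
// $usedTokens store are assumptions; a real site would keep used tokens in a
// database or the session.
const SECRET = 'replace-with-random-server-side-secret'; // constructed value

// Verification page: sign the validated fields together with a nonce and expiry.
function issueToken(array $data, int $now): string {
    ksort($data);
    $nonce = bin2hex(random_bytes(16));
    $expires = $now + 600;
    $mac = hash_hmac('sha256', $nonce . '|' . $expires . '|' . json_encode($data), SECRET);
    return "$nonce.$expires.$mac";
}

// Write page: the data must match what was verified, the token must be
// unexpired, and each token is honoured exactly once.
function redeemToken(string $token, array $data, array &$usedTokens, int $now): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 3) return false;
    [$nonce, $expires, $mac] = $parts;
    ksort($data);
    $expected = hash_hmac('sha256', $nonce . '|' . $expires . '|' . json_encode($data), SECRET);
    if (!hash_equals($expected, $mac)) return false;            // altered data or forged token
    if (!ctype_digit($expires) || (int)$expires < $now) return false;
    if (isset($usedTokens[$nonce])) return false;                // second use of the same token
    $usedTokens[$nonce] = true;
    return true;
}

// Constructed sample run: first submit, replay of the same token, altered data.
$used = [];
$form = ['user' => 'alice', 'email' => 'alice@example.org'];
$token = issueToken($form, time());
var_dump(redeemToken($token, $form, $used, time()));
var_dump(redeemToken($token, $form, $used, time()));
$other = issueToken($form, time());
var_dump(redeemToken($other, ['user' => 'bob', 'email' => 'alice@example.org'], $used, time()));
```

This rejects direct posts to the write page, altered data and repeated submissions; it does not by itself distinguish a person from a script that loads both pages.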
fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

Post by fresh »

haha no, haven't seen those I guess, but I referenced this page for information:

http://www.deafblind.com/display.html

Does this look like what you are talking about:

Image

If so, that device is for word processing.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

At any rate, we've had an interesting discussion, again, about this form of registration protection.

I see no major problem with using it, provided alternate ways to verify a pulse are provided. However, I'd only use this on a site where these jerks are a real major problem.

I'd definitely be interested to know of alternate ways of dealing with those more determined jerks wishing to register.
fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

Post by fresh »

feyd, I wrote that JAVA application and it works if you want to write a front end for it you could really take control.. you just need to write a front end for it.

If you want it, just ask, I can post the source as a snippet or PM it to you, whatever you want.. I think it's worth taking a look at.. :)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The Java tool is an interesting concept, but I don't see a point in finding out the real IP of this "unwanted" user... as they are already going through zombie proxies to do most of the work (as far as I've seen)

the only reason I'd want their "true" IP is for giving to the authorities to let them handle it.

One nice thing I see about the image verification is it requires the spammer to either waste time and money to compute the information for it, or figure out an alternate way of getting someone else to fill in the information for them (phishing).

Phishing goes out the window if the image verification is independently dynamic, so each request of the image generates a complete new one. Creating an analyzer for it goes out the window, if the routine used is changed at ~random intervals (manually or otherwise).. Given enough combinations of things, various formats, sizes; the number of permutations needed could be in the billions.. but that depends on how fragile and similar the routines used are.


This whole thing is probably getting way off topic, so we may split this into the Theory forum in the next day or so..

--feyd v6
fresh
Forum Contributor
Posts: 259
Joined: Mon Jun 14, 2004 10:39 am
Location: Amerika

Post by fresh »

zombie proxies... so these people are spamming you through exploited PCs?? That's insane, these people are seriously hard up for money. If they are indeed doing that then the JAVA application is worthless.

Well then if identifying the user is not going to work then tagging them at registration time is not going to work. I still say you need to focus on the posting.php page... because it's not like you're getting overrun by fake accounts, so the problem lies in the posting function. I would test this script I wrote out on a mock forum just to see if it works:

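Code:

<?php
// Check for and bleep curse words.
// $message is the submitted post text (e.g. inside posting.php).
// Each entry in $curse is replaced by the entry at the same index in $bleeped.
$curse = array("bad word 1", "bad word 2", "bad url 1", "bad url 2");
$bleeped = array("*** **** *", "*** **** *", "*** *** *", "*** *** *");
// str_ireplace() matches case-insensitively, so "Bad Word 1" is caught as well.
$message = str_ireplace($curse, $bleeped, $message);
?>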
I would try adding words like (sex, porn, etc), you could write a function that sets a flag if these posts are found and could delete them if found in URLS or anything accompanied by http:// or ftp:// or https://.. and only bleep them out if not accompanied by the http://, etc..

This would prevent the spammers from posting their links and would give them no reason to use this forum for spamming. Now of course I am sure some would slip through, maybe some with a redirector from one server not containing sex, or porn in the link, but even so, I would say that this is the path to take in order to defeat this problem or at least prevent a lot of it.
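The flag-or-bleep function fresh outlines could look like this; it is an added example, not fresh's script. The function name, the return shape, the whole-word matching and the sample posts are assumptions, and the term list uses the words named in the post.

```php
<?php
// Added example, not fresh's script. filterPost(), its return shape and the
// sample posts are constructed for illustration.
function filterPost(string $message, array $banned): array {
    // Links as listed in the post: http://, https:// or ftp://
    preg_match_all('~\b(?:https?|ftp)://[^\s<>"\']+~i', $message, $m);
    foreach ($m[0] as $url) {
        $decoded = rawurldecode($url);   // percent-encoding must not hide a term
        foreach ($banned as $term) {
            if (stripos($decoded, $term) !== false) {
                return ['action' => 'delete', 'flagged' => $url, 'message' => null];
            }
        }
    }
    // No banned link: bleep whole-word matches only, keeping the word length,
    // so ordinary words that merely contain a term are left alone.
    $alt = implode('|', array_map(fn($t) => preg_quote($t, '~'), $banned));
    $clean = preg_replace_callback(
        '~\b(?:' . $alt . ')\b~i',
        fn($hit) => str_repeat('*', strlen($hit[0])),
        $message
    );
    return ['action' => 'allow', 'flagged' => null, 'message' => $clean];
}

// Constructed sample posts
$banned = ['sex', 'porn'];
$posts = [
    'Great deals at http://example.com/p%6Frn-pics today',  // term inside an encoded link
    'I moved to Essex last year',                           // contains a term, not a whole word
    'This thread is about SEX education',                   // whole word outside a link
];
foreach ($posts as $p) {
    print_r(filterPost($p, $banned));
}
```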
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

feyd wrote: there are braille computer displays..
In order to use a braille display for a security image you'd have to put whatever the user is supposed to retype in the alt text of the image.. which would rather defeat the purpose of the security image.