
Attack of the spam bots. Who: Jake Munson. Company: Idaho Power. Website: http://techfeed.net/blog/






Presentation Transcript


  1. Attack of the spam bots
     Who: Jake Munson
     Company: Idaho Power
     Website: http://techfeed.net/blog/
     Email: yacoubean@gmail.com
     Location: Kuna, ID

  2. What is a spam bot?
     • Any kind of spam that comes in through web forms:
     • Comment spam in blogs
     • Feedback forms
     • Registration forms

  3. How do spam bots work?
     • Automated software
       • Directly attacks the form processor
       • Cached forms
       • http://www.botmaster.net/: “This autosubmitter uses a huge database of forums, guestbooks, wikis and blogs to post messages... its ability to work around most types of 'captchas'.”
     • Manual spammers
       • Armies of cheap labor

  4. How do you stop them?
     • Remove feedback options
     • Moderation queues
     • CAPTCHA: the user has to prove they are human
     • Emerging methods: make the spammer prove they aren't a spammer

  5. CAPTCHA
     Completely Automated Public Turing test to tell Computers and Humans Apart
     [Image: CAPTCHA example with the prompt “Please enter the text you see in the image:”]
     • The Good
       • Can be very effective: OCR software has difficulty reading the image
       • Automated: no moderation is necessary
     • CAPTCHA in ColdFusion
       • Alagad Captcha: http://www.alagad.com/index.cfm/name-captcha
       • Lyla Captcha: http://lyla.maestropublishing.com/

  6. CAPTCHA
     • The Bad
       • Accessibility problems: CAPTCHA is designed to defeat automated screen readers, and blind people use screen readers
       • Linux problems: difficult, but not impossible, to run CF-based CAPTCHAs on headless Linux
       • #1 web design rule: “Don't make me think” (Steve Krug). CAPTCHA is designed to make the user think, which is bad for usability; some CAPTCHAs are so difficult that the user needs multiple attempts
     • Charlie Arehart discusses making CAPTCHA easier: http://carehart.org/blog/client/index.cfm/2006/8/17/the_angst_against_captchas
       “I don't use (Captchas) as a double-key deadbolt lock to keep out intruders, I just use them as a screendoor to keep out random pests”

  7. Programmatically identify spammers
     Users are innocent until proven guilty. Body of evidence to prove innocence:
     • Mouse movement
     • Keyboard usage
     • Hidden field is left empty
     • Normal time to fill out the form
     • 1 or fewer URLs in the form contents
     • Form contents are not “spammy”

  8. Mouse movement
     Users move mice; spam bots don't

  9. Keyboard usage
     Users bang on keyboards; spam bots don't

  10. Three more key clues
      The evidence is starting to pile up
      • Hidden field is left empty: spammers fill out all fields
      • Normal time to fill out the form: software is a lot faster than users
      • 1 or fewer URLs in the form contents: spammers like to... well, spam
      • Dave Shuck's idea

  11. The final straw
      If all else fails, call in the Dream Team
      • If you want to use any of these ideas, use Akismet: http://www.akismet.com/
      • Similar to virus definitions: you send the form contents to a web service and it returns true or false
      • Compares the form contents to a vast database of known form spam
      • A community of web developers contributes to the database
      • Extremely accurate

  12. If it walks like a duck...
      Users don't do spammy things
      • Each test is unreliable by itself
      • Many tests together can identify spammers
      • CFFormProtect: http://cfformprotect.riaforge.org/
      • Others are doing it: Ben Nadel, http://bennadel.com/index.cfm?dax=blog:405.view
      • Be creative!
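The "body of evidence" tests from slides 7 through 10, combined the way slide 12 describes (each test contributes a little, and only the total decides), as an added JavaScript example. This is not code from the presentation or from CFFormProtect; the field names (mouseMoved, keyUsed, honeypot, formLoadedAt, submittedAt), the point values, the threshold and the spammy-term list are all assumptions chosen for the example, and the two sample submissions are constructed. The mouse and keyboard flags are assumed to be set by client-side script on the form page and posted along with it; this block is the server-side scoring that consumes them.

```javascript
// Added example, not the presentation's or CFFormProtect's own code.
// Scores a posted form against the evidence tests on slides 7-10: no mouse
// movement, no keyboard usage, a filled-in hidden field, a too-fast fill time,
// more than one URL, and spammy wording. Field names and points are assumed.

// Matches http(s):// links and bare www. links in the posted body.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+|\bwww\.[^\s<>"']+/gi;

// Constructed, deliberately tiny term list; a real deployment would tune this.
const SPAMMY_TERMS = ['cheap pills', 'casino', 'buy now'];

function countUrls(text) {
  return (text.match(URL_RE) || []).length;
}

function looksSpammy(text) {
  const lower = text.toLowerCase();
  return SPAMMY_TERMS.some((term) => lower.includes(term));
}

// Each test is unreliable on its own (slide 12), so each only adds points.
// The submission is treated as spam only when the total reaches the threshold.
function scoreSubmission(sub, opts = {}) {
  const minSeconds = opts.minSeconds ?? 5;   // assumed "normal" minimum fill time
  const threshold = opts.threshold ?? 3;     // assumed rejection threshold
  const reasons = [];
  let score = 0;

  if (!sub.mouseMoved) { score += 1; reasons.push('no mouse movement'); }
  if (!sub.keyUsed)    { score += 1; reasons.push('no keyboard usage'); }

  // The hidden field is invisible to users; a bot "fills out all fields".
  if (sub.honeypot && sub.honeypot.length > 0) {
    score += 2; reasons.push('hidden field filled in');
  }

  // Timestamps are milliseconds; software is much faster than people.
  const elapsed = (sub.submittedAt - sub.formLoadedAt) / 1000;
  if (elapsed < minSeconds) { score += 1; reasons.push(`submitted in ${elapsed}s`); }

  const urls = countUrls(sub.body);
  if (urls > 1) { score += 1; reasons.push(`${urls} URLs in body`); }

  if (looksSpammy(sub.body)) { score += 1; reasons.push('spammy content'); }

  return { spam: score >= threshold, score, reasons };
}

// Constructed sample submissions: one human-looking, one bot-looking.
const HUMAN_SUBMISSION = {
  mouseMoved: true, keyUsed: true, honeypot: '',
  formLoadedAt: 0, submittedAt: 45000,
  body: 'Great post, thanks! My own notes are at http://blog.example/notes',
};
const BOT_SUBMISSION = {
  mouseMoved: false, keyUsed: false, honeypot: 'http://spam.example',
  formLoadedAt: 0, submittedAt: 800,
  body: 'Buy now cheap pills http://a.example http://b.example www.c.example',
};

console.log(scoreSubmission(HUMAN_SUBMISSION));
console.log(scoreSubmission(BOT_SUBMISSION));
```

The returned reasons list is what you would log for a rejected post, so that a false positive (a real user on a keyboard-only browser, say) can be recognised from the log rather than argued about; the two-point weight on the hidden field reflects that it is the least ambiguous of the six tests.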

  13. Questions?
