Do spambots directly POST to server or fill out HTML forms? [closed]

I'm looking at using an alternative to Captcha (or Recaptcha) for the registration form on a website I'm working on.

I believe Captchas negatively affect UX. I was looking into using hidden fields, but apparently they're not effective at all (Reference: http://radio.javaranch.com/davo/2008/10/15/1224063498569.html).

A comment on that article states:

As someone that writes CAPTCHA crackers as part of my job (no, not for spamming), I can assure you that a hidden field would in no way trip me up. As another poster mentioned, I check the over the wire traffic, and don't pay much attention to what happens to be in the HTML of the form.

This led me to believe that spambots make direct POST requests to the server, rather than request the form and fill it out.

If that is the case, what if I create a hidden, read-only field that I pre-populate with a hash stored in SESSION? When the user submits the form, I can compare the values. Would this work as a way to keep away spambots, or am I overlooking something?

If the form is never requested, I, of course, would not find any hash stored in session and could thus ignore the request.

xbonez asked May 23 '12 05:05


2 Answers

Adding another field with a challenge tied to a server-side session variable is a good approach; it would require considerably more effort on the side of spam bots, i.e. they have to load and parse the form, fill it out and make another request (sending along the necessary cookies).

You could also consider adding JavaScript to modify the given challenge and modify it in a certain way. The attacker would then need to find out what your code does before they can replicate it in an automated fashion. Transformations could be a simple rot13 or more complicated xor operations. Things like md5, sha1 are established algorithms so those are a poor choice; it has to be custom.

Of course, if an attacker is bound on targeting your site, there's not much you can do to prevent spam from coming in; that's the ugly truth. For instance, they could run Selenium and circumvent all the JavaScript protection you have carefully built in.

Ja͢ck answered Sep 21 '22 05:09
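The session-bound hidden challenge described in the answer above, as an added example (not code from the question or either answer): a stdlib-only Python sketch that assumes a hypothetical in-memory session store `SESSIONS` and a `TOKEN_TTL_SECONDS` expiry, and rejects a POST whose session never requested the form, a replayed token, an expired token, or a mismatched value.

```python
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server-side session store: session id -> session data.
# A real deployment would use the web framework's session backend instead.
SESSIONS: dict = {}
TOKEN_TTL_SECONDS = 600  # the challenge must be submitted within 10 minutes


def issue_challenge(session_id: str, now: Optional[float] = None) -> str:
    """Called when the form is requested (GET): mint a fresh random token,
    remember it (with its issue time) in the session, and return it so it
    can be rendered into the form as a hidden field."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["form_token"] = (token, now)
    return token


def hidden_field(token: str) -> str:
    """Render the hidden input carrying the challenge (URL-safe chars only,
    so no HTML escaping is needed for this token format)."""
    return f'<input type="hidden" name="form_token" value="{token}">'


def verify_submission(session_id: str, posted: dict,
                      now: Optional[float] = None) -> bool:
    """Called on POST. A session that never loaded the form has no stored
    token, so a direct POST is rejected. The stored token is consumed on
    every attempt, making each challenge single-use."""
    now = time.time() if now is None else now
    session = SESSIONS.get(session_id)
    if not session or "form_token" not in session:
        return False  # form never requested in this session: direct POST
    expected, issued_at = session.pop("form_token")
    if now - issued_at > TOKEN_TTL_SECONDS:
        return False  # challenge expired; the user must reload the form
    submitted = posted.get("form_token", "")
    # constant-time comparison so the token can't be recovered via timing
    return hmac.compare_digest(expected, submitted)
```

Note that this only raises the cost for bots that POST blindly; as the answer says, a bot that loads the form and replays the cookie jar passes this check.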


Unfortunately, I suspect that you already have spammers specifically targeting your site. If you've manually implemented login and registration, it's unlikely that a spambot would have logic capable of signing up without being specifically tailored to your forms.

The other solutions are good, and while they will help, none of them will prevent even a moderately determined spammer. Plenty of spambots operate as browser plugins, so trusting that a spambot can't evaluate JavaScript or won't call for the form in the first place is unlikely to help you for very long. At the very least, a CAPTCHA for registration (and perhaps for each post, or whatever your site does, until the account is manually approved) is probably going to be mandatory.

I know you don't want to impact the user experience, but spam messages and accounts are far more detrimental to UX than CAPTCHAs. Bite the bullet and do everything you can to slow spammers down, or your users will look elsewhere.

Granted, CAPTCHAs are not complete solutions - there exists software that can solve them (in some cases) more accurately than humans. They, like enriched breakfast cereal, are merely part of this complete breakfast - and no one in their right mind would start the day off with SPAM. ;)

Moderating new users will likely prove to be very helpful.

Winfield Trail answered Sep 21 '22 05:09