Better Honeypot Implementation (Form Anti-Spam)


Problem description


How do we get rid of these spambots on our site?

Every site falls victim to spambots at some point. How you handle it can affect your customers, and most solutions can discourage some people from filling out your forms.

That's where the honeypot technique comes in. It allows you to ignore spambots without forcing your users to fill out a captcha or jump through other hoops to fill out your form.

This post is purely to help others implement a honeypot trap on their website forms.


Update:

Since implementing the below honeypot on all of my clients' websites, we have successfully blocked 99.5% (thousands of submissions) of all our spam. That is without using the techniques mentioned in the "advanced" section, which will be implemented soon.

Solution

Concept

By adding an invisible field to your forms that only spambots can see, you can trick them into revealing that they are spambots and not actual end-users.

HTML

<input type="checkbox" name="contact_me_by_fax_only" value="1" style="display:none !important" tabindex="-1" autocomplete="off">

Here we have a simple checkbox that:

  • Is hidden with CSS.
  • Has an obscure but obviously fake name.
  • Has a default value equivalent to 0.
  • Can't be filled by auto-complete
  • Can't be navigated to via the Tab key. (See tabindex)

Server-Side

On the server side we want to check to see if the value exists and has a value other than 0, and if so handle it appropriately. This includes logging the attempt and all the submitted fields.

In PHP it might look something like this:

$honeypot = FALSE;
if (!empty($_REQUEST['contact_me_by_fax_only']) && (bool) $_REQUEST['contact_me_by_fax_only'] == TRUE) {
    $honeypot = TRUE;
    log_spambot($_REQUEST);
    # treat as spambot
} else {
    # process as normal
}

Fallback

This is where the log comes in. In the event that somehow one of your users ends up being marked as spam, your log will help you recover any lost information. It will also allow you to study any bots running on your site, should they be modified in the future to circumvent your honeypot.

Reporting

Many services allow you to report known spambot IPs via an API or by uploading a list. (Such as CloudFlare) Please help make the internet a safer place by reporting all the spambots and spam IPs you find.

Advanced

If you really need to crack down on a more advanced spambot, there are some additional things you can do:

  • Hide honeypot field purely with JS instead of plain CSS
  • Use realistic form input names that you don't actually use. (such as "phone" or "website")
  • Include form validation in honeypot algorithm. (most end-users will only get 1 or 2 fields wrong; spambots will typically get most of the fields wrong)
  • Use a service like CloudFlare that automatically blocks known spam IPs
  • Have form timeouts, and prevent instant posting. (forms submitted in under 3 seconds of the page loading are typically spam)
  • Prevent any IP from posting more than once a second.
  • For more ideas look here: How to create a "Nuclear" honeypot to catch form spammers
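The server-side check from the answer, combined with three of the "advanced" items (form timeout, per-IP rate limit, and full logging of rejected submissions for the fallback), as an added example that is not part of the original post. It is written in Python rather than PHP so the logic is framework-neutral; the field name comes from the answer's HTML, the 3-second and once-per-second thresholds from the advanced list, and it assumes the page-load time is available from something like a signed hidden timestamp field (not shown here).

```python
from dataclasses import dataclass, field

HONEYPOT_FIELD = "contact_me_by_fax_only"   # name of the hidden checkbox in the answer's HTML
MIN_FORM_SECONDS = 3.0                        # submitted under 3 s after page load: typically spam
MIN_GAP_PER_IP = 1.0                          # no IP may post more than once a second


@dataclass
class HoneypotChecker:
    # "Fallback": every rejected submission is kept in full so a mis-flagged
    # human's data can be recovered and bot behaviour can be studied later.
    spam_log: list = field(default_factory=list)
    last_post_by_ip: dict = field(default_factory=dict)

    def classify(self, form, client_ip, loaded_at, now):
        """Return (is_spam, reason) for one submission.

        form      -- dict of submitted field names to values
        client_ip -- remote address of the poster
        loaded_at -- epoch seconds when the form page was served (assumed to be
                     carried in a signed hidden field; not implemented here)
        now       -- epoch seconds at submission time
        """
        reason = None
        # Mirrors the PHP check: PHP's empty() treats "" and "0" as unset, so
        # only a non-zero value means the invisible checkbox was ticked.
        if form.get(HONEYPOT_FIELD, "0") not in ("", "0"):
            reason = "honeypot field filled"
        elif now - loaded_at < MIN_FORM_SECONDS:
            reason = "submitted too fast"
        elif now - self.last_post_by_ip.get(client_ip, float("-inf")) < MIN_GAP_PER_IP:
            reason = "ip rate limit"
        # Every post counts toward the per-IP rate limit, spam or not.
        self.last_post_by_ip[client_ip] = now
        if reason:
            self.spam_log.append({"ip": client_ip, "reason": reason, "fields": dict(form)})
            return True, reason
        return False, None


if __name__ == "__main__":
    # Constructed sample submissions: one human, one bot that ticked the checkbox.
    checker = HoneypotChecker()
    print(checker.classify({"name": "Ann", HONEYPOT_FIELD: ""}, "10.0.0.1", 100.0, 110.0))
    print(checker.classify({"name": "x", HONEYPOT_FIELD: "1"}, "10.0.0.2", 100.0, 110.0))
    print(checker.spam_log)
```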
