Negative Captchas - help me understand spam bots better

Question

I have to decide on a technique to prevent spam bots from registering on my site. In this question I am mainly asking about negative captchas.

I came to know about many weaknesses of bots but want to know more. I read somewhere that the majority of bots do not render/support JavaScript. Why is it so? How do I test that the visiting program can't evaluate JavaScript?

I started with this question: "Need suggestions/ideas for easy-to-use but secure captchas". Please answer that question if you have some good captcha ideas.

Then I got ideas about negative captchas here: http://damienkatz.net/2007/01/negative_captch.html

But Damien has written that "though this technique likely won't work on big community sites (for long), it will work just fine for most smaller sites."

So, what are the chances of somebody making site-specific bots? I assume my site will be a very popular one. How safe will this technique be, considering that?

Negative captchas using complex honeypot implementations are described here: http://nedbatchelder.com/text/stopbots.html

Does anybody know how easily it can be implemented? Are there some plugins available?

Thanks

Sandeepan

Recommended answer

I read somewhere that the majority of bots do not render/support JavaScript. Why is it so?

Simplicity of implementation — you can read web page source and post forms with just a dozen lines of code in high-level languages. I've seen bots that are ridiculously bad, e.g. parsing HTML with regular expressions and getting ../ in URLs wrong. But it works well enough apparently.

However, running a JavaScript engine and implementing a DOM library is a much more complex task. You have to deal with scripts that do while(1);, that depend on timers, external resources, CSS, sniff browsers and do lots of crazy stuff. The amount of work you need to do quickly starts looking like writing a full browser engine.

It's also computationally much, much more expensive, so probably it's not as profitable for spammers — they can have a dumb bot that silently spams 100 pages/second, or a fully-featured one that spams 2 pages/second and hogs the victim's computer like a typical web browser would.

There's a middle ground in implementing just a simple site-specific hack, like filling in a certain form field if a known script pattern is noticed in the page.

So, what are the chances of somebody making site-specific bots? I assume my site will be a very popular one. How safe will this technique be, considering that?

It's a cost/benefit trade-off. If you have a high PageRank, lots of visitors or something of monetary value, or useful for spamming, then some spammer might notice you and decide a workaround is worth his time. OTOH if you just have a personal blog or small forum, there are a million others unprotected waiting to be spammed.
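
Added example, not part of the original question or answer: server-side checks (Node.js) for a negative-captcha signup form, combining a CSS-hidden field that must stay empty with a hidden field that only a client evaluating JavaScript fills in. The field names (`website`, `js_check`, `ts`, `token`), the secret, the time limits and the `jsAnswer` computation are assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: real code loads this from config
const MIN_FILL_MS = 3000;                 // a person rarely completes signup faster
const MAX_AGE_MS = 60 * 60e3;             // reject stale or replayed forms (1 hour)

const sign = (data) => createHmac('sha256', SECRET).update(data).digest('hex');

// Values the server embeds in hidden fields when it renders the form.
function issueForm(clientIp, now = Date.now()) {
  const ts = String(now);
  return { ts, token: sign(`${ts}|${clientIp}`) };
}

// What the page's inline script computes and writes into js_check;
// a client that never runs JavaScript submits that field empty.
const jsAnswer = (token) => token.split('').reverse().join('').slice(0, 16);

// Returns 'ok' or the name of the first check that failed.
function checkSubmission(fields, clientIp, now = Date.now()) {
  const { ts = '', token = '', website = '', js_check = '' } = fields;
  const expected = Buffer.from(sign(`${ts}|${clientIp}`));
  const given = Buffer.from(String(token));
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return 'bad-token';                   // form was not issued by us to this client
  }
  const age = now - Number(ts);           // ts is trustworthy once the HMAC matched
  if (age < MIN_FILL_MS) return 'too-fast';
  if (age > MAX_AGE_MS) return 'expired';
  if (website !== '') return 'honeypot-filled'; // hidden from people, visible to parsers
  if (js_check !== jsAnswer(token)) return 'no-javascript';
  return 'ok';
}
```

Treat the result as a signal rather than proof: a bot written specifically for the site can reproduce the `js_check` computation, which is the cost/benefit point the answer makes.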
