Defeating spam registrations


Problem description


I am trying to learn as much as possible about running a high-profile website. I am designing some user registration screens and was thinking about the typical CAPTCHA, or annoying alternatives. In my opinion, having them either causes accessibility issues, or simply bothers potential customers and inhibits their registration process.

My question is whether spambots recognize and trigger JavaScript events, such as the keydown or keypress event on an input field. From what I can gather, most bots simply do form posts via the action attribute and don't programmatically "fill out" web forms.

In theory, I could add JavaScript that does something like the following:

<input name="email" id="email" />
<input name="human" id="human" type="hidden" />
<script>
// Fill the hidden field only after a key is pressed in the email field.
var emailField = document.getElementById( 'email' );
emailField.onkeydown = function( ) {
   document.getElementById( 'human' ).value = "human";
};
</script>

Then, on the server side, I could verify that the post data includes a value of "human" for the hidden form field.

Is this a viable solution, at least as effective as typing in a bunch of random, difficult-to-read characters? Would using a random generated value from the server be more helpful in repetitive attempts than a static value of "human"?

Solution

Most spam bots will simply look for a <form> on your page and then post data directly to the URL specified in the action attribute. This is very simple, lightweight, and easy to do.

Some spam bots will actually use a headless browser (such as PhantomJS) which executes JavaScript on the page. These spam bots are much harder to fool, but few bots use this method since it is much more expensive (in CPU and RAM).

I've found that it's generally fine to go for blocking the most common spam bots through a honeypot (field on the page that is removed programmatically, and other similar methods). Some bots will get through, and anyone who does manual analysis to find a way to exploit your page will still get in. For most sites, this is good enough, and provides a good balance in preventing spam while keeping your site usable.
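A server-side sketch of the two ideas discussed above, the honeypot field from the answer and the server-generated value the question asks about, added here as an example and not taken from the original post. It assumes Node.js; the `website` honeypot field name, the timestamp-plus-HMAC token format and both timing thresholds are hypothetical choices made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: a per-deployment secret that never leaves the server.
const SECRET = crypto.randomBytes(32);
const MIN_FILL_MS = 2000;            // assumed: faster than this is not a person typing
const MAX_AGE_MS = 60 * 60 * 1000;   // assumed: forms older than an hour must be reloaded

function sign(issuedAt) {
  return crypto.createHmac('sha256', SECRET).update(String(issuedAt)).digest('hex');
}

// Called when the form is rendered. The page script copies this value into
// the hidden "human" field on keydown, in place of the static "human" string.
function issueToken(now = Date.now()) {
  return `${now}.${sign(now)}`;
}

// Called on POST with the parsed form body. "website" is the hypothetical
// honeypot field: hidden from real users, so any value in it is suspicious.
function checkRegistration(body, now = Date.now()) {
  if (body.website) return 'reject: honeypot filled';
  const [ts, mac] = String(body.human || '').split('.');
  if (!ts || !mac) return 'reject: token missing';
  const expected = Buffer.from(sign(ts), 'hex');
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'reject: token forged';
  }
  const age = now - Number(ts);      // ts is trusted only after the MAC check
  if (age < MIN_FILL_MS) return 'reject: submitted too fast';
  if (age > MAX_AGE_MS) return 'reject: token expired';
  return 'accept';
}
```

Unlike the static value, a signed timestamp cannot be hard-coded into a direct POST and reused indefinitely. A client that loads the page and runs its script still receives a valid token, so this filters the simple bots the answer describes rather than the headless-browser ones.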
