像Facebook这样的网站如何保护机器人没有任何验证码 [英] How websites like Facebook are protected against bot without any captcha
问题描述
我想为项目创建一个注册表单,我不想在注册和Captchas的机器人经常是丑陋的..
编辑:
我的问题真的是在注册期间,因为我知道Facebook使用Captchas一次注册
Facebook使用某种隐藏的垃圾邮件保护,如果您查看注册表单的来源,您将看到事情如:
class =hidden_elem>< div class =fsl fwb>安全检查< / div>这是我们用来防止垃圾邮件发送者创建假帐户和垃圾邮件用户的标准安全测试。
所以当javascript会认为你是机器人时,捕获变得可见。
哪里有几种方法使机器人难以完成注册而不需要捕获,事情
喜欢时间填写表单,鼠标点击事件的发起者等等。
也是以表单形式的随机会话值(直接提交到没有下载表单的情况下)
还有些人使用隐藏的表单元素,电子邮件,在CSS中看起来不可见,但常见的简单机器人将尝试填写所有表单字段,因此如果此隐藏元素具有任何值,您可以阻止它们。
twitter和fb花费大量的时间来开发Tecniques来阻止垃圾邮件发送者,我不认为他们会公开,因为它们对于打击垃圾邮件发送者是有效的。
但是所有的客户端JavaScript都可以从fb或twitter下载,如果需要的话可以进行研究,因为大多数的保护将在客户端内部发生,而不是在服务器端。
服务器只能发布一些随机会话变量,检查请求中的有效标题,总体时间等等。它真的有限。
某些网站还在服务器和客户端之间使用ajax交换当用户填写表单时,主要是为了使bot开发人员更难以进行模拟的伪造数据交换。
无论如何,不幸的是,不容易的解决方案体面的保护,特别是没有验证码或某种类型的问题
另外,
提交按钮可以使用图像映射而不是按钮,
你可以使用PHP中的GDI这样的东西在随机位置上绘制的提交botton图像来动态创建大图像,并使用css仅使用实现按钮显示该图像的一部分,并在服务器端检查鼠标点击的位置X和Y位置这个机器人很难打破。
除非他们使用真正的浏览器,而且只是模拟键盘和鼠标。无论如何,正如我所说的不幸,哪里不容易解决。
How websites like Facebook and Twitter are protected against bot during registration? I mean, there's no captcha at all on the signup form?
I want to create a signup form for a project, and I don't want bot during registration and Captchas are often ugly..
edit: My question is really during the registration because I know Facebook use Captchas once registred for the first time.
Facebook uses some sort of hidden spam protection, if you view source of sign-up form you will see things like:
class="hidden_elem"><div class="fsl fwb">Security Check</div>This is a standard security test that we use to prevent spammers from creating fake accounts and spamming users.
so capture becomes visible when javascript will think that you are a bot.
Where is few methods of making it harder for bots to complete registration without capture, things like timing to fill out form, originators of mouse clicks events ect. also random session based values in form (to privent direct submissions without downloading of the form first)
also some people use hidden form elements with common names like 'email' that is styled invisible in css but common simple bots will try to fill out all form fields and so you can block them if this hidden element have any value
twitter and fb spend lot of time on developing tecniques to block spammers i don't think they will made it public as it will be counter productive for them to fight the spammers.
But all the client side javascripts you can download from fb or twitter and study them if you want, because most of the protection will happen inside client not on server.
server could only issue some random session variable, check for valid headers in request, overall time etc. its really limited.
some sites are also use ajax exchanges between server and client during the time when user is filling out the form , mostly just to make it harder for bot developer to do simular fake exchanges of data.
Anyway, unfortunatelly where is no easy solution to do decent protection , espesially without captcha or some kind of question
also, for submit button you can use image map instead of button, you can dynamically create big image with a submit botton image drawn on it at random position using things like GDI in PHP and using css to display only portion of that image with the actuall button, and on server side check X and Y position of where mouse was clicked, this will be hard for bots to break. Unless they use real browsers and just emulate keyboard and mouse. Anyway , as i said unfortunatelly where is no easy solution.
这篇关于像Facebook这样的网站如何保护机器人没有任何验证码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
