Better Honeypot Implementation (Form Anti-Spam)


Problem description




    How do we get rid of these spambots on our site?

    Every site falls victim to spambots at some point. How you handle it can affect your customers, and most solutions can discourage some people from filling out your forms.

    That's where the honeypot technique comes in. It allows you to ignore spambots without forcing your users to fill out a captcha or jump through other hoops to fill out your form.

    This post is purely to help others implement a honeypot trap on their website forms.


    Update:

    Since implementing the below honeypot on all of my clients' websites, we have successfully blocked 99.5% (thousands of submissions) of all our spam. That is without using the techniques mentioned in the "advanced" section, which will be implemented soon.

    Solution

    Concept

    By adding an invisible field to your forms that only spambots can see, you can trick them into revealing that they are spambots and not actual end-users.

    HTML

    <input type="checkbox" name="contact_me_by_fax_only" value="1" style="display:none !important" tabindex="-1" autocomplete="off">
    

    Here we have a simple checkbox that:

    • Is hidden with CSS.
    • Has an obscure but obviously fake name.
    • Has a default value equivalent to 0.
    • Can't be filled by auto-complete.
    • Can't be navigated to via the Tab key. (See tabindex)

    Server-Side

    On the server side we want to check to see if the value exists and has a value other than 0, and if so handle it appropriately. This includes logging the attempt and all the submitted fields.

    In PHP it might look something like this:

    $honeypot = FALSE;
    // A real browser never submits the hidden, unchecked checkbox, so any
    // non-empty value means the form was filled in by a bot.
    if (!empty($_REQUEST['contact_me_by_fax_only']) && (bool) $_REQUEST['contact_me_by_fax_only'] == TRUE) {
        $honeypot = TRUE;
        log_spambot($_REQUEST); // your own logging function: record every submitted field
        # treat as spambot
    } else {
        # process as normal
    }
    

    Fallback

    This is where the log comes in. In the event that somehow one of your users ends up being marked as spam, your log will help you recover any lost information. It will also allow you to study any bots running on your site, should they be modified in the future to circumvent your honeypot.

    Reporting

    Many services allow you to report known spambot IPs via an API or by uploading a list. (Such as CloudFlare) Please help make the internet a safer place by reporting all the spambots and spam IPs you find.

    Advanced

    If you really need to crack down on a more advanced spambot, there are some additional things you can do:

    • Hide honeypot field purely with JS instead of plain CSS
    • Use realistic form input names that you don't actually use. (such as "phone" or "website")
    • Include form validation in honeypot algorithm. (most end-users will only get 1 or 2 fields wrong; spambots will typically get most of the fields wrong)
    • Use a service like CloudFlare that automatically blocks known spam IPs
    • Have form timeouts, and prevent instant posting. (forms submitted in under 3 seconds of the page loading are typically spam)
    • Prevent any IP from posting more than once a second.
    • For more ideas look here: How to create a "Nuclear" honeypot to catch form spammers
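    As an added example (not code from the answer above), here is a PHP sketch that combines the server-side honeypot check with the "form timeout" idea from the Advanced list, using an HMAC-signed render timestamp so the client cannot forge it. The constants, `render_antispam_fields`, `spam_reason`, the `form_ts`/`form_sig` field names and the secret are all assumptions.

```php
<?php
// Added example, not code from the original answer: the "Server-Side" honeypot
// check combined with the form-timeout idea from "Advanced". Names are assumptions.

const HONEYPOT_FIELD   = 'contact_me_by_fax_only';
const MIN_FILL_SECONDS = 3; // anything faster is treated as a bot
const FORM_SECRET      = 'REPLACE-WITH-RANDOM-SERVER-SECRET'; // placeholder

// Hidden honeypot box plus an HMAC-signed render time, so a bot
// cannot forge a plausible "page loaded" timestamp.
function render_antispam_fields(int $rendered_at): string {
    $sig = hash_hmac('sha256', (string) $rendered_at, FORM_SECRET);
    return '<input type="checkbox" name="' . HONEYPOT_FIELD . '" value="1"'
         . ' style="display:none !important" tabindex="-1" autocomplete="off">' . "\n"
         . '<input type="hidden" name="form_ts" value="' . $rendered_at . '">' . "\n"
         . '<input type="hidden" name="form_sig" value="' . $sig . '">';
}

// null = process as normal; otherwise a short reason to log with the request.
function spam_reason(array $req, int $now): ?string {
    // 1. Honeypot: a real browser never submits the hidden, unchecked box.
    if (!empty($req[HONEYPOT_FIELD])) {
        return 'honeypot_filled';
    }
    // 2. Timestamp must be present, numeric and untampered (constant-time compare).
    $ts  = $req['form_ts']  ?? '';
    $sig = $req['form_sig'] ?? '';
    if ($ts === '' || !ctype_digit($ts)
        || !hash_equals(hash_hmac('sha256', $ts, FORM_SECRET), $sig)) {
        return 'bad_timestamp_signature';
    }
    // 3. Instant posting: submitted faster than a person could fill the form.
    if ($now - (int) $ts < MIN_FILL_SECONDS) {
        return 'submitted_too_fast';
    }
    return null;
}

// Constructed sample submissions (not real traffic).
$t0  = 1700000000;
$sig = hash_hmac('sha256', (string) $t0, FORM_SECRET);
$samples = [
    'human, 20s later'    => [['name' => 'Ann', 'form_ts' => "$t0", 'form_sig' => $sig], $t0 + 20],
    'bot ticked honeypot' => [['name' => 'x', HONEYPOT_FIELD => '1', 'form_ts' => "$t0", 'form_sig' => $sig], $t0 + 20],
    'instant post'        => [['name' => 'x', 'form_ts' => "$t0", 'form_sig' => $sig], $t0 + 1],
];
foreach ($samples as $label => [$req, $now]) {
    echo $label, ': ', spam_reason($req, $now) ?? 'ok', "\n";
}
```

    Whatever reason is returned should go into the same log as the original `log_spambot($_REQUEST)` call, so a mis-flagged user can still be recovered as the Fallback section describes.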
