How to create a "Nuclear" honeypot to catch form spammers


Question


My current honeypot on my registration form is an entry for a phone number which is placed off screen using position: fixed;.

It tricked a standard breed of form filler, but doesn't work as well as I thought. Also, the spambots immediately responded to changes in the form, meaning that this is automatic. What can I do?

Note: I hate captchas since they make users solve my problems, which is never good.

Solution

Build a really smart honeypot

That may seem obvious, but here are a few tricks (details later):

1. Think like a spam bot
2. Assume that they are able to know what is on screen or behind other elements
3. Have multiple traps.
  • Time trap
  • Honeypot

1. Think like a spam bot:

Start going through your page like a spam bot. You can even write your own, which can waste time but is quite fun :). Most spam bots will crawl through the markup looking for a <form> element. Then they will look at your inputs and fill them in appropriately, which is the catch: how do they know what to fill in? They will probably look at the id, class, placeholder, and label, which brings us to our first method.

Method #1:

Mislabel inputs in your form code. Basically, your username input should have the id of #Form_Email. Boom! The spam bot fills out the form incorrectly. Also hide and mislabel your input labels; use divs instead.*

Method #2 starts here

You've probably noticed that if you simply ignore hidden stuff, based on location, what is in front of it, and even the good old display: none;, visibility: hidden;, opacity: 0; or type='hidden'. This gives us a powerful weapon. I discovered this by accident while testing a time trap. I used a basic form filler to fill the form. On my site (I'm not talking about GiantCowFilms.com), the register form is in a dialog that opens when a user clicks a register button. By default it is hidden. This gave me an idea for

Method #2

Default: form is hidden. Basically, your form is hidden on page load, but is uncovered by some mouse-based action (I don't think bots have mice). If you want your form to be visible on page load, add an identical decoy one which is above the real one in the markup. If the bot fills in and submits it, block its IP for a few minutes.** For real users, simply switch them around when the mouse hovers over the decoy form.

2. Assume that they know what your page looks like

Assuming that hiding a honeypot with CSS is perfect is a grave mistake. There are a lot of super smart screen readers like JAWS that could be repurposed for spamming. That is why you have multiple lines of defense.

3. Have multiple traps

• Time traps: Going back to thinking like a bot, would you want to wait on a site instead of attacking others? Method #3: Create a time trap. The best way is to print a time in a hidden input when the page loads. When you submit the form, it tells you how long it took. Fill the form as fast as you can. That should be the minimum amount of time to fill your form. Note: encrypt your time stamp so bots cannot change it.

  If you want to get really fancy, measure the WPM of the bot typing. This is done on Stack Exchange (try copying and pasting, then submitting a question/answer). Also, if the rate of typing is very consistent, that is a red flag.

• Honeypots (Method #4): Use all of the above at once for best results. Make sure to trick dumb bots as well as smart bots (don't assume the bot is always trying hard).

Now, in order to spam us, bots will have to have cursors, render the page, wait, and type at a variable, realistic speed. If they make a bot like that, then I guess it'll be Captcha time :(.

*People using screen readers will trigger or be confused by these defenses, and depending on your country you could get into trouble for discriminating against blind to semi-blind people. Therefore, when a user triggers the bot test, take them to a non-loaded form with a disability-friendly captcha like reCaptcha (http://www.google.com/recaptcha/intro/).

**People often share IPs and you can chase away valid users.

P.S. Use simple honeypots like you already have. Some bots are just too dumb to get tricked by what we have here.
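The following is an added example, not code from the question or the answer, showing how the server side of Methods #1 through #3 can be checked in one place: the off-screen phone field and the decoy form's inputs as honeypots, the swapped ids of Method #1 mapped back to their real meaning, the time trap as a timestamp in a hidden input, and the "block its IP for a few minutes" step with an expiry so shared IPs recover. Where the answer says "encrypt your time stamp", this example uses an HMAC tag instead, since what the bot must not be able to do is forge an older timestamp and a keyed MAC gives exactly that. The field names, the key, the 4-second minimum and the two constructed submissions are all assumptions made for the illustration; the answer does not name a backend language.

```python
# Added example (not from the original question or answer): server-side checks for
# the traps the answer describes. Assumptions: the field names, the key and the
# 4-second minimum fill time are made up for this illustration, and the answer's
# "encrypt your time stamp" is implemented as an HMAC tag.
import hashlib
import hmac
import time

SECRET_KEY = b"assumed-random-key-loaded-from-config"  # assumption: a real key comes from config
MIN_FILL_SECONDS = 4          # assumption: fastest human fill measured while testing the form
MAX_TOKEN_AGE_SECONDS = 3600  # assumption: a token older than this is treated as stale

# Honeypot inputs no human should ever fill: the off-screen phone field from the
# question and the inputs of the decoy form from Method #2.
HONEYPOT_FIELDS = ("phone", "decoy_username", "decoy_email")

# Method #1: the id the markup shows -> what the input really means. A bot that
# trusts the id puts the e-mail address into Form_Email, which is really the username.
MISLABELED = {"Form_Email": "username", "Form_Username": "email"}


def issue_token(now=None):
    """Render time: timestamp plus HMAC tag, to be written into a hidden input."""
    ts = int(time.time() if now is None else now)
    tag = hmac.new(SECRET_KEY, str(ts).encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{tag}"


def verify_token(token, now=None):
    """Return (True, seconds_elapsed) for a genuine token, else (False, reason)."""
    if not isinstance(token, str) or "." not in token:
        return False, "malformed"
    ts_str, tag = token.split(".", 1)
    if not ts_str.isdigit():
        return False, "malformed"
    expected = hmac.new(SECRET_KEY, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time: an edited timestamp fails here
        return False, "bad-signature"
    elapsed = (time.time() if now is None else now) - int(ts_str)
    if elapsed < 0 or elapsed > MAX_TOKEN_AGE_SECONDS:
        return False, "stale"
    return True, elapsed


def real_fields(form):
    """Undo the Method #1 relabeling so the application sees the true field names."""
    return {real: form.get(shown, "").strip() for shown, real in MISLABELED.items()}


def classify_submission(form, now=None):
    """Return the traps a submission tripped; an empty list means it looks human."""
    tripped = []
    for name in HONEYPOT_FIELDS:
        if form.get(name, "").strip():
            tripped.append(f"honeypot:{name}")
    fields = real_fields(form)
    # Heuristic (assumption): an address in the username slot and none in the e-mail
    # slot means the filler trusted the ids rather than the page as rendered.
    if "@" in fields["username"] and "@" not in fields["email"]:
        tripped.append("mislabel:filled-by-id")
    ok, info = verify_token(form.get("ts_token", ""), now)
    if not ok:
        tripped.append(f"time-trap:{info}")
    elif info < MIN_FILL_SECONDS:
        tripped.append(f"time-trap:too-fast:{info}s")
    return tripped


class TempBlocklist:
    """Method #2's 'block its IP for a few minutes'. Entries expire, so an address
    shared by many people (the answer's second footnote) is not locked out for good."""

    def __init__(self, block_seconds=300):
        self.block_seconds = block_seconds
        self._until = {}

    def block(self, ip, now):
        self._until[ip] = now + self.block_seconds

    def is_blocked(self, ip, now):
        until = self._until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._until[ip]
            return False
        return True


if __name__ == "__main__":
    render_time = 1_700_000_000  # constructed fixed clock for the demo
    token = issue_token(now=render_time)
    # Constructed submissions: a bot that fills every input by id within a second,
    # and a person who fills only the visible inputs and takes twelve seconds.
    bot = {"ts_token": token, "phone": "555-0100", "decoy_username": "bob",
           "Form_Email": "bob@example.com", "Form_Username": "bob"}
    human = {"ts_token": token, "Form_Email": "alice", "Form_Username": "alice@example.com"}
    print("bot  :", classify_submission(bot, now=render_time + 1))
    print("human:", classify_submission(human, now=render_time + 12))
```

The timestamp is checked in both directions: a token from the future or one older than an hour is rejected as stale, so a bot cannot harvest one token and reuse it all day. The WPM measurement the answer mentions is not shown here; it needs keystroke timings collected in the browser, which this server-side check has no access to.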
