BetterPHP

jacek wrote:

conradk wrote:For one thing, I haven't seen any captcha on your registration form. I would ad one, as this would bug spammers to make new accounts once banned...

But they are such a pain right

I want to find a solution that allows the user to register with minimal irritation, but will still prevent most spam accounts from registering. A epically massive blacklist may be that solution

How about a new form of captcha ? New drag and drop captchas are appearing on the web. Easy to use, fast to complete = no pain at all.

Well I want to see if there is any need for one first.

I hate captchas.
Just saying

One thing they had on a game I used to play was 4 circles, and 1 of them was randomly broken (not a complete circle) and you had to click inside that circle.

That could be a solution?

Another one i used to like was having a 'safe dial' where you have to turn it to the number that is stated is pointing upwards

But i can imagine them being annoying?

Maybe record the time they started on the page, and teh time they completed the page.

if its a spam bot, it will do it insanely fast.. If its human it may take 1 - 2 minutes?

Implement a "drunk" test?
Have a circle with a pretty big outline and they have to go around the circle with the mouse inside of that outline. Not hard and not so very annoying.

These are all terrible solutions ! I don't want the user to have to do anything that they do not need to.

Hmm... what other ways are there?

I dont see the problem with teh duration one?

even if you make the duration 15 seconds, which it easily takes longer than that to type in all the information to register. But a bot will have it all palced almost immediately would they not?

bowersbros wrote: Maybe record the time they started on the page, and teh time they completed the page.

if its a spam bot, it will do it insanely fast.. If its human it may take 1 - 2 minutes?

This is a good idea IMO

Spam bots know people do this, I tried it on my demo http://jacekk.co.uk/code/data_file/comment.system.php and it made no difference at all.

jacek wrote:Spam bots know people do this, I tried it on my demo http://jacekk.co.uk/code/data_file/comment.system.php and it made no difference at all.

Maybe. But it will slow them down at least If a bot takes a least 15 seconds to send, you'll have his IP banned before he makes ant collateral damage. Also, just add a feature that allows you to remove a user and ALL of his posts and threads. This way, the bot will take time to post, and finally get banned with all his posts gone.

Another idea:

On the registration form, make the password field so that is has to be completed using a virtual keyboard on the screen. Tell people it is against key loggers. No one will complain and bots might have even more problems registering

Also, how about forcing Javascript support and forcing the form to be sent from the actual register page ?

bowersbros wrote: even if you make the duration 15 seconds, which it easily takes longer than that to type in all the information to register.

I just timed myself, I wrote my username, email, email, password, password in 7.8 seconds I even messed up once. Guess I can't register on the site

now i think about it, 15 seconds is actually quite long..

Hmm.

There is also maybe the idea that a user has to choose from a dropdown list simply whether they are a bot or not?

Simple english test

bowersbros wrote:now i think about it, 15 seconds is actually quite long..

Hmm.

There is also maybe the idea that a user has to choose from a dropdown list simply whether they are a bot or not?

Simple english test

50 % chance to still register as a bot ? A little bit too much IMO.
You should add all these basic things like an empty hidden field. If it gets filled, it is a bot. If you add all these stupid things, most bots will probably get lost somewhere... don't you think ?

Maybe make a browser check as well.
http://www.user-agents.org/

conradk wrote:

bowersbros wrote:now i think about it, 15 seconds is actually quite long..

Hmm.

There is also maybe the idea that a user has to choose from a dropdown list simply whether they are a bot or not?

Simple english test

50 % chance to still register as a bot ? A little bit too much IMO.
You should add all these basic things like an empty hidden field. If it gets filled, it is a bot. If you add all these stupid things, most bots will probably get lost somewhere... don't you think ?

Maybe make a browser check as well.
http://www.user-agents.org/

I like that idea.
Like a check box.

[ ] <-- Check this if you're a bot. [ ] <-- Check this to agree on terms of service

Bot will most likely check both boxes. Just in case both needs to be checked.

Temor wrote:

[ ] <-- Check this if you're a bot. [ ] <-- Check this to agree on terms of service

Bot will most likely check both boxes. Just in case both needs to be checked.

The goal is to make controls for which the end user doesn't have to do a single thing. With this, the user would have to check the box. But if you hide these checkboxes, the user check them. The bot might, if it doesn't read CSS of JS styling.

conradk wrote:

Temor wrote:

[ ] <-- Check this if you're a bot. [ ] <-- Check this to agree on terms of service

Bot will most likely check both boxes. Just in case both needs to be checked.

The goal is to make controls for which the end user doesn't have to do a single thing. With this, the user would have to check the box. But if you hide these checkboxes, the user check them. The bot might, if it doesn't read CSS of JS styling.

No, the user would ignore the box. A bot will read it as something important and check it, while a user just reads what it is and won't click it.

Temor wrote:

conradk wrote:

Temor wrote: Bot will most likely check both boxes. Just in case both needs to be checked.

The goal is to make controls for which the end user doesn't have to do a single thing. With this, the user would have to check the box. But if you hide these checkboxes, the user check them. The bot might, if it doesn't read CSS of JS styling.

No, the user would ignore the box. A bot will read it as something important and check it, while a user just reads what it is and won't click it.

Yeah, so the user has to read, which slows down the registration process and might confuse him. Besides, if the user check the first check box because he read the instruction too fast, he'll have to register again.

I'm pretty sure it's okay for users to READ.......

conradk wrote:The goal is to make controls for which the end user doesn't have to do a single thing.

Exactly, to the user it should look as if there is nothing anti-spam going on.

Most of these methods would work, but look into the long term and spam bots may adapt to the style of my form. For now we can rely on it being non-standard, but at some point that will stop working.

In all honesty, there will be spam bots without some sort of spam protection;
However, a large blacklist is a good start.

If the forum is moderated, assuming you can merely remove a user (and thus all of said users information), keeping spam under control would not be such a colossal task that it is unbearable.

I say you keep blacklist, checking the IP, or perhaps the username but requiring X (10 or so) number of entries, and then just allow moderation I think spam can be under controlled.

Another alternative is disallowing any links in the first X number of posts (5) as spam bots generally consist of spam links.