I have just added a CAPTCHA to a page to block spam, but we are getting spam as usual.

The website is using HTML, PHP, JavaScript and unsecured HTTP only, and nothing else.

I am generating and comparing captchas in PHP using an if statement. I am also adding both the captchas (generated and typed) in a comment for testing. So genuine mails are received with both the generated and typed captcha, but in the spam mails both captchas are blank (the spammers are at work, so mystery and confusion).

I have checked all the files on the website; they are exactly as I had uploaded them. I do not understand what the spammers have done, and how?

Some guidelines are needed, so I can start studying books and websites.

Suraj Kumar
ulka

1 Answer

You can basically chalk that up to...

https://dynomapper.com/blog/514-online-captcha-solving-services-and-available-captcha-types

https://github.com/imagetyperz-api/imagetyperz-api-nodejs

https://github.com/bestcaptchasolver/bestcaptchasolver-php

The list goes on and on but I think you get the idea.

You're going to want to stack methods of spam prevention that don't annoy real users.

https://www.lifewire.com/solutions-to-protect-web-forms-from-spam-3467469

Good list there; my personal go-to has always been honeypots: just a hidden field that looks and feels like a real field, but if someone fills it out you immediately know it's a bot. Maybe throw it 9999px off the page to the right, but a bot still sees it right under the other fields in your code.

Also, if you are bored and have a bit of time, here is another great way of banning most of the currently active botnets from your site, or maybe setting up a separate site on the same hosting provider just to harvest all the active IPs of botnets trolling your hosting provider's IP range.

Make a robots.txt file like this:

User-agent: *
Disallow: /secret/

Any honest bot like Googlebot won't follow the path to /secret/ on your domain, but let me tell you that if it's a bot you do not want on your site, one of the first things it's going to be programmed to do is check files like this for clues on where the paths on your site are, especially private ones.

Then just set up a script to automatically IP-ban all traffic to /secret.

Now obviously this is going to end up banning some legit people who end up using the IP after the bot, etc. But honestly, tell me it doesn't sound like a fun idea.

rifi2k
  • Hello @rifi2k, thanks a lot for the answer. It has given me a good beginning in understanding the scenario. I will certainly improve the website based on these methods; hope they will work. Thank you again for your time and effort in answering the question. – ulka Jan 05 '19 at 15:45
  • Apart from this, I still want to know how they can bypass the captcha field and submit the form. – ulka Jan 05 '19 at 17:33
  • If you check out the first 3 links, they are all links to libraries which are built to beat / bypass captcha fields automatically. – rifi2k Jan 07 '19 at 17:53
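As an added example (not code from the question or from rifi2k's answer), here is how the honeypot field from the answer and a server-side CAPTCHA compare can be stacked in PHP; it also rejects the blank-on-both-sides case the question describes, which a loose comparison of two empty strings would let through. The field names, the decoy field `website` and storing the expected CAPTCHA text in the session are assumptions.

```php
<?php
// Added example, not the original page's code. Assumes the form posts
// "message", "captcha" and a decoy field "website", and that the expected
// CAPTCHA text was put in $_SESSION['captcha'] when the image was drawn.
declare(strict_types=1);

/**
 * Returns the list of rejection reasons; an empty array means the
 * submission passed. Kept free of side effects so it is easy to test.
 */
function validate_submission(array $post, ?string $expected): array
{
    $reasons = [];

    // Honeypot: humans never see the decoy field (CSS pushes it off-screen),
    // so any value in it means an automated client filled every input it found.
    if (($post['website'] ?? '') !== '') {
        $reasons[] = 'honeypot filled';
    }

    // CAPTCHA: reject when either side is missing. With a loose "==" check,
    // an empty expected value and an empty typed value compare as equal,
    // which is exactly what lets a request that skipped the CAPTCHA through.
    $typed = trim((string)($post['captcha'] ?? ''));
    if ($expected === null || $expected === '' || $typed === '') {
        $reasons[] = 'captcha missing';
    } elseif (!hash_equals($expected, $typed)) {   // constant-time string compare
        $reasons[] = 'captcha mismatch';
    }

    return $reasons;
}

/* Matching markup for the decoy field, hidden off-screen as the answer suggests:
   <div style="position:absolute;left:-9999px" aria-hidden="true">
     <label>Website <input name="website" autocomplete="off" tabindex="-1"></label>
   </div>
*/

// Request handling: one attempt per generated CAPTCHA.
session_start();
$expected = $_SESSION['captcha'] ?? null;
unset($_SESSION['captcha']);

$problems = validate_submission($_POST, $expected);
if ($problems !== []) {
    // Log the reason so rejected submissions can be reviewed later.
    error_log('form rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? '?') . ': ' . implode(', ', $problems));
    http_response_code(400);
    exit('Submission rejected.');
}
// ... build and send the mail here ...
```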