Bot protection without captchas
If you need a user input field such as a comment box or a contact form and want to protect yourself from unwanted, automatically generated content, you will most probably reach for a captcha. Captchas are proven to be very annoying, and the harder they get for a computer to solve, the closer to impossible they get for a human. Since a few solutions are in very wide use, many bot providers optimise their bots to solve exactly those. Therefore my suggestion is to implement your own protection. The objection is obvious: it is far too simple and can be cracked by a moderately talented attacker in acceptable time. But even the evolved captchas like Google's reCaptcha offer no 100% protection. My aim is to keep out the very common (and stupid) spam bots without annoying the end user.
Keep in mind that computers are super-fast but only of limited intelligence, while an ordinary human first has to render the website, read it, understand the form and then fill it in. So we can assume that a meaningful form is not read, understood and completely filled in within, let's say, 10 seconds. Tracking some of the spam bots hitting my site I found that they make only two calls (loading the page with the form and submitting it), and both together are usually finished in less than 2 seconds. That gap between a bot and a human is what the following code measures.
Here is some simple code providing an example in PHP and MySQL.
Database Tables
-- Stored submissions (no key needed for the check itself).
CREATE TABLE `Message` (
  `Subject` text NOT NULL,
  `Text` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- One row per request (page load or submit), keyed by client IP.
-- Nothing below ever deletes old rows; prune rows older than the
-- 10-second window from time to time or the table grows without bound.
CREATE TABLE `Connection` (
  `IP` varchar(45) NOT NULL,   -- 45 chars fits a textual IPv6 address
  `UserTime` int(11) NOT NULL  -- Unix timestamp of the request
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

ALTER TABLE `Connection` ADD KEY `IP` (`IP`,`UserTime`);

send.php
<?php
// Connection parameters are placeholders; replace them with your own.
$mysqli = new mysqli('host', 'user', 'password', 'database');

$now = time();
// Behind a reverse proxy REMOTE_ADDR is the proxy's address, so all
// visitors would share one 10-second window; use the real client IP there.
$ip = $_SERVER['REMOTE_ADDR'];

// Keep the raw submission; escaping happens where it is echoed into HTML below.
$text = $_POST['text'] ?? '';
$subject = $_POST['subject'] ?? '';
$displayMsg = "";

if (isset($_POST['submit']) && $_POST['submit'] == "Send") {
    // Newest request seen from this IP (0 if none). The form load counts too,
    // because every request is recorded at the bottom of this script.
    $stmt = $mysqli->prepare("SELECT COALESCE(MAX(UserTime),0) maxTime FROM Connection WHERE IP = ?");
    $stmt->bind_param('s', $ip);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_object(); // get_result() needs the mysqlnd driver
    if ($row->maxTime + 10 < $now) {
        $stmt = $mysqli->prepare("INSERT INTO Message (Subject, Text) VALUES (?,?)");
        $stmt->bind_param('ss', $subject, $text);
        $stmt->execute();
        $displayMsg = "Your request has been stored successfully";
        $text = "";
        $subject = "";
    } else {
        $displayMsg = "<b>Your request couldn't be stored. Please wait 10 seconds and try it again</b>";
    }
}

// Record this request, accepted or not: a rejected attempt pushes the IP's
// waiting window forward again. bind_param() takes its arguments by
// reference, so pass variables here, not time() directly.
$stmt = $mysqli->prepare("INSERT INTO Connection (IP,UserTime) VALUES (?,?)");
$stmt->bind_param('si', $ip, $now);
$stmt->execute();
?>
<html>
<body>
<?php echo $displayMsg; ?>
<form action="send.php" method="post">
<input type="text" name="subject" value="<?php echo htmlspecialchars($subject, ENT_QUOTES, 'UTF-8'); ?>"/>
<textarea name="text"><?php echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); ?></textarea>
<input type="submit" name="submit" value="Send"/>
</form>
</body>
</html>
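To make the timing rule concrete, here is an added simulation of the check above in Python. It is not part of the original page and not the author's code. It replays the same two queries against an in-memory SQLite database (standing in for MySQL; the DDL is adapted accordingly) with an injected clock, so the scenarios are deterministic: a human who loads the form and submits 15 seconds later, a bot that submits 2 seconds after loading, a bot that never loads the form and POSTs blindly, a bot that retries every 2 seconds, and a bot that waits 11 seconds between posts. The IP addresses and timestamps are constructed sample data. It goes slightly beyond the page by spelling out the edge cases that follow directly from the code: with no prior row COALESCE yields 0 and the first blind POST passes; a rejected attempt is still logged, so a rapid retrier never gets in; and a bot spaced at least 10 seconds apart is rate-limited, not blocked.

```python
import sqlite3

WAIT_SECONDS = 10  # same threshold as send.php above

# Schema adapted from the page's MySQL DDL to SQLite (assumption: SQLite
# is only a stand-in here; the queries are the ones send.php runs).
SCHEMA = """
CREATE TABLE Message (Subject TEXT NOT NULL, Text TEXT NOT NULL);
CREATE TABLE Connection (IP TEXT NOT NULL, UserTime INTEGER NOT NULL);
CREATE INDEX idx_connection_ip ON Connection (IP, UserTime);
"""


class FormServer:
    """In-memory model of send.php: every request logs (IP, time); a POST is
    stored only if the IP's newest logged request is older than WAIT_SECONDS."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def _last_seen(self, ip):
        row = self.db.execute(
            "SELECT COALESCE(MAX(UserTime), 0) FROM Connection WHERE IP = ?", (ip,)
        ).fetchone()
        return row[0]

    def _log(self, ip, now):
        self.db.execute("INSERT INTO Connection (IP, UserTime) VALUES (?, ?)", (ip, now))

    def get_form(self, ip, now):
        """A browser (or bot) loading the page: only the timestamp is recorded."""
        self._log(ip, now)

    def post_message(self, ip, now, subject, text):
        """Returns True if the message was stored, False if it was rejected."""
        accepted = self._last_seen(ip) + WAIT_SECONDS < now
        if accepted:
            self.db.execute(
                "INSERT INTO Message (Subject, Text) VALUES (?, ?)", (subject, text)
            )
        # Logged whether or not it was accepted, exactly like send.php: a
        # rejected attempt still pushes the IP's "last seen" time forward.
        self._log(ip, now)
        return accepted

    def message_count(self):
        return self.db.execute("SELECT COUNT(*) FROM Message").fetchone()[0]


def run_scenarios():
    """Replay five client behaviours against fresh servers; returns the outcomes.
    All IPs and times are constructed sample data."""
    results = {}

    # 1. Human: loads the form at t=100, reads and types, submits at t=115.
    s = FormServer()
    s.get_form("198.51.100.10", 100)
    results["human"] = s.post_message("198.51.100.10", 115, "hi", "real message")

    # 2. Typical spam bot: fetches the form and posts two seconds later.
    s = FormServer()
    s.get_form("203.0.113.5", 100)
    results["fast_bot"] = s.post_message("203.0.113.5", 102, "buy", "spam")

    # 3. Blind bot: never loads the form, just POSTs. No prior row, so
    #    COALESCE(..., 0) + 10 < now holds and the first message gets through;
    #    the second one three seconds later does not.
    s = FormServer()
    results["blind_first"] = s.post_message("203.0.113.6", 100, "buy", "spam")
    results["blind_second"] = s.post_message("203.0.113.6", 103, "buy", "spam")

    # 4. Hammering bot: retries every 2 s for a minute. Because rejected
    #    attempts are logged too, the 10 s window keeps sliding and nothing lands.
    s = FormServer()
    s.get_form("203.0.113.7", 100)
    stored = [s.post_message("203.0.113.7", t, "buy", "spam") for t in range(102, 162, 2)]
    results["hammer_any"] = any(stored)

    # 5. Patient bot: posts every 11 s. The scheme caps throughput at one
    #    message per IP per 10 s; it does not stop a bot that respects that.
    s = FormServer()
    results["patient_bot"] = sum(
        s.post_message("203.0.113.8", t, "buy", "spam") for t in (100, 111, 122)
    )

    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

`run_scenarios()` returns a dict mapping each scenario to whether its message was stored (or, for the patient bot, how many of its three posts were). Scenarios 3 and 5 are the honest limits of the approach: it is a per-IP rate limit tied to the page load, not a proof of humanity.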
Of course it is easy to find out how this works, and therefore easy to get around. But it has protected me from the common crawling spam bots for years now. It definitely does not work against a dedicated 'I-don't-like-you' attack, but those are rare and hard to avoid even with a better bot protection.