You are here

Home » API reference » BOTCHA Spam Prevention 6

TODO.txt in BOTCHA Spam Prevention 6

Same filename and directory in other branches
  1. 6.2 TODO.txt
  2. 6.3 TODO.txt
  3. 7 TODO.txt
  4. 7.2 TODO.txt
  5. 7.3 TODO.txt
TODO
----
- (fix it or leave it?) statistics by variable_set is too slow - it clears vaiable cache in variable_set
- Allow recipe to be used multiple times. (different secret - hash should not collide)
- Add hash collision detection (form_elements, url_elements)


Development roadmap
-------------------
- DONE Keep blocked/passed statistics
- DONE Select forms to be protected
- Recipe description language
?- Site hash (any need to make something on top of botcha_secret variable?)
- Recipe update service
  - CRON: call home, report self, get list of updates, cache it, load in chunks
- More recipes
- DONE D7




Ideas For Implementation
------------------------
- Implement different recipies, enable by on/of setting, all recipies are additive
Recipies:
- obscure "magic" fields by adding a bunch of bugus hidden fields
==== CSS+JS (verify bot is not executing JS or not loading CSS):
- CSS is separate file (important), JS takes CSS attribute to calculate submission field setting
==== JS (verify bot is not executing JS, but legitimate user can also disable JS):
DONE - JS Change post variable
- JS Change post variable to a hash value
- JS Change post URL
DONE - JS Change URL variable
- JS Change URL variable to a hash value
- JS Change submit button value (to a hash value)
- JS Remove an input field completely
- JS Convert a hidden field into an input field (?)
- JS Change a hidden field (to a hash value) (bots are smart enough to leave them alone)
DONE - JS + Honeypot field / hidden by CSS
==== completely server-side:
- Shuffle field names
- Encrypt field names (except [some] honeypots
- Verify all variables that are submitted - reject if any extra fields appeared
- linked javascript file using 'document.write' to append the form
- Server delays certain forms (e.g. user/register) to slow down spambot scripts
==== CAPTCHA strengthening:
- Limit time to submit captcha
==== FORM strengthening:
DONE - allow form post only once. invalidate form token. Next submit will fail.
- minimum time check - submitted too early (2..3 seconds)
- register form filters out any submissions with http://
- block suspicious/empty useragent string, compare form build vs form submit
==== COOKIE-based (needs JS)
- save a cookie, then JS uses that cookie to fill a validation field
- set a cookie by javascript then retrieve the cookie during form processing in the cgi script

File

TODO.txt
View source 
  1. 

  2. TODO

  3. ----

  4. - (fix it or leave it?) statistics by variable_set is too slow - it clears vaiable cache in variable_set

  5. - Allow recipe to be used multiple times. (different secret - hash should not collide)

  6. - Add hash collision detection (form_elements, url_elements)

  7. 

  8. 

  9. Development roadmap

  10. -------------------

  11. - DONE Keep blocked/passed statistics

  12. - DONE Select forms to be protected

  13. - Recipe description language

  14. ?- Site hash (any need to make something on top of botcha_secret variable?)

  15. - Recipe update service

  16.   - CRON: call home, report self, get list of updates, cache it, load in chunks

  17. - More recipes

  18. - DONE D7

  19. 

  20. 

  21. 

  22. 

  23. Ideas For Implementation

  24. ------------------------

  25. - Implement different recipies, enable by on/of setting, all recipies are additive

  26. Recipies:

  27. - obscure "magic" fields by adding a bunch of bugus hidden fields

  28. ==== CSS+JS (verify bot is not executing JS or not loading CSS):

  29. - CSS is separate file (important), JS takes CSS attribute to calculate submission field setting

  30. ==== JS (verify bot is not executing JS, but legitimate user can also disable JS):

  31. DONE - JS Change post variable

  32. - JS Change post variable to a hash value

  33. - JS Change post URL

  34. DONE - JS Change URL variable

  35. - JS Change URL variable to a hash value

  36. - JS Change submit button value (to a hash value)

  37. - JS Remove an input field completely

  38. - JS Convert a hidden field into an input field (?)

  39. - JS Change a hidden field (to a hash value) (bots are smart enough to leave them alone)

  40. DONE - JS + Honeypot field / hidden by CSS

  41. ==== completely server-side:

  42. - Shuffle field names

  43. - Encrypt field names (except [some] honeypots

  44. - Verify all variables that are submitted - reject if any extra fields appeared

  45. - linked javascript file using 'document.write' to append the form

  46. - Server delays certain forms (e.g. user/register) to slow down spambot scripts

  47. ==== CAPTCHA strengthening:

  48. - Limit time to submit captcha

  49. ==== FORM strengthening:

  50. DONE - allow form post only once. invalidate form token. Next submit will fail.

  51. - minimum time check - submitted too early (2..3 seconds)

  52. - register form filters out any submissions with http://

  53. - block suspicious/empty useragent string, compare form build vs form submit

  54. ==== COOKIE-based (needs JS)

  55. - save a cookie, then JS uses that cookie to fill a validation field

  56. - set a cookie by javascript then retrieve the cookie during form processing in the cgi script

  57. 

  58. 

  59. 

  60.