TODO.txt in BOTCHA Spam Prevention 6.3

TODO
----
- (fix it or leave it?) statistics by variable_set is too slow - it clears the variable cache in variable_set
- Allow recipe to be used multiple times. (different secret - hash should not collide)
- Add hash collision detection (form_elements, url_elements)
- Create and describe IRecipe to make implementation of new recipes easier
- Replace getProperty with more transparent solution


Development roadmap
-------------------
- DONE Keep blocked/passed statistics
- DONE Select forms to be protected
- Recipe description language
?- Site hash (any need to make something on top of botcha_secret variable?)
- Recipe update service
  - CRON: call home, report self, get list of updates, cache it, load in chunks
- More recipes
- DONE D7




Ideas For Implementation
------------------------
- Implement different recipes, enabled by an on/off setting; all recipes are additive
Recipes:
- obscure "magic" fields by adding a bunch of bogus hidden fields
==== CSS+JS (verify bot is not executing JS or not loading CSS):
- CSS is separate file (important), JS takes CSS attribute to calculate submission field setting
==== JS (verify bot is not executing JS, but legitimate user can also disable JS):
DONE - JS Change post variable
- JS Change post variable to a hash value
- JS Change post URL
DONE - JS Change URL variable
- JS Change URL variable to a hash value
- JS Change submit button value (to a hash value)
- JS Remove an input field completely
- JS Convert a hidden field into an input field (?)
- JS Change a hidden field (to a hash value) (bots are smart enough to leave them alone)
DONE - JS + Honeypot field / hidden by CSS
==== completely server-side:
- Shuffle field names
- Encrypt field names (except [some] honeypots)
- Verify all variables that are submitted - reject if any extra fields appeared
- linked javascript file using 'document.write' to append the form
- Server delays certain forms (e.g. user/register) to slow down spambot scripts
==== CAPTCHA strengthening:
- Limit time to submit captcha
==== FORM strengthening:
DONE - allow form post only once. invalidate form token. Next submit will fail.
- minimum time check - submitted too early (2..3 seconds)
- register form filters out any submissions with http://
- block suspicious/empty useragent string, compare form build vs form submit
==== COOKIE-based (needs JS)
- save a cookie, then JS uses that cookie to fill a validation field
- set a cookie by javascript then retrieve the cookie during form processing in the cgi script
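Several of the server-side items above (one-time form token, minimum-time check between form build and submit, honeypot field, rejecting unexpected extra fields, and hashed field names) fit together in one validation path. The following is an added example written for this page in Python; it is not BOTCHA's PHP code and does not use Drupal's form API. The class name FormProtector, the constructed SITE_SECRET (standing in for the botcha_secret variable), the reason strings, and the injectable clock are all assumptions made here.

```python
"""Server-side form strengthening checks (constructed demo, not the module's code)."""
import hashlib
import hmac
import secrets
import time

# Assumption: a constructed value standing in for the botcha_secret site variable.
SITE_SECRET = b"constructed-demo-secret-do-not-reuse"


class FormProtector:
    """Issues protected form builds and validates their submissions.

    One-time form tokens, a minimum-time check, a honeypot field, rejection of
    extra fields, and keyed-hash (HMAC) obscured field names.
    """

    def __init__(self, secret=SITE_SECRET, min_seconds=2.0, clock=time.time):
        self.secret = secret
        self.min_seconds = min_seconds
        self.clock = clock          # injectable so tests can control elapsed time
        self._issued = {}           # token -> (build_time, form_id, names, honeypot, expected)

    def _obscure(self, form_id, field):
        # Keyed hash: stable per form, but not guessable without the site secret.
        mac = hmac.new(self.secret, f"{form_id}:{field}".encode(), hashlib.sha256)
        return "f_" + mac.hexdigest()[:16]

    def build(self, form_id, fields):
        """Return the token, obscured field names and honeypot name to render."""
        token = secrets.token_hex(16)
        names = {f: self._obscure(form_id, f) for f in fields}
        honeypot = self._obscure(form_id, "__honeypot__")
        expected = set(names.values()) | {honeypot, "form_token"}
        self._issued[token] = (self.clock(), form_id, names, honeypot, expected)
        return {"form_token": token, "names": names, "honeypot": honeypot}

    def validate(self, post):
        """Validate a submitted POST dict; return (ok, reason, clean_values)."""
        token = post.get("form_token")
        # One-time token: pop it so a second submit with the same token fails.
        issued = self._issued.pop(token, None)
        if issued is None:
            return False, "unknown_or_reused_token", None
        built_at, form_id, names, honeypot, expected = issued
        if self.clock() - built_at < self.min_seconds:
            return False, "submitted_too_early", None
        if post.get(honeypot, ""):
            return False, "honeypot_filled", None
        extra = set(post) - expected
        if extra:
            return False, "unexpected_fields:" + ",".join(sorted(extra)), None
        clean = {real: post.get(obscured, "") for real, obscured in names.items()}
        return True, "ok", clean


class FakeClock:
    """Controllable clock so the timing check can be exercised deterministically."""
    def __init__(self, t=1000.0):
        self.t = t

    def __call__(self):
        return self.t


def run_demo():
    """Run constructed submissions through the checks; returns reason per scenario."""
    clock = FakeClock()
    fp = FormProtector(min_seconds=2.0, clock=clock)
    results = {}

    def make_post(build, extra=None, honeypot_value=""):
        post = {"form_token": build["form_token"],
                build["names"]["name"]: "alice",
                build["names"]["mail"]: "alice@example.com",
                build["honeypot"]: honeypot_value}
        post.update(extra or {})
        return post

    b = fp.build("user_register", ["name", "mail"])
    post = make_post(b)
    clock.t += 5                                  # human-speed submission
    results["legit"] = fp.validate(post)
    results["replay"] = fp.validate(post)         # same token again must fail

    b = fp.build("user_register", ["name", "mail"])
    clock.t += 0.5                                # faster than min_seconds
    results["fast"] = fp.validate(make_post(b))

    b = fp.build("user_register", ["name", "mail"])
    clock.t += 5
    results["honeypot"] = fp.validate(make_post(b, honeypot_value="spam"))

    b = fp.build("user_register", ["name", "mail"])
    clock.t += 5
    results["extra"] = fp.validate(make_post(b, extra={"url": "http://example.invalid"}))
    return results
```

Checks are ordered so the cheapest and most decisive one (token lookup) runs first, and the token is consumed before any other check so that a rejected submission cannot be retried with the same build.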
