You are here

TODO.txt in BOTCHA Spam Prevention 7

Same filename and directory in other branches
  1. 6 TODO.txt
  2. 6.2 TODO.txt
  3. 6.3 TODO.txt
  4. 7.2 TODO.txt
  5. 7.3 TODO.txt
TODO
----
- (fix it or leave it?) statistics by variable_set is too slow - it clears vaiable cache in variable_set
- Allow recipe to be used multiple times. (different secret - hash should not collide)
- Add hash collision detection (form_elements, url_elements)


Development roadmap
-------------------
- DONE Keep blocked/passed statistics
- DONE Select forms to be protected
- Recipe description language
?- Site hash (any need to make something on top of botcha_secret variable?)
- Recipe update service
  - CRON: call home, report self, get list of updates, cache it, load in chunks
- More recipes
- DONE D7




Ideas For Implementation
------------------------
- Implement different recipies, enable by on/of setting, all recipies are additive
Recipies:
- obscure "magic" fields by adding a bunch of bugus hidden fields
==== CSS+JS (verify bot is not executing JS or not loading CSS):
- CSS is separate file (important), JS takes CSS attribute to calculate submission field setting
==== JS (verify bot is not executing JS, but legitimate user can also disable JS):
DONE - JS Change post variable
- JS Change post variable to a hash value
- JS Change post URL
DONE - JS Change URL variable
- JS Change URL variable to a hash value
- JS Change submit button value (to a hash value)
- JS Remove an input field completely
- JS Convert a hidden field into an input field (?)
- JS Change a hidden field (to a hash value) (bots are smart enough to leave them alone)
DONE - JS + Honeypot field / hidden by CSS
==== completely server-side:
- Shuffle field names
- Encrypt field names (except [some] honeypots
- Verify all variables that are submitted - reject if any extra fields appeared
- linked javascript file using 'document.write' to append the form
- Server delays certain forms (e.g. user/register) to slow down spambot scripts
==== CAPTCHA strengthening:
- Limit time to submit captcha
==== FORM strengthening:
DONE - allow form post only once. invalidate form token. Next submit will fail.
- minimum time check - submitted too early (2..3 seconds)
- register form filters out any submissions with http://
- block suspicious/empty useragent string, compare form build vs form submit
==== COOKIE-based (needs JS)
- save a cookie, then JS uses that cookie to fill a validation field
- set a cookie by javascript then retrieve the cookie during form processing in the cgi script




File

TODO.txt
View source
  1. TODO
  2. ----
  3. - (fix it or leave it?) statistics by variable_set is too slow - it clears vaiable cache in variable_set
  4. - Allow recipe to be used multiple times. (different secret - hash should not collide)
  5. - Add hash collision detection (form_elements, url_elements)
  6. Development roadmap
  7. -------------------
  8. - DONE Keep blocked/passed statistics
  9. - DONE Select forms to be protected
  10. - Recipe description language
  11. ?- Site hash (any need to make something on top of botcha_secret variable?)
  12. - Recipe update service
  13. - CRON: call home, report self, get list of updates, cache it, load in chunks
  14. - More recipes
  15. - DONE D7
  16. Ideas For Implementation
  17. ------------------------
  18. - Implement different recipies, enable by on/of setting, all recipies are additive
  19. Recipies:
  20. - obscure "magic" fields by adding a bunch of bugus hidden fields
  21. ==== CSS+JS (verify bot is not executing JS or not loading CSS):
  22. - CSS is separate file (important), JS takes CSS attribute to calculate submission field setting
  23. ==== JS (verify bot is not executing JS, but legitimate user can also disable JS):
  24. DONE - JS Change post variable
  25. - JS Change post variable to a hash value
  26. - JS Change post URL
  27. DONE - JS Change URL variable
  28. - JS Change URL variable to a hash value
  29. - JS Change submit button value (to a hash value)
  30. - JS Remove an input field completely
  31. - JS Convert a hidden field into an input field (?)
  32. - JS Change a hidden field (to a hash value) (bots are smart enough to leave them alone)
  33. DONE - JS + Honeypot field / hidden by CSS
  34. ==== completely server-side:
  35. - Shuffle field names
  36. - Encrypt field names (except [some] honeypots
  37. - Verify all variables that are submitted - reject if any extra fields appeared
  38. - linked javascript file using 'document.write' to append the form
  39. - Server delays certain forms (e.g. user/register) to slow down spambot scripts
  40. ==== CAPTCHA strengthening:
  41. - Limit time to submit captcha
  42. ==== FORM strengthening:
  43. DONE - allow form post only once. invalidate form token. Next submit will fail.
  44. - minimum time check - submitted too early (2..3 seconds)
  45. - register form filters out any submissions with http://
  46. - block suspicious/empty useragent string, compare form build vs form submit
  47. ==== COOKIE-based (needs JS)
  48. - save a cookie, then JS uses that cookie to fill a validation field
  49. - set a cookie by javascript then retrieve the cookie during form processing in the cgi script