You are here

Home » API reference » BOTCHA Spam Prevention 7.3

TODO.txt in BOTCHA Spam Prevention 7.3

Same filename and directory in other branches
  1. 6 TODO.txt
  2. 6.2 TODO.txt
  3. 6.3 TODO.txt
  4. 7 TODO.txt
  5. 7.2 TODO.txt
TODO
----
- (fix it or leave it?) statistics by variable_set is too slow - it clears vaiable cache in variable_set
- Allow recipe to be used multiple times. (different secret - hash should not collide)
- Add hash collision detection (form_elements, url_elements)
- Create and describe IRecipe to make implementation of new recipes easier
- Replace getProperty with more transparent solution


Development roadmap
-------------------
- DONE Keep blocked/passed statistics
- DONE Select forms to be protected
- Recipe description language
?- Site hash (any need to make something on top of botcha_secret variable?)
- Recipe update service
  - CRON: call home, report self, get list of updates, cache it, load in chunks
- More recipes
- DONE D7



Ideas For Implementation
------------------------
- Implement different recipies, enable by on/of setting, all recipies are additive
Recipies:
- obscure "magic" fields by adding a bunch of bugus hidden fields
==== CSS+JS (verify bot is not executing JS or not loading CSS):
- CSS is separate file (important), JS takes CSS attribute to calculate submission field setting
==== JS (verify bot is not executing JS, but legitimate user can also disable JS):
DONE - JS Change post variable
- JS Change post variable to a hash value
- JS Change post URL
DONE - JS Change URL variable
- JS Change URL variable to a hash value
- JS Change submit button value (to a hash value)
- JS Remove an input field completely
- JS Convert a hidden field into an input field (?)
- JS Change a hidden field (to a hash value) (bots are smart enough to leave them alone)
DONE - JS + Honeypot field / hidden by CSS
==== completely server-side:
- Shuffle field names
- Encrypt field names (except [some] honeypots
- Verify all variables that are submitted - reject if any extra fields appeared
- linked javascript file using 'document.write' to append the form
- Server delays certain forms (e.g. user/register) to slow down spambot scripts
==== CAPTCHA strengthening:
- Limit time to submit captcha
==== FORM strengthening:
DONE - allow form post only once. invalidate form token. Next submit will fail.
- minimum time check - submitted too early (2..3 seconds)
- register form filters out any submissions with http://
- block suspicious/empty useragent string, compare form build vs form submit
==== COOKIE-based (needs JS)
- save a cookie, then JS uses that cookie to fill a validation field
- set a cookie by javascript then retrieve the cookie during form processing in the cgi script

File

TODO.txt
View source 
  1. 

  2. TODO

  3. ----

  4. - (fix it or leave it?) statistics by variable_set is too slow - it clears vaiable cache in variable_set

  5. - Allow recipe to be used multiple times. (different secret - hash should not collide)

  6. - Add hash collision detection (form_elements, url_elements)

  7. - Create and describe IRecipe to make implementation of new recipes easier

  8. - Replace getProperty with more transparent solution

  9. 

  10. 

  11. Development roadmap

  12. -------------------

  13. - DONE Keep blocked/passed statistics

  14. - DONE Select forms to be protected

  15. - Recipe description language

  16. ?- Site hash (any need to make something on top of botcha_secret variable?)

  17. - Recipe update service

  18.   - CRON: call home, report self, get list of updates, cache it, load in chunks

  19. - More recipes

  20. - DONE D7

  21. 

  22. 

  23. 

  24. Ideas For Implementation

  25. ------------------------

  26. - Implement different recipies, enable by on/of setting, all recipies are additive

  27. Recipies:

  28. - obscure "magic" fields by adding a bunch of bugus hidden fields

  29. ==== CSS+JS (verify bot is not executing JS or not loading CSS):

  30. - CSS is separate file (important), JS takes CSS attribute to calculate submission field setting

  31. ==== JS (verify bot is not executing JS, but legitimate user can also disable JS):

  32. DONE - JS Change post variable

  33. - JS Change post variable to a hash value

  34. - JS Change post URL

  35. DONE - JS Change URL variable

  36. - JS Change URL variable to a hash value

  37. - JS Change submit button value (to a hash value)

  38. - JS Remove an input field completely

  39. - JS Convert a hidden field into an input field (?)

  40. - JS Change a hidden field (to a hash value) (bots are smart enough to leave them alone)

  41. DONE - JS + Honeypot field / hidden by CSS

  42. ==== completely server-side:

  43. - Shuffle field names

  44. - Encrypt field names (except [some] honeypots

  45. - Verify all variables that are submitted - reject if any extra fields appeared

  46. - linked javascript file using 'document.write' to append the form

  47. - Server delays certain forms (e.g. user/register) to slow down spambot scripts

  48. ==== CAPTCHA strengthening:

  49. - Limit time to submit captcha

  50. ==== FORM strengthening:

  51. DONE - allow form post only once. invalidate form token. Next submit will fail.

  52. - minimum time check - submitted too early (2..3 seconds)

  53. - register form filters out any submissions with http://

  54. - block suspicious/empty useragent string, compare form build vs form submit

  55. ==== COOKIE-based (needs JS)

  56. - save a cookie, then JS uses that cookie to fill a validation field

  57. - set a cookie by javascript then retrieve the cookie during form processing in the cgi script

  58. 

  59. 

  60. 

  61.