Solved

Captcha String random generation, will this be enough to avoid spam

Posted on 2014-04-07
Last Modified: 2014-04-08
Currently my contact form is getting a ton of spam. I am using cgi to process the submitted form.

I am using the code below to generate a random string using PHP:

 <?php 
 $characters = 'bcdfghjklmnpqrstvwxyz0123456789';
 $random_string_length = 6;
 $string = '';
 for ($i = 0; $i < $random_string_length; $i++) {
      $string .= $characters[mt_rand(0, strlen($characters) - 1)];
 } 
 ?>

and display the above generated 6-character string inside a div tag as below:

<div class="captcha"><?php echo "$string" ?></div>


Then I have an input text box where the user enters the above code, and using jQuery I am checking if both values are correct, then continue with the form submission.

My question: will this be enough to keep spam away, or do I need to add anything else to make it stronger?

Here is the link where I added the code:

http://nehikingholidays.com/brochure-request.php

Thanks
Question by:niceoneishere
18 Comments
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39984102
Just about any sort of 'captcha' will minimize automated spam.  It will do nothing to prevent people from individually posting spammy messages.  However, your captcha is clear enough to be read by OCR methods so I wouldn't use it if there was any money to be made by breaking in.
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 39984105
If you echo a string in clear text, the answer is "No, that is not good enough."

The article here will probably answer all your questions about CAPTCHA.  The popular and widely hated reCaptcha is the target of frequent attacks, some of which succeed.  By using an "organic" CAPTCHA you will avoid the spillover from those attacks.

Executive summary: This is the first line of defense against spam.  Content moderation and approval is the second line.  If you're reasonably fortunate you will never need the second line.

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39984115
You could make your captcha a little more effective by using a mottled background with the text color being part of it.
0
 
LVL 2

Author Comment

by:niceoneishere
ID: 39984132
Thanks Dave and Ray for replying.

I will read the link you gave me, Ray.

And Dave, can you shed a little more light on the mottled background? Can this be done using CSS? An example or reference is appreciated.

Thanks
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39984135
Here's an example showing how easy it can be to extract a clear-text data element from an HTML document.  That's why it is usually smart to add a little more complexity to the CAPTCHA process.
http://iconoun.com/demo/temp_niceoneishere.php

<?php
/**
 * Per the request of the Author, the example source code has been removed
 */

HTH, ~Ray
0
 
LVL 2

Author Comment

by:niceoneishere
ID: 39984153
Oh wow, so basically I am back to square one :( How can I avoid the clear text? Does that mean I need to display it over an image?

Thanks
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39984242
Ray's article shows how you can include the captcha code inside an image instead of using plain text.
0
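
An added example (not code from this thread or from Ray's article) of the approach the answers point to: the code is drawn into an image instead of echoed into a div, the expected answer stays in the server-side session, and the comparison runs in the form handler rather than in jQuery, where a bot can skip it. It assumes PHP 7+ with the GD extension and an already started session; the function names, the session key and the 10-minute lifetime are hypothetical, and the speckled background is one reading of the "mottled background" suggestion.

```php
<?php
// Added example: function names, session key and TTL are assumptions.
declare(strict_types=1);

const CAPTCHA_ALPHABET = 'bcdfghjklmnpqrstvwxyz0123456789'; // alphabet from the question
const CAPTCHA_TTL = 600; // seconds a challenge stays valid (assumed value)

// Create a challenge; the answer is stored server-side and never sent as text.
function captcha_new(int $length = 6): string
{
    $code = '';
    $max = strlen(CAPTCHA_ALPHABET) - 1;
    for ($i = 0; $i < $length; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, $max)]; // CSPRNG instead of mt_rand
    }
    $_SESSION['captcha'] = ['code' => $code, 'expires' => time() + CAPTCHA_TTL];
    return $code;
}

// Render the code as PNG bytes so it does not appear in the HTML source.
function captcha_png(string $code): string
{
    $img = imagecreatetruecolor(160, 50);
    imagefill($img, 0, 0, imagecolorallocate($img, 235, 235, 235));
    // Mottled background: random specks in shades that include the text color.
    for ($i = 0; $i < 600; $i++) {
        $shade = random_int(90, 200);
        imagesetpixel($img, random_int(0, 159), random_int(0, 49),
            imagecolorallocate($img, $shade, $shade, $shade));
    }
    $ink = imagecolorallocate($img, 110, 110, 110);
    foreach (str_split($code) as $i => $ch) {
        imagestring($img, 5, 15 + $i * 23, random_int(8, 28), $ch, $ink);
    }
    ob_start();
    imagepng($img);
    return (string) ob_get_clean();
}

// Server-side check: single use, time-limited, constant-time comparison.
function captcha_check(string $submitted): bool
{
    $stored = $_SESSION['captcha'] ?? null;
    unset($_SESSION['captcha']); // any attempt consumes the challenge
    if (!is_array($stored) || time() > $stored['expires']) {
        return false;
    }
    return hash_equals($stored['code'], strtolower(trim($submitted)));
}
```

An image endpoint would call session_start(), send a Content-Type: image/png header and echo captcha_png(captcha_new()); the script that receives the form would call captcha_check() on the posted value before sending any mail. A Perl CGI handler can apply the same steps as long as the expected code is kept on the server and compared there.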
 
LVL 2

Author Comment

by:niceoneishere
ID: 39984409
Thanks, but my form is using Perl (.cgi). If I use the captcha code inside an image as in Ray's article, do I have to create the form in PHP?

Thanks
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39984438
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39984447
I assumed you wanted a PHP solution since the question was posted in the PHP Zone and you gave your example in PHP.  The principles remain the same whatever language you choose.  Anyway, best of luck with your project, ~Ray
0
 
LVL 2

Author Comment

by:niceoneishere
ID: 39984591
Hi Ray,

Any way you can remove my webpage link in the example you have posted showing how easy it was to figure out the captcha code?

Thanks
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39984686
I'll see what I can do.  But this is not secret information that is unique to you or your web page.  Everybody with even a little bit of PHP knowledge knows how to do this!  If hackers want to attack you, they will do it without my 2-cents.  For your own safety and security please consider joining OWASP and advancing the cause of online security.
0
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39984972
One of the things I have run into is the client complains of spam but they also complain about captchas and they feel people don't fill out forms if they are too hard to read.

Most of the sites I am talking about here are for small businesses that get 3K to 50K uniques each month; we are not talking big numbers.  If I take down a captcha, there is typically one bot that rapid fires spam submits.

The compromise has been to create a clear text captcha or secret word or the 1+1=2 thing and it immediately cuts out 99% of the problem.  I just did this for a client and he still gets one spam post a week instead of 50 a day.  For him, the one spammy post per week is tolerable for not having complaints about a traditional captcha.  In addition, I have a counter that allows only so many posts before the form code is hidden as well as the code that accepts input.

In Ray's article, I like the Craftsy approach as well as the "secret word".

Are these methods the most secure and best practice? No, but this only works because of the types of smaller sites I am working with and I have not detected any issues yet that would force me to use something different.
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39985642
0
 
LVL 54

Expert Comment

by:Scott Fell, EE MVE
ID: 39986745
I agree!   I wouldn't want my solution for my bank...
0
 
LVL 2

Author Comment

by:niceoneishere
ID: 39986821
Thanks guys, I ended up using one of Ray's solutions along with Captcha. It was amazing. It has been 24 hrs and so far no spam at all. Touch wood :)

Thanks guys
0
 
LVL 2

Author Closing Comment

by:niceoneishere
ID: 39986823
Thanks
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39987122
Thanks for using EE, and here's hoping it continues to work well for you. ~Ray
0

Question has a verified solution.
