I have a simple contact us / comment from in my website and this form will send email containing the comments, etc after it is submitted. I have used NoBot control from ajaxcontrol toolkit for several times but it seems that this control did not prevent the spam/bot attack 100%.
The client insist that this form should not have any capcha code or something that users have to insert in the form. So what is the best way to handle the spam/bot attack for my current case.
Thanks.
Without a captcha there is no 100% way of stopping all spam. (or even with a captcha)
one method would be to put an input type=text on the page and hide it using css, then if it's filled in when the form is submitted it's spam, any normal user would never even know about the field.
Outside of a captcha, the key to stopping bots on small sites is to do something custom. Bot-writers know their work, and they'll have canned scripts capable of defeating the common and even most of the uncommon systems out there. You need to do something unique. It doesn't even have to be that complicated. The person who created this very site was able to get by running a popular blog for years by simply asking his users to type in the word orange.
I want to also point out that this doesn't mean you should start from scratch. As with all security-related code, if you try to do it yourself you'll likely get it wrong. What you want to do is find a system that gives you source code and customize it for your site, so that existing scripts that know how to defeat that system will no longer work.
Related
Recently, a lot of people in my house have been going on my computer when I wasn't there and I want to make sure that I know what they have been on, for the sake of privacy. I had the idea of making a keylogger that I could use to see what they have been doing on my computer. The keylogger itself (as in a program that records key strokes) I could make, but I have another idea in mind that I'm not sure is possible.
My idea is basically, like a keylogger, something that compiles a list, or log, of the activities of the user, but to a greater extent. I was wondering if it would be possible to document the actions of the user to the extent that every element of the screen they clicked on would be documented. In a web browser, I'm sure there would be a way to do this as all of the information (ids) of the elements of the page can be collected by inspecting the elements (looking at the code). As for general use of the computer, I'm not so sure.
In simpler terms, I want to make a program that would record the users actions in a log as shown below.
14:17: User clicked Windows Start Button
14:17: User searched for 'Chrome' in search engine
14:17: User opened 'Chrome'
14:18: User clicked URL address bar
14:18: User searched for 'stackoverflow.com'
14:18: User clicked 'Login' button on 'stackoverflow.com'
I'm not an expert by any means and only have a school-level knowledge of programming, but I want to know if it would be possible to create something like this. I want the program to be able to collect all of these major actions so that I can compile them within a hidden text document. I'm not sure if these elements could be identified by a program but if anyone has any idea how I would do something like this or indeed if I could do something like this, by all means, message me on here. I would be EXTREMELY grateful!
P.S - This is my first post on here, go easy on me, aha.
With .NET code you will definitely be able to get window positions of other applications (for example google chrome).
For example with the following library: https://github.com/DataDink/WindowScrape
Furthermore you should be able to track keyboard inputs and mouse-clicks of the user on the desktop (which position he clicked on). I think the evualuation of the mouse-clicks will be up to you ("user clicked on url-bar in chrome").
Just a personal hint from me: Doing something like that without informing the person using the PC you will be heavily punished. Think about it twice.
I know this has been asked a LOT of times, but I am really struggling having tried a lot of different potential solutions.
I have a c# ASP.net website page. There is a form on there with a submit button. all code is in the code behind page.
We do not get any spam submitted through the form because I have a capture element. Yet - spam bots have are scanning the page, getting the field names and posting straight to the page.
I only know this because I set the Application_Error to report any errors by email to me (in global.asax).
I have tried changing my field names - but they just pick up the new fields.
I have put <httpRuntime requestValidationMode="2.0" /> in the web.config.
In my page, I have EnableEventValidation="False"
But - as I said, the problem isn't allowing html in the post data, it's trying to stop spam bots from submitting DIRECTLY to the page. It's being triggered (I think) before the page even loads.
I'm running out of ideas here! I am blocking ip ranges every 10 minutes on our firewall. I cannot keep doing that!
Thanks for any help!
This is what you do: ignore it. Blocking IPs will just keep you running around in circles and is ultimately a waste of time.
If spam is not actually being submitted then you really don't have a problem. The framework is doing exactly what it is supposed to be doing.
Quite frankly, I wouldn't bother investigating an error message like that unless it was preventing an actual user from doing what they need to do.
If you really just want the errors to go away then you need to do the following:
Set EnableEventValidation="true"
Set ValidateRequest="false"
EnableEventValidate tells .net to see if the post came from clicking on a control that it had rendered. This should help prevent direct posts.
ValidateRequest tells .net whether to test the inputs for html and other "dangerous" characters. Turning it off will stop your error message.
If you are simply trying to get spammers to stop hitting your site: close the site down. As that is the ONLY reliable way of keeping a spammer off of it.
Have you tried a honeypot field?
Create an input field in your markup, but don't display it on the page. You can use css or other methods to hide it from users, as long as it still shows up in your page source.
Then, in your code-behind, check that the field is empty before processing anything. You know your real users can't see the field, or enter anything in it. Therefore if that field was filled in, you know that it was from a bot scanning your page, and you can ignore all the rest.
The idea is that spam bots can't resist filling in fields, but most aren't smart enough to determine if the field is actually visible in a browser, so you trick them into giving themselves away by filling in something they shouldn't.
FWIW, I've used this approach personally with decent success.
However, if ASP is rejecting the submissions and causing an error, that's a different problem. Do you need legitimate users to be able to submit markup in the field? If you don't, the framework is actually doing the right thing by protecting your site. In that case, I would just check for that particular error in your Application_Error method and ignore it.
I have C# form in the site and want to prevent spam bots from filling it. The trick is, that I want to avoid CAPTHA or any other user input to avoid loosing a single registration.
Here are some techniques I have in my mind:
Hidden input field (question: is this still effective?)
Track time, since the first user input (focus on FirstName) till posting a form.. Humans will take more than 3 seconds to complete a form (even with auto-fill), where bots take a second or less to fill in registration and post it. (question: if I start timer with the first user input, when should I stop it?)
Put in the form tag a fake post url, or post form to itself, and only on Submit button click action to add a real post url with javascript. (question: wonder if new spam bots can cheat this?)
I would be glad to hear other techniques I could adopt, again, without using CAPTCHA, spam filters, form verifications and even validation. Thank you
would be good to have some sort of flash which asks you to reconnect dots (so that it is interactive and doesnt require typing), and when the user does it correctly, you can post with submit to check.
Never liked CAPTCHA, especially the wierd ones where even humans have problem intepreting it :)
A year ago there was a nice control for asp.net that put a hidden field on the form. With a javascript formula. Robots posted it back - and it wanted the result (stored the result first in the session). basically, as robots dont interpret the form in a browser (too slow).... ;) Most got just thrown out there.
Also, another tip: put in hidden fields for the email to address. Some (old)php forms use a mailer supportnig this. OBVIOUSLY only a robot fills that out ;) If not empty -> garbage.
Anyone else have any smart ideas? ;)
I would say stick with Captcha or a similar thing where the user has to type something in.
The problem with using JavaScript is that not everyone has javascript turned on and quite a few have it turned off for various reasons.
Now if you want to really track time, send a hidden form field with the server time filled in. When the postback occurs take the delta of that with the current time. Obviously if the field is missing then you know someone directly posted.
I'm writing a web-based application for internal use within the business where I work. It's a fairly complex application, with a lot of forms that will allow the user to view and enter data, which once saved will be stored in a database.
One thing I'm anxious to avoid is allowing a situation to exist where a user might enter large amounts of data in the browser, and then (either deliberately or inadvertently) navigate off the page without saving the changes. To this end, I have already implemented an entry page which opens up a new browser window in which there are no navigation controls at all; only what is provided on the web pages themselves.
However, there are two potential ways in which a user could still lose data:
The browser Close button is still enabled, and a user could potentially lose work by clicking it inadvertently. I can probably live with this, as it falls at the extreme end of helping the user not to shoot himself in the foot.
In Internet Explorer (and, apparently, in Firefox) the Backspace button works like a Back button. I only discovered this accidentally, and have as yet been unable to find a simple way of stopping this behaviour. This is potentially a problem, as an inadvertent use of the Delete key (e.g. having positioned the cursor in a read-only textbox, or when the cursor isn't on any particular field in the page) will navigate off the page.
What I would like to do, as a minimum, is prevent Backspace from navigating off a page if that page has any user-writable fields on it and any of those fields have been changed by the user since the form was loaded. Ideally, I would like to disable this particular use of the Backspace key completely, while the user is logged into this web application. The two possible ways that I can think of, for achieving this, are: (1) clear the browser's history as each page is loaded, or (2) trap the Backspace key and only allow it to work if the cursor is positioned within a field whose text can be changed (e.g. a textbox).
Can anyone suggest how I could achieve either of these things? The solution needs to be programmatic, rather than something that has to be manually configured on every browser in the company.
Instead of blocking* functionality that your users have learned to expect in their daily activities at work and at home, why not work with it? Make the "back" button actually take them to the previous screen as expected, and use AJAX to silently save the form as they fill it out (say, every 5 or 10 seconds), so when they return to the form you can check to see if they already have partial, unsubmitted values saved and reload them.
This approach aligns with the realities of web-based applications and delights users if implemented well. An alert that says "you did something wrong" just frustrates users and makes them trust your application less. Remember - users almost never do the wrong thing. It's our applications that aren't aligned with usage.
* more like trying to block functionality. As you've discovered, people who designed the interwebs and web browsers never really intended for site developers to totally disable moving back and forward in the navigation history.
What about something like this? You can ask them if they are sure before they leave.
var changes = false;
window.onbeforeunload =
function()
{
if (changes)
{
var message = "Are you sure you want to navigate away from this page?\n\nYou still have unsaved changes.\n\nPress OK to continue or Cancel to stay on the current page.";
if (confirm(message)) return true;
else return false;
}
}
You should look at the Javascript's window.unload event.
This is fired when the use tries to leave the page. You can't totally stop them leaving the page, but you can give them a chance to cancel.
try this
window.onbeforeunload() {
return "Are you sure you want to navigate away?";
}
Boring background:
I have been working with UltraVNC to control some PC's at work and it does the job great but in order to simplify things I created a program that interfaces with it in C#. Basically I take advantage of the commands the viewer offers to connect, control, watch or transmit to each PC.
Problem is anyone can access the PC's since it has one main account (no domain controller). I need everyone to sign for the PC before they can use it, so to make my job easier I open each PC and block the inputs + blank the screen that way there obligated to sign before use.
Opening each pc and press the block button can be hassle especial when you’re helping someone and a user leaves, others come (btw I work at an electronic library). UltraVNC doesn’t have a command for this; it’s been requested but I don’t think it’s much of a priority for them and the code seems very intimidating for a novice like me so I thought I could try a hack to get what I want.
Problem: I want to “click” a button in a program I use, from an application that I am building in c#. I can currently use the process class to get the handle and identify the specific window I want to use but I have no way to find the button handle which I read is what I need. I found stuff about using findwindow and sendkeys for this but I don’t see how that’ll work unless the button had a keystroke assigned to it which it doesn’t.
So can anyone point me in the right direction?
Why not use something like Eficium Cybercafe SurfShop to achieve what you want? After teh user finished you log the session out, and before someone can log in, they have to sign in.