
What is your use case? I get exactly 0 spam on my website (of 100,000s of users) by simply writing my user registration page in a nonstandard way that bots aren't familiar with filling out automatically. It uses JS to `fetch()` a custom API endpoint and then redirects to the homepage.

Or for example, a fixed question "What color is the sky?" or something can reduce spam by orders of magnitude relative to nothing at all.



I think a "honeypot" HTML input field works well for anything not written explicitly to target your site. If any text is entered, mark as bot/spam.

    <form>
    <div style="display:none">
    If you are human, please ignore this field:
    <input type="text" name="Name" value="My Name">
    </div>
    Name:
    <input type="text" name="actualfield">
    </form>
Bots can't resist. Accessibility is fine, I think.

(Edit: suggested earlier elsewhere in the thread by tyingq: https://news.ycombinator.com/item?id=23090550 )


I used this technique in my forms until I realised that the browser's auto-fill also works similarly to the bot and will fill fields that have a familiar field name (email, name, phone, etc.). Real users (many of them) who use the browser's auto-fill feature will get blocked by this technique. If you add a field with a random field name bots ignore that field.

One thing that works still is using JavaScript to create a hidden field and make that field mandatory. Run of the mill bots don't run JavaScript yet. However this will exclude people who have disabled JavaScript in their browsers.
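
The two techniques from the comment above (a honeypot under a random field name that auto-fill ignores, and a mandatory hidden field created by JavaScript), as an added example that is not part of the thread. The field names, the `/register` action, the token format and the helper names are assumptions.

```javascript
// Added example: field names, helper names and sample bodies are constructed.
const HONEYPOT = 'contact_ref_7f3a'; // random-looking name, so browser auto-fill skips it
const JS_FIELD = 'js_token';         // only present if the page's script ran
// Render the form. `token` is a random per-page-load value produced by the
// caller (assumed 32 hex chars); `issued` is the server-side Set of live tokens.
function renderForm(token, issued) {
  if (!/^[0-9a-f]{32}$/.test(token)) throw new Error('unexpected token format');
  issued.add(token);
  return `<form method="post" action="/register">
  <div style="display:none">
    If you are human, please leave this field blank:
    <input type="text" name="${HONEYPOT}" value="" autocomplete="off" tabindex="-1">
  </div>
  Name: <input type="text" name="actualfield">
  <script>
    const f = document.createElement('input');
    f.type = 'hidden'; f.name = '${JS_FIELD}'; f.value = '${token}';
    document.currentScript.parentNode.appendChild(f);
  </script>
</form>`;
}

// Classify a raw application/x-www-form-urlencoded POST body.
function classifySubmission(rawBody, issued) {
  const form = new URLSearchParams(rawBody);
  // A human never sees the honeypot, so any non-blank value means automated filling.
  if (form.getAll(HONEYPOT).some((v) => v.trim() !== '')) {
    return { accept: false, reason: 'honeypot-filled' };
  }
  // The field is absent when the client did not execute the page's script.
  const token = form.get(JS_FIELD);
  if (token === null) return { accept: false, reason: 'js-field-missing' };
  // Single use: delete() returns false for unknown or already-spent tokens.
  if (!issued.delete(token)) return { accept: false, reason: 'js-token-invalid' };
  return { accept: true, reason: 'ok' };
}

// Constructed submissions: fill-everything bot, no-JS bot, browser, replay.
function demo() {
  const issued = new Set();
  const token = '0123456789abcdef0123456789abcdef'; // constructed sample value
  renderForm(token, issued);
  const browser = `${HONEYPOT}=&actualfield=Alice&${JS_FIELD}=${token}`;
  return [
    `${HONEYPOT}=Buy+now&actualfield=Bob`,
    `${HONEYPOT}=&actualfield=Bob`,
    browser, browser,
  ].map((body) => classifySubmission(body, issued).reason);
}
```

`demo()` returns one reason per constructed submission; the second browser submission is rejected because the token was already spent.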


This works to the extent that bots aren't contextually aware of accessibility semantics. If the bot is mindful of the fact that the field isn't displayed, it could skip it. Which is exactly what screen reader technology would do, due to the "display: none;" rule.


Perhaps the trick could work by displaying it but setting the opacity or the height to 0, and hiding it from screen readers with aria-hidden. But I guess that won't fool the smarter bots.


  > <div style="display:none">
No, don't do this. Just use:

  <form>
    If you are human, please leave this blank:
    <input type="text" name="Name" value="">
    Name:
    <input type="text" name="actualfield">
  </form>


Accessibility should be fine if screen readers haven't changed a lot. They skip or are not even aware of display:none blocks.

Does the above honeypot work well with bots using headless browsers? Or is actually rendering the page not common enough for bots still?


Does this break things with chrome or LastPass autocomplete?


It shouldn't; you don't fill anything at registration, so even if the password generators prefill it, it should remain empty and can be ignored.



A website I use used to have a question of "How do you spell 'blue'?" Then a bot figured it out and they had to change it to "How do you spell 'green'?".


I like a test that asks a question relevant to whatever the site is about. "What game is this forum about?"

That, or a slightly harder variation, might also have the benefit of slowing down human trolls. But the answer should be easy for any legitimate user of your site. And of course easy to check automatically.


When I used to manage web forums, I asked a hard question and put the answer within the question itself (e.g. "hint: the answer is xxx").


I've seen that. It's great for keeping out generic bots, while allowing anyone with the slightest reading comprehension in. And if your forum is small, nobody is going to bother writing a custom bot for it.


I like this approach, especially for niche websites. Usually a pool of themed questions is enough.


This gets me thinking. What we're looking for here is a way for "small" players to be able to survive without having to lean on Google. But small players are smaller targets for bots. So they don't need to take drastic measures. Once you can get big enough to be noticed by more sophisticated bots, you would be more likely to be able to afford a more sophisticated defense.


How do you handle blind or colorblind visitors?


Blind and colorblind people still know what color the sky is. It's impossible to live long enough to register on a website and have never heard that.


OP edited their comment. It was originally "What color is our logo?"


Ah, sorry about that then.


Our logo is black actually.


You just need to have heard the most famous song from The Mamas & The Papas.


Hopefully members on HN are smart enough to generalize my example to something that may be better or more suitable for their own website, and not just lazily copy-paste my example of a generic question. If you do, I'm not sure you pass the human test.


Too late. My CAPTCHA now reads "What colour is vortico's logo". It's pretty effective. Not one bot signup.


They know it culturally.


grey


UK grey or Seattle grey?


UK is grey, Seattle is gray.


Television-tuned-to-a-dead-channel grey?


Usually black, actually; sometimes with white dots.


Octarine.


You mean gray? /s


darker than that


> "What color is the sky?"

Well, the answer is obvious:

> The sky above the port was the color of television, tuned to a dead channel.

I hope this is the good answer you support on your page.

On the other hand there is no one answer to this question, as the proper answer should begin with "it depends...". Currently, the sky is totally dark grey, storm is coming. Soon, it will be dark, so the sky will be black.

I think your "captcha" is broken.


I think this falls under something like https://xkcd.com/810/ , where you would not be allowed access, and that would be deemed a benefit to other users.


Perhaps his forum doesn't want snarky people?



