RJM62
I built a site around that spam-stopper text messaging script, and enlisted a few people to help me test it. I'm glad I did, because a problem I really hadn't thought about has me re-thinking the whole concept of the way I did it.
The present script stashes data in a database when the form is loaded, and then recalls it when the form is submitted. A few of the tests directly or indirectly depend upon the IP address being the same at both stages. What I have come up against is a remarkably high number of known-human submissions in which the IP address changed in that interim.
One case was someone who loaded the page, then got called to a meeting, hibernated the computer, and sent the message after the meeting. Not only did it fail the time-out test, but his IP address also changed in that time.
Another case involved a somewhat similar thing. The user loaded and bookmarked the form, then got interrupted. The laptop hibernated, and he took the laptop home and sent the message from there. Different IP, and the message was dropped.
Another problem involved a hash that a particular user's browser kept truncating. I suspect it was some sort of security software that did it, and I'm hoping he lets me know what he's running.
In any case, I think I'm going to have to use sessions and cookies for the spam testing, which I had actually considered earlier but decided against once I started using the database. I think what will happen is that I'll keep the database as a record, but do the bot testing with sessions.
On the positive side, no bots have slipped through as of yet; and I'm getting some sorely-needed practice in PHP.
Rich
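The session-based approach described in the post above, as an added example that is not part of the original post and not the poster's script: the form token is bound to the session cookie rather than to the client IP, so a hibernated or relocated laptop still passes. The function names, constants and thresholds are hypothetical assumptions.

```php
<?php
// Added example: hypothetical names and thresholds, not the poster's script.
declare(strict_types=1);

const MIN_FILL_SECONDS = 3;      // assumed: a faster submit looks automated
const MAX_AGE_SECONDS  = 86400;  // assumed: long enough to survive hibernation

function open_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // PHP's default session lifetime is 1440 s; raise it to match MAX_AGE.
    ini_set('session.gc_maxlifetime', (string) MAX_AGE_SECONDS);
    session_set_cookie_params([
        'lifetime' => MAX_AGE_SECONDS,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call when rendering the form; put the result in a hidden field.
function issue_form_token(): string
{
    open_session();
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_tokens'][$token] = time();  // keyed by token, not by IP
    return $token;
}

// Call on submit; returns 'ok', 'too_fast', 'expired' or 'unknown'.
function check_form_token(string $submitted, ?int $now = null): string
{
    open_session();
    $issued = $_SESSION['form_tokens'][$submitted] ?? null;
    if ($issued === null) {
        return 'unknown';  // no cookie, or token missing/altered/truncated
    }
    unset($_SESSION['form_tokens'][$submitted]);  // single use
    $age = ($now ?? time()) - $issued;
    if ($age < MIN_FILL_SECONDS) {
        return 'too_fast';
    }
    return $age > MAX_AGE_SECONDS ? 'expired' : 'ok';
}
```

On `expired` or `unknown`, re-displaying the form with the typed message preserved and a fresh token avoids silently dropping a human submission; the database can still log the IP at both stages as a record without using it as a pass/fail test.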