Hi there,

I am researching new anti-spam methods for my site. BOTCHA is looking really good. A quick question for you:

Are there any circumstances that would block a legitimate user's post? I understand that false negatives are always a possibility, but I would like to use a method that has practically 0 false positives. Are the hidden CSS fields labelled to advise human users not to fill them if for some reason they were to appear?

I'm not sure what has been attacking my site recently. I've been using CAPTCHA. I get the impression that it is mainly human. I was getting 6 to 10 spam posts per day, and always in the comments of the same node. My site is not widely known or hugely popular, so I doubt that I would be the target of a CAPTCHA decoder bot; I just sort of doubt that they would bother with me. And I think if a bot managed to get through, it would have posted a lot more spam to a lot more threads.

Thanks for the help!

Comments

iva2k’s picture

Status: Active » Fixed

When CSS is disabled, there are instructions for the user to not change the honeypot fields. When JS is disabled, there are instructions for the user to enable JS. So in theory legitimate users should have 0 false negatives. The only outstanding issue is the screen readers (see the issue queue).

rahim123’s picture

Very good, thanks for the reply and thanks for working on this very necessary project!

timwood’s picture

sb56637,
If you believe your attack is "mainly human" then BOTCHA isn't really going to help you. Anyone can pay pennies via Amazon's Mechanical Turk to have humans post spam comments to your site. It would be okay to leave BOTCHA enabled or even test it to see if your spam is minimized. If you want something that can catch/detect any type of spam by analyzing the content I would recommend one of the other Drupal modules available such as Spam (if you can't use a 3rd party service), Mollom (if you CAN use a 3rd party service), or others listed here.

Since we cannot use Mollom, I'm looking into using the Spam module for our sites. The current Dev version has a lot of improvements and I believe an Alpha/beta/RC version is imminent.

rahim123’s picture

Thanks timwood for your suggestion,

Yes, you're right that BOTCHA can't do anything against human spammers. But I figured that if it isn't likely to produce false positives then I could install it just to be safe. Or maybe they are using a bot to register and then a human to post, I can't really tell. I did think about the Spam module, but I'm not sure how well the Bayesian heuristics can distinguish between a post full of spam links and a post full of legitimate links, which is a major part of my site's focus. Have you had pretty good luck with the Spam module?

Thanks again!

iva2k’s picture

Status: Closed (fixed) » Fixed

> Anyone can pay pennies via Amazon's Mechanical Turk to have humans post spam comments to your site.
My investigation shows that the economy of this is not real. It turns out that they would use humans to target the website with scripts, but then offload it to bot farms.

I even caught in the logs a few attacks by a human, when a programmer did numerous postings by hand and then obviously spent some time testing scripts to do the same. Needless to say, the scripts did not work and the postings were rejected by BOTCHA. After a while he figured out a script that would get through after very many tries, amounting to one posting a day. I just changed the secret key and that stopped.

I would also encourage everyone to use multiple levels of defense. BOTCHA works fine side-by-side with other modules like CAPTCHA, Mollom, etc.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.
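
The two checks discussed in this thread, a CSS-hidden honeypot field and a form value tied to a server-side secret key, sketched as an added example. This is not BOTCHA's code: the field names, the token scheme (HMAC-SHA256 over a form id and nonce) and the keys are assumptions made for illustration, and the third case shows why changing the secret key rejects a script that replays a previously valid form.

```python
import hashlib
import hmac

HONEYPOT_FIELD = "homepage_url"  # hypothetical decoy field, hidden with CSS


def issue_token(secret_key: bytes, form_id: str, nonce: str) -> str:
    """Keyed value the server embeds in the rendered form (assumed scheme)."""
    msg = f"{form_id}:{nonce}".encode()
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()


def check_submission(secret_key: bytes, form_id: str, post: dict) -> tuple[bool, str]:
    """Return (accepted, reason) for one submitted form."""
    # 1. Honeypot: a human never sees this field, so any value means automation
    #    (or a user with CSS off who ignored the visible "leave empty" label).
    if post.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot filled"
    # 2. Keyed token: must match what the *current* secret key produces.
    expected = issue_token(secret_key, form_id, str(post.get("nonce", "")))
    supplied = str(post.get("token", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad token"
    return True, "ok"


def demo() -> list[tuple[bool, str]]:
    key_v1 = b"constructed-key-1"  # constructed sample keys
    key_v2 = b"constructed-key-2"
    nonce = "n-0001"               # constructed sample nonce
    good = {
        "nonce": nonce,
        "token": issue_token(key_v1, "comment_form", nonce),
        HONEYPOT_FIELD: "",
        "body": "hello",
    }
    bot = dict(good, **{HONEYPOT_FIELD: "http://spam.example"})
    return [
        check_submission(key_v1, "comment_form", good),  # legitimate post
        check_submission(key_v1, "comment_form", bot),   # decoy field filled in
        check_submission(key_v2, "comment_form", good),  # replay after key change
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```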
