Forms submitted by bots


אורי

Dec 12, 2019, 9:43:00 PM
to Django developers (Contributions to Django itself)
Django developers,

After releasing Speedy Net to production I received lots of spam to our contact forms [https://en.speedy.net/contact/, https://en.speedymatch.com/contact/]. I found out that all of these spam messages were produced by bots. I had to add a new "no bots" field to this form, where I just ask users to type a specific number and validate it in the form. Since I added this field I haven't received any more spam from the contact forms. I know Django is using CSRF cookie directives, but isn't it possible to prevent bots from submitting forms? I would like to remove the "no bots" field from this form as it wastes the time of our users who want to contact us. But I don't want to receive messages from bots. Is there another way to prevent bots from submitting forms?

Kye Russell

Dec 12, 2019, 10:50:51 PM
to django-d...@googlegroups.com
This is more of a support question, but: https://github.com/jamesturk/django-honeypot will thwart the majority of (naive) automation attempts. 
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CABD5YeGj%2BFdsrmq%3D_Yai3bJHDSG_5Q1tmXSHLSQv4YexgomZxQ%40mail.gmail.com.

אורי

Dec 12, 2019, 11:02:44 PM
to Django developers (Contributions to Django itself)
Thank you. How do I use django-honeypot and how does it work? How does it affect our human users and how does it affect the bots? I didn't understand from their website.

I added a new feature request https://code.djangoproject.com/ticket/31085


Adam Johnson

Dec 14, 2019, 6:41:13 AM
to django-d...@googlegroups.com
Preventing bot submissions is a bit of an arms race. Django could add some protection, but if many Django sites use it then bot scripts might be adapted to work around it.

I've had success using django-recaptcha in the past: https://github.com/praekelt/django-recaptcha . django-honeypot looks good too.

I think adding such protection would be a major project - research plus implementation. I think it could make a good Google Summer of Code project and will suggest it to the other DSF members.



--
Adam

1337 Shadow Hacker

Dec 14, 2019, 6:53:26 AM
to django-d...@googlegroups.com
We had the same problem and didn't want to use reCAPTCHA because it's too hard for some users (i.e. senior users).

So, we used django-simple-captcha, but that didn't stop some of the bots. Our SecOps produced automated captcha-parsing scripts so that we could fine-tune the configuration, and found a configuration that gives them only about a 20% chance of success, and we don't have any more spam at all (maybe the captcha recognition scripts hackers use are not as good as the one we made for testing purposes?).


Our special functions, which are just copy/pasted from the original app source code, with minimal modifications to make it stop: https://github.com/betagouv/mrs/blob/0f37f786c4770e0f401c071fb2fef85f18303aca/src/contact/captcha.py

Note that audio works well, but in English only; it doesn't require any external web service, though it does require Pillow. I suppose that would be the preferable implementation detail if Django were to integrate such protection.

Hope this helps

אורי

Dec 14, 2019, 8:29:51 AM
to Django developers (Contributions to Django itself)
Hi,

I'm looking for a solution which will waste zero time for human users, not even clicking on the reCAPTCHA button, but on the other hand will prevent bots from submitting the form. I'm not sure how this can be implemented technically. But right now the "no bots" field I added prevents all the bots from submitting the forms on our websites. The only disadvantage of it is that it wastes about 30 seconds of human users' time, since they have to type this number for the form to be submitted successfully.

We also have a registration form but luckily it was not abused (yet) by bots. All the other forms on our website (except registration, login and contact) can only be submitted by logged in users anyway. And if the user is logged in - he is not a bot.

I have another website which uses MediaWiki and there it was flooded by bots who also signed up for the website and created accounts and then pages. I guess these bots are MediaWiki-specific bots.
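The "no bots" field described above and the django-honeypot app Kye Russell pointed to sit at two ends of the same idea: the first asks the human to prove something, the second asks the bot to betray itself. The zero-friction variant is a hidden field that humans never see (so it always arrives empty) combined with a signed timestamp that rejects submissions posted faster than a person could fill the form. The following is an added example, not code from django-honeypot, Speedy Net or Django itself; the field names, the secret, the timing thresholds and the sample submissions are assumptions constructed for the example, and it uses only the standard library so it runs without Django.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Assumption: a per-deployment secret. In a Django project this would be
# settings.SECRET_KEY; here it is a constructed placeholder so the example
# runs stand-alone.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Assumption: field names chosen for this example. The honeypot gets a name a
# form-filling bot is likely to populate ("website"); the template hides it
# from humans (e.g. style="display:none") and renders it empty.
HONEYPOT_FIELD = "website"
TIMESTAMP_FIELD = "form_ts"

MIN_FILL_SECONDS = 3      # faster than a human can read the form and type a message
MAX_FILL_SECONDS = 3600   # a token scraped once and replayed for hours is rejected


def _sign(issued_at: int) -> str:
    """HMAC over the issue time so a bot cannot backdate its own timestamp."""
    return hmac.new(SECRET_KEY, str(issued_at).encode(), hashlib.sha256).hexdigest()


def hidden_fields(now: Optional[float] = None) -> Dict[str, str]:
    """Values to render as hidden inputs when the contact form page is served."""
    issued_at = int(time.time() if now is None else now)
    return {
        HONEYPOT_FIELD: "",
        TIMESTAMP_FIELD: f"{issued_at}:{_sign(issued_at)}",
    }


def check_submission(post: Dict[str, str], now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for the submitted form data.

    Rejections fall into three classes: the honeypot was touched, the
    timestamp token is missing or forged, or the fill time is implausible.
    A real view would log the reason and show a generic error (or silently
    drop the message) so the bot operator learns nothing about which check fired.
    """
    now = time.time() if now is None else now

    # 1. Honeypot: a human never sees the field, so it must arrive empty.
    if HONEYPOT_FIELD not in post:
        return False, "honeypot field missing"
    if post[HONEYPOT_FIELD] != "":
        return False, "honeypot filled"

    # 2. Timestamp token "<epoch>:<hex hmac>", as issued by hidden_fields().
    issued_str, _, sig = post.get(TIMESTAMP_FIELD, "").partition(":")
    if not issued_str.isdigit() or not sig:
        return False, "timestamp token malformed"
    issued_at = int(issued_str)
    if not hmac.compare_digest(sig, _sign(issued_at)):
        return False, "timestamp token forged"

    # 3. Fill time: too fast means scripted; too old means a replayed token.
    elapsed = now - issued_at
    if elapsed < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if elapsed > MAX_FILL_SECONDS:
        return False, "form token expired"

    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions: a human taking ten seconds, and a bot that
    # filled every field it found and posted within one second.
    served = hidden_fields(now=1000)
    human = {**served, "name": "Alice", "message": "Hello"}
    bot = {**served, "name": "x", "message": "buy now", HONEYPOT_FIELD: "http://spam.example"}
    print(check_submission(human, now=1010))
    print(check_submission(bot, now=1001))
```

In a Django form the two hidden values would be `forms.CharField(required=False, widget=forms.HiddenInput)` fields and the checks would live in the form's `clean()`, raising `ValidationError`. The HMAC matters: a plain hidden timestamp is trivially rewritten by the bot to look old enough, whereas a signed one forces it to actually fetch the page and wait.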

Jason Johns

Dec 14, 2019, 8:34:46 AM
to Django developers (Contributions to Django itself)
We use Signal Sciences at work, integrated with nginx

I'm looking for a solution which will be zero time wasting for human users, not even clicking on the recaptcha's button, but on the other hand will prevent bots from submitting the form

welcome to the arms race :-)

Tom Forbes

Dec 14, 2019, 9:25:17 AM
to django-d...@googlegroups.com
IMO this is outside of the scope of this mailing list. There is no simple answer to this problem, nor a general solution. There is however a wealth of information on this topic that you can find with a few Google searches.

If there is something we can do to Django to make it easier to integrate 3rd-party bot detection services then that's something we could discuss, but it's not sensible to include any attempt at detection inside Django itself.

One of the better ways of zero-friction verification is Google's reCAPTCHA service - they have a hidden zero-interaction version that uses Google's historical data on that user's browsing habits to detect if they are a bot.

Tom

On 14 Dec 2019, at 13:29, אורי <u...@speedy.net> wrote:
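The zero-interaction reCAPTCHA variant Tom mentions still has a server-side step that is easy to get wrong: the token the client script puts in the form is posted to Google's siteverify endpoint, and the JSON that comes back must be checked for more than `success`, otherwise a token harvested from a different site, a different form, or an hour ago is accepted. The following is an added example, not Django's or django-recaptcha's code. The endpoint URL and the response fields (`success`, `score`, `action`, `challenge_ts`, `hostname`, `error-codes`) are Google's documented siteverify API; the score threshold, the freshness window, the hostname and the sample response are assumptions constructed for the example, and the request is built but not sent so the example runs offline.

```python
import urllib.parse
import urllib.request
from datetime import datetime
from typing import Any, Dict, Optional, Tuple

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def siteverify_request(secret: str, token: str, remote_ip: Optional[str] = None) -> urllib.request.Request:
    """Build (but do not send) the server-to-Google verification call.

    `token` is the value the reCAPTCHA client script wrote into the form;
    `secret` is the site's server-side key and never reaches the browser.
    A view would then do: json.load(urllib.request.urlopen(req, timeout=5)).
    """
    params = {"secret": secret, "response": token}
    if remote_ip:
        params["remoteip"] = remote_ip
    body = urllib.parse.urlencode(params).encode()
    return urllib.request.Request(SITEVERIFY_URL, data=body, method="POST")


def parse_challenge_ts(ts: str) -> float:
    """challenge_ts is ISO 8601 with a trailing Z, e.g. 2019-12-14T13:29:51Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def evaluate_siteverify(
    resp: Dict[str, Any],
    expected_action: str,
    expected_hostname: str,
    now: float,
    min_score: float = 0.5,       # assumption: tune per form from observed scores
    max_age_seconds: int = 120,   # assumption: token must be used shortly after issue
) -> Tuple[bool, str]:
    """Decide whether a parsed siteverify response clears this form."""
    # `success` only says the token was syntactically valid and unused.
    if resp.get("success") is not True:
        return False, "siteverify reported failure"
    # The action name is set client-side per form; it binds the token to this form.
    if resp.get("action") != expected_action:
        return False, "action mismatch"
    # The hostname is where Google saw the widget load; rejects tokens from other sites.
    if resp.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    # Freshness: a token solved long ago (or "from the future") is not this request's.
    try:
        issued = parse_challenge_ts(resp["challenge_ts"])
    except (KeyError, TypeError, ValueError, AttributeError):
        return False, "challenge_ts missing or malformed"
    age = now - issued
    if age < 0 or age > max_age_seconds:
        return False, "challenge_ts outside window"
    # The score is the actual bot signal; bool is excluded because it is an int subclass.
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)) or score < min_score:
        return False, "score below threshold"
    return True, "ok"


# Constructed sample, shaped like the documented siteverify JSON (not a real response).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "success": True,
    "score": 0.9,
    "action": "contact",
    "challenge_ts": "2019-12-14T13:29:51Z",
    "hostname": "en.speedy.net",
}

if __name__ == "__main__":
    now = parse_challenge_ts("2019-12-14T13:30:21Z")  # 30 s after the challenge
    print(evaluate_siteverify(SAMPLE_RESPONSE, "contact", "en.speedy.net", now))
    print(evaluate_siteverify({**SAMPLE_RESPONSE, "score": 0.1}, "contact", "en.speedy.net", now))
```

Note that `challenge_ts` freshness depends on the server clock being close to Google's; a few seconds of skew is tolerated by the window, but a badly drifted server would start rejecting legitimate users on the `age < 0` branch, so that rejection is worth logging separately.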



Matemática A3K

Dec 14, 2019, 5:05:32 PM
to django-d...@googlegroups.com
On Sat, Dec 14, 2019 at 9:25 AM Tom Forbes <t...@tomforb.es> wrote:
IMO this is outside of the scope of this mailing list. There is no simple answer to this problem, nor a general solution. There is however a wealth of information on this topic that you can find with a few Google searches.

I agree
 
If there is something we can do to Django to make it easier to integrate 3rd party bot detection services then that’s something we could discuss, but it’s not sensible to include any attempts detection inside Django itself.

One of the better ways of zero-friction verification is Google's reCAPTCHA service - they have a hidden zero-interaction version that uses Google's historical data on that user's browsing habits to detect if they are a bot.

Jure Erznožnik

Dec 15, 2019, 2:53:37 AM
to django-d...@googlegroups.com
We're using django-recaptcha (google recaptcha) and it requires a single checkbox click for most "ordinary" users. Some do have to go through a more complex image-identification process, but that one is a few seconds, not 30.

Best regards,
Jure

James Bennett

Dec 15, 2019, 2:55:09 AM
to django-d...@googlegroups.com
Since this discussion seems to be exclusively about how to use Django, please take it to the django-users mailing list; the django-developers list is not an appropriate place for this topic.

Matemática A3K

Dec 16, 2019, 5:10:50 PM
to django-d...@googlegroups.com

On Sun, Dec 15, 2019 at 2:54 AM James Bennett <ubern...@gmail.com> wrote:
Since this discussion seems to be exclusively about how to use Django, please take it to the django-users mailing list; the django-developers list is not an appropriate place for this topic.

I agree :)
 


אורי

Dec 16, 2019, 6:36:37 PM
to Django developers (Contributions to Django itself)
Hi,

On Sun, Dec 15, 2019 at 9:55 AM James Bennett <ubern...@gmail.com> wrote:
Since this discussion seems to be exclusively about how to use Django, please take it to the django-users mailing list; the django-developers list is not an appropriate place for this topic.

This is about my feature request "Prevent bots from submitting forms.":

אורי 

Kye Russell

Dec 16, 2019, 6:41:21 PM
to django-d...@googlegroups.com
Due to the cat-and-mouse nature inherent in this sort of request, and the community’s expectation of feature stability in Django, I feel that a third-party app is not the appropriate place for a feature like this. 

If the Django documentation doesn’t already do so, perhaps it could mention this issue in the Forms section, so new developers / Django users are aware of it. 

Kye Russell
Sent from my iPhone

On 17 Dec 2019, at 7:36 am, אורי <u...@speedy.net> wrote:

