How do I protect my forum against spam?

Time: 2021-07-04 07:25:58

I have a forum on a website I master, which gets a daily dose of pron spam. Currently I delete the spam and block the IP. But this does not work very well. The list of blocked IPs is growing quickly, but so is the number of spam posts in the forum.

The forum is entirely my own code. It is built in PHP and MySQL.

What are some concrete ways of stopping the spam?

Edit: The thing I forgot to mention is that the forum needs to be open for unregistered users to post. Kinda like a blog comment.

14 solutions

#1


12  

In a guestbook app I wrote, I implemented two features which prevent most of the spam:

  • Don't allow POST as the first request in a session

  • Require a valid HTTP Refer(r)er when posting

#2


6  

One way that I know which works is to use JavaScript before submitting the form. For example, to change the method from GET to POST. ;) Spambots are lousy at executing JavaScript. Of course, this also means that non-Javascript people will not be able to use your site... if you care about them that is. ;) (Note: I don't)

#3


5  

In my experience, the best easy defenses come from just doing something "non-standard". If you make your site non-standard, this makes it so that any automated spam would have to be coded specifically for your site, which (no offense) probably isn't worth the effort. Note that if the spam is coming from human spammers, there's not really anything you can do that won't also stop legitimate posters. So the goal is to find a solution that will throw away any "standard" posts - that is, "fill out the whole form and push submit".

A couple of examples that come to mind of things that you could try:

  • Have a hidden form field with a name that sounds like something a spammer would want to fill out, like "website" or "homepage" or something like that. If the form field gets filled out, throw away the message instead of posting it, because it was a bot automatically filling in the whole form, even invisible fields.

  • You don't have to use a "real" captcha, but even something simple like "Enter the following word backwards: <random backwards word>" or "What is the domain name of this website?". Easy for a human to do, but it would require a fairly complex bot to figure out what to fill in.

#4


4  

You could use a captcha; there are some good scripts like PHPCaptcha. Or use a spam control service like Akismet; they have a PHP API.

#5


2  

You might want to look at this question, which has several answers that describe how you could implement a non-intrusive captcha.

Another thing to consider is to require time between posts to prevent massive spamming.
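As an added example (not code from answer #1 or #5, and not the asker's own forum code), here is how the session gate from #1 (no POST as the first request of a session, and a Referer that matches our own host) and the minimum interval between posts from #5 could be enforced in PHP. It assumes the form is served by GET and submitted by POST at the same URL and that PHP sessions are in use; the constant, function and session-key names are my own.

```php
<?php
// Added example: a session gate for an anonymous post form, combining answer #1
// (no POST as a session's first request, valid Referer required) with answer #5
// (minimum time between posts). Not the code of either answer. The form is assumed
// to be served by GET and submitted by POST at the same URL; names are illustrative.
declare(strict_types=1);

const MIN_SECONDS_BETWEEN_POSTS = 30;   // assumed value; tune for your forum

// Record on GET that this session has actually viewed the form (#1).
function mark_form_viewed(array &$session, int $now): void
{
    $session['form_viewed_at'] = $now;
}

// Host part of a URL or of a Host header value, or null if it cannot be parsed.
function host_of(string $urlOrHost): ?string
{
    $url  = preg_match('#^https?://#i', $urlOrHost) ? $urlOrHost : 'http://' . $urlOrHost;
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// Returns null if the POST may proceed, otherwise a short rejection reason.
function post_rejection_reason(array $session, array $server, int $now): ?string
{
    if (!isset($session['form_viewed_at'])) {
        return 'no-prior-get';           // #1: POST was the first request of this session
    }
    $refHost = host_of($server['HTTP_REFERER'] ?? '');
    $ownHost = host_of($server['HTTP_HOST'] ?? '');
    if ($refHost === null || $ownHost === null || $refHost !== $ownHost) {
        return 'bad-referer';            // #1: Referer missing or pointing at another host
    }
    if (isset($session['last_post_at'])
        && ($now - $session['last_post_at']) < MIN_SECONDS_BETWEEN_POSTS) {
        return 'too-soon';               // #5: posting faster than the allowed interval
    }
    return null;
}

// Request handling sketch: mark the form as viewed on GET, check on POST.
if (PHP_SAPI !== 'cli') {
    session_start();
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $reason = post_rejection_reason($_SESSION, $_SERVER, time());
        if ($reason !== null) {
            http_response_code(403);
            exit('Post rejected (' . $reason . ')');
        }
        $_SESSION['last_post_at'] = time();
        // ... validate and store the post ...
    } else {
        mark_form_viewed($_SESSION, time());
        // ... render the form ...
    }
}
```

Two caveats worth knowing before relying on this: the Referer header is optional, so browsers or proxies configured to suppress it will fail the `bad-referer` check and those users need a fallback path (a captcha, as #5 suggests); and because both checks are cheap for a bot written specifically for your site, they filter the generic tools the answers describe rather than a targeted attacker.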

#6


2  

Include a CAPTCHA that is always "orange".

#7


2  

The spams may be by bots or humans - bots are more likely.

To stop the bots, put in a hidden field populated by JavaScript - there is a 99.5% chance that a standard, stupid bot that isn't customised to your site will fail to fill that in.

If they fail to fill it in correctly, give them a message that JavaScript is required or something, and give them an opportunity to post some other way (e.g. with a captcha or registration). That way anonymous users who aren't spambots can (mostly) still post with no problems, and most spambots (which haven't been tailored for your specific site) won't.

Don't bother blacklisting IP addresses or using third-party blacklists; that will just generate false positives. Almost all bots use the same IP addresses as (some) legitimate users.

Another trick is to put in a text field with a plausible-sounding name, which is made difficult to see with CSS - anyone filling this field in with anything is considered to be a bot.

#8


2  

Advanced solutions:

You can try your luck with a non-standard form:

  • fields that must stay empty, hidden with CSS

  • fields with misleading names, e.g. <input name=email> for something that is not an e-mail.

For me CAPTCHA is like giving up to spammers and letting them damage your forum anyway – except that instead of spam damage, you get usability and accessibility damage.

#9


2  

Something I've found to be surprisingly effective: disallow comments that contain too many URLs (more than, say, 5). Since doing that, I've had zero comment spam.

Edit: Since writing the above, I've had recurring comment spam with only one link. I have now added some honeypot fields and have had no comment spam for a few months now.

#10


0  

Don't let anybody post until they respond to an email sent to their registered email address. You'll see lots of forums and mailing lists generate a unique email address or web URL that is sent to the new user's given email address, and they have to respond to the email or click on the link to finalize their registration.

#11


0  

Captcha is definitely the easiest method - try KittenAuth if you want something bot-proof (although I got pandas this time).

#12


0  

There is no single answer since spam is really a matter of economics: how much is it worth it to someone to put their stuff onto the web. There are, however, some solutions that seem pretty good:

  • Recaptcha
  • Use CSS to create an invisible field that robots fill in
  • Create a time-specific hidden field in your form so the robot can't use the same form over and over again.
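The form-level tricks from #3, #7, #8 and #12 (a CSS-hidden honeypot that must stay empty, a field that only client-side JavaScript fills, and a time-bound hidden token so a scraped copy of the form can't be reused indefinitely) fit together in one PHP check. This is an added example, not code from any of those answers; the field names, the secret and the time limits are assumptions.

```php
<?php
// Added example: form-level bot checks combining answers #3, #7, #8 and #12.
// Not code from those answers. Field names, the secret and the time limits are assumed.
declare(strict_types=1);

const FORM_SECRET    = 'replace-with-a-long-random-secret'; // assumed; load from config, not source
const TOKEN_MAX_AGE  = 3600;         // seconds a rendered form stays valid (#12)
const TOKEN_MIN_AGE  = 3;            // a human needs at least a few seconds to type
const HONEYPOT_FIELD = 'website';    // plausible name a bot wants to fill (#3, #8)
const JS_FIELD       = 'js_check';   // set by client-side script (#7)
const JS_EXPECTED    = 'ok';

// Token is "<issued-at>.<hmac>"; the HMAC ties the timestamp to our secret, so a bot
// cannot mint fresh tokens for an old copy of the form.
function issue_form_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

function token_is_valid(string $token, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$issued, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $issued, FORM_SECRET), $mac)) {
        return false;                      // forged or tampered token
    }
    $age = $now - (int) $issued;
    return $age >= TOKEN_MIN_AGE && $age <= TOKEN_MAX_AGE;
}

// Returns the reasons a submission looks automated; an empty array means accept.
function automation_signals(array $post, int $now): array
{
    $signals = [];
    if (($post[HONEYPOT_FIELD] ?? '') !== '') {
        $signals[] = 'honeypot-filled';    // invisible field got text: something filled every field
    }
    if (($post[JS_FIELD] ?? '') !== JS_EXPECTED) {
        $signals[] = 'no-javascript';      // #7: offer a captcha or registration path instead
    }
    if (!token_is_valid((string) ($post['form_token'] ?? ''), $now)) {
        $signals[] = 'bad-or-stale-token';
    }
    return $signals;
}

// Form fragment. The honeypot is hidden with CSS rather than type=hidden (#8), so a
// bot that fills every text input still trips it. The names match the constants above.
function render_form_fields(int $now): string
{
    $token = htmlspecialchars(issue_form_token($now), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<div style="position:absolute;left:-9999px" aria-hidden="true">
  <label>Website <input type="text" name="website" tabindex="-1" autocomplete="off"></label>
</div>
<input type="hidden" name="js_check" value="">
<input type="hidden" name="form_token" value="$token">
<script>document.querySelector('input[name=js_check]').value = 'ok';</script>
HTML;
}

// Request handling sketch: render on GET, check on POST.
if (PHP_SAPI !== 'cli') {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $signals = automation_signals($_POST, time());
        if ($signals !== []) {
            http_response_code(400);
            exit('Submission rejected: ' . implode(', ', $signals));
        }
        // ... validate and store the post ...
    } else {
        echo render_form_fields(time());
    }
}
```

The token here is time-bound, not single-use: a fetched form can be submitted repeatedly until `TOKEN_MAX_AGE` passes. Making it single-use means recording consumed tokens server side (in the session or the database) and rejecting repeats. The `no-javascript` signal is reported separately from the others on purpose, because #7 recommends routing those users to a captcha or registration rather than rejecting them outright.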

#13


0  

I want to say that most of the time, a CAPTCHA is enough for you to prevent SPAMers. But do use a strong one, like http://www.captcha.net/.

Remember that SPAMers do not want to spend much time dealing with a particular site (except heavy-traffic sites); they use a tool to post ads on a lot of sites. So make your FORM a little unusual (e.g. give the user an image that says '1.5+2.4=?' and let users answer; this will block most of the spam tools :) )

#14


-1  

The easiest thing I've done to stop spammers with (so far) 100% consistency is to validate the text that was submitted. If you use the PHP function strstr() to check for "a href" or even a non-clickable http or www, you can then just reroute the spammer elsewhere. I actually have a script that then writes to my .htaccess file to deny the offending IP address. Not sure if there's any other kind of spam to be concerned about, but links are all I've seen so far.
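Answers #9 and #14 both validate the post body itself. The following added example (not either answer's code) counts link-like tokens and applies a threshold, so a post with a single bare link can still get through while link-heavy posts are rejected; the threshold and the constructed sample posts are assumptions. It returns a decision to the caller instead of editing .htaccess, since, as answer #7 notes, blocking by IP tends to hit legitimate users too.

```php
<?php
// Added example: link-count validation of the post body, combining answer #9
// (reject posts with more than N links) and answer #14 (detect "a href", http or www).
// Not the code of either answer; the threshold and the sample posts are constructed.
declare(strict_types=1);

const MAX_LINKS = 5;   // #9: "more than, say, 5"

// Count link-like tokens in a post body. A single alternation is used so that each
// link is counted once: an <a href> tag consumes the URL inside it, and the www.
// branch skips hosts that already follow a scheme (the lookbehind excludes '/').
function count_links(string $body): int
{
    $re = '/<a\b[^>]*\bhref[^>]*>'          // HTML anchor with href (#14)
        . '|https?:\/\/[^\s<>"\']+'         // absolute URL (#14)
        . '|(?<![\w.\/])www\.[^\s<>"\']+'   // bare www. host with no scheme (#14)
        . '|\[url(?:=[^\]]*)?\]/i';         // BBCode [url] and [url=...]
    return (int) preg_match_all($re, $body);
}

function post_exceeds_link_limit(string $body): bool
{
    return count_links($body) > MAX_LINKS;
}

// Constructed sample posts with the link count each should produce.
$samples = [
    'Thanks, that fixed my problem.'                      => 0,
    'See http://example.com/a and www.example.org/b'      => 2,
    '<a href="http://example.net/x">click</a> here'       => 1,
    str_repeat('[url=http://example.com/p]p[/url] ', 6)   => 6,
];
foreach ($samples as $text => $expected) {
    $n = count_links($text);
    printf("%s links=%d reject=%s\n",
        $n === $expected ? 'ok ' : 'BAD',
        $n,
        post_exceeds_link_limit($text) ? 'yes' : 'no');
}
```

Only the last sample crosses the limit; the others are accepted even though the second and third contain links, which is what #9 found workable until single-link spam appeared, at which point that answer added honeypot fields as a second layer.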
