Anti spammer registration timer

[AndyF]

I was thinking about this today.

Given that some of the 'spambot' programs can fill in the registration form and sometimes the captcha as well quite quickly I was thinking about some kind of 'timer' (possibly js?) to prevent this.

To expand a bit more its going to take an 'automated' bot only a few seconds to populate the registration form whereas a genuine human is going to take between say 10 to 30 seconds to do this on average. I'd doubt it will take less than 10 if they are typing.

From this, I guess if the 'time' detected at submission between it being initially loaded and fully populated / submitted is say < 10 then it should be rejected as a potential automated registration bot.

[Rheddy]

Sounds like a good idea in theory but it would also catch new members and prevent their registration as well. What has worked for me is using not just a single method to stop spammer registration, such as recaptcha, question and answer (using questions and answers that are specific to your forums; such as staying away from generic questions like 'what is 2+2'). I use four methods, at this time, to prevent spammer registrations, and if you wanted to take it a step further, require 'admin and email validation', that way if you're having a problem with spammers, that option requires the user to validate by email and then places that account into a validation queue until an admin can review the account and validate it.

You could also use a 'referral' system where you need a referral code from a current member in order to register. Other options yet? Require payment in order to register for an account.

[AndyF]

I was just thinking about speed really, a human will take a few seconds to populate the form data but an automated script will not take very long at all. :)

Was just a random thought.

[Misi]

but an automated script will not take very long at all. :smile:

Less than a second.

[AndyF]

Less than a second.

I was not sure how long it would take for them to read the capcha and make sense of it. Still figure the form would be populated far quicker than a human could do though. :) Hence this quick suggestion. I've not looked into how practical it would be however yet.

[Misi]

I was not sure how long it would take for them to read the capcha and make sense of it. Still figure the form would be populated far quicker than a human could do though. :smile:

endadinlir@hotmail.com:192.34.109.18 - 0 seconds

politicals.news@gmail.com:188.190.99.79 - 1 seconds

[Rheddy]

The thing is, there's no way of telling who is a person and who is a bot. If you apply a variety of anti-spam features, you won't run into spammer-related registrations. I've employed a number of features and I haven't had a single spammer break through the registration process. For instance, my community deals with a specific anime series and I have my question answer challenge set up so that if you don't know anything about this anime series in question, you simply aren't going to get through. On top of that, I have user validation, I use the Forum Anti Spam feature, I use IPS' anti-spam feature and I use recaptcha.

I've employed all of these methods back when IPS introduced their IPS Anti-Spam feature and I haven't had a single spammer break through the registration process, and it's been like this for a few years now. You simply cannot rely on a single method and live with the belief that you're protected. It's like your home. You don't just rely on the door lock. You use a master bolt lock, an alarm system, a guard-dog and possibly a baseball bat and/or a weapon. I'm just illustrating a point.

If it takes real users a few moments to fill out the registration form and a spammer can do that quicker, you're going to create problems for any new user to register for an account. Employing a method such as a timer is just going to create problems for you, not to mention a very big headache.

[Misi]

If it takes real users a few moments to fill out the registration form and a spammer can do that quicker, you're going to create problems for any new user to register for an account. Employing a method such as a timer is just going to create problems for you, not to mention a very big headache.

What problems could a timer create for me or the new users?

I don't need users who can fill the registration form(including the question/answer) in one or less than one second.

[davejjj]

The thing is, there's no way of telling who is a person and who is a bot.

Yes there is -- if they have a reading and typing speed that is non-human then they are a bot. Period.

[AndyF]

Yes there is -- if they have a reading and typing speed that is non-human then they are a bot. Period.

That was my basic point here. :)

[Rheddy]

Andy dave, actually, there's not. During the registration process, there is no way you can tell who is a bot and who is a real person. Setting a timer on registration will seriously hamper any efforts for any new members to register on your site. For instance, say you set a timer at 0.5 seconds. Unless you have a crystal ball and can tell for certain who is a bot and who is a person, there's no way you can tell for sure. If you set a timer for half a second, not only will you stop spambots in their tracks but you'll also stop actual people who want to register for an account because in all my experience, I don't know anyone who can go through the registration process in less than a second. It's impossible. It takes an average of anywhere from 20 seconds to 45 seconds, and that's providing you don't make mistakes or you enter in a username already used by someone else or you enter in a captcha setting incorrectly.

I think that you guys are confusing spam posting with the registration process.

[Misi]

Andy dave, actually, there's not. During the registration process, there is no way you can tell who is a bot and who is a real person. Setting a timer on registration will seriously hamper any efforts for any new members to register on your site. For instance, say you set a timer at 0.5 seconds. Unless you have a crystal ball and can tell for certain who is a bot and who is a person, there's no way you can tell for sure. If you set a timer for half a second, not only will you stop spambots in their tracks but you'll also stop actual people who want to register for an account because in all my experience, I don't know anyone who can go through the registration process in less than a second. It's impossible. It takes an average of anywhere from 20 seconds to 45 seconds, and that's providing you don't make mistakes or you enter in a username already used by someone else or you enter in a captcha setting incorrectly.

I think that you guys are confusing spam posting with the registration process.

No, you are confused.

The timer isn't there to set a limit that in that time should complete registration.

The timer is there to set the limit that in that time NOT TO complete it.

Set the limit to = 15 secs

You fill the form in 15 - 1500 seconds.

No problem with the timer.

You fill the form in 0 - 14 seconds.

That is too fast, registration will be rejected.

[Tarun]

Yes there is -- if they have a reading and typing speed that is non-human then they are a bot. Period.

That was my basic point here.

Now, what about people who use the automatic field entry software, like this addon, etc - https://addons.mozilla.org/en-US/firefox/addon/autofill-forms/

Can still register extremely fast (when compared to average joe user) with that sort of software since all they'd have to do is the captcha and any additional questions.

[Misi]

Can still register extremely fast (when compared to average joe user) with that sort of software since all they'd have to do is the captcha and any additional questions.

Set the limit to 5-10 seconds, a human being cannot do them.

reCAPTCHA itself can be easily more than 30 seconds (refresh,refresh...), for a bot almost nothing.

[Katsuma]

Now, what about people who use the automatic field entry software, like this addon, etc - https://addons.mozilla.org/en-US/firefox/addon/autofill-forms/

Can still register extremely fast (when compared to average joe user) with that sort of software since all they'd have to do is the captcha and any additional questions.

Then users like myself are going to improve their chances of getting banned.

[AndyF]

To clarify:

I don't think there should be an upper limit. The 'time check' was simply to stop bots auto-populating the form. Regarding browser 'auto fill' addons, these will not complete the captcha however and if its Recapcha (unless you're lucky) its going to take I'd say at least 3 seconds to fill it in assuming you can read the first one provided and do not have to refresh. KeyCapcha will take a few seconds to 'assemble' the puzzle too. :)

Was only a thought anyway. :)

[Misi]

Was only a thought anyway.

Useful thought.

In phpBB it's standard for a long time followed by Xenforo.

[AndyF]

Useful thought.

In phpBB it's standard for a long time followed by Xenforo.

I was not aware of any other product actually having it built in. :)

[Misi]

I was not aware of any other product actually having it built in.

They included it because there is nothing to lose but a lot to win with it.

[Rheddy]

I guess I assumed that what was being proposed is limiting the time to fill out the registration form, which was what I'm opposed to. :p lols

[AndyF]

I guess I assumed that what was being proposed is limiting the time to fill out the registration form, which was what I'm opposed to. lols

No. No maximum / upper limit at all.

Only a acceptable minimum time ie less than x seconds = potential automated spammer

[DMITRII LODIAKOV]

Check this out

'?do=embed' frameborder='0' data-embedContent>>

Add it on your site and you will be OK

[NordWulf]

My vBulletin site was flooded with spam bots. After installing an add-in requiring registrations to take at least 15 seconds between loading of registration page and actual submission eliminated all (or nearly all) spam bots. A system like that does work very good.