Interesting thing about being on Product Hunt is the unexpected attention you get. We've got multiple interview requests, spam registration attempts (had to install hCaptcha) and bug bounty hunters reaching out in the last few days #notacoincidence #interviewmode

@markosaric Ooh… Try to avoid hCaptcha; their accessibility is terrible and they extort browser history from people to let them bypass the CAPTCHAs.

If I knew you any worse, using hCaptcha would be enough for me to mistrust your motives.

developers.reverseeagle.org/re doesn't have many alternatives, unfortunately.

@wizzwizz4 do you have any links on what's wrong with them?

I looked and couldn't find any working alternatives. Either Google or this, so we picked them as they look better and seem to care more.

Cannot have anything good with all the spammers around, unfortunately, and we had to act quickly, so this was the best we found...

People need to start making better alternatives to all these tools, as websites need to use something and self-hosting is inconvenient in most cases, unfortunately...

@markosaric That they do.

I wrote some things about it here: fosstodon.org/@spamty/10443353

@brandon also wrote something, but it's more about the incentives: fosstodon.org/@brandon/1040787

Basically, you can only use hCaptcha effectively if you are:

• Good at vision (or willing to let hCaptcha track you around the web).
• Not using Tor (because of Cloudflare).
• Lucky – some of their challenges are literally impossible.
• Familiar with American English (to understand the categories used in the puzzles).

@wizzwizz4 @brandon Ok, thanks. At this stage, I think they're a better choice than Google.

We can try and build something of our own, but that will take some time and we're short on resources at the moment.

Or hopefully, if this spam attack stops, we could go back to not having anything at all again.

Someone needs to build a Plausible-like solution for reCAPTCHA 😀


@wizzwizz4 @markosaric Yep. So-called "honeypots" do not work anymore. I have one installed, but bots have kept on crawling in for a couple of months. I would also self-host, so I'm open to ethical alternatives.


@der_On @wizzwizz4 Yeah, it would be great to have an even more ethical choice (invisible too, if possible)...

@markosaric @der_On It's impossible to distinguish between humans and bots invisibly without tracking, assuming a targeted attack.

@wizzwizz4 @markosaric @der_On does timing how long it takes the user to fill out the form work?

@daz @markosaric @der_On Perhaps. They could lie, unless you included a nonce in a hidden field.

@wizzwizz4 @markosaric @der_On maybe an encrypted "generated at" timestamp in a hidden field? Then compare with the submitted at timestamp?

@daz @markosaric @der_On A known plaintext attack could defeat the encryption, for such a short string. It'd be more effort than most would go to, though.

Instead, they'd just create a lot of forms, wait a while, then submit them later. Your way is good enough that we'd just have to worry about this next issue.

@wizzwizz4 @der_On Ah ok. The preference would be not to bother visitors at all, but if that cannot be done then some captcha has to do... spammers win!

@wizzwizz4 @der_On I'll take a look. This was a quick reaction to a spam attack that needed to be stopped ASAP. I did a bit of research, found what I thought was a nice alternative to Google and we went for it. Didn't test or research all the options available as there was no time.

@markosaric @der_On Is the attack over?

(By the way, you always have the option of replacing the form with "We're currently experiencing a spam attack, so the registration form is disabled; please bookmark this page and come back later." It's not a good solution, but it's always there.)

@wizzwizz4 @der_On We haven't seen any spam registrations since we installed it and it hasn't prevented real people from signing up either, but not sure if it will continue if we stop using it... we'll have to figure out what to do.

@markosaric @wizzwizz4 I'm using shared hosting, so fail2ban is not an option. As I'm using a CMS system I've installed a "honeypot" extension that adds a hidden field (in my case "url") and expects the form fill to be at least 5s. It blocks a lot of bots already, but not all. Maybe I should increase the expected duration.
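The hidden-field timing check discussed above (nonce plus "generated at" timestamp, minimum 5 s fill time) as an added example, not code from anyone in the thread. It uses an HMAC rather than encryption, so the known-plaintext concern does not apply, and adds an expiry and single-use nonce to blunt the "create many forms now, submit later" tactic; the field names `url` and `form_token` and the secret are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed hidden-field names: "url" is the honeypot mentioned in the thread,
# "form_token" carries the signed issue timestamp and nonce.
HONEYPOT_FIELD = "url"
TOKEN_FIELD = "form_token"


def issue_form_token(secret: bytes, issued_at: int) -> str:
    """Build the hidden-field value: nonce.issued_at.mac.

    The HMAC makes the timestamp tamper-evident without encrypting it, so
    a short, predictable plaintext is not a weakness here.
    """
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    mac = hmac.new(secret, f"{nonce}.{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{issued_at}.{mac}"


def check_submission(secret: bytes, form: dict, now: int, seen_nonces: set,
                     min_fill_s: int = 5, max_age_s: int = 3600) -> str:
    """Return "ok" or the reason a submission is rejected."""
    if form.get(HONEYPOT_FIELD):
        return "honeypot_filled"          # humans never see this field
    parts = form.get(TOKEN_FIELD, "").split(".")
    if len(parts) != 3:
        return "bad_token"
    nonce, issued_str, mac = parts
    expected = hmac.new(secret, f"{nonce}.{issued_str}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "bad_token"                # forged or altered token
    if nonce in seen_nonces:
        return "replayed"                 # one token allows one submission
    elapsed = now - int(issued_str)       # MAC verified, so this is our own integer
    if elapsed < min_fill_s:
        return "too_fast"                 # filled faster than a person could
    if elapsed > max_age_s:
        return "expired"                  # limits stockpiling forms for later
    seen_nonces.add(nonce)
    return "ok"


if __name__ == "__main__":
    secret = os.urandom(32)               # per-deployment secret, constructed for the demo
    seen = set()
    token = issue_form_token(secret, issued_at=1000)
    print(check_submission(secret, {TOKEN_FIELD: token}, now=1002, seen_nonces=seen))  # too_fast
    print(check_submission(secret, {TOKEN_FIELD: token}, now=1010, seen_nonces=seen))  # ok
```

In a real deployment `seen_nonces` would live in a shared store with the same TTL as `max_age_s`, and `now` would come from the server clock.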
