Comment by grishka

7 months ago

> you can always create zip bombs that are links on a web page that don't show up for humans

I did a version of this with my form for requesting an account on my fediverse server. The problem I was having is that there exist these very unsophisticated bots that crawl the web and submit their very unsophisticated spam into every form they see that looks like it might publish it somewhere.

First I added a simple captcha with distorted characters. This did stop many of the bots, but not all of them. Then, after reading the server log, I noticed that they only make three requests in rapid succession: the page that contains the form, the captcha image, and then the POST request with the form data. They load neither the CSS nor the JS.

So I added several more fields to the form and hid them with CSS. Submitting anything in these fields will fail the request and ban your session. I also modified the captcha: I made the image itself a CSS background, and made the src point to a transparent image instead.

And just like that, spam has completely stopped, while real users noticed nothing.

I did essentially the same thing. I have this input in a form:

    <label for="gb-email" class="nah" aria-hidden="true">Email:</label>
    <input id="gb-email"
           name="email"
           size="40"
           class="nah"
           tabindex="-1"
           aria-hidden="true"
           autocomplete="off"
    >

With this CSS:

    .nah {
      opacity: 0;
      position: absolute;
      top: 0;
      left: 0;
      height: 0;
      width: 0;
      z-index: -1;
    }

And any form submission with a value set for the email is blocked. It stopped 100% of the spam I was getting.

  • If CSS is disabled, or you are using a browser that does not implement CSS, that might also be an issue. (A mode to disable CSS should ideally also be able to handle ARIA attributes (unless the user disables those too), but not all implementations will do this (actually, I don't know if any implementation does; it doesn't seem to on mine), especially if they were written before ARIA attributes were invented.)
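As an added example, not code from either commenter or from their servers, here is what the server side of the scheme the thread describes can look like: a form renderer that emits CSS-hidden honeypot fields and paints the captcha as a CSS background behind a transparent `img src`, and a submission check that rejects and bans any session that fills a honeypot. The field names (`email`, `website`, `phone`), the `Session` class, the `/captcha/<token>.png` route, and the sample submissions are all assumptions for illustration; captcha image rendering and session storage are left out.

```python
# Added example (not code from the thread): server-side honeypot + captcha check
# in the style the commenters describe. Field names, the Session type, the
# /captcha/<token>.png route and the sample submissions are all assumed.
import hmac
import secrets
from dataclasses import dataclass

# Fields that exist only to be filled in by bots. They are hidden with the
# .nah CSS from the thread; a sighted human never sees or tabs into them.
HONEYPOT_FIELDS = ("email", "website", "phone")

# 1x1 transparent GIF. The <img src> points here, so a bot that fetches the
# src gets nothing useful; the real captcha is painted as a CSS background.
TRANSPARENT_GIF = "data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"


@dataclass
class Session:
    """Server-side state for one visitor (would normally live in a session store)."""
    captcha_answer: str          # what we expect the visitor to type
    banned: bool = False


def new_captcha_answer(length: int = 5) -> str:
    """Random captcha text; drawing the distorted image is out of scope here."""
    alphabet = "abcdefghjkmnpqrstuvwxyz23456789"   # no ambiguous 0/o/1/l/i
    return "".join(secrets.choice(alphabet) for _ in range(length))


def render_form(captcha_token: str) -> str:
    """HTML for the request-an-account form: a real field, CSS-hidden honeypots,
    and a captcha whose image is a CSS background rather than the img src."""
    honeypots = "\n".join(
        f'    <label for="hp-{n}" class="nah" aria-hidden="true">{n.title()}:</label>\n'
        f'    <input id="hp-{n}" name="{n}" class="nah" tabindex="-1" '
        f'aria-hidden="true" autocomplete="off">'
        for n in HONEYPOT_FIELDS
    )
    return f"""<style>
  .nah {{ opacity: 0; position: absolute; top: 0; left: 0; height: 0; width: 0; z-index: -1; }}
</style>
<form method="post" action="/request-account">
    <label for="username">Username:</label>
    <input id="username" name="username" required>
{honeypots}
    <img alt="captcha" width="160" height="50" src="{TRANSPARENT_GIF}"
         style="background: url(/captcha/{captcha_token}.png) no-repeat">
    <label for="captcha">Type the characters above:</label>
    <input id="captcha" name="captcha" autocomplete="off" required>
    <button type="submit">Request account</button>
</form>"""


def evaluate_submission(session: Session, form: dict) -> tuple:
    """Decide whether a POSTed form is spam. Returns (verdict, reason)."""
    if session.banned:
        return ("reject", "banned session")
    # Any non-empty honeypot value means the client never applied our CSS:
    # fail the request and ban the session, as the thread describes.
    for name in HONEYPOT_FIELDS:
        if form.get(name, "").strip():
            session.banned = True
            return ("reject", f"honeypot field {name!r} was filled")
    # Constant-time compare of the captcha answer, one attempt per image:
    # the stored answer is burned whether or not it matched.
    given = form.get("captcha", "").strip().lower().encode()
    expected = session.captcha_answer.lower().encode()
    session.captcha_answer = ""
    if not expected or not hmac.compare_digest(given, expected):
        return ("reject", "captcha mismatch")
    if not form.get("username", "").strip():
        return ("reject", "missing username")
    return ("accept", "ok")


if __name__ == "__main__":
    # Constructed sample traffic: one human, then one form-stuffing bot.
    human = Session(captcha_answer="k7q2m")
    print(evaluate_submission(human, {"username": "alice", "captcha": "K7Q2M"}))
    bot = Session(captcha_answer="k7q2m")
    print(evaluate_submission(bot, {"username": "buy", "email": "spam@example.invalid",
                                    "website": "http://example.invalid", "captcha": "k7q2m"}))
    print(evaluate_submission(bot, {"username": "buy", "captcha": "k7q2m"}))
```

The honeypot check runs before the captcha check so that a bot which stuffs every field is banned without ever getting feedback about the captcha. The trade-off raised in the reply above still applies: a visitor whose browser ignores the CSS will see labelled "Email:" and "Website:" boxes and may fill them in good faith, so a site with such users needs a less opaque rejection message than a silent ban.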