[GTER] Whois do Registro.br

Juliao Braga juliao at braga.eti.br
Thu May 17 14:44:16 -03 2007

Realmente seria uma facilidade.

Mas, no caso em que ocorre a autenticação há técnicas eficientes para 
liquidar com os robos, sem o uso de "captcha". Estas técnicas usam o tempo e 
campos escondidos para fazer isso.

Em particular, uma disponível em 
http://www.phpclasses.org/browse/package/3817.html. Embora lá tenha as 
explicações completas, eis as idéias que são implementadas:

1. A user (human or robot) must have the same IP and the same http user 
agent ID on both pages, that send (html form) and receive (action of html 
form - target page: same or other page) POST or GET requests. Humans always 
do, robots sometimes do not, as they often only call the target page with 
the required parameters. In other words: a page containing a html form must 
be loaded before its target page (page that accepts the parameters) is 
loaded and the IP and browser of the user must be the same on both pages.
-> A spambot is forced to use the same IP and agent ID when scanning and 

2. A human user will not be affected by hidden tags with daily changing 
names, depending on the current date, as they simply do not see them. As a 
matter of fact, humans could be affected, if e.g. they call a web form at 
23.57 and send the request at 0.06 (next day), but there is a simple 
solution for that too (see below). On the other hand robots use to prescan a 
html page containing a form and then call the target page with the scanned 
parameters. A daily changing hidden input name requires prescanning at the 
current day.
-> A spambot is forced to prescan the form at the current day when attacking

3. A form should be submitted within a specific time window. If this time 
window is too short or too long, then the user is more likely to be a robot 
than a human. For example a human cannot submit a form, that has 6 required 
text inputs in just 2 seconds...
-> A spambot is forced to submit the form within a specific time window when 
scanning and attacking

4. A spambot will try to populate every form element with some value so as 
to best ensure that it will succeed in being posted. If a standard text 
input tag is used in the form, that is hidden visually from the user, a 
human will not enter anything into this field. it is quite likely though, 
that a spambot will still post some value for this form element.
-> A spambot is forced to identify visually hidden trap form elements and 
ignore them when attacking

Não tive tempo para fazer testes profundos, mas os primeiros foram bons!


Pegasus® Telecomunicações

-----Mensagem Original----- 
De: "Marcelo Coelho" <marcelo at tpn.com.br>
Para: "Grupo de Trabalho de Engenharia e Operacao de Redes" 
<gter at eng.registro.br>
Enviada em: quinta-feira, 17 de maio de 2007 13:37
Assunto: Re: [GTER] Whois do Registro.br

Creio que isso não tenha sido implementado pois faria com que os robôs
se adaptassem ao sistema, ou seja, os robôs passariam a se cadastrar no
Registro.br para efetuar a consulta ao whois sem o captcha.

More information about the gter mailing list