[GTER] Whois do Registro.br
Juliao Braga
juliao at braga.eti.br
Thu May 17 14:44:16 -03 2007
It really would be a convenience.
But in the case where authentication takes place, there are efficient techniques for
finishing off the robots without using a "captcha". These techniques use time and
hidden fields to do it.
In particular, one is available at
http://www.phpclasses.org/browse/package/3817.html. Although the complete
explanations are there, these are the ideas it implements:
1. A user (human or robot) must have the same IP and the same HTTP user
agent ID on both pages: the one that sends (HTML form) and the one that receives (action of the HTML
form - target page: same or other page) POST or GET requests. Humans always
do, robots sometimes do not, as they often only call the target page with
the required parameters. In other words: a page containing an HTML form must
be loaded before its target page (the page that accepts the parameters) is
loaded, and the IP and browser of the user must be the same on both pages.
-> A spambot is forced to use the same IP and agent ID when scanning and
attacking

2. A human user will not be affected by hidden tags with daily changing
names, depending on the current date, as they simply do not see them. As a
matter of fact, humans could be affected if, e.g., they call a web form at
23:57 and send the request at 0:06 (next day), but there is a simple
solution for that too (see below). On the other hand, robots usually prescan an
HTML page containing a form and then call the target page with the scanned
parameters. A daily changing hidden input name requires prescanning on the
current day.
-> A spambot is forced to prescan the form on the current day when attacking

3. A form should be submitted within a specific time window. If this time
window is too short or too long, then the user is more likely to be a robot
than a human. For example, a human cannot submit a form that has 6 required
text inputs in just 2 seconds...
-> A spambot is forced to submit the form within a specific time window when
scanning and attacking

4. A spambot will try to populate every form element with some value so as
to best ensure that it will succeed in being posted. If a standard text
input tag is used in the form that is hidden visually from the user, a
human will not enter anything into this field. It is quite likely, though,
that a spambot will still post some value for this form element.
-> A spambot is forced to identify visually hidden trap form elements and
ignore them when attacking
I did not have time to run thorough tests, but the first ones were good!
[]'s
---
Pegasus® Telecomunicações
http://www.pegasus.com.br
-----Original Message-----
From: "Marcelo Coelho" <marcelo at tpn.com.br>
To: "Grupo de Trabalho de Engenharia e Operacao de Redes"
<gter at eng.registro.br>
Sent: Thursday, May 17, 2007 13:37
Subject: Re: [GTER] Whois do Registro.br
I believe this has not been implemented because it would make the robots
adapt to the system, that is, the robots would start registering at
Registro.br in order to query the whois without the captcha.
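The four rules quoted above can be implemented without server-side session state by signing a hidden token. The block below is an added illustration written for this archive; it is not the phpclasses package's code and does not reproduce its design. Everything in it is constructed for the example: the SECRET value, the 3 s to 15 min window, the honeypot field name "website", and the sample IP and user agent used in the comments.

```python
"""Stateless anti-bot form checks: IP/user-agent binding, daily-changing hidden
field name, submission time window, and a honeypot input.
Added example; not the phpclasses package's implementation."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

SECRET = b"constructed-per-deployment-secret"  # assumption: random, server-side only
MIN_SECONDS = 3          # faster than this is not a human filling several inputs
MAX_SECONDS = 15 * 60    # older than this, the form was prescanned, not just loaded
HONEYPOT = "website"     # text input hidden with CSS; a human never fills it


def _day(ts):
    """Calendar day (UTC) of a Unix timestamp."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).date()


def hidden_field_name(day):
    """Rule 2: the token field's name is derived from the date, so a form
    scanned on another day carries a name the server no longer looks for."""
    mac = hmac.new(SECRET, day.isoformat().encode(), hashlib.sha256).hexdigest()
    return "f_" + mac[:12]


def _mac(ip, user_agent, issued):
    """Rule 1: bind the token to the client that loaded the form."""
    msg = f"{ip}|{user_agent}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def render_hidden_fields(ip, user_agent, now):
    """Hidden inputs embedded when the form page is served. The token records
    when the form was issued (rule 3) and whom it was issued to (rule 1)."""
    issued = int(now)
    return {
        hidden_field_name(_day(now)): f"{issued}.{_mac(ip, user_agent, issued)}",
        HONEYPOT: "",
    }


def validate_submission(fields, ip, user_agent, now):
    """Return (accepted, reason) for a POST received at Unix time `now`."""
    # rule 4: a visually hidden input that only a bot would populate
    if fields.get(HONEYPOT):
        return False, "honeypot field was filled in"
    # rule 2: look for today's field name, and yesterday's for the 23:57/0:06 case
    today = _day(now)
    token = None
    for day in (today, today - timedelta(days=1)):
        name = hidden_field_name(day)
        if name in fields:
            token = fields[name]
            break
    if token is None:
        return False, "no current token field: form was not loaded today"
    try:
        issued_str, mac = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        return False, "malformed token"
    # rule 1: same IP and user agent on the form page and on the target page
    if not hmac.compare_digest(mac, _mac(ip, user_agent, issued)):
        return False, "token does not match this IP/user agent"
    # rule 3: the submission must fall inside the time window
    elapsed = now - issued
    if elapsed < MIN_SECONDS:
        return False, f"submitted after {elapsed}s: too fast for a human"
    if elapsed > MAX_SECONDS:
        return False, f"submitted after {elapsed}s: token expired"
    return True, "ok"
```

Because the token is stateless, a bot that did load the form with the same IP and user agent can resubmit it any number of times inside the window; if that matters, record used tokens (or a nonce inside them) server-side and refuse repeats, and treat these checks as a filter that raises a bot's cost rather than as authentication.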