<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
mso-fareast-language:EN-US;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-AU link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><a name="_MailEndCompose">I actually had a thought about that as well. What about text-based captchas? That shouldn’t discriminate against anyone.<o:p></o:p></a></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Something along the lines of “please enter the third word from the first sentence in the paragraph above into the following box”, and possibly have the numbers in that instruction change randomly.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>That wouldn’t discriminate against someone who couldn’t use an image-based captcha. I think the main downside of that one is that it’s a bit verbose for users… but it should be accessible. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Another thought would be to increase the information stored in the database… and maybe allow librarians to flag certain IP addresses as bots. It wouldn’t be perfect but it could provide some relief.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Other ideas… if they send data that doesn’t fit the field type, we might ask the user if they’re a robot. I noticed that the year fields in `suggestions` weren’t being filled correctly with the spam, so someone is probably sending “G:SDHGAEGH” at a field which should be something like “2011”. In other words, we might try adding some basic heuristics and prompt the user if we suspect that they might not be human (I dislike saying that as the email archive will make me seem overly human-centric in the future when we’re sharing the Earth with sentient AIs or aliens..).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Maybe even a confirmation screen after clicking submit which might ask them to re-enter some information or answer a question. Also not perfect but perhaps better than nothing.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='mso-fareast-language:EN-AU'>David Cook<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-AU'>Systems Librarian<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-AU'>Prosentient Systems<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-AU'>72/330 Wattle St, Ultimo, NSW 2007<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='mso-fareast-language:EN-AU'>From:</span></b><span lang=EN-US style='mso-fareast-language:EN-AU'> Chris Cormack [mailto:chrisc@catalyst.net.nz] <br><b>Sent:</b> Wednesday, 3 February 2016 4:42 PM<br><b>To:</b> David Cook <dcook@prosentient.com.au>; 'koha-devel' <koha-devel@lists.koha-community.org><br><b>Subject:</b> Re: [Koha-devel] Need to improve anti-spam for opac-suggestions<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-AU'>Positive captchas are still discrimatory. The reasons for not using them are as valid now as they were then.<br><br>I guess the question is would you rather discriminate against potential or current users or deal with the spam. Long winded way of me saying we should find a better tool than positive captchas or deal with the spam.<br><br>My 2 cents<br><br>Chris<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-AU'>On 3 February 2016 4:09:53 pm AEDT, David Cook <<a href="mailto:dcook@prosentient.com.au">dcook@prosentient.com.au</a>> wrote:<o:p></o:p></span></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><p class=MsoNormal>Hi all,<o:p></o:p></p><p> <o:p></o:p></p><p class=MsoNormal>It looks like we may need to improve anti-spam for opac-suggestions.pl.<o:p></o:p></p><p> <o:p></o:p></p><p class=MsoNormal>A negative captcha was added with <a href="https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3144">https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3144</a>, but I’m noticing a distributed spam attack which appears to either be wise to the “negcap” field or is occasionally lucky to accidentally not put any data with that parameter. <o:p></o:p></p><p> <o:p></o:p></p><p class=MsoNormal>Back in the day, we decided not to go with a positive captcha for accessibility reasons. I suppose we do have a positive captcha in the patron self-registration (I think) so maybe we should add one here. Or… think of something else clever. <o:p></o:p></p><p> <o:p></o:p></p><p class=MsoNormal>Ideas?<o:p></o:p></p><p> <o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-AU'>David Cook<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-AU'>Systems Librarian<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-AU'>Prosentient Systems<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-AU'>72/330 Wattle St, Ultimo, NSW 2007<o:p></o:p></span></p><p> <o:p></o:p></p><pre style='text-align:center'><hr size=2 width="100%" align=center></pre><pre><br>Koha-devel mailing list<br><a href="mailto:Koha-devel@lists.koha-community.org">Koha-devel@lists.koha-community.org</a><br><a href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a><br>website : <a href="http://www.koha-community.org">http://www.koha-community.org</a>/<br>git : <a href="http://git.koha-community.org">http://git.koha-community.org</a>/<br>bugs : <a href="http://bugs.koha-community.org/">http://bugs.koha-community.org/</a><o:p></o:p></pre></blockquote></div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-AU'><br>-- <br>Sent from my Android device with K-9 Mail. Please excuse my brevity.<o:p></o:p></span></p></div></div></body></html>