Need to improve anti-spam for opac-suggestions
Hi all, It looks like we may need to improve anti-spam for opac-suggestions.pl. A negative captcha was added with https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3144, but I'm noticing a distributed spam attack which appears to either be wise to the "negcap" field or is occasionally lucky to accidentally not put any data with that parameter. Back in the day, we decided not to go with a positive captcha for accessibility reasons. I suppose we do have a positive captcha in the patron self-registration (I think) so maybe we should add one here. Or. think of something else clever. Ideas? David Cook Systems Librarian Prosentient Systems 72/330 Wattle St, Ultimo, NSW 2007
Positive captchas are still discrimatory. The reasons for not using them are as valid now as they were then. I guess the question is would you rather discriminate against potential or current users or deal with the spam. Long winded way of me saying we should find a better tool than positive captchas or deal with the spam. My 2 cents Chris On 3 February 2016 4:09:53 pm AEDT, David Cook <dcook@prosentient.com.au> wrote:
Hi all,
It looks like we may need to improve anti-spam for opac-suggestions.pl.
A negative captcha was added with https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3144, but I'm noticing a distributed spam attack which appears to either be wise to the "negcap" field or is occasionally lucky to accidentally not put any data with that parameter.
Back in the day, we decided not to go with a positive captcha for accessibility reasons. I suppose we do have a positive captcha in the patron self-registration (I think) so maybe we should add one here. Or. think of something else clever.
Ideas?
David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St, Ultimo, NSW 2007
------------------------------------------------------------------------
_______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
I actually had a thought about that as well. What about text-based captchas? That shouldn’t discriminate against anyone. Something along the lines of “please enter the third word from the first sentence in the paragraph above into the following box”, and possibly have the numbers in that instruction change randomly. That wouldn’t discriminate against someone who couldn’t use an image-based captcha. I think the main downside of that one is that it’s a bit verbose for users… but it should be accessible. Another thought would be to increase the information stored in the database… and maybe allow librarians to flag certain IP addresses as bots. It wouldn’t be perfect but it could provide some relief. Other ideas… if they send data that doesn’t fit the field type, we might ask the user if they’re a robot. I noticed that the year fields in `suggestions` weren’t being filled correctly with the spam, so someone is probably sending “G:SDHGAEGH” at a field which should be something like “2011”. In other words, we might try adding some basic heuristics and prompt the user if we suspect that they might not be human (I dislike saying that as the email archive will make me seem overly human-centric in the future when we’re sharing the Earth with sentient AIs or aliens..). Maybe even a confirmation screen after clicking submit which might ask them to re-enter some information or answer a question. Also not perfect but perhaps better than nothing. David Cook Systems Librarian Prosentient Systems 72/330 Wattle St, Ultimo, NSW 2007 From: Chris Cormack [mailto:chrisc@catalyst.net.nz] Sent: Wednesday, 3 February 2016 4:42 PM To: David Cook <dcook@prosentient.com.au>; 'koha-devel' <koha-devel@lists.koha-community.org> Subject: Re: [Koha-devel] Need to improve anti-spam for opac-suggestions Positive captchas are still discrimatory. The reasons for not using them are as valid now as they were then. I guess the question is would you rather discriminate against potential or current users or deal with the spam. Long winded way of me saying we should find a better tool than positive captchas or deal with the spam. My 2 cents Chris On 3 February 2016 4:09:53 pm AEDT, David Cook <dcook@prosentient.com.au <mailto:dcook@prosentient.com.au> > wrote: Hi all, It looks like we may need to improve anti-spam for opac-suggestions.pl. A negative captcha was added with https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3144, but I’m noticing a distributed spam attack which appears to either be wise to the “negcap” field or is occasionally lucky to accidentally not put any data with that parameter. Back in the day, we decided not to go with a positive captcha for accessibility reasons. I suppose we do have a positive captcha in the patron self-registration (I think) so maybe we should add one here. Or… think of something else clever. Ideas? David Cook Systems Librarian Prosentient Systems 72/330 Wattle St, Ultimo, NSW 2007 _____ Koha-devel mailing list Koha-devel@lists.koha-community.org <mailto:Koha-devel@lists.koha-community.org> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/ -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
There is already a text based captcha in opac/opac-memberentry pl. It asks something like the following (with a random string): Please type the following characters into the preceding box: ODXZX Note: The preceding box is case-sensitive. Ensure that the entered characters are in all-caps. - What ist the experience with this captcha? - Possible improvement: - Do not call the fieldset / field 'captcha' or the like to make it harder for robots to recognize it as captcha field. - Combine it with e negative captcha? Marc Am 03.02.2016 um 06:54 schrieb David Cook:
I actually had a thought about that as well. What about text-based captchas? That shouldn’t discriminate against anyone.
Something along the lines of “please enter the third word from the first sentence in the paragraph above into the following box”, and possibly have the numbers in that instruction change randomly.
That wouldn’t discriminate against someone who couldn’t use an image-based captcha. I think the main downside of that one is that it’s a bit verbose for users… but it should be accessible.
Another thought would be to increase the information stored in the database… and maybe allow librarians to flag certain IP addresses as bots. It wouldn’t be perfect but it could provide some relief.
Other ideas… if they send data that doesn’t fit the field type, we might ask the user if they’re a robot. I noticed that the year fields in `suggestions` weren’t being filled correctly with the spam, so someone is probably sending “G:SDHGAEGH” at a field which should be something like “2011”. In other words, we might try adding some basic heuristics and prompt the user if we suspect that they might not be human (I dislike saying that as the email archive will make me seem overly human-centric in the future when we’re sharing the Earth with sentient AIs or aliens..).
Maybe even a confirmation screen after clicking submit which might ask them to re-enter some information or answer a question. Also not perfect but perhaps better than nothing.
David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St, Ultimo, NSW 2007
*From:*Chris Cormack [mailto:chrisc@catalyst.net.nz] *Sent:* Wednesday, 3 February 2016 4:42 PM *To:* David Cook <dcook@prosentient.com.au>; 'koha-devel' <koha-devel@lists.koha-community.org> *Subject:* Re: [Koha-devel] Need to improve anti-spam for opac-suggestions
Positive captchas are still discrimatory. The reasons for not using them are as valid now as they were then.
I guess the question is would you rather discriminate against potential or current users or deal with the spam. Long winded way of me saying we should find a better tool than positive captchas or deal with the spam.
My 2 cents
Chris
On 3 February 2016 4:09:53 pm AEDT, David Cook <dcook@prosentient.com.au <mailto:dcook@prosentient.com.au>> wrote:
Hi all,
It looks like we may need to improve anti-spam for opac-suggestions.pl.
A negative captcha was added with https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3144, but I’m noticing a distributed spam attack which appears to either be wise to the “negcap” field or is occasionally lucky to accidentally not put any data with that parameter.
Back in the day, we decided not to go with a positive captcha for accessibility reasons. I suppose we do have a positive captcha in the patron self-registration (I think) so maybe we should add one here. Or… think of something else clever.
Ideas?
David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St, Ultimo, NSW 2007
------------------------------------------------------------------------
Koha-devel mailing list Koha-devel@lists.koha-community.org <mailto:Koha-devel@lists.koha-community.org> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website :http://www.koha-community.org/ git :http://git.koha-community.org/ bugs :http://bugs.koha-community.org/
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
Salvete! Shouldn't that just draw on the list of registered borrowers? I'm trying to think of a situation where I'd take a suggestion from someone that's not a Patron, and in those cases they either ring the Library directly or email me. Cheers, Brooke
Hi Brooke, This is covered by a system preference: AnonSuggestions: [Allow / Don't allow] patrons that aren't logged in to make purchase suggestions. Am 03.02.2016 um 14:28 schrieb BWS Johnson:
Salvete!
Shouldn't that just draw on the list of registered borrowers? I'm trying to think of a situation where I'd take a suggestion from someone that's not a Patron, and in those cases they either ring the Library directly or email me.
Cheers, Brooke _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
Hi Brooke, This issue first arose at a library whose collection is 100% digital. Users are not even registered, so never log in. Any suggestions are necessarily anonymous. Bob On 04/02/16 00:38, Marc Véron wrote:
Hi Brooke,
This is covered by a system preference: AnonSuggestions: [Allow / Don't allow] patrons that aren't logged in to make purchase suggestions.
Am 03.02.2016 um 14:28 schrieb BWS Johnson:
Salvete!
Shouldn't that just draw on the list of registered borrowers? I'm trying to think of a situation where I'd take a suggestion from someone that's not a Patron, and in those cases they either ring the Library directly or email me.
Cheers, Brooke
Salvete!
This issue first arose at a library whose collection is 100% digital. Users are not even registered, so never log in. Any suggestions are necessarily anonymous.
Ah, how interesting. This additional information is very helpful. No wonder there is a much higher incidence of spam than what I normally hear about! My suggestion after attending ShmooCon would be to honeypot the form, and then reassess things. https://www.dexmedia.com/blog/honeypot-technique/ Cheers, Brooke
Hi Brooke: We're already doing that with the negcap, and that worked for a while, but I think that someone may have changed their bot to exclude fields with an ID or class of "negcap"... or their bot doesn't always fill out all fields perhaps. It seems to be a bit of a sporadic thing, as I'll see lots of failed HTTP POSTs in the logs, but occasionally one gets through and adds a spam suggestion. Jonathan: I think changing the name from "negcap" would be a good idea. David Cook Systems Librarian Prosentient Systems 72/330 Wattle St, Ultimo, NSW 2007
-----Original Message----- From: koha-devel-bounces@lists.koha-community.org [mailto:koha-devel- bounces@lists.koha-community.org] On Behalf Of BWS Johnson Sent: Thursday, 4 February 2016 11:50 PM To: Bob Birchall <bob@calyx.net.au>; koha-devel@lists.koha-community.org Subject: Re: [Koha-devel] Need to improve anti-spam for opac-suggestions
Salvete!
This issue first arose at a library whose collection is 100% digital. Users are not even registered, so never log in. Any suggestions are necessarily anonymous.
Ah, how interesting. This additional information is very helpful. No wonder there is a much higher incidence of spam than what I normally hear about!
My suggestion after attending ShmooCon would be to honeypot the form, and then reassess things.
https://www.dexmedia.com/blog/honeypot-technique/
Cheers, Brooke _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha- community.org/ bugs : http://bugs.koha-community.org/
The input is named "negcap", you could try to change it :) 2016-02-03 5:09 GMT+00:00 David Cook <dcook@prosentient.com.au>:
Hi all,
It looks like we may need to improve anti-spam for opac-suggestions.pl.
A negative captcha was added with https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3144, but I’m noticing a distributed spam attack which appears to either be wise to the “negcap” field or is occasionally lucky to accidentally not put any data with that parameter.
Back in the day, we decided not to go with a positive captcha for accessibility reasons. I suppose we do have a positive captcha in the patron self-registration (I think) so maybe we should add one here. Or… think of something else clever.
Ideas?
David Cook
Systems Librarian
Prosentient Systems
72/330 Wattle St, Ultimo, NSW 2007
_______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
On 16-02-3 6:09 pm, David Cook wrote:
Hi all,
It looks like we may need to improve anti-spam for opac-suggestions.pl.
A negative captcha was added with https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3144, but I'm noticing a distributed spam attack which appears to either be wise to the "negcap" field or is occasionally lucky to accidentally not put any data with that parameter.
hiya, are you running the follow-up patch, also? https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=15035
participants (7)
-
Bob Birchall -
BWS Johnson -
Chris Cormack -
David Cook -
Jonathan Druart -
Marc Véron -
Mason James