I put up a webpage advertising a particular birthday party. A simple html page served by apache2 on ubuntu server 12.04. I have a link on the page to a cgi script-Python-that asks the requester to submit text values that will be formatted and relayed in an email to the bithrday boy. What’s a simple way to authenticate that a human being is filling out the form, so that I can avoid having the birthday boy receiving spam. Using standard CGI because I do not expect an overload of concurrent requests.
I am aware of things like reCaptcha, but am looking for canonical strategies for quick and dirty authentication. Not being paid for this and the site will be up for but 9 days, so I don’t want to put time into a solution more robust that what I actually need. Would asking a human answerable question suffice? If so could I get a away with a dropdown box of selectable answers. I want quick and dirty, but I also don’t want to wind up with boat loads of spam because I underestimated the intelligence of spam bots.
3
I assume that you are sending this site as a link to the invitees. Why not have the link be something like www.yourbirthdaysite.com/24387921854781987458714590349839849394? Only accept connections to that address, not the root address. This is an effective way to keep content private when you don’t need overkill security. Google uses it as a sharing option for sharing Google Docs, for example.
If you want people to be able to access the root address directly (if they need to type it in rather than clicking on a link), I would do two things:
- Disable Google Indexing and don’t link from anywhere public (your site is not targeted to the general public anyway). This will remove the main source of traffic for spambots to your site. Security through obscurity is not a good practice generally. But a site that is not indexed on search engines and is only visible for nine days is very obscure. Realistically, you are unlikely to get spam in that time.
- Have a simple question and answer verification. Have a few questions about the birthday boy that would be known to the party attendees. Make it fun, and it will add to the site overall.
1
I’d try something that’s trivial and based on the page, but requires context so a standard bot won’t pick up on it.
Specific suggestions:
- Type the birthday boy’s name backwards
- Type the birthday boy’s initials
- What is the name of the birthday boy’s mother?
- What day is the birthday?
It’d be trivial to write a bot that could answer these, but nothing pre-existing ought to pick up on it, and it wouldn’t be practical or worthwhile to do so in that timeframe.
Add this to your form then in your Python script just check that the posted form field called capt == “human”;
<input type="hidden" name="capt" id="capt" value="">
<script>
document.getElementById('capt').value="human";
</script>
Will fool 99% of bots that can not run JavaScript and will only reject friends that disable JavaScript, but then again that’s probably a good test of a true friend 😉
1
Why not copy Google?
These days they insist on a mobile phone number when you sign up for mail, G+ etc.
Every now and then when you log in from a strange address they tell you to check your phone and look for an SMS message containing an authentication code.
You enter the code in the login screen and proceed as normal.
You could do something similar by requesting a mobile number, sending a verification code via SMS and only responding to mails with a valid verification code.
2