in reply to Re: Re: Code to Block Scripts/Harwesters (GD based?)
in thread Code to Block Scripts/Harwesters (GD based?)

Nothing wrong with making your site inaccessible if it can be tolerated or there are alternative methods.

True, if you run a site with e.g. (royalty free) photos and require users to sign up, the chances are slim someone wants to view the website with a text-based browser. Still it's annoying, but ok, it might be tolerable.

However, this basically boils down to the same argument on computer security. Lots of people ban telnet, pop3 and other protocols that allow passwords being sent in plain text. It's all about how much comfort you want to give up for "security". How much "trouble" do you want to put your users through to give them what they want. IMHO, a website doesn't need such security measures as posted by the OP, but then again, I still didn't ban pop3 access for my users ;)

Instead of putting your visitors through the hassle, you might put some time in it yourself, by snooping through logfiles (or create a script that does it for you) and find the ip addresses of the "users" that filled out the form more than once in a certain time span. (And yes, that wouldn't mean for certain that you're dealing with a bot, but when the form was filled out 20 times in under a minute, the chances are, you are dealing with a bot.)

Like posted in the CB yesterday in a discussion whether to ban certain music for kids (Cradle of Filth was the band in question, if you were curious), the actual ban might lead to curiosity that was never there before. People may want to work on scripts to circumvent the visual check, just because it's there.

A tiny disclaimer claiming site security will give the users the "why". And if they ask why and threaten to go away, well, you can only extend your reach so far :)

The question is "do you value your customers or not"? If not, then there is no argument against using visual or audio tricks to make sure you're handling a real human. But why not step it up a notch and require users to come see you in person with a valid passport? This would surely ban the "evil" scripts.

--
b10m
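The log-scanning script b10m describes above, written out as an added example (this is not code from the thread or from any poster): it parses common-log-format lines, counts POSTs to the signup form per IP inside a sliding window, and reports addresses that hit a threshold. The log lines, the /signup.pl path and the 20-in-60-seconds figures are constructed here from the post, not taken from a real server.

```perl
#!/usr/bin/perl
# Added example, not from the thread: find IPs that POST to a form more than
# $threshold times inside any $window seconds of an Apache-style access log.
use strict;
use warnings;
use Time::Local qw(timegm);

my %MONTH = (Jan=>0, Feb=>1, Mar=>2, Apr=>3, May=>4,  Jun=>5,
             Jul=>6, Aug=>7, Sep=>8, Oct=>9, Nov=>10, Dec=>11);

# Parse one common-log-format line; returns a hashref, or undef on no match.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ m{^(\S+) \S+ \S+ \[(\d\d)/(\w{3})/(\d{4}):(\d\d):(\d\d):(\d\d) ([+-])(\d\d)(\d\d)\] "(\S+) (\S+)};
    my ($ip, $d, $mon, $y, $H, $M, $S, $sign, $tzh, $tzm, $method, $path) =
        ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12);
    return unless exists $MONTH{$mon};
    my $t = timegm($S, $M, $H, $d, $MONTH{$mon}, $y);
    # The stamp is in the log's own zone; shift it to a UTC epoch value.
    my $offset = $tzh * 3600 + $tzm * 60;
    $t += ($sign eq '-') ? $offset : -$offset;
    return { ip => $ip, time => $t, method => $method, path => $path };
}

# Returns (\%flagged, \%total): %flagged maps IP => epoch of the request at
# which $threshold POSTs to $path fell inside one $window; %total holds the
# plain per-IP POST count so low-rate repeaters remain visible in the report.
sub find_bursts {
    my ($lines, $path, $threshold, $window) = @_;
    my @hits = sort { $a->{time} <=> $b->{time} }
               grep { $_->{method} eq 'POST' && $_->{path} eq $path }
               map  { parse_line($_) || () } @$lines;
    my (%recent, %flagged, %total);
    for my $hit (@hits) {
        my $ip = $hit->{ip};
        $total{$ip}++;
        my $q = $recent{$ip} ||= [];
        push @$q, $hit->{time};
        # Drop timestamps that have fallen out of the sliding window.
        shift @$q while @$q && $q->[0] <= $hit->{time} - $window;
        $flagged{$ip} = $hit->{time}
            if @$q >= $threshold && !exists $flagged{$ip};
    }
    return (\%flagged, \%total);
}

# Constructed sample log: two ordinary visitors and one address that submits
# the form 25 times in 48 seconds.
my @log = (
    '10.0.0.5 - - [30/Dec/2003:19:00:01 +0000] "GET /signup.pl HTTP/1.0" 200 1432',
    '10.0.0.5 - - [30/Dec/2003:19:01:12 +0000] "POST /signup.pl HTTP/1.0" 302 0',
    '10.0.0.9 - - [30/Dec/2003:19:03:40 +0100] "POST /signup.pl HTTP/1.0" 302 0',
);
push @log, sprintf('192.0.2.77 - - [30/Dec/2003:19:05:%02d +0000] "POST /signup.pl HTTP/1.0" 302 0', $_ * 2)
    for 0 .. 24;

my ($flagged, $total) = find_bursts(\@log, '/signup.pl', 20, 60);
for my $ip (sort keys %$total) {
    printf "%-15s %3d POSTs%s\n", $ip, $total->{$ip},
        exists $flagged->{$ip}
            ? '  BURST reached at ' . gmtime($flagged->{$ip}) . ' UTC'
            : '';
}
```

Run it against a real access log by replacing @log with the file's lines (`my @log = <STDIN>;`). The output is a list to review, not a ban list: as the replies below point out, one address may be an AOL-style proxy or a masquerading gateway with many real users behind it, and a patient script that submits once a day never trips the window at all, which is why the per-IP totals are printed alongside the burst flag.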

Re: Re: Code to Block Scripts/Harwesters (GD based?)
by exussum0 (Vicar) on Dec 30, 2003 at 19:10 UTC
    Instead of putting your visitors through the hassle, you might put some time in it yourself, by snooping through logfiles (or create a script that does it for you) and find the ip addresses of the "users" that filled out the form more than once in a certain time span. (And yes, that wouldn't mean for certain that you're dealing with a bot, but when the form was filled out 20 times in under a minute, the chances are, you are dealing with a bot.)
    You can't go by ip. There are a lot of proxies out there, like those used by AOL. Even so, 30 bots each submitting 1 request a day for 30 days is 900 junk registrations. Maybe I'll accumulate 60 bots and do one every other day. Now you have to sit down and analyze logs for hidden patterns, since a proxy will totally throw your ip analysis off. :)

    Come up with another one, I'll try and defeat it for you. :) (FINISH HIM!)

    A tiny disclaimer claiming site security will give the users the "why". And if they ask why and threaten to go away, well. you can only extend your reach so far :) The question is "do you value your customers or not"? If not, then there is no argument against using visual or audio tricks to make sure you're handling a real human. But why not step it up a notch and require users to come see you in person with a valid passport? This would surely ban the "evil" scripts.
    If it's a free site like slashdot, with no customer support, I see no problem with a small disclaimer and someone eventually getting to the why questions if ever. I run an internal site that uses pre-generated, overly random passwords. The user can reset his password whenever he wants to another new pre-generated password. People hate it since they are hard to remember, but they put up with it since it's understood that I won't change it for security reasons. I tell them right out, I'm more likely to trust my random junk than someone typing in a really bad password later.

    It's a matter of perspective on who gets to do what and why.


    Play that funky music white boy..
      Come up with another one, I'll try and defeat it for you. :) (FINISH HIM!)

      Although you can't argue with stupidity, I'll be ignorant and give it a shot anyway. Of course you can always come up with arguments against mine (at least I fully hope so). The question is whether this is productive at all.

      b10m "Instead of putting your visitors through the hassle, you might put some time in it yourself, by snooping through logfiles..."
      sporty "You can't go by ip. There are a lot of proxies out there, like those used by AOL. Even so, 30 bots each submitting 1 request a day for 30 days is 900 junk registrations. Maybe I'll accumulate 60 bots and do one every other day. Now you have to sit down and analze logs for hidden patterns, since a proxy will totally through your ip anlaysis off. :)"

      As hardburn put it well in node 317719 :

      hardburn "If a harvester really wanted to, they could pay a batch of minimum-wage workers to fill out these forms all day with an acceptable rate of accesses per day"
      sporty "I run an internal site that uses pre-generated, overly random passwords. The user can reset his password whenever he wants to another new pre-generated password. People hate it since they are hard to remember, but they put up with it since it's understood that I won't change it for security reasons. I tell them right out, I'm more likely to trust my random junk than someone typing in a really bad password later."

      Ah, yes, "random" passwords are very secure. For this measure to be somewhat useful, you would have to make sure that your entire site runs over SSL, no cookies are used and new super secure, pre-generated random passwords are either e-mailed to the user, using (GPG) encryption, or not e-mailed at all. Still, I could probably find flaws in any type of security you could come up with ;-)

      Unless you're a BOFH, I could see no added value to these mega "secure" random passwords.

      By the way: Shall we continue this thread by e-mail? For I believe there is no PM value in all this ...

      --
      b10m
        I would argue that it IS productive. Someone may come along, read this silly tirade between two people on security.

        The site I run is actually restricted by MAC address due to the sensitivity of the data. Yes, you can run a proxy on your local machine just like you can put a non-ssl to ssl proxy between a secure site to make it insecure. Beyond that, I usually hand deliver all passwords since so many of my cow-orkers leave their computers unlocked :( Sorta defeats it all, eh? But you can't blame me for leaving your keys in the lock. :)


        Play that funky music white boy..
Re: Re: Code to Block Scripts/Harwesters (GD based?)
by PetaMem (Priest) on Jan 05, 2004 at 13:34 UTC
    (And yes, that wouldn't mean for certain that you're dealing with a bot, but when the form was filled out 20 times in under a minute, the chances are, you are dealing with a bot.)

    Or that there are lots of interested subscribers behind a firewall/masquerading gateway. Wouldn't like to spoil them all.

    Bye
     PetaMem
        All Perl:   MT, NLP, NLU