Worthless Anti-Spam (What can we learn)

I recently came across a site that had an “anti-spam” field at the bottom of the entry form.  The first issue I had with it was that at 1280x800 you could not read the value you were supposed to enter (see below).  You tell me, should you enter div, dlv, piv, or plv?


But even worse than not being readable at high resolutions is the fact that the programmer who coded it really did not understand what this was used for.  An anti-spam (aka: captcha) entry field should not be readable from the HTML DOM (otherwise entering the value can be scripted).  In this case the value is simply a disabled text input field that holds the value you need to type.  So a spammer would simply need to search for the text input field named “spam2” and then they could flood the site with spam.

   <td>
     <label>
       <input name="spam1" type="text" class="small" id="spam1" size="6" maxlength="3" />
       <input name="spam2" type="text" class="small" id="spam2" value="plv" 
          disabled="disabled" size="6" maxlength="3" />
       * <span class="small">- Anti-SPAM key - please enter matching value</span>
     </label>
   </td>
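To make the point concrete, here is an added example (not code from the site described above) of how such a check is supposed to work: the key is generated and kept on the server, the form only carries an opaque token, and the key itself never appears in the markup.  The in-memory dictionary standing in for a session store, the five-minute expiry and the /captcha/<token>.png image path are all assumptions made for the example.

```python
import secrets
import string
import time

# Assumption: an in-memory dict stands in for the server-side session store.
_CHALLENGES = {}
TTL_SECONDS = 300  # assumed expiry window for an issued key


def issue_challenge(length=3):
    """Create a random key, keep it server-side, and return an opaque token.

    The key is returned only so the image renderer can draw it; it must
    never be written into the HTML that reaches the browser.
    """
    key = "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))
    token = secrets.token_urlsafe(16)
    _CHALLENGES[token] = (key, time.time())
    return token, key


def render_form(token):
    """Render the form fragment.  Contrast with the original markup, where
    <input name="spam2" value="plv" disabled> handed the answer to any script
    that read the DOM; here only the token is visible."""
    return (
        f'<input type="hidden" name="spam_token" value="{token}" />'
        f'<img src="/captcha/{token}.png" alt="" />'  # assumed image endpoint
        f'<input name="spam1" type="text" class="small" size="6" maxlength="3" />'
    )


def verify(token, submitted):
    """Check a submission against the stored key.  Each token is single use
    and expires after TTL_SECONDS, so a captured form cannot be replayed."""
    entry = _CHALLENGES.pop(token, None)
    if entry is None:
        return False
    key, issued_at = entry
    if time.time() - issued_at > TTL_SECONDS:
        return False
    return secrets.compare_digest(key, submitted.strip().lower())


if __name__ == "__main__":
    tok, k = issue_challenge()
    print(render_form(tok))          # the key k does not appear in this output
    print(verify(tok, k))            # True
    print(verify(tok, k))            # False: token already consumed
```

Whether the key is turned into a distorted image or read out as audio is a separate question; the property that matters here is that the browser only ever receives the token, and the comparison happens on the server.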


There are some things to learn from this example:

1) Always make sure you understand why you are coding a feature/function for any program you write.  Just following the requirements without realizing the “why” will sooner or later come back to bite you.  The example above looks like exactly that.

2) Always check how the screen appears in different resolutions.  In this case it was pretty much unreadable in 1280x800, but you could read it in 800x600 (but most people I know do not have their resolution set that low).  Lucky for me I could “View Source” and get the value I needed to enter.

