ElkArte Community

Elk Development => Feature Discussion => Topic started by: IchBin on May 07, 2013, 02:48:16 pm

Title: Custom registration input names
Post by: IchBin on May 07, 2013, 02:48:16 pm
With the way that some spambots work by trying to mass register at SMF sites, is it worth it to give SMF installs the ability to custom name the registration inputs to keep the auto-registration from happening? Just crossed my mind today when thinking about some spam issues. If you don't get what I mean, here's a small example.

Pretend normal input for username:
<input type="text" name="username" />

Custom input (can be different for each SMF install, maybe ability to set in anti-spam options):
<input type="text" name="customKey_username" />

Get what I'm saying? Is this not worth it for some reason I'm not thinking of? I guess maybe the token kind of defeats the purpose for this, but maybe it's an additional option to be added. Just curious...
Title: Re: Custom registration input names
Post by: emanuele on May 07, 2013, 04:14:57 pm
As far as I know most of the bots simply browse the site loading up the pages, filling all the inputs they find and pressing buttons like real users.
Changing the input fields' names doesn't make any difference...
Title: Re: Custom registration input names
Post by: IchBin on May 09, 2013, 01:19:31 am
I guess we weren't reading about the same bots then. Things like the XRumer program that register accounts auto-magically wouldn't be able to register if they don't know which inputs hold the correct values in order to be a proper registration. Sure, they could sit there and guess. But that's kind of my point: they'd have to sit there and try to guess it when the inputs don't have a default name.
Title: Re: Custom registration input names
Post by: emanuele on May 09, 2013, 03:39:46 am
Seems a rather dumb one...
If I had to write a bot, I would use Mechanize (http://mechanize.rubyforge.org/Mechanize/) (for example): just fetch the page, scan it for forms and elements (http://mechanize.rubyforge.org/Mechanize/Form.html), and fill the fields.
Title: Re: Custom registration input names
Post by: IchBin on May 10, 2013, 04:02:14 pm
Yeah, but doing it that way you have to basically do a brute force attack on the form. Which you could do no matter what. Heck, I've done these types of things with JMeter. Either way, it's just a thought to see if it was worth it to anyone else.
Title: Re: Custom registration input names
Post by: Arantor on May 10, 2013, 04:59:43 pm
I don't think it'd hurt, but there are measures I'd suggest doing ahead of that, namely the empty field (which will nail the brute force bots every time anyway) and the minimum-time on registration test: if they filled the form in too quickly, kick it back with a friendly message (and don't enforce the same length of time next time around, e.g. 10 seconds on the first request, 5 on subsequent requests from the same session).
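
The empty-field and minimum-time checks from the last post, combined with the per-install input names from the first post, as an added example that is not part of the thread and is not ElkArte or SMF code. The function names, the `website` trap field, the secret value and the session keys are all assumptions made for illustration.

```php
<?php
// Added illustration, not ElkArte/SMF code. All names here are hypothetical.

// Per-install prefix for input names, derived from a secret set by the admin.
function field_name(string $secret, string $field): string
{
    return 'f' . substr(hash_hmac('sha256', $field, $secret), 0, 10) . '_' . $field;
}

// Call when the registration form is rendered: remember when it was served.
function form_served(array &$session, int $now): void
{
    $session['reg_served_at'] = $now;
}

// Call on submit. Returns null if accepted, otherwise the reason for rejection.
function check_registration(array &$session, array $post, string $secret, int $now): ?string
{
    // Empty field: hidden from people with CSS, so it must come back present and blank.
    $trap = field_name($secret, 'website');
    if (!isset($post[$trap]) || $post[$trap] !== '') {
        return 'honeypot';
    }

    // Minimum time: 10 seconds on the first request, 5 on later ones in the session.
    $min = empty($session['reg_attempted']) ? 10 : 5;
    $served = $session['reg_served_at'] ?? null;
    $session['reg_attempted'] = true;
    if ($served === null || $now - $served < $min) {
        return 'too_fast';
    }

    // Inputs posted under the stock name instead of this install's name are ignored.
    $user = $post[field_name($secret, 'username')] ?? '';
    return $user === '' ? 'missing_username' : null;
}

// Constructed sample run with a made-up secret and timestamps.
$secret = 'example-install-secret';
$session = [];
form_served($session, 1000);
$bot = [field_name($secret, 'username') => 'x', field_name($secret, 'website') => 'http://spam.example'];
$human = [field_name($secret, 'username') => 'alice', field_name($secret, 'website') => ''];
var_dump(check_registration($session, $bot, $secret, 1001));
var_dump(check_registration($session, $human, $secret, 1003));
form_served($session, 1010);
var_dump(check_registration($session, $human, $secret, 1016));
```

The sample run rejects the submission that filled the trap field, rejects the first honest submission for arriving 3 seconds after the form was served, and accepts the retry that arrives 6 seconds after the form is served again.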