Random Registration URL

[Pete]

Everyone hates spam bots, but they only know where to sign up because the registration URL always stays the same!

So... why not change the registration link on a daily basis and add an md5 encrypted string into the url? So the URL could be http://forums.invisionpower.com/index.php?...=edrg3434gRGrg4 instead of the normal URL.

The up-side? Spam bots wouldn't recognise the URL in the template. The down-side? You'd need a little bit of code to create a new md5 string once a day and store the link in the database, then replace any references to the registration page url in the skin templates as they're loaded.

The only way I can see around this is that anything after http://forums.invisionpower.com/index.php?...Reg&CODE=00 is obviously the md5 bit, but with a bit of cleverness I imagine this idea could be adapted. For example, masking the "act" and "CODE" bits with other md5 hashes generated daily as well - then IPD checks the database to see what code and act matches up before displaying the page. So the url becomes http://forums.invisionpower.com/index.php?...=43t3ggf34gsdGN

It's all about distorting the URL into unrecognisability (and that's a new word I think :D).

So... who wants to be first to find a flaw in my idea ;)

[Dark Phantom]

You have to get and then compare the values, this will lead to additional load time, might not be a major flaw but it is indeed a flaw.

[Keith J. Kacin]

What is to stop the bot from being programmed to scan the source code for any link with: act={hash}, and then follow that link?

Or even follow any link that says: >Register</a>

[Pete]

Hehe, I only thought of that after switching my PC off last night. Knew it couldn't be that easy ;) Back to teh drawing board...

On to another idea - in the registration email give them a random code and an url to enter it at - wait now, I can see you saying it's easy enough to scan the email for the code, but since every administrator can re-word the email and put the reg code anywhere they like in the email, a simple regexp bot wouldn't be able to cope surely?

I know there's only so many ways you can word a valdation email, but if everyone puts their code in a different place and someone writes something like "pop the following string into the form: XXX" whilst someone else writes "enter XXX at the url above" then the bots will have a lot harder time, especially if the strings are randomly words, numbers, or mixes of both for each new member.

Potentially if there are something like 10,000 IPB installs and all 10,000 admins reworded their validation email to their own tastes, the bots would have to work out the problem 10,000 times rather than just one.

Any flaws in that, aside from laziness by administrators who can't be bothered changing the original email?

[ellawella]

Or, even better, improve the CAPTCHA image, which IPS have already done :)

[Luke]

Or, even better, improve the CAPTCHA image, which IPS have already done :)

:whistle: