Guestbook spam protection
Mathieu Maes - 03 Jul 2008 09:30 GMT

Hello everyone,

I have created a simple guestbook for my bandsite (http://www.thefirm-online.be). As you might expect, some spambots have jumped on it as soon as it went online. At the moment, I've put the following measures in place:
- Protection against XSS attacks, SQL injections, etc...
- Check the IP address - if the origin is abroad, the post is inactive and needs approval by a moderator (me).

Currently I have to delete 25 spam posts /day which is getting a little ridiculous. I'm looking for a much better solution.

Already found solutions (which I won't use):
- CAPTCHA - I don't want to punish every visitor for having those spambots. It's not that safe either. I prefer not using this kind of solution.
- Make a dynamic image (php-file outputting the image) and store a variable in the session. Problem is that images are cached by the browser, making it usable only the first time the user visits the website.
- Have a javascript function alter some hidden value in the form. Haven't tried this yet...
- Found several "commercial" solutions where the form is being encrypted. Haven't tried this yet either...
Thanks for your help Mathew
Geoff Berrow - 03 Jul 2008 10:19 GMT

Message-ID: <4bbf3fa7-a8bd-4884-bc7e-f080dafcdc8c@t54g2000hsg.googlegroups.com> from Mathieu Maes contained the following:

> Currently I have to delete 25 spam posts /day which is getting a
> little ridiculous. I'm looking for a much better solution.

I don't allow links or URLs. I have a banned word list and so far I haven't had to add more than three words: 'http://', ' www.' and '<'. Any one who legitimately needs to post a link can always write www[dot]example[dot]com, but that's no advantage to spammers who simply want to get links published.

I've also been experimenting with an enquiry form that used to get spammed. I've added a secret field, hidden by CSS.

    <label for='secret_field' style='display:none'>Please leave blank
    <input name='secret_field' id='secret_field'></label>

Bots will usually either leave it out or fill it with garbage and so I check for this like so:-

    if (!isset($_POST['secret_field']) || $_POST['secret_field'] != "") {
        // at the moment I'm prepending the resultant email's subject
        // with [SPAM] but eventually may just silently drop it.
        $subject = '[SPAM] ' . $subject;
    }

Regards,
Geoff Berrow
Floortje - 03 Jul 2008 10:34 GMT

Geoff Berrow wrote:
> Message-ID:
> <4bbf3fa7-a8bd-4884-bc7e-f080dafcdc8c@t54g2000hsg.googlegroups.com> from
[quoted text clipped - 8 lines]
> www[dot]example[dot]com, but that's no advantage to spammers who simply
> want to get links published.

I have done something similar. This got rid of all the spam

    if (Login::isGuest()) {
        $badwords = array('xanax','cialis','phentermine','viagra','tramadol','skincare','finanziamento','[/url]','ringtones');
        // check for matches: flag the post if any banned word occurs in the posted text ($message)
        foreach ($badwords as $word) {
            if (stripos($message, $word) !== false) { $isSpam = true; }
        }
    }
Arjen
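Geoff's CSS-hidden honeypot field and Floortje's banned-word list, combined into one classifier as an added example (not code from either poster); it assumes the form posts 'message' and the hidden 'secret_field', and the word list is constructed from the words mentioned in the thread.

```php
<?php
// Added example, not code from the thread: Geoff Berrow's CSS-hidden honeypot
// field and a Floortje-style banned-word list in one classifier. Assumes the
// form posts 'message' and the hidden 'secret_field'; the word list is constructed.

// Fragments a legitimate entry on this site never needs, matched case-insensitively;
// '<', 'http://' and 'www.' block markup and links outright (links can still be
// written as www[dot]example[dot]com, as Geoff suggests).
$GUESTBOOK_BADWORDS = array(
    'http://', 'www.', '<', '[/url]',
    'xanax', 'cialis', 'phentermine', 'viagra', 'tramadol', 'ringtones',
);

/**
 * Returns 'ok', 'honeypot' or 'badword:<word>' so the caller can decide
 * whether to publish, hold for moderation, or drop and log the post.
 */
function classify_guestbook_post(array $post, array $badwords) {
    // A browser submits the hidden field and a human leaves it empty; bots
    // usually omit it or fill it with text, so both cases are rejected.
    if (!isset($post['secret_field']) || $post['secret_field'] !== '') {
        return 'honeypot';
    }
    $text = isset($post['message']) ? (string)$post['message'] : '';
    foreach ($badwords as $word) {
        if (stripos($text, $word) !== false) {
            return 'badword:' . $word;
        }
    }
    return 'ok';
}

// Constructed sample submissions exercising each branch.
$samples = array(
    array('message' => 'Great gig last night!', 'secret_field' => ''),
    array('message' => 'Great gig last night!'),                    // hidden field missing
    array('message' => 'Hello <b>world</b>', 'secret_field' => 'Mr'),
    array('message' => 'Buy CIALIS now at www.pills.example', 'secret_field' => ''),
);
foreach ($samples as $i => $p) {
    echo $i, ': ', classify_guestbook_post($p, $GUESTBOOK_BADWORDS), "\n";
}
```

Anything other than 'ok' is best held for the moderator rather than silently dropped at first, so false positives on real visitors show up in the queue.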
C. (http://symcbean.blogspot.com/) - 03 Jul 2008 12:43 GMT

> Geoff Berrow wrote:
> [quoted text clipped - 22 lines]
>
> Arjen

Too crude - have a look at the email spam you receive (or not) and you'll see this is easily avoided. That's why bayesian filtering is so popular. A better solution would be to push the message through a well-trained spam-filter before publishing it.
Other approaches:
Use a captcha, but drop a cookie which allows subsequent submissions to bypass the captcha
Hold posts pending release, send the URL for releasing the post to the email address supplied - mostly spammers don't use real addresses - but it's not foolproof.
Manually approve all posts.
BTW trying to prevent CSS and injection via blacklisting you'll always be playing catchup with the blackhats. Starting point is to design your system so it processes the data correctly, using htmlentities, mysql_real_escape_string etc to neutralise the attack. By all means, once this is done, apply some sort of approvals as you do for spam - but this way the solution for CSS, injection and spam becomes the same thing.

--
C.
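The Bayesian filtering C. recommends, as an added example that is not his code: a minimal naive Bayes classifier over guestbook text with constructed training rows. With this few rows the scores only illustrate the mechanics; a real deployment would train on the site's own held and approved posts.

```php
<?php
// Added example, not code from the thread: a minimal Bayesian (naive Bayes) text
// filter of the kind C. suggests running a post through before publishing it.
// The training rows below are constructed, not real guestbook traffic.

/** Lower-case alphanumeric tokens; URL parts such as 'www' count as words too. */
function tokenize($text) {
    preg_match_all('/[a-z0-9]+/', strtolower($text), $m);
    return $m[0];
}

/** Token counts per class: array('spam' => array(token => n), 'ham' => ...). */
function train(array $labelled) {
    $counts = array('spam' => array(), 'ham' => array());
    foreach ($labelled as $row) {
        list($label, $text) = $row;
        foreach (tokenize($text) as $tok) {
            $counts[$label][$tok] = (isset($counts[$label][$tok]) ? $counts[$label][$tok] : 0) + 1;
        }
    }
    return $counts;
}

/** Log-odds that $text is spam (positive => spam), assuming equal class priors.
 *  Add-one smoothing keeps a never-seen word from zeroing either probability. */
function spam_log_odds(array $counts, $text) {
    $vocab = count($counts['spam'] + $counts['ham']);   // '+' unions the key sets
    $nSpam = array_sum($counts['spam']);
    $nHam  = array_sum($counts['ham']);
    $odds  = 0.0;
    foreach (tokenize($text) as $tok) {
        $cS = isset($counts['spam'][$tok]) ? $counts['spam'][$tok] : 0;
        $cH = isset($counts['ham'][$tok])  ? $counts['ham'][$tok]  : 0;
        $odds += log((($cS + 1) / ($nSpam + $vocab)) / (($cH + 1) / ($nHam + $vocab)));
    }
    return $odds;
}

$training = array(   // constructed labelled posts
    array('spam', 'buy cheap viagra cialis online http://pills.example'),
    array('spam', 'free ringtones download now www.tones.example'),
    array('spam', 'cheap tramadol xanax online pharmacy'),
    array('ham',  'great gig last friday, loved the drummer'),
    array('ham',  'when is the next concert in gent?'),
    array('ham',  'nice site, keep rocking guys'),
);
$model = train($training);
foreach (array('cheap cialis online now', 'loved the concert, see you next gig') as $msg) {
    printf("%+.2f  %s\n", spam_log_odds($model, $msg), $msg);
}
```

The threshold for holding a post (for example, log-odds above zero) should be tuned against the site's real traffic, and the moderator's accept/reject decisions fed back into the training set.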
Floortje - 03 Jul 2008 12:51 GMT

C. (http://symcbean.blogspot.com/) wrote:
>> if(Login::isGuest()){
>> [quoted text clipped - 10 lines]
> popular. A better solution would be to push the message through a well-
> trained spam-filter before publishing it.

In theory you are right but in practice (at least in my case) not. It took me 2 mins to get rid of all the spam on my site (quite a large site) and it has been clean for over 2 years now. I get lotsa bots trying to post spam and none of them is clever enough to beat this simple system.

I'm well aware that maybe one day I should change this as the bots get more clever but for now it does a perfect job.
Arjen
Michael Berkowski - 03 Jul 2008 14:01 GMT

> I've also been experimenting with an enquiry form that used to get
> spammed. I've added a secret field, hidden by CSS.
[quoted text clipped - 9 lines]
> // with [SPAM] but eventually may just silently drop it.
> }

In our organization, we have a number of different "contact us" forms. Our ASP.NET developer tends to use the hidden field method you described with success. On my PHP pages, I sometimes use the same method, but in some cases I've added a little arithmetic captcha something like the following. Get two random integers less than 10, and ask the user to sum them.

    <?php
    // Create the session variables for the math problem
    session_start();
    $_SESSION['n1'] = rand(1,9);
    $_SESSION['n2'] = rand(1,9);
    ?>
    <label for='math'>
    What is <?php echo $_SESSION['n1'] . " + " . $_SESSION['n2']; ?>
    </label>
    <input id='math' type='text' name='math' />
I know CAPTCHAs were to be avoided in the original post, but this one is so trivial. (Though it might keep out first graders). I've never had spam on one of these forms except for the occasional manually entered list of links once or twice a year.
Michael Berkowski <berk0081@NOSPAM.umn.edu>
Mathieu Maes - 04 Jul 2008 08:47 GMT

> On Thu, 03 Jul 2008 10:19:43 +0100
> [quoted text clipped - 35 lines]
> --
> Michael Berkowski <berk0...@NOSPAM.umn.edu>

Thanks for all replies so far! I like the banned words list and hidden input fields, I'll give that a try for sure!
The main goal for me personally is to avoid spam, but I don't want to annoy the "normal" visitors with security features. I know my visitors are very simple people, to say the least. If I show the guestbook to my mom, she will just mock me because she needs to answer a simple sum to sign a guestbook :-)
On that topic, I've seen more creative captchas using images. I could show 9 pictures from our band and ask the user to click 3 pictures of the drummer, for example. (Idea came from KittenAuth - http://www.thepcspy.com/contact)
Requiring users to confirm their post by email would scare some people because they don't want to give their email.
Twayne - 04 Jul 2008 16:02 GMT

>> On Thu, 03 Jul 2008 10:19:43 +0100
>> [quoted text clipped - 52 lines]
> Requiring users to confirm their post by email would scare some people
> because they don't want to give their email.

IME the captcha scares people off too, especially neophytes or those in a hurry if they have to squint etc. to figure out the distorted/over-lined/hidden in colors etc. characters, especially the visually challenged and color blind. For things like guest books you want to make it as easy as you can but still keep some security too. IMO a simple expansion on your original idea might be a better solution, only use a random-length, random number and allow the digits to go negative (e.g. mt_rand(-99, 00)). Print them in the clear and use those plus a related question; maybe the number of digits in the code or something, to add a further layer to it. Or just ask for the middle 3 numbers, etc. of the code instead of the whole thing; lots of things one could do.
HTH, just my thoughts for the moment.
illona - 02 Sep 2008 05:33 GMT

There is a professional solution if captchas are bad (I agree with that too by the way)

Take a look at www.streamforensics.com Their solution isn't cheap but I can attest that once you have it you'll want to use it everywhere (and you only buy it once to use everywhere). It's a bit hard to get your head round at first but when the penny drops it's easy. You can protect existing or new forms in seconds. (really) We have it on every form and forum post now. We don't have a guest book but it should work just fine as those are just forms anyway.
Jerry Stuckle - 02 Sep 2008 13:30 GMT

> There is a professional solution if captchas are bad (I agree with that too by
> the way)
[quoted text clipped - 7 lines]
> but it should work just fine as those are just forms anyway.
>

There is no need for your expensive package. There are much better ways to handle CAPTCHA than an image.
For instance, I often use simple arithmetic in words, i.e. "How much is five minus four?" or "What is the sum of three and six"? These are easy for a person to solve, can be used with a screen reader by the visually impaired, yet harder to parse by 'bots, especially if you vary the wording (I typically have multiple sentences).
And BTW - CAPTCHA is not the image. CAPTCHA is a process. A CAPTCHA image is one way to handle the process.
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
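A worded-arithmetic challenge of the kind Jerry describes, built on Michael Berkowski's session-based approach from earlier in the thread; this is an added example, not either poster's code, and assumes a form field named 'math' and that session_start() has run before $_SESSION is touched (the demo substitutes a plain array).

```php
<?php
// Added example, not code from the thread: a worded-arithmetic challenge in the
// spirit of Michael Berkowski's and Jerry Stuckle's posts. The answer stays in
// the session and the phrasing varies, so a bot cannot rely on one "N + N" pattern.
$NUMBER_WORDS = array('zero','one','two','three','four','five','six','seven','eight','nine');

/** Store the expected answer in $session and return the question to print. */
function make_math_challenge(array &$session) {
    global $NUMBER_WORDS;
    $hi = mt_rand(1, 9);
    $lo = mt_rand(1, $hi);          // lo <= hi keeps the subtraction non-negative
    $h = $NUMBER_WORDS[$hi];
    $l = $NUMBER_WORDS[$lo];
    $templates = array(             // several wordings, two operators
        array("How much is $h plus $l?",             $hi + $lo),
        array("What is the sum of $l and $h?",       $hi + $lo),
        array("How much is $h minus $l?",            $hi - $lo),
        array("Take $l away from $h. What is left?", $hi - $lo),
    );
    list($question, $answer) = $templates[mt_rand(0, count($templates) - 1)];
    $session['math_answer'] = $answer;
    return $question;
}

/** Check a submitted answer; the stored answer is consumed so it cannot be replayed. */
function check_math_answer(array &$session, $given) {
    global $NUMBER_WORDS;
    if (!isset($session['math_answer'])) {
        return false;               // no challenge was issued for this session
    }
    $expected = $session['math_answer'];
    unset($session['math_answer']); // one attempt per challenge
    $given = strtolower(trim((string)$given));
    $idx = array_search($given, $NUMBER_WORDS, true);   // accept "nine" as well as "9"
    if ($idx !== false) {
        $given = (string)$idx;
    }
    return ctype_digit($given) && (int)$given === $expected;
}

// Self-contained demo: a plain array stands in for $_SESSION.
$session = array();
$question = make_math_challenge($session);
echo "<label for='math'>", htmlspecialchars($question, ENT_QUOTES, 'UTF-8'), "</label>\n";
echo "<input id='math' type='text' name='math' />\n";
$reply = $session['math_answer'];   // what a human who read the label would type
var_dump(check_math_answer($session, $reply));   // first attempt
var_dump(check_math_answer($session, $reply));   // same answer replayed
```

In the real form, pass $_SESSION in place of $session and require check_math_answer($_SESSION, $_POST['math']) to be true before the entry is saved; the label text is the only thing the client ever sees, never the answer.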
Twayne - 02 Sep 2008 16:00 GMT

>> On Fri, 04 Jul 2008 15:02:37 GMT, "Twayne"
>> <nobody@devnull.spamcop.net> wrote: There is a professional solution
[quoted text clipped - 19 lines]
> the visually impaired, yet harder to parse by 'bots, especially if
> you vary the wording (I typically have multiple sentences).

Ah, I'm not the only one doing that; great. I even still generate a random number to type in but it's fully readable and not in an image. I've also spread the bot-test Qs into two forms, the second very easy but hopefully unexpected by the bots and not even noticed. Counting page views and errors seems like it'd help too, and of course force only one email address, etc. etc.. If what I read about India's captcha business is anywhere near accurate it just proves what I've always thought about those stupid hard to read captcha images anyway. You just have to enforce the right house rules and get as close as you can to making it too hard to bother to use your stuff; there's always someone easier right down the pipe if you're lucky. I suspect making the questions random too helps a lot if someone does sit down and manually figure out the processes; but you need a database so it's not going to repeat too quickly. Random seems to be the magic touch for now. And natch, keep it all working fast so there aren't any noticeable delays over the norm or where they wouldn't be expected.
Cheers,
Twayne
> And BTW - CAPTCHA is not the image. CAPTCHA is a process. A CAPTCHA
> image is one way to handle the process.