
[Security] How to avoid spambots



Masterslave
08-10-2007, 06:42 PM
Hello all,

I've a big problem.
I have a public guestbook.
And some spambots can leave posts in my guestbook.
I don't know how they do it.
Does anyone know how to avoid spambots (a non-CAPTCHA way)?



<?php
// part of the guestbook script
// $_SESSION is read below, so a session must be active; in the full script this
// belongs at the very top, before any output is sent.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
// $db is assumed to be a mysqli connection opened earlier in the script; the
// original used the mysql_* extension, which has been removed from PHP.

$strip_tags = strip_tags( $_POST['content'] ?? '' );

// Only a referer that starts with http://localhost/ or http://www.trefnology.nl/
// passes (the original alternation also matched "www.trefnology.nl" anywhere in
// the header). The Referer header is set by the client, so a bot can simply send
// this value; the log below shows every POST carrying the site's own URL.
if( !preg_match('/^https?:\/\/(localhost|www\.trefnology\.nl)(\/|$)/i', $_SERVER['HTTP_REFERER'] ?? '') )
{
    die("Wegens veiligheidsredenen kun je niet het gastenboek bekijken zonder dat je al op een pagina bent geweest van Trefnology.");
}
else
{
    // && instead of ||: with || an unset key is still read and raises a notice
    if ( isset( $_SESSION["guestbook"] ) && $_SESSION["guestbook"] )
    {
        if( isset( $_POST['submit'] ) )
        {
            // honeypot: the 'hidden' text field is invisible to people, so any
            // non-whitespace content in it means a bot filled out the form
            if( trim( $_POST['hidden'] ?? '' ) !== '' )
            {
                die();
            }
            else
            {
                // trim() wraps the value, not the result of empty(); and a missing
                // name or message must stop the insert, hence the elseif chain
                if ( trim( $_POST['name'] ?? '' ) === '' || trim( $_POST['content'] ?? '' ) === '' )
                {
                    $error = "<br /><strong>Je dient je naam en bericht op te geven om een bericht te plaatsen.</strong>";
                }
                elseif( $strip_tags != $_POST['content'] )
                {
                    die("Het is verboden om HTML tags te gebruiken in het gastenboek. Ga terug naar het gastenboek om het opnieuw te proberen.");
                }
                else
                {
                    // take ip and host from the server, not from hidden form fields
                    // that the client can fill with anything it likes
                    $name    = $_POST['name'];
                    $email   = $_POST['email'] ?? '';
                    $website = $_POST['website'] ?? '';
                    $content = $_POST['content'];
                    $ip      = $_SERVER['REMOTE_ADDR'];
                    $host    = gethostbyaddr($ip);

                    // prepared statement: values are bound, never concatenated into SQL
                    $stmt = $db->prepare("INSERT INTO $guestbooktable (name, email, website, content, ip, host) VALUES (?, ?, ?, ?, ?, ?)");
                    if ( $stmt === false )
                    {
                        die($db->error);
                    }
                    $stmt->bind_param('ssssss', $name, $email, $website, $content, $ip, $host);
                    $stmt->execute() or die($stmt->error);
                    $stmt->close();

                    header("Location: guestbook.php");
                    exit; // stop here, otherwise the rest of the page still runs after the redirect
                }
            }
        }
    }
    else
    {
        die();
    }
}?>

How can the spammers break through my security?
If my script above is not right, tell me.
Thanks for your help.

Attached: a screenshot from phpMyAdmin and a part of the Apache log file.

Log:


81.177.22.198 - - [07/Aug/2007:20:34:42 +0200] "GET /guestbook.php?page=6 HTTP/1.0" 200 121 "http://www.valdosta.edu/~tthompson/syllabi/sys.php?amateur.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
81.177.22.198 - - [07/Aug/2007:20:34:42 +0200] "GET /guestbook.php?page=6 HTTP/1.0" 200 121 "http://www.valdosta.edu/~tthompson/syllabi/sys.php?amateur.html" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
81.177.22.198 - - [07/Aug/2007:20:34:43 +0200] "GET / HTTP/1.0" 200 10025 "http://www.trefnology.nl/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
81.177.22.198 - - [07/Aug/2007:20:34:43 +0200] "GET /guestbook.php?page=6 HTTP/1.0" 200 5288 "http://www.trefnology.nl/guestbook.php?page=6" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
81.177.22.198 - - [07/Aug/2007:20:34:45 +0200] "POST /guestbook.php?page=6 HTTP/1.0" 302 5288 "http://www.trefnology.nl/guestbook.php?page=6" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
81.177.22.198 - - [07/Aug/2007:20:34:45 +0200] "GET / HTTP/1.0" 200 10025 "http://www.trefnology.nl/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
81.177.22.198 - - [07/Aug/2007:20:34:46 +0200] "GET /guestbook.php HTTP/1.0" 200 7973 "http://www.trefnology.nl/guestbook.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
81.177.22.198 - - [07/Aug/2007:20:34:46 +0200] "GET /guestbook.php?page=6 HTTP/1.0" 200 5561 "http://www.trefnology.nl/guestbook.php?page=6" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
81.177.22.198 - - [07/Aug/2007:20:34:46 +0200] "POST /guestbook.php?page=6 HTTP/1.0" 302 5561 "http://www.trefnology.nl/guestbook.php?page=6" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
81.177.22.198 - - [07/Aug/2007:20:34:46 +0200] "GET /guestbook.php HTTP/1.0" 200 10558 "http://www.trefnology.nl/guestbook.php" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
81.177.23.136 - - [07/Aug/2007:20:50:15 +0200] "GET /guestbook.php?page=6 HTTP/1.0" 200 121 "http://www.valdosta.edu/~tthompson/syllabi/sys.php?teen.html" "Mozilla/1.22 (compatible; MSIE 2.0d; Windows NT)"
81.177.23.136 - - [07/Aug/2007:20:50:15 +0200] "GET /guestbook.php?page=6 HTTP/1.0" 200 121 "http://www.valdosta.edu/~tthompson/syllabi/sys.php?teen.html" "Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
81.177.23.136 - - [07/Aug/2007:20:50:15 +0200] "GET / HTTP/1.0" 200 10025 "http://www.trefnology.nl/" "Mozilla/1.22 (compatible; MSIE 2.0d; Windows NT)"
81.177.23.136 - - [07/Aug/2007:20:50:15 +0200] "GET / HTTP/1.0" 200 10025 "http://www.trefnology.nl/" "Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
81.177.23.136 - - [07/Aug/2007:20:50:55 +0200] "GET /index.php HTTP/1.0" 200 10025 "http://www.trefnology.nl/index.php" "Mozilla/1.22 (compatible; MSIE 2.0d; Windows NT)"
81.177.23.136 - - [07/Aug/2007:20:50:55 +0200] "GET /index.php HTTP/1.0" 200 10025 "http://www.trefnology.nl/index.php" "Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
81.177.23.136 - - [07/Aug/2007:20:51:35 +0200] "GET /guestbook.php?page=6 HTTP/1.0" 200 5449 "http://www.trefnology.nl/guestbook.php?page=6" "Mozilla/1.22 (compatible; MSIE 2.0d; Windows NT)"
81.177.23.136 - - [07/Aug/2007:20:51:35 +0200] "GET /guestbook.php?page=6 HTTP/1.0" 200 5449 "http://www.trefnology.nl/guestbook.php?page=6" "Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
81.177.23.136 - - [07/Aug/2007:20:51:35 +0200] "GET /index.php HTTP/1.0" 200 10025 "http://www.trefnology.nl/index.php" "Mozilla/1.22 (compatible; MSIE 2.0d; Windows NT)"
81.177.23.136 - - [07/Aug/2007:20:51:35 +0200] "GET /index.php HTTP/1.0" 200 10025 "http://www.trefnology.nl/index.php" "Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
81.177.23.136 - - [07/Aug/2007:20:51:36 +0200] "GET /index.php HTTP/1.0" 200 10025 "http://www.trefnology.nl/index.php" "Mozilla/1.22 (compatible; MSIE 2.0d; Windows NT)"
81.177.23.136 - - [07/Aug/2007:20:51:36 +0200] "GET /index.php HTTP/1.0" 200 10025 "http://www.trefnology.nl/index.php" "Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
81.177.23.136 - - [07/Aug/2007:20:52:16 +0200] "GET /index.php HTTP/1.0" 200 10025 "http://www.trefnology.nl/index.php" "Mozilla/1.22 (compatible; MSIE 2.0d; Windows NT)"
81.177.23.136 - - [07/Aug/2007:20:52:16 +0200] "GET /index.php HTTP/1.0" 200 10025 "http://www.trefnology.nl/index.php" "Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
81.177.23.136 - - [07/Aug/2007:20:52:16 +0200] "GET /index.php HTTP/1.0" 200 10025 "http://www.trefnology.nl/index.php" "Mozilla/1.22 (compatible; MSIE 2.0d; Windows NT)"
81.177.23.136 - - [07/Aug/2007:20:52:16 +0200] "GET /index.php HTTP/1.0" 200 10025 "http://www.trefnology.nl/index.php" "Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
81.177.23.136 - - [07/Aug/2007:20:52:55 +0200] "GET /guestbook.php?page=6 HTTP/1.0" 200 5449 "http://www.trefnology.nl/guestbook.php?page=6" "Mozilla/1.22 (compatible; MSIE 2.0d; Windows NT)"
81.177.23.136 - - [07/Aug/2007:20:52:55 +0200] "GET /guestbook.php?page=6 HTTP/1.0" 200 5449 "http://www.trefnology.nl/guestbook.php?page=6" "Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"




<form method="post" action="<?=htmlentities($_SERVER['REQUEST_URI'])?>" onsubmit="return checkform(this);">
<label for="name">Naam:</label>
<input type="text" name="name" id="name" /><br />
<label for="email">Email:</label>
<input type="text" name="email" id="email" /><br />
<label for="website">Website:</label>
<input type="text" name="website" id="website" /><br />
<label for="comment">Bericht:</label>
<textarea name="content" id="comment"></textarea><br />
<input type="hidden" value="<?=$_SERVER['REMOTE_ADDR'];?>" name="ip" />
<input type="hidden" value="<?=gethostbyaddr($_SERVER['REMOTE_ADDR']);?>" name="host" />
<input type="text" name="hidden" id="hidden_field"/>
<input type="submit" name="submit" value="Plaats reactie" class="button" />
</form>


I've added the new PHP code for the guestbook, which includes Len Whistler's way.
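The log above already shows why the Referer check in the script cannot help: every POST from 81.177.22.198 carries http://www.trefnology.nl/guestbook.php?page=6 as its Referer, the same address sends a Firefox and an MSIE User-Agent string within the same second, and each POST lands two seconds after the matching GET. Here is an added example, not code from the thread, that parses Apache combined-log lines and reports those two traits per client address. The sample lines are constructed in the same shape as the log above; the 60-second and 5-second thresholds and the function names are assumptions made for this example.

```php
<?php
// Added example, not code from the thread: parse Apache combined-log lines and
// report the two signals visible in the thread's own log. The sample lines below
// are constructed to mirror that log's shape; the 60 s and 5 s thresholds and the
// function names are assumptions made for this example.

const COMBINED_LOG = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';

// One log line -> associative array, or null if it does not match the format.
function parse_line(string $line): ?array
{
    if (!preg_match(COMBINED_LOG, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[7],
    ];
}

// Per client IP, the reasons it looks scripted:
//  - more than one User-Agent string from the same address within $window seconds
//    (the thread's bot alternates two UA strings in the same second);
//  - a POST less than $min_gap seconds after that address first fetched the same
//    path, or a POST with no preceding GET of that path at all.
function suspicious_ips(array $lines, int $window = 60, int $min_gap = 5): array
{
    $by_ip = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r !== null) {
            $by_ip[$r['ip']][] = $r;
        }
    }

    $flags = [];
    foreach ($by_ip as $ip => $reqs) {
        usort($reqs, fn(array $a, array $b): int => $a['time'] <=> $b['time']);

        $uas  = array_unique(array_column($reqs, 'ua'));
        $span = $reqs[count($reqs) - 1]['time'] - $reqs[0]['time'];
        if (count($uas) > 1 && $span <= $window) {
            $flags[$ip][] = sprintf('%d user agents within %d s', count($uas), $span);
        }

        $first_get = [];
        foreach ($reqs as $r) {
            if ($r['method'] === 'GET' && !isset($first_get[$r['path']])) {
                $first_get[$r['path']] = $r['time'];
            } elseif ($r['method'] === 'POST') {
                if (!isset($first_get[$r['path']])) {
                    $flags[$ip][] = 'POST ' . $r['path'] . ' without a preceding GET';
                } elseif ($r['time'] - $first_get[$r['path']] < $min_gap) {
                    $flags[$ip][] = sprintf('POST %s only %d s after GET', $r['path'], $r['time'] - $first_get[$r['path']]);
                }
            }
        }
    }
    return $flags;
}

// Constructed sample: 203.0.113.5 behaves like the thread's bot, 198.51.100.7 like a person.
$sample = [
    '203.0.113.5 - - [07/Aug/2007:20:34:43 +0200] "GET /guestbook.php?page=6 HTTP/1.0" 200 5288 "http://www.example.net/guestbook.php?page=6" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"',
    '203.0.113.5 - - [07/Aug/2007:20:34:45 +0200] "POST /guestbook.php?page=6 HTTP/1.0" 302 5288 "http://www.example.net/guestbook.php?page=6" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"',
    '203.0.113.5 - - [07/Aug/2007:20:34:46 +0200] "GET /guestbook.php HTTP/1.0" 200 7973 "http://www.example.net/guestbook.php" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"',
    '198.51.100.7 - - [07/Aug/2007:21:10:02 +0200] "GET /guestbook.php HTTP/1.0" 200 7973 "http://www.example.net/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"',
    '198.51.100.7 - - [07/Aug/2007:21:12:40 +0200] "POST /guestbook.php HTTP/1.0" 302 7973 "http://www.example.net/guestbook.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"',
];

foreach (suspicious_ips($sample) as $ip => $why) {
    echo $ip, ': ', implode('; ', $why), PHP_EOL;
}
```

Run it against a real access log with `suspicious_ips(file('access.log', FILE_IGNORE_NEW_LINES))`. Only the bot-like address is reported; the human-like address uses one User-Agent and takes over two minutes between fetching the page and posting. Neither signal is proof on its own (a proxy can put two real browsers behind one address), so treat the output as a list of addresses to review or rate-limit rather than block outright.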

Len Whistler
08-10-2007, 09:21 PM
Does anyone know how to avoid spambots (a non-CAPTCHA way)?

You could create an extra form text field which is hidden from the user; if that field has a value when submitted, then the entire form is rejected. A spambot might fill it out, while a user won't since they can't see it.

OR

One of the fields could require the answer to a simple math problem.
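Both of Len Whistler's suggestions can be checked by the same handler. The following is an added example, not code from the thread: the honeypot is an ordinary text input hidden with CSS rather than type="hidden", the arithmetic answer is kept in the session so it never appears in the HTML a bot downloads, and a submission that arrives within a few seconds of the form being served is refused as well. The field names hp_url and challenge, the session keys, the 3-second minimum and the handler name guestbook.php are assumptions made for this example.

```php
<?php
// Added example, not code from the thread: honeypot field plus arithmetic
// challenge, both verified server-side. Assumes session_start() can run here and
// that guestbook.php is the handler; the field names 'hp_url' and 'challenge',
// the session keys and the 3-second minimum are assumptions made for this example.
session_start();

// Serve the form. The honeypot is an ordinary text input hidden with CSS (never
// type="hidden", which bots know to skip), and the expected answer is kept in the
// session so it never appears in the HTML the bot downloads.
function render_form(): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $_SESSION['challenge_answer'] = $a + $b;
    $_SESSION['form_issued_at']   = time();

    return <<<HTML
<form method="post" action="guestbook.php">
  <label for="name">Name:</label> <input type="text" name="name" id="name"><br>
  <label for="comment">Message:</label> <textarea name="content" id="comment"></textarea><br>
  <label for="challenge">What is {$a} + {$b}?</label>
  <input type="text" name="challenge" id="challenge" autocomplete="off"><br>
  <div style="display:none" aria-hidden="true">
    <label for="hp_url">Leave this field empty</label>
    <input type="text" name="hp_url" id="hp_url" tabindex="-1" autocomplete="off">
  </div>
  <input type="submit" name="submit" value="Post comment">
</form>
HTML;
}

// Decide whether a submission is rejected. A pure function of the posted fields,
// the session and the clock, so it can be unit-tested without a web server.
function reject_reasons(array $post, array $session, int $now): array
{
    $reasons = [];

    // Honeypot: whitespace alone does not count; anything else means a bot typed here.
    if (trim($post['hp_url'] ?? '') !== '') {
        $reasons[] = 'honeypot filled';
    }

    // Arithmetic challenge: must match the answer issued with this session's form.
    if (!isset($session['challenge_answer'])
        || (int) trim($post['challenge'] ?? '') !== (int) $session['challenge_answer']) {
        $reasons[] = 'wrong challenge answer';
    }

    // Timing: the thread's log shows a POST two seconds after the GET; nobody
    // reads a form and writes a message that quickly.
    if (!isset($session['form_issued_at']) || $now - (int) $session['form_issued_at'] < 3) {
        $reasons[] = 'submitted too fast';
    }

    return $reasons;
}

if (isset($_POST['submit'])) {
    $reasons = reject_reasons($_POST, $_SESSION, time());
    // A challenge is single-use: clear it whether or not the post was accepted.
    unset($_SESSION['challenge_answer'], $_SESSION['form_issued_at']);
    if ($reasons !== []) {
        // Record why, for later log analysis; tell the client nothing useful.
        error_log('guestbook rejected from ' . $_SERVER['REMOTE_ADDR'] . ': ' . implode(', ', $reasons));
        http_response_code(403);
        exit('Your message was not accepted.');
    }
    // Accepted: validate name and content and insert with a prepared statement here.
} else {
    echo render_form();
}
```

Keeping the answer in the session rather than in a hidden field matters: a bot that reads the page can copy any value the form carries, but it cannot read the server's session. Logging the rejection reason, rather than printing it, means the access log and the error log together tell you which of the three checks each bot is tripping over.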

usik
08-11-2007, 01:29 AM
You could check what type of browser the user is using; you will need browscap.ini for PHP to do this. It has a fairly up-to-date list of spambots; check for their browser, and if it comes back false or as one of the spambots, then don't upload the information.

Len Whistler's suggestion is a good one as well ;)

Inigoesdr
08-11-2007, 03:53 AM
You could check what type of browser the user is using; you will need browscap.ini for PHP to do this. It has a fairly up-to-date list of spambots; check for their browser, and if it comes back false or as one of the spambots, then don't upload the information.

Len Whistler's suggestion is a good one as well ;)

That's not a great solution by itself because the user agent is set by the user, and it can be changed fairly easily. If you used this in combination with another method it would help, though.

Masterslave
08-11-2007, 09:33 AM
Thanks for the replies so far.
I'll do the way Len Whistler said.
I've posted the new code above.

Masterslave
08-12-2007, 11:47 AM
I received a spam message moments ago.



71.202.35.104 - - [12/Aug/2007:12:36:45 +0200] "GET /guestbook.php?page= HTTP/1.0" 200 3576 "http://www.trefnology.nl/guestbook.php?page=" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2"
71.202.35.104 - - [12/Aug/2007:12:37:01 +0200] "POST /guestbook.php?page= HTTP/1.0" 302 3576 "http://www.trefnology.nl/guestbook.php?page=" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2"
71.202.35.104 - - [12/Aug/2007:12:37:14 +0200] "GET /guestbook.php HTTP/1.0" 200 6542 "http://www.trefnology.nl/guestbook.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2"
How can he post a message after I've pumped up the security?
Somebody?

Maybe change


if( !empty( $_POST['hidden'] ) )
{
die();
}
into:


if( trim( $_POST['hidden'] ) !== '' ) // empty() only accepts a variable in PHP before 5.5, so compare the trimmed value instead
{
die();
}
???

mlseim
08-12-2007, 01:47 PM
Another idea ...

Put a fake form above your real form and comment it out:

<!--
<form method='post' action='process.php'>
Name: <input type='text' name='name' value=''><br>
Email: <input type='text' name='email' value=''><br>
<input type='submit' name='submit' value='Submit'>
</form>
-->

Then, create a real PHP script called "process.php" that
does nothing except return to a thankyou page.

The Spambots see the form even though it's commented-out.
It processes that form and does not look for any more forms.
For some reason, the programmers are too lazy to make the robots
come back to your site and look for more forms ... so the fake form
gets processed and the real form is left untouched.

I've used this method and have never had spammer problems.

Masterslave
08-12-2007, 02:35 PM
Ok mlseim, thanks for your reply.
I'll give it a try later this day.

Inigoesdr
08-12-2007, 05:40 PM
This seems like a lot to go through to avoid using a CAPTCHA. What is wrong with requiring the simple math problem?

Masterslave
08-12-2007, 09:00 PM
There's nothing wrong with that, but if you look at the code in my start post, the 'invisible' input field method seems not to be working, so I think the math method will not work either (I guess...).

I haven't tried the extra form method yet that mlseim told me about.

Inigoesdr
08-12-2007, 09:04 PM
There's nothing wrong with that, but if you look at the code in my start post, the 'invisible' input field method seems not to be working, so I think the math method will not work either (I guess...).

I haven't tried the extra form method yet that mlseim told me about.

I'm guessing that the field is ignored either because the spambot realizes it's hidden, or is set to only fill out certain fields. You could try making the field normally and hiding it with css. The math method should work. If the field is empty you ignore the post.

Masterslave
08-12-2007, 09:31 PM
I'm guessing that the field is ignored either because the spambot realizes it's hidden, or is set to only fill out certain fields. You could try making the field normally and hiding it with css. The math method should work. If the field is empty you ignore the post.
That field is visible, but I did indeed hide it with CSS display: none.

Masterslave
08-23-2007, 11:24 AM
Sorry for my late reaction, I was on a little vacation in Germany. I've inserted the form which is commented out in HTML (don't know how you say that in proper English).
Hope the spammers can't post anymore. :rolleyes:

Masterslave
08-27-2007, 11:55 AM
I haven't received spam for almost a week, so I think it's working. Thanks mlseim!

mlseim
08-27-2007, 03:38 PM
And if the spammers figure out that they need to check for more than
one form, then you'll have to spin another plan .... that's part of the game.

Masterslave
08-27-2007, 04:01 PM
True.

Moments ago I've read the logs and they are still spamming in the commented form. ;)

mlseim
08-27-2007, 07:16 PM
too funny.


