ban ip after two submissions?
kab_184
09-07-2003, 10:14 AM
hi
I have an ASP form for submitting guestbook entries.. the problem I had recently was spamming.. so how can I prevent any user from sending messages more than 2 within 12 hours? I mean how can I put a 12 hour ban on a visitor who has already submitted 2 times?
Of course that requires a log file of IP addresses.. a txt file which writes the IP address and then checks the IP address every time it is called.. if that IP is found twice in it... it bans that address for 12 hours.. that is what I mean... how is it done? Is it possible? I am not an ASP coder, so anyone who knows what sort of code shall be required to "include" in my submit.asp file?
plz write the code, I want the logip.txt file to be written in this db folder
www.westernnite.com/devilhits/db
the submit page is at this "about" folder
www.westernnite.com/devilhits/about/submit.asp
Anyone who knows what the code will be???
plz write it for me if you can HELP.. thanks
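The check asked for above, written out as an added example (it is not code from this thread, and it is Python rather than ASP; the logic ports directly to a submit.asp include). It keeps a flat log like the requested logip.txt, one "<unix seconds><tab><key>" line per accepted submission, allows at most two submissions per key in a rolling 12 hour window, and prunes old lines on every write so the file stays small. The log format, the function names and the trusted-proxy address are assumptions. Because it keys on the address, it inherits the limitation that several visitors can share one address (proxies, NAT, public PCs) and one visitor can change addresses; the key function also shows why the client-supplied X-Forwarded-For header must only be trusted when the request came through your own proxy.

```python
"""Sliding-window submission limit keyed on the client address, backed by a
flat log file of the kind the original post asks for.

Added example, not code from the thread. Assumed log format: one line per
accepted submission, "<unix seconds>\t<key>". Policy: at most MAX_POSTS
submissions per key within WINDOW seconds (2 per 12 hours, as requested).
"""
import ipaddress
import os
import tempfile
import time

MAX_POSTS = 2
WINDOW = 12 * 60 * 60  # 12 hours, in seconds

# Constructed value: only reverse proxies you operate belong here. Any client
# can send an X-Forwarded-For header, so it is honoured only when the TCP peer
# (REMOTE_ADDR) is one of these addresses.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_key(remote_addr, x_forwarded_for=""):
    """Choose the address to limit on.

    REMOTE_ADDR is the socket peer and cannot be forged for a completed HTTP
    request; X-Forwarded-For is client-supplied. It is used only when the peer
    is one of our own proxies, taking the leftmost (original client) entry and
    falling back to the peer address when the header is malformed.
    """
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and peer in TRUSTED_PROXIES:
        first = x_forwarded_for.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(first))
        except ValueError:
            pass
    return str(peer)


def read_log(path):
    """Parse the log into (timestamp, key) pairs. Malformed lines are skipped
    so a corrupt or hand-edited file cannot take the form down."""
    entries = []
    if not os.path.exists(path):
        return entries
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            parts = line.rstrip("\n").split("\t")
            if len(parts) != 2:
                continue
            try:
                entries.append((float(parts[0]), parts[1]))
            except ValueError:
                continue
    return entries


def recent_entries(path, now):
    """Entries still inside the window; anything older is dropped."""
    return [(ts, key) for ts, key in read_log(path) if now - ts < WINDOW]


def is_banned(path, key, now=None):
    """True when `key` already has MAX_POSTS submissions inside the window."""
    now = time.time() if now is None else now
    return sum(1 for _, k in recent_entries(path, now) if k == key) >= MAX_POSTS


def record_submission(path, key, now=None):
    """Append the submission and return True, or return False when over limit.

    The pruned list is rewritten via a temp file and atomic rename, so the
    file stays bounded. The check and the append are not one atomic step:
    two simultaneous requests can both pass. Acceptable for a guestbook; a
    database transaction or a file lock would close that race.
    """
    now = time.time() if now is None else now
    recent = recent_entries(path, now)
    if sum(1 for _, k in recent if k == key) >= MAX_POSTS:
        return False
    recent.append((now, key))
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        for ts, k in recent:
            fh.write("%d\t%s\n" % (int(ts), k))
    os.replace(tmp, path)
    return True


def demo():
    """Constructed scenario in a temp dir: two posts pass, the third is refused,
    another address is unaffected, and the first post ages out after 12 hours."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "logip.txt")
        return (
            record_submission(p, "203.0.113.7", now=1000),
            record_submission(p, "203.0.113.7", now=2000),
            record_submission(p, "203.0.113.7", now=3000),
            is_banned(p, "203.0.113.7", now=3000),
            record_submission(p, "203.0.113.8", now=3000),
            is_banned(p, "203.0.113.7", now=1000 + WINDOW),
            record_submission(p, "203.0.113.7", now=1000 + WINDOW),
        )


if __name__ == "__main__":
    print(demo())  # (True, True, False, True, True, False, True)
```

In submit.asp the equivalent would call client_key on REMOTE_ADDR (and HTTP_X_FORWARDED_FOR only if the peer is your proxy), then refuse the post when record_submission returns False. Keep the log file outside the web root, or deny direct requests to it: a log dropped into a folder under the site, as the post proposes, is otherwise fetchable by anyone and hands out every recent visitor's address.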
I could write you the code, but it would be kinda useless, because a lot of people have dynamic IP addresses. And spammers will probably know how to spoof their IP address.
Besides, people behind proxy servers or on public PCs could lock out other users (that have the same IP).
The only solution is requiring the user to log in before he can submit an entry, and then check on that. Probably also recording their IP address and analysing that to see if there are IP addresses that are used for multiple users and that systematically enter messages.
Morgoth
09-09-2003, 12:34 AM
Originally posted by raf
Besides, people behind proxy servers or on public PCs could lock out other users (that have the same IP).
Not true necessarily... Click here (http://www.hackthissite.org/readarticle.php?id=44)
Vote 10 ;)
Also, if you don't want to have a login, the best method is to place a session ban on someone. And if you want complete safety, you would use sessions and IP logging ;)
So first you set the session to equal 1. Then after the second post, session = 2, and because this script is going through every time, you check to make sure the session = nothing, and if session = 2 then no more posting.
At the same time, you can use IP logging too, just in case cookies are disabled.
So I promise you, if you use sessions (or cookies) and logging the IP, you will not have any more problems.
The chances you will have a spammer who wants to spam and he/she has a changeable IP, or is able to change IPs and knows to remove the cookie, or disable cookies, are 1/1,000,000
And if someone has more than one computer with more than one IP, then you can't do anything about that, unless you get into IP mask banning, but that's just pointless.
understand?
Originally posted by Morgoth
Not true necessarily... Click here (http://www.hackthissite.org/readarticle.php?id=44)
Vote 10 ;)
Hmm. I think it will work in some cases, but I'm not sure if your code would work for all proxies + different users behind a proxy will get the same IP over time. And that could very well be within the 12 hour period, so you would still be wrongly locking out people (I wasn't talking about people who have a small home network, but people in companies, universities or on public PCs).
But it's better than just registering the REMOTE_ADDR.
IP checking is only useful to counter Denial Of Service attacks, so you need to check and count them anyway, but they don't provide any real defense against spamming by inserting more than 1 message within 12 hours.
Originally posted by Morgoth
Also, if you don't want to have a login, the best method is to place a session ban on someone. And if you want complete safety, you would use sessions and IP logging ;)
...
At the same time, you can use IP logging too, just in case cookies are disabled.
So I promise you, if you use sessions (or cookies) and logging the IP, you will not have any more problems.
The chances you will have a spammer who wants to spam and he/she has a changeable IP, or is able to change IPs and knows to remove the cookie, or disable cookies, are 1/1,000,000
understand?
You must be joking :confused:
Even with your suggestions implemented, it would be incredibly easy for me to spam that app (even with my single computer). I just need to close my browser and reconnect to take care of your session and IP checks. I don't even need to know anything about sessions or IPs or cookies.
The only ways to identify an internet user are:
- require them to log in --> but they can just open 2 or more accounts ... so you'd need to send them something to uniquely identify them (a key or so), and thus isolate the identification from your app. Which is probably overkill for this app.
- require them to accept cookies --> but they can just open 2 different browsers, like IE, Moz, etc, which makes cookie checking pointless
If you feel up to it, please try to set something up and prevent me from posting more than once within 12 hours :D
Caffeine
09-09-2003, 09:21 AM
If a hacker wants to spam a web app, I can assure you that in most cases, no web browser will be used!
-Ever heard of telnet ???
Originally posted by phlegmatic
-Ever heard of telnet ???
Yes. Once... I think ...
Hacking never even entered the picture.
My point was that everyone with a dynamic IP can post as many messages as he likes without knowing anything about coding. He wouldn't even notice that you're trying to prevent it (and if you check on sessions, IPs AND cookies, he just needs to use different browsers or turn cookies off.)
No real tricks needed to bypass these controls.
Caffeine
09-09-2003, 12:59 PM
True, I read it wrong, and 12 pages into the future...
I kind of read the word 'spammer' as hacker, which is not the same.
I just read a few articles on 'secure' ASP pages and had been looking at some guys' scripts that said they were safe and secure (they were using HTTP_REFERRER and other server variables and said that was secure, lol ?)
Sorry raf, your post was to the point, I need to get hacking/security out of my head...
...
...still working on it :D
Morgoth
09-09-2003, 01:06 PM
My point is that, if you don't notify users of the 2 methods to make your application spam free, then the chances of someone actually removing cookies and changing their IP address are very very slim.
If you saw a guestbook, and you wanted to spam, the first thing you'd think of is IP logging, depending on your site this guest book is on, a lot of people may not know how to change IP addresses using proxies or something else. Also, with having cookies, there would be a slimmer chance of anyone deleting the cookie.
I would only say to make a login script if you want to be completely safe from spammers (up to a point): IP logging, no two IPs can have the same account, nor two e-mail addresses. But of course they can just make another account with another e-mail address.
Spamming is impossible to protect against... But you can stop it to a degree. And those degrees vary depending on which solution you choose, and what type of people go to your site.
Understand?
jeskel
09-10-2003, 11:35 AM
well... so what would be the conclusion of it? is there one? what is the best way to reduce spamming WITHOUT locking out users that don't deserve it?
I'm not looking for the "final" solution against spamming (which can't exist) but for something that will reduce the chances to be spammed. Something with (most important) 100% chances not to bother users that have no bad ideas at all. Being paranoid about it usually ends up by bothering "normal" users in one way or another I guess...
Morgoth
09-10-2003, 12:46 PM
logging IP using my scripts, and using cookies at the same time.
I'd say : form your own opinion.
You will not be able to stop them, but a few simple tricks can go a long way.
A possibility is: require the user to log in and allow cookie login (like here). If the user has cookies enabled, you can automatically check when he last posted (--> store the datetime of the last entry in the cookie, or better still, store it in the entries table). If the user has cookies disabled, then that will mean he'll always have to log in if he wants to post an entry (but that's then his own choice/problem).
If you check against the entries table (so not checking against the cookie, but only using the cookie to identify the user), then using more than one browser won't create problems.
The only thing you need to worry about then, is users that open more than one account ...
To limit that risk, you could ask for an email address when they register (but that's problematic too) or register the IPs and don't allow users with the same IP as an already active user (so you need to keep a table of users with an active session) --> but sessions won't be long and IPs could be reused so ...
That's the only 'safe' use of IP-checking i can think of.
Another (optional) way: create a form where the admin can easily and quickly delete entries + automatically close user accounts + put their email addresses or/and IPs (if it's a static one that was only used for that user) on a black list. For instance by checking a box in front of the entry. It won't take you a minute each day to keep it clean.
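The login-based design described in the post above, as an added example (not code from the thread): the limit is enforced by counting a user's rows in the entries table over the last 12 hours, so the cookie or session only identifies the account and a second browser or a cleared cookie changes nothing. It also carries the admin clean-up: one call deletes the poster's entries, closes the account and blacklists the e-mail, with the IP blacklisted only on request since a shared or dynamic address would also lock out innocent visitors. SQLite stands in for whatever database the guestbook uses; the schema, table and function names are assumptions.

```python
"""Per-account posting limit checked against the entries table, plus an
admin purge that feeds a blacklist consulted at registration.

Added example, not code from the thread. Schema and names are assumptions;
SQLite (in memory) stands in for the guestbook's real database.
"""
import sqlite3
import time

MAX_POSTS = 2
WINDOW = 12 * 60 * 60  # 12 hours, in seconds

SCHEMA = """
CREATE TABLE users (
    id      INTEGER PRIMARY KEY,
    email   TEXT NOT NULL UNIQUE,
    blocked INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE entries (
    id        INTEGER PRIMARY KEY,
    user_id   INTEGER NOT NULL REFERENCES users(id),
    ip        TEXT NOT NULL,
    posted_at INTEGER NOT NULL,
    body      TEXT NOT NULL
);
CREATE INDEX entries_user_time ON entries(user_id, posted_at);
CREATE TABLE blacklist (
    kind  TEXT NOT NULL,   -- 'email' or 'ip'
    value TEXT NOT NULL,
    PRIMARY KEY (kind, value)
);
"""


def open_db():
    # isolation_level=None puts the connection in autocommit mode; the
    # functions below begin and end their own transactions explicitly.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript(SCHEMA)
    return db


def register(db, email, ip):
    """Create an account unless the e-mail or the IP is blacklisted."""
    email = email.strip().lower()
    hit = db.execute(
        "SELECT 1 FROM blacklist WHERE (kind = 'email' AND value = ?) "
        "OR (kind = 'ip' AND value = ?)", (email, ip)).fetchone()
    if hit:
        return None
    return db.execute("INSERT INTO users (email) VALUES (?)", (email,)).lastrowid


def can_post(db, user_id, now):
    """The limit lives on the entries table, so the same account is counted
    whatever browser, cookie or address the request arrives with."""
    row = db.execute("SELECT blocked FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None or row[0]:
        return False
    (n,) = db.execute(
        "SELECT COUNT(*) FROM entries WHERE user_id = ? AND posted_at > ?",
        (user_id, now - WINDOW)).fetchone()
    return n < MAX_POSTS


def post_entry(db, user_id, ip, body, now=None):
    """Count and insert inside one write transaction (BEGIN IMMEDIATE takes the
    write lock first), so two concurrent requests cannot both slip past the
    limit. Returns the new entry id, or None when refused."""
    now = int(time.time()) if now is None else now
    db.execute("BEGIN IMMEDIATE")
    try:
        if not can_post(db, user_id, now):
            db.execute("ROLLBACK")
            return None
        cur = db.execute(
            "INSERT INTO entries (user_id, ip, posted_at, body) VALUES (?, ?, ?, ?)",
            (user_id, ip, now, body))
        db.execute("COMMIT")
        return cur.lastrowid
    except sqlite3.Error:
        db.execute("ROLLBACK")
        raise


def admin_purge(db, entry_id, blacklist_ip=False):
    """One-click clean-up for a spam entry: remove everything the poster wrote,
    block the account and blacklist the e-mail. The IP goes on the list only
    when asked, because a shared or dynamic address would punish others too."""
    row = db.execute(
        "SELECT e.user_id, e.ip, u.email FROM entries e "
        "JOIN users u ON u.id = e.user_id WHERE e.id = ?", (entry_id,)).fetchone()
    if row is None:
        return False
    user_id, ip, email = row
    db.execute("BEGIN IMMEDIATE")
    db.execute("DELETE FROM entries WHERE user_id = ?", (user_id,))
    db.execute("UPDATE users SET blocked = 1 WHERE id = ?", (user_id,))
    db.execute("INSERT OR IGNORE INTO blacklist VALUES ('email', ?)", (email,))
    if blacklist_ip:
        db.execute("INSERT OR IGNORE INTO blacklist VALUES ('ip', ?)", (ip,))
    db.execute("COMMIT")
    return True
```

The weakness the post already names remains: the limit is per account, so a spammer who registers a second account gets a second quota. The purge closes that account too once an admin spots it, and the e-mail blacklist stops the same address being reused; what it cannot stop is a fresh e-mail address each time.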
Morgoth
09-10-2003, 03:43 PM
The login is probably your safest way, and best way, but of course, it is only a guestbook.
Why not lose the guestbook and make people sign up for accounts on a forum?
I don't know how far you wanna take it, so pick which ever method you wish.
jeskel
09-10-2003, 04:53 PM
well thank you fellas... i will think about it for a little while, it's not an emergency question, but login&cookies AND the admin advice given by raf seems a very good way of makin' it work...