posting messages to DB, how?!


homerUK
12-13-2004, 10:12 AM
Hi guys,

I've got a comment system set up on my site mattfacer.com - when you submit a new comment, I ask the user to confirm the message by typing in a random number/letter combination which is generated using GD... the system then sends me an email which informs me of the new message, which I can log in and either allow it on the site, or delete it.

The problem is, I keep getting spam comments about casinos! The text in the comment seems to be a CV or something... I'm not sure, but it doesn't make any sense. Plus, the system doesn't send me an email - so it's like the comments are being added somehow without using my script.....

....any ideas how this can be?!

cheers!

Sayonara
12-13-2004, 11:59 AM
They will be using the script, but bypassing the form.

I'm guessing this is a piece of third party software. What package are you using?

I have a similar problem with phpBB and Movable Type. The solution is usually to throw a spanner in the works by adding a new hidden field to the submit form, and requiring a value to be set for it in the script that handles the form input.

homerUK
12-14-2004, 10:38 AM
thanks for the reply...
I am using boastmachine (http://boastology.com/) for the blog and using a custom comment page with that. This code must have direct access to my DB because I ask for a confirmation code from the user - and without that, it never goes to the DB.... so it's like it's using something... possibly including my DB.php file??

raf
12-14-2004, 04:18 PM
can we see the form in action?
I went to your site and entered a message in the contact-page. But that's apparently not what you are talking about because I didn't get a security-image...

homerUK
12-14-2004, 04:54 PM
sure, no problems!

www.mattfacer.com/blogs/37 is the most recent - just enter a comment there and you'll be taken to the confirmation page.

I had a horror thought before, I used "getRight" downloader and entered my PHP file, luckily none of the PHP is downloaded......!! Just the HTML, phew!!!

I added a check in my script which adds the comment to the DB to check the email of the person adding - as it's the same email every time - but it is still adding records.. could this be a virus on the server or something?

raf
12-14-2004, 08:31 PM
euh...

that's not exactly how security-images need to be used...
your source of the image with value 18cf8 is

<img src='fonts/18cf8.png'>

so it's ridiculously easy to automatically post the form ...
why don't you just call the image foobar.png?

and besides, a real security-image should be composed of randomly rotated characters that are positioned on a rastered/chaotic background.
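Putting Sayonara's hidden-field suggestion together with raf's point about the image name, here is an added PHP sketch (not boastmachine's code and not anything posted in the thread) of a challenge whose answer is held only in the server-side session, whose image is addressed by an opaque random id rather than by the answer, and which is checked once and then discarded. The `cid` field name, the 5-character alphabet and the 10-minute lifetime are assumptions.

```php
<?php
// Added example, not the site's or boastmachine's code: a comment-form
// challenge whose image name reveals nothing about the answer.
session_start();

const CHALLENGE_TTL = 600;   // seconds a challenge stays valid (assumed value)

// Step 1: create a challenge. The answer lives only in the session; the
// form carries an opaque id in a hidden field, never the answer itself.
function createChallenge(): array {
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789'; // no ambiguous glyphs
    $answer = '';
    for ($i = 0; $i < 5; $i++) {
        $answer .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $id = bin2hex(random_bytes(16));               // opaque, per-challenge
    $_SESSION['challenge'] = ['id' => $id, 'answer' => $answer, 'ts' => time()];
    return ['id' => $id, 'answer' => $answer];
}

// Step 2: render the image with GD and send it inline, so no PNG with a
// guessable name ever sits in the web root. Noise pixels cover the background;
// rotated glyphs would need imagettftext() and a font file, not assumed here.
function renderChallengeImage(string $answer): void {
    $im = imagecreatetruecolor(150, 50);
    imagefill($im, 0, 0, imagecolorallocate($im, 255, 255, 255));
    for ($i = 0; $i < 200; $i++) {
        $c = imagecolorallocate($im, random_int(0, 200), random_int(0, 200), random_int(0, 200));
        imagesetpixel($im, random_int(0, 149), random_int(0, 49), $c);
    }
    $fg = imagecolorallocate($im, 0, 0, 0);
    imagestring($im, 5, 30, 15, $answer, $fg);     // built-in GD font
    header('Content-Type: image/png');
    imagepng($im);
    imagedestroy($im);
}

// Step 3: validate the submitted form. Requires the hidden id, the typed
// code and an unexpired challenge, then discards the challenge so a
// correct answer cannot be replayed for a second post.
function validateSubmission(array $post): bool {
    $c = $_SESSION['challenge'] ?? null;
    unset($_SESSION['challenge']);                 // single use, whatever the outcome
    if ($c === null || !isset($post['cid'], $post['code'])) return false;
    if (time() - $c['ts'] > CHALLENGE_TTL) return false;
    return hash_equals($c['id'], (string)$post['cid'])
        && hash_equals(strtolower($c['answer']), strtolower((string)$post['code']));
}
```

The comment form would carry `<input type="hidden" name="cid" value="...">` with the id from createChallenge() and an `<img src="challenge.php">` that calls renderChallengeImage() with the session's answer, so nothing in the page source names the code.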

homerUK
12-14-2004, 08:34 PM
ah yes....true.......

I called the image the same, as once the user has used it, it is deleted.... but I guess I could save the image name anything really... it was just that two users might have been using the same comment system which if the filename was the same, it would cause a problem?

I am not sure how to generate a random background etc.... never really used GD much!

cheers :)

oracleguy
12-14-2004, 08:41 PM
Then maybe use a randomly generated number that is like say 6 digits long to use as the filename. That way, if two people are using it at the exact same instant, there isn't any sort of problem.

homerUK
12-14-2004, 11:18 PM
I've now changed the image name to include a random number ... I have also put a check on text for "poker", "casino" and a few other choice words - if these are found - the SQL statement is not shown and the user receives a lovely charming message... ;)

Problem is - I've just got another flaming message!! So the spam script is not using my own comments posting page - otherwise they wouldn't be able to get through!

How can they be posting to my site?! I've done some research on google, and there are loads of "blog spam bots" that post the same sort of "casino" messages etc....

I'll have to change my DB name or something I think..... which I didn't really want to do - as I'll have to change the flaming code!!!!

homerUK
12-14-2004, 11:53 PM
think I've worked out how it's being done!!
When I first installed the blog system - I decided not to use their templates and wrote my own code for adding comments to the DB and showing posts etc..... trouble is, I left the old comment page behind - so blog/comment.php was still there with no validation on it!!

So - I've gone through all the code which connects to the DB and removed any comments being added to the DB unless they're coming from my own script.... so *hopefully* there will be no more sh*tty annoying blummin spam.

Argh I hate spammers. :mad: