Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Page 1 of 2 12 LastLast
Results 1 to 15 of 17
  1. #1
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    17,985
    Thanks
    203
    Thanked 2,536 Times in 2,514 Posts

    How do pests evade email address restrictions?

    I have a free classified ads section on my website which is intended for use
    only by people with a certain specialised interest.

    To reduce spam and unwanted/inappropriate ads, ads from people with emails addresses @yahoo and @hotmail are not permitted unless authorised in advance by the webmaster. However, a number of pests (almost invaraibly from India) have been able to post spam ads in spite of this restriction.

    How are the pests managing to get around the block? Are they using some old browser, or a Mac or something? The page only loads if JavaScript is enabled (<noscript>) and other scripts (which cut out bad language etc.) seem to work fine. Here is the relevant script called by onBlur=bannedguys(this) from the email address field :-


    function bannedguys(which) {
    var banned = new Array ('yahoo', 'co.in', 'hotmail', 'rediffmail', 'webmaster@', 'india', 'indiya', 'egy', 'pak', 'sify', 'banned');
    var emailadd = which.value;

    for (i = 0; i < banned.length; i++) {
    if (emailadd.indexOf(banned[i]) != -1) {
    blocked=1; // block banned persons
    document.adinputform.reset(); // and reset the form
    var blank="VOID";
    which.value=blank;
    alert ("Sorry, "+truename+"! You are not permitted to post an ad from\nthat email address without obtaining clearance in advance. ");
    which.focus();
    return false;
    }
    }
    }

    If the value of blocked is 1 then the form should not (and does not) submit.

    Any suggestions on pest control (or preferably extermination) would be much appreciated!

  • #2
    Senior Coder
    Join Date
    Jul 2004
    Location
    New Zealand
    Posts
    1,315
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Is this your only block? Javascript? Goodness man, what happens if they have Javascript disabled? What if they don't even use your form to send the information?
    Forget style. Code to semantics. Seperate style from structure, and structure from behaviour.
    I code to specs, and test only in Firefox (unless stated otherwise).

  • #3
    Supreme Master coder! glenngv's Avatar
    Join Date
    Jun 2002
    Location
    Philippines
    Posts
    11,043
    Thanks
    0
    Thanked 251 Times in 247 Posts
    You should be using server-side language to do the blocking of email address and not only rely on javascript. As hemebond pointed out, javascript can be disabled. And even if it's enabled, client-side validation can be easily bypassed. For example, in your case, if the bannedguys() function is called on form onsubmit, executing this in the address bar will nullify the onsubmit.

    javascript:document.forms[0].onsubmit=null;void(0);

  • #4
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    17,985
    Thanks
    203
    Thanked 2,536 Times in 2,514 Posts
    Quote Originally Posted by hemebond
    Goodness man, what happens if they have Javascript disabled? What if they don't even use your form to send the information?
    I did mention that the page will not load if JavaScript is disabled, but is re-directed via <noscript> in the head section.

    I am afraid that I do not see how the information can be sent (an advert posted) without using the form. The PERL script will only accept data from that web page and no other.

    The reason why I have not done this server-side is that I want to be able to easily unblock access from legitimate @yahoo and @hotmail users who submit their ads for approval first.

    However, thank you for your comments.

  • #5
    Mega-ultimate member
    Join Date
    Jun 2002
    Location
    Winona, MN - The land of 10,000 lakes
    Posts
    1,855
    Thanks
    1
    Thanked 45 Times in 42 Posts
    Simple,

    I create a form on my server with the action to the same place as the action on your form. Then I take the page (when I have javascript enabled) and put it on my server (again, with the form posting to your server).

    Now, if you don't have any server side validation, your server will accept the data from my server and boom. My spam is there!

    You should probably implement some type of server side processing to check before adding the listing. Some methods include:

    1) Checking the referrer (this would stop my attack)
    2) Sending an email confirmation to an administrator for all submissions with a link to approve the entry

    or some other technique

    Edit: Didn't read your comment about the perl script. You probably have someone spoofing the referrer then

  • #6
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    17,985
    Thanks
    203
    Thanked 2,536 Times in 2,514 Posts
    Thank you bcarl314! All ads are in fact copied to the administrator and the site emphasises very strongly that unsuitable/improper ads will be deleted instantly. In practice a few hours may elapse (night time). The advertiser receives an automatic confirmation which again emphasises that ads which evade our (quite elaborate) filters will be removed right away.

    Your technique seems rather elaborate and time-consuming bearing in mind the warnings given above. Would any anyone really find it worthwhile to go to such lengths just to post an ad? I have the gut feeling that the Indians are evading the filter by some much simpler means. (They are of course doubtless victims of some racket which claims to pay them for placing ads on websites. I should say that nearly all these ads are unwanted/inappropriate rather that profane/indecent or otherwise improper).

    At one time I did have referrer checking in operation, but this created some problems and some people were unable to place ads if their browser blanked out the referrer.

    There are quite complicated JavaScript filters which (both in the ad heading and the main text) prevent bad language, block certain words such as "casino", "wager", "lottery", "Viagra" (and so forth) and also "www." ".com" and many others. These filters seem to work, that is no ad containing them has been successfully posted. So I repeat - how can the pests enter an unauthorised email address?

  • #7
    Regular Coder
    Join Date
    Feb 2005
    Posts
    400
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Can you give us a link, so we can poke around the real code?

    Along the lines of what glenngv said, the email validation portion could be selectively knocked out by typeing into the URL-bar

    javascript:void(function bannedguys(){})

  • #8
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    17,985
    Thanks
    203
    Thanked 2,536 Times in 2,514 Posts
    Sure, Harry!


    (I will delete this after 24 hours as I have the idea that pests hang around this site as well!)

    I can well see how javascript:void(function bannedguys(){}) would knock this script out but if the pests know how to do that they could knock out other filters as well, and as I say that has not happened.

    Try entering an @yahoo address, and if you want try entering an ad with words like "lottery" or "wager" in.

    Feel free to post an ad but it will be deleted within a short time.
    Last edited by Philip M; 04-20-2005 at 07:20 AM.

  • #9
    Regular Coder
    Join Date
    Feb 2005
    Posts
    400
    Thanks
    0
    Thanked 0 Times in 0 Posts
    How cool! My father built model trains--mostly HO, but some O and even a working inch-and-half scale steam engine.

    I put any ads I try to post, I'll put into the empty 'other items' category and include my nick so you'll know it's only me.

  • #10
    Regular Coder
    Join Date
    Feb 2005
    Posts
    400
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Well, I forgot to keep hitting the 'other items' radio button and put an ad in locomotives, sorry.

    Bad e-mail addresses can be sneaked in without killing your scripts. Unlike all the other validation scripts which are called onblur, the email field is checked onchange. Different event handlers have different priorities and fire at different times. In this case if you type a banned address and them click submit, the onsubmit of the form will fire before the onchange of the email field.

  • #11
    Supreme Master coder! glenngv's Avatar
    Join Date
    Jun 2002
    Location
    Philippines
    Posts
    11,043
    Thanks
    0
    Thanked 251 Times in 247 Posts
    Quote Originally Posted by Philip M
    I did mention that the page will not load if JavaScript is disabled, but is re-directed via <noscript> in the head section.
    But I can load the page with Javascript enabled and then when the page has loaded, I disable Javascript. I can now submit the form without your validation. That's just what I did a while ago and I was able to post test@yahoo.com.

  • #12
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    17,985
    Thanks
    203
    Thanked 2,536 Times in 2,514 Posts
    Thank you glenngv! I think you have found the answer. I had not realised that JavaScript could be disabled after the page had loaded.
    Even so, it is odd that in this case people do not seem to have evaded the smutengine() filters which block bad/unwanted words.

    Harry - thanks also. But is an armadillo a marsupial? I thought it was a reptile but I may have got it wrong as we don't have many wandering about in the UK.

    "In this case if you type a banned address and them click submit, the onsubmit of the form will fire before the onchange of the email field."

    I tested the ad form by filling in everything except the email address, then finally the email address test@yahoo.com, then the submit button but it still worked correctly (i.e. the rejection message appeared). I am using IE 5.5 and possibly other browsers work differently as you say.

    I also tried typing javascript:void(function bannedguys(){}) into the address bar, but it had no effect and @yahoo.com was still blocked.
    Last edited by Philip M; 04-20-2005 at 07:37 AM.

  • #13
    Regular Coder
    Join Date
    Feb 2005
    Posts
    400
    Thanks
    0
    Thanked 0 Times in 0 Posts
    No, they aren't; they're xenarthrans -- a group of mammals essentially exclusive to South American that include sloths and anteaters. There's just a limit to how much junk I could think up and type into your form, all while trying to bypass your scripts without completely disabling or bypassing them.

  • #14
    Regular Coder
    Join Date
    Feb 2005
    Posts
    400
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Huh. I was basing the javascript:void(function bannedguys(){}) thing on what I thought I knew, but I should have known that I know less. Anyway, javascript:alert(bannedguys=0) definitely does the trick with a simple URL-bar command.

  • #15
    Supreme Master coder! glenngv's Avatar
    Join Date
    Jun 2002
    Location
    Philippines
    Posts
    11,043
    Thanks
    0
    Thanked 251 Times in 247 Posts
    There are many ways to disable/bypass client-side validation. It all boils down to one thing, you always need a server-side validation. You can have both although it may be redundant but server-side validation totally ensures validity of user inputs.


  •  
    Page 1 of 2 12 LastLast

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •