  1. #1 Regular Coder (joined Aug 2002, USA, 625 posts)

    Overcoming BOT Spammers...

    Hi,

    Someone mentioned that not one but two of their PHP-based Guest Books had been spammed by bots. I haven't gotten the details of how this was accomplished, so does anyone have any idea..? Apparently, they are porn sites and such, and they post hundreds of messages to the GB daily.

    Would it be correct to assume that the bots were harvesting the URI and form field variables that passed the data to the php script to do it remotely..? If so, can this be accomplished passing the data using "get" or "post"?

    Even so, wouldn't domain blocking be effective against this, or simply blocking all requests from domains outside your own, for example? Or what about converting the form field values to variables, defined in external docs, etc..?

    At any rate, I'd be interested in knowing how these bots might have spammed these php scripts, if anyone has had any experience with this, and how it might be prevented...


    thanks, for any insight,


    -james
    "God so loved the world that he gave his only begotten son, so that whosoever believed in him would not perish, but have everlasting life. For God did not send his son into the world to condemn the world, but so that through him the world might be saved. "

  • #2 Regular Coder (joined May 2006, Wales, 820 posts)
    You'd need some sort of verification, such as a simple maths question to verify that the poster is human. E.g. one of my shoutboxes kept getting spammed, so I created a simple maths question - a random number between 1 and 12 squared. Since then I have had 1 piece of spam in over a month, compared to the daily spam.

  • #3 Senior Coder (joined Jul 2005, UK, 1,051 posts)
    Domain blocking isn't effective because bots crawl sites and submit to forms as if they were users. One or more of the following steps will solve any issues:

    1) Ask a question whose answer only a legitimate user will know, related to the site.
    2) Don't accept any comments including links.
    3) Include a field that's hidden with CSS that bots fill in but humans don't - if it's filled in, block the comment.

    I use both 1 and 2 on all my sites and don't get spam comments.

  • #4 Regular Coder (joined Aug 2002, USA, 625 posts)
    Quote Originally Posted by Mwnciau View Post
    You'd need some sort of verification, such as a simple maths question to verify that the poster is human. E.g. one of my shoutboxes kept getting spammed, so I created a simple maths question - a random number between 1 and 12 squared. Since then I have had 1 piece of spam in over a month, compared to the daily spam.
    Hi,

    Thanks for the feedback..!

    I've been out of the loop for over 3 years, so I was unaware... I suppose that's why these random graphics-based numbers appeared for authentication. Although, I don't know the technology, or why a single, simple graphic would not do, since a bot cannot read it...

    At any rate, thanks for your input..!

    -james

  • #5 Regular Coder (joined Aug 2002, USA, 625 posts)
    Quote Originally Posted by Pennimus View Post
    Domain blocking isn't effective because bots crawl sites and submit to forms as if they were users. One or more of the following steps will solve any issues:

    1) Ask a question whose answer only a legitimate user will know, related to the site.
    2) Don't accept any comments including links.
    3) Include a field that's hidden with CSS that bots fill in but humans don't - if it's filled in, block the comment.

    I use both 1 and 2 on all my sites and don't get spam comments.
    Thanks for the response!

    So, $_SERVER["HTTP_REFERER"]; is useless then...

    How about a simple check box, like terms of service or something...? Or would converting the form field values to variables and storing them in an external file work or no..? I have no idea how intelligent these bots are...


    -james

  • #6 Senior Coder Mhtml (joined Jun 2002, Sydney, Australia, 3,531 posts)
    So, $_SERVER["HTTP_REFERER"]; is useless then...
    Never trust ANY data that is sent from the client side; you have to code everything right from the start as if it was malicious. You can spoof everything and anything, a lesson I once learnt the hard way (thanks Spookster!).

    Another alternative is to use CAPTCHA (don't think this was mentioned?).
    Omnis mico antequam dominus Spookster!

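    To make the point in post #6 concrete, here is an added example (not code from this thread or from any of its posters) of what a spamming bot actually sends. The Referer line is just text the client writes into the request, so a server-side check on $_SERVER["HTTP_REFERER"] tells you nothing about where the POST came from; conversely, privacy-conscious browsers may omit it, so the check also turns away real visitors. The host, path and field names are placeholders.

```php
<?php
// Added example, not the thread's code: hand-built HTTP POST with a forged
// Referer header, showing that HTTP_REFERER is attacker-controlled.
// guestbook.example and the form field names are placeholders.
declare(strict_types=1);

/**
 * Build the raw HTTP/1.1 POST a guestbook spammer might send.
 * $fields are the form values, $referer the value the bot wants the
 * server to see. Returns the exact bytes that would go on the wire.
 */
function build_spoofed_post(string $host, string $path, array $fields, string $referer): string
{
    $body    = http_build_query($fields);      // same encoding a browser form uses
    $headers = [
        "POST {$path} HTTP/1.1",
        "Host: {$host}",
        "Referer: {$referer}",                 // chosen freely by the client
        "User-Agent: Mozilla/5.0",             // so is this
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: " . strlen($body),
        "Connection: close",
    ];
    return implode("\r\n", $headers) . "\r\n\r\n" . $body;
}

/** Send raw request bytes over a plain TCP socket; null if the connection fails. */
function send_raw(string $host, int $port, string $request): ?string
{
    $sock = @fsockopen($host, $port, $errno, $errstr, 5);
    if ($sock === false) {
        return null;
    }
    fwrite($sock, $request);
    $response = stream_get_contents($sock);
    fclose($sock);
    return $response;
}

// Constructed sample: a guestbook that accepts any non-empty Referer will
// treat this as a submission coming from its own form page.
$path    = '/guesttest/addcomment.php';
$fields  = ['guest' => 'friendly visitor', 'cmnts' => 'Nice site! Visit http://spam.example'];
$referer = 'http://guestbook.example' . $path;

echo build_spoofed_post('guestbook.example', $path, $fields, $referer), "\n";

// Only actually connect when a host is given: php spoof.php <host> [port]
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $live = build_spoofed_post($argv[1], $path, $fields, 'http://' . $argv[1] . $path);
    echo send_raw($argv[1], (int)($argv[2] ?? 80), $live) ?? "connection failed\n";
}
```

    Run it without arguments to see the request bytes; the only thing a Referer check can verify is that the client bothered to type the line.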
  • #7 Regular Coder (joined Aug 2002, USA, 625 posts)
    Quote Originally Posted by Mhtml View Post
    Never trust ANY data that is sent from the client side, you have to code everything right from the start as if it was malicious. You can spoof everything and anything, a lesson I once learnt the hard way (thanks Spookster! ).

    Another alternative is to use CAPTCHA (don't think this was mentioned?).
    Thanks for your input!

    Keeping in mind server-side scripting is more secure, can someone give me an example of how I might code another security measure into the script below:


    Code:
    <?php
    
    // Raw form values; guarded so a request without them does not raise notices.
    // Nothing here is validated or escaped before it is written or echoed.
    $cmnts = isset($_POST["cmnts"]) ? $_POST["cmnts"] : "";
    $guest = isset($_POST["guest"]) ? $_POST["guest"] : "";
    $dte = date("[m/d/y, g:i a] ");
    $strng = "<br>\n" . $dte . "<br>" . $guest . " wrote: <br>" . $cmnts . "<br>";
    $file = "test.txt";
    // Referer is a client-supplied header: any non-empty value passes this check.
    $refer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";
    $errmsg = "Permission Denied";
    if($refer){
        $fp = fopen($file, "a");
        flock($fp, LOCK_EX);           // exclusive lock while appending
        fputs($fp, $strng);
        flock($fp, LOCK_UN);
        $gb = file_get_contents($file);
        fclose($fp);
    
        // stripslashes() undoes magic_quotes_gpc; the entries are echoed unescaped.
        echo "<div id=\"oDiv4\" style=\"position: absolute;top: 10px;left: 10px;width: 450px;\"><form><input type=\"button\" value=\"Hide Guestbook\" onclick=\"javascript:window.top.location.replace('addcomment.php');\"></form><br>" . stripslashes($gb) . "</div>";
    }
    else{
        echo $errmsg;
    }
    
    ?>

    I'm sure the code is more than a little amateurish, but I've been away for some time, and I NEVER was anything more than a hack coder anyway....

    I'm using Javascript error checking for the form, below is a link to the script:

    http://motox.ekigroup.com/guesttest/...addcomment.php


    btw, I have no idea what CAPTCHA is.

    Any help in getting it secure is appreciated!


    thanks..!

    -james

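    As an added example (not code from this thread or its posters), here is a hardened rewrite of the addcomment.php in post #7 that puts the thread's suggestions together: the arithmetic challenge from post #2 with the answer kept in the session rather than in the form, the CSS-hidden honeypot field and link rejection from post #3, and the rule from post #6 that every client value is hostile, so entries are escaped on output and the HTTP_REFERER check is gone. The field names, the honeypot name "website", the data file and PHP 7.4 or later are assumptions.

```php
<?php
// Added example, not the thread's code: hardened guestbook combining a
// session-backed challenge (post #2), honeypot + link rejection (post #3)
// and escape-on-output with no Referer check (post #6).
// Field names, the honeypot name and the data file are assumptions.
declare(strict_types=1);
session_start();

const GB_FILE  = __DIR__ . '/guestbook.txt';
const MAX_LEN  = 1000;
const HONEYPOT = 'website';   // looks like a real field, so form-filling bots populate it

/** Pick a fresh challenge, keep the answer server-side, return the question text. */
function new_challenge(): string
{
    $n = random_int(1, 12);
    $_SESSION['gb_answer'] = $n * $n;       // the answer never goes to the client
    return "What is {$n} squared?";
}

/**
 * Check one submission against the expected answer (null = none was issued).
 * Returns the reasons to reject it; an empty list means accept.
 */
function validate_entry(array $post, ?int $answer): array
{
    $errors = [];
    $guest  = trim((string)($post['guest'] ?? ''));
    $cmnts  = trim((string)($post['cmnts'] ?? ''));
    if (($post[HONEYPOT] ?? '') !== '') {          // humans never see this field
        $errors[] = 'honeypot filled';
    }
    if ($answer === null || (int)($post['answer'] ?? -1) !== $answer) {
        $errors[] = 'wrong challenge answer';       // compared to the session, never to a form field
    }
    if ($guest === '' || $cmnts === '') {
        $errors[] = 'empty name or comment';
    }
    if (strlen($cmnts) > MAX_LEN) {
        $errors[] = 'comment too long';
    }
    if (preg_match('~https?://|www\.|<a\s|\[url~i', $guest . ' ' . $cmnts)) {
        $errors[] = 'links are not accepted';       // bare URLs, anchors, BBCode
    }
    return $errors;
}

/** Append one entry as a JSON line under an exclusive lock; stored raw, escaped on output. */
function store_entry(string $file, string $guest, string $cmnts): void
{
    $rec = ['t' => date('m/d/y, g:i a'), 'g' => $guest, 'c' => $cmnts];
    $fp  = fopen($file, 'a');
    if ($fp === false) {
        throw new RuntimeException("cannot open {$file}");
    }
    flock($fp, LOCK_EX);
    fwrite($fp, json_encode($rec, JSON_INVALID_UTF8_SUBSTITUTE) . "\n");
    flock($fp, LOCK_UN);
    fclose($fp);
}

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render the book; every stored value is escaped, so no entry can inject HTML or script. */
function render_book(string $file): string
{
    if (!is_file($file)) {
        return '';
    }
    $out = '';
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $raw) {
        $e = json_decode($raw, true);
        if (!is_array($e)) {
            continue;                               // skip a corrupted line
        }
        $out .= '<p>[' . esc($e['t']) . '] <b>' . esc($e['g']) . '</b> wrote:<br>'
              . nl2br(esc($e['c'])) . "</p>\n";
    }
    return $out;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $expected = isset($_SESSION['gb_answer']) ? (int)$_SESSION['gb_answer'] : null;
    unset($_SESSION['gb_answer']);                  // one answer per attempt, no replay
    $errors = validate_entry($_POST, $expected);
    if ($errors === []) {
        store_entry(GB_FILE, trim((string)$_POST['guest']), trim((string)$_POST['cmnts']));
    } else {
        echo '<p>Permission denied: ' . esc(implode(', ', $errors)) . '</p>';
    }
}

echo '<form method="post">',
     'Name: <input name="guest" maxlength="60"><br>',
     'Comment:<br><textarea name="cmnts" maxlength="', MAX_LEN, '"></textarea><br>',
     '<div style="display:none">Leave empty: <input name="', HONEYPOT, '" autocomplete="off"></div>',
     esc(new_challenge()), ' <input name="answer" size="4"><br>',
     '<input type="submit" value="Sign guestbook"></form>';
echo render_book(GB_FILE);
```

    Save it as addcomment.php, run `php -S localhost:8000` in that directory and open the page; the data file is created on the first accepted entry. The challenge answer is discarded after each attempt, so a bot cannot replay a captured answer, and because the form is validated entirely on the server the JavaScript checks mentioned in post #7 become a convenience for users rather than a security control. A fixed arithmetic question stops generic form-filling bots; a spammer who writes code for your site specifically can solve it, so rotate the question type or add rate limiting if that happens.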
  • #8 Regular Coder (joined Aug 2002, USA, 625 posts)
    Quote Originally Posted by jamescover View Post
    btw, I have no idea what CAPTCHA is.
    OK, disregard the above, I looked it up on Wikipedia...

    http://en.wikipedia.org/wiki/Captcha

    -james

  • #9 Supreme Overlord Spookster (joined May 2002, Marion, IA USA, 6,273 posts)
    Captcha is fine but asking a random question that the user must fill in the answer is about 100% effective. If you now register for our forums here you will notice we ask a random question that you must answer in order to complete the registration. This eliminates automated bots. They are unable to answer the questions.
    Spookster
    CodingForums Supreme Overlord
    All Hail Spookster

  • #10 Regular Coder (joined Aug 2002, USA, 625 posts)
    Quote Originally Posted by Spookster View Post
    Captcha is fine but asking a random question that the user must fill in the answer is about 100% effective. If you now register for our forums here you will notice we ask a random question that you must answer in order to complete the registration. This eliminates automated bots. They are unable to answer the questions.

    Spookster, I appreciate your response..!

    To be honest, though, my dog, finally, after 13 years, just died this evening after being sick since February, and I'm not really in the right frame of mind to even think about coding.

    But I really do appreciate your effort to help..!

    Please, forgive me if I don't respond further....




    -james

