[thelist] spammers - perpetrators

Bob Meetin bobm at dottedi.biz
Sun Jan 27 20:49:39 CST 2008


With Phil and Paul's help and some googling here's what I have:

http://www.dottedi.biz/codesamples/scripts/comment_form.php
http://www.dottedi.biz/codesamples/scripts/comment_form.txt (text version - see the code)

Assuming I implemented it correctly with the session, I have added the 
token for $_POST and $_SESSION. I also added some basic email checking 
and use a function to escape data for anything that would go into a 
database (disabled here).  I also have it set up so that it will filter 
out inappropriate content and use of 'http' in a field. 

Anyone care to take a look/see and see if the logic is better and the 
form less vulnerable?

-Bob

Phil Turmel wrote:
> Bob Meetin wrote:
>   
>> This is an older thread, so I didn't strip out the original problem or 
>> Phil's suggestions.  It took me a while to get back to this. 
>>     
>
> I thought it looked strangely familiar....
>
>   
>> I like/liked the idea of sending an email acknowledgement but if it's a 
>> vulnerability then it goes south. 
>>     
>
> Yes, it's vulnerable.  There really is no way to prevent a spammer from
> bouncing off your webserver if you auto-acknowledge form submissions.
> Having new spammer tricks annoy a webmaster is part of the job of a
> webmaster.  Allowing your webserver to send spam to *others* is
> absolutely unacceptable (and is likely to get your server blacklisted).
>
> Not that you shouldn't acknowledge the submission--just do it in the web
> page you serve up on successful submission.  Any *real* user will see that.
>
>   
>> About the session-based random token - I set up a randomly generated, 
>> hidden variable that is regenerated, every time the form is accessed, if 
>> it does not exist the form will not submit.  Is this what you are 
>> saying?  Is it adequate to check that the variable exists or must I 
>> check that the variable matches when the form is submitted?
>>     
>
> Yes, make sure it matches.  If it doesn't match or doesn't exist, the
> user might have all cookies turned off, so a message to that effect
> would be appropriate.  If you only check that the field exists, the
> spammer can fill it with junk just like any other text field in the form.
>
>   
>> Someone, perhaps Joel, said to test to make sure that the post is coming 
>> from the website in question.  How would I go about that?  This is 
>> shared hosting so the IP address of the server won't be absolute, but 
>> undoubtedly a start.
>>     
>
> Matching a session-specific random token achieves this on the side,
> without having to check IP addresses.
>
>   
>> About the database injection stuff, it is probably due to the above and 
>> not qualifying the integrity of the content thoroughly enough.  That 
>> seems easy enough to solve.
>>
>> Much thanks, Bob
>>     
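The session-token check Phil describes (match, not mere presence; tell the user about cookies on failure; acknowledge in the page rather than by email) together with the email and 'http' filters Bob lists, as an added PHP example. This is not the comment_form.php linked above; the field names, messages and the 32-byte token size are assumptions.

```php
<?php
// Added example, not Bob's comment_form.php: a session-bound token checked for
// a *match*, basic field checks, and an in-page (not emailed) acknowledgement.
session_start();
function issue_token(): string {
    // Fresh random token on every form view, kept server-side in the session.
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
    return $_SESSION['form_token'];
}

function token_is_valid(array $post, array $session): bool {
    // Both copies must exist AND be equal; a bot can fill the hidden field
    // with junk like any other text field, so presence alone proves nothing.
    if (!isset($post['token'], $session['form_token']) || !is_string($post['token'])) {
        return false;
    }
    return hash_equals($session['form_token'], $post['token']);
}

function field_errors(array $post): array {
    $errors = [];
    if (!filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'Please enter a valid email address.';
    }
    foreach (['name', 'email', 'comment'] as $f) {  // same rule as the original form: no 'http'
        if (stripos((string) ($post[$f] ?? ''), 'http') !== false) {
            $errors[] = "Links are not allowed in the $f field.";
        }
    }
    return $errors;
}

function render_form(string $token, array $errors = []): void {
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    foreach ($errors as $e) { echo '<p>' . $h($e) . '</p>'; }
    echo '<form method="post"><input type="hidden" name="token" value="' . $h($token) . '">'
       . 'Name <input name="name"> Email <input name="email"> '
       . '<textarea name="comment"></textarea> <button>Send</button></form>';
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    render_form(issue_token());
} elseif (!token_is_valid($_POST, $_SESSION)) {
    // Missing or mismatched token: most likely cookies are off, so say so.
    render_form(issue_token(), ['Cookies appear to be disabled; please enable them and resend.']);
} elseif ($errors = field_errors($_POST)) {
    render_form(issue_token(), $errors);  // fresh token for the retry
} else {
    unset($_SESSION['form_token']);       // single use: a resubmit cannot replay it
    echo '<p>Thanks, ' . htmlspecialchars((string) $_POST['name'], ENT_QUOTES, 'UTF-8') . ', your comment was received.</p>';
}
```

Escaping for a database is left out here because the original has it disabled; with a real database a prepared statement with bound parameters replaces the escape function entirely.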
