[thelist] spammers - perpetrators
Bob Meetin
bobm at dottedi.biz
Sun Jan 27 20:49:39 CST 2008
With Phil and Paul's help and some googling here's what I have:
http://www.dottedi.biz/codesamples/scripts/comment_form.php
http://www.dottedi.biz/codesamples/scripts/comment_form.txt (text version - see the code)
Assuming I implemented it correctly with the session, I have added the
token for $_POST and $_SESSION. I also added some basic email checking
and use a function to escape data for anything that would go into a
database (disabled here). I also have it set up so that it will filter
out inappropriate content and use of 'http' in a field.
Anyone care to take a look/see and see if the logic is better and the
form less vulnerable?
-Bob
Phil Turmel wrote:
> Bob Meetin wrote:
>
>> This is an older thread, so I didn't strip out the original problem or
>> Phil's suggestions. It took me a while to get back to this.
>>
>
> I thought it looked strangely familiar....
>
>
>> I like/liked the idea of sending an email acknowledgement but if it's a
>> vulnerability then it goes south.
>>
>
> Yes, it's vulnerable. There really is no way to prevent a spammer from
> bouncing off your webserver if you auto-acknowledge form submissions.
> Having new spammer tricks annoy a webmaster is part of the job of a
> webmaster. Allowing your webserver to send spam to *others* is
> absolutely unacceptable (and is likely to get your server blacklisted).
>
> Not that you shouldn't acknowledge the submission--just do it in the web
> page you serve up on successful submission. Any *real* user will see that.
>
>
>> About the session-based random token - I set up a randomly generated,
>> hidden variable that is regenerated, every time the form is accessed, if
>> it does not exist the form will not submit. Is this what you are
>> saying? Is it adequate to check that the variable exists or must I
>> check that the variable matches when the form is submitted?
>>
>
> Yes, make sure it matches. If it doesn't match or doesn't exist, the
> user might have all cookies turned off, so a message to that effect
> would be appropriate. If you only check that the field exists, the
> spammer can fill it with junk just like any other text field in the form.
>
>
>> Someone, perhaps Joel, said to test to make sure that the post is coming
>> from the website in question. How would I go about that? This is
>> shared hosting so the IP address of the server won't be absolute, but
>> undoubtedly a start.
>>
>
> Matching a session-specific random token achieves this on the side,
> without having to check IP addresses.
>
>
>> About the database injection stuff, it is probably due to the above and
>> not qualifying the integrity of the content thoroughly enough. That
>> seems easy enough to solve.
>>
>> Much thanks, Bob
>>
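The token check Phil describes (a fresh random value per form view, kept in the session, required to match exactly on submit, with a cookies-disabled message on failure), together with the email and 'http' checks Bob mentions, sketched in PHP as an added example. This is not Bob's comment_form.php; the function names and the `comment_token` session key are my own.

```php
<?php
// Added illustration of the session-token comment form discussed in the thread;
// not Bob's comment_form.php. Function names and the session key are my own.
session_start();

// Issue a fresh random token on every GET of the form and remember it in the session.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(32));          // 64 hex chars from a CSPRNG (PHP 7+)
    $_SESSION['comment_token'] = $token;
    return $token;
}

// Both the session copy and the hidden field must exist and match; hash_equals()
// keeps the comparison constant-time. The token is consumed either way, so a
// replayed POST with an old value is rejected.
function verify_form_token(array $post): bool {
    $expected = $_SESSION['comment_token'] ?? null;
    unset($_SESSION['comment_token']);
    if (!is_string($expected) || !isset($post['token']) || !is_string($post['token'])) {
        return false;
    }
    return hash_equals($expected, $post['token']);
}

// The other checks Bob mentions: a syntactically valid address and no URLs in free text.
function comment_fields_acceptable(array $post): bool {
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    foreach (['name', 'comment'] as $field) {
        if (stripos($post[$field] ?? '', 'http') !== false) {
            return false;
        }
    }
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST)) {
        // Missing or mismatched token: a bot, or a browser with cookies disabled.
        echo 'Your session could not be verified. Please enable cookies and resubmit the form.';
    } elseif (!comment_fields_acceptable($_POST)) {
        echo 'Please supply a valid email address and leave links out of the message.';
    } else {
        // Store the comment (escaping for the database) and acknowledge on this page, not by email.
        echo 'Thanks, your comment was received.';
    }
} else {
    $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input type="hidden" name="token" value="' . $token . '">'
       . '<input name="name"><input name="email"><textarea name="comment"></textarea>'
       . '<button>Send</button></form>';
}
```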