[thelist] tracking spammers
Lee Kowalkowski
lee.kowalkowski at googlemail.com
Mon Jul 18 03:35:36 CDT 2011
On 17 July 2011 04:48, Renoir Boulanger <renoirb at gmail.com> wrote:
> I would suggest one thing.
>
> The symfony framework has this auto generated hidden field implementing CSRF. It is in fact a string generated using a shared secret and will accept posts coming with that field who gets validated.
>
> I did not read about how exactly symfony implements it but it is a good starting point.
>
> I doubt that you can accept posts coming from your own server because it is in the nature of a post to submit to a url from code... we just hope its from our own and not for misleading reasons.
I guessed that "posts coming from your own server" was meant to mean
check the refer[r]er header. This, along with CSRF prevention (like
what Nan Harbison suggested in his reply), will assume the client is a
web browser; in many cases, spam bots are not. The workaround for
CSRF prevention in a spam bot will be to issue a GET before a POST
to acquire the necessary hidden field values and cookies; from what
I've seen, there are spam bots that are capable of this.
Spam bots generally have two forensic traits: speed, and irrelevant content.
Speed is significantly easier to detect automatically, but a spammer
could always create a slow bot with negligible loss of throughput by
staggering the requests; these don't exist yet as far as I know. A
30-second no-POST interval on your GET should see off all spam bots
for now at least. This would be trivial to implement using a
short-lived persistent cookie that you don't want returned, but better
implemented within server-side session state to guarantee the POST
is at least 30 seconds after the GET.
Irrelevant content is much more effort to detect, but will always be present.
--
Lee
www.webdeavour.co.uk
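The GET-to-POST interval described above, combined with the hidden CSRF field from Renoir's suggestion, as an added example that is not part of the original post (Python; the FormGuard class, its session handling and the scenarios in demo() are hypothetical constructions):

```python
import hmac
import secrets
import time
from typing import Callable

MIN_GET_TO_POST_SECONDS = 30  # the 30-second no-POST interval from the post above

class FormGuard:
    """Hypothetical server-side session state (not thelist code): remembers when
    the form was served to each session and the CSRF token it carried."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock    # injectable so the timing rule can be exercised without sleeping
        self.sessions = {}    # session_id -> (served_at, csrf_token)

    def on_get(self, session_id: str) -> str:
        """Serve the form: record the time and return the token for the hidden field."""
        token = secrets.token_urlsafe(32)
        self.sessions[session_id] = (self.clock(), token)
        return token

    def on_post(self, session_id: str, submitted_token: str) -> tuple:
        """Validate a submission. Returns (accepted, reason)."""
        state = self.sessions.get(session_id)
        if state is None:
            return False, "no prior GET for this session"   # bot skipped the GET
        served_at, token = state
        if not hmac.compare_digest(token, submitted_token):
            return False, "CSRF token mismatch"
        elapsed = self.clock() - served_at
        if elapsed < MIN_GET_TO_POST_SECONDS:
            return False, f"POST only {elapsed:.0f}s after GET"  # too fast for a human
        del self.sessions[session_id]                        # one submission per GET
        return True, "accepted"

def demo() -> list:
    """Constructed scenarios driven by a fake clock; returns the reason strings."""
    now = [1000.0]                                   # mutable so the lambda sees updates
    guard = FormGuard(clock=lambda: now[0])
    results = [guard.on_post("bot-1", "x")[1]]       # POST with no GET at all
    tok = guard.on_get("bot-2")
    now[0] += 2                                      # POST 2s after the GET
    results.append(guard.on_post("bot-2", tok)[1])
    tok = guard.on_get("human")
    now[0] += 45                                     # POST 45s after the GET
    results.append(guard.on_post("human", tok)[1])
    results.append(guard.on_post("human", tok)[1])   # replay of the consumed token
    return results
```

Because the timestamp lives in server-side state rather than in the cookie, a client cannot shorten its own interval by editing what it sends back.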