[thelist] tracking spammers

Lee Kowalkowski lee.kowalkowski at googlemail.com
Mon Jul 18 03:35:36 CDT 2011


On 17 July 2011 04:48, Renoir Boulanger <renoirb at gmail.com> wrote:
> I would suggest one thing.
>
> The symfony framework has this auto generated hidden field implementing CSRF. It is in fact a string generated using a shared secret and will accept posts coming with that field, which gets validated.
>
> I did not read about how exactly symfony implements it but it is a good starting point.
>
> I doubt that you can accept posts coming from your own server because it is in the nature of a post to submit to a url from code... we just hope its from our own and not for misleading reasons.

I guessed that "posts coming from your own server" was meant to mean
check the refer[r]er header.  This, along with CSRF prevention (like
what Nan Harbison suggested in his reply), will assume the client is a
web browser; in many cases, spam bots are not.  The workaround for
CSRF prevention in a spam bot will be to issue a GET before a POST
to acquire the necessary hidden field values and cookies; from what
I've seen, there are spam bots that are capable of this.

Spam bots generally have two forensic traits: speed, and irrelevant content.

Speed is significantly easier to detect automatically, but a spammer
could always create a slow bot with negligible loss of throughput by
staggering the requests, these don't exist yet as far as I know.  A
30-second no-POST interval on your GET should see off all spam bots
for now at least.  This would be trivial to implement using a
short-lived persistent cookie that you don't want returned, but better
implemented within server-side session state to guarantee the POST
is at least 30 seconds after the GET.

Irrelevant content is much more effort to detect, but will always be present.

-- 
Lee
www.webdeavour.co.uk


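The two defences discussed in this thread, a hidden CSRF field derived from a shared secret (Renoir's point) and a server-side guarantee that the POST arrives at least 30 seconds after the GET (Lee's point), fit together in one small piece of form-handling state. The following is an added example and is not code from the thread or from symfony; `FormGuard`, `FakeClock`, the session ids and the shared secret are all constructed for illustration, and the in-memory dict stands in for a real session store.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Tuple

# The "30-second no-POST interval" from the post above.
MIN_GET_TO_POST_SECONDS = 30


class FormGuard:
    """Per-session server-side state for one form: a CSRF token bound to a
    shared secret, plus the time the form was served so that a POST arriving
    too soon after the GET is refused.  Hypothetical class, not from the
    thread; the dict stands in for a real session store."""

    def __init__(self, shared_secret: bytes, clock=time.time):
        self._secret = shared_secret
        self._clock = clock                 # injectable so the demo needs no sleeping
        self._sessions: Dict[str, dict] = {}  # session_id -> {"nonce", "issued_at"}

    def _token(self, session_id: str, nonce: str) -> str:
        # The nonce is public; the HMAC over (session, nonce) is what a forger lacks.
        mac = hmac.new(self._secret, f"{session_id}:{nonce}".encode(), hashlib.sha256)
        return f"{nonce}:{mac.hexdigest()}"

    def render_form(self, session_id: str) -> str:
        """Handle the GET: mint a fresh token and record when it was issued.
        The returned string is the value of the hidden form field."""
        nonce = secrets.token_hex(16)
        self._sessions[session_id] = {"nonce": nonce, "issued_at": self._clock()}
        return self._token(session_id, nonce)

    def check_post(self, session_id: str, submitted_token: str) -> Tuple[bool, str]:
        """Handle the POST: accept only if the token matches the one issued to
        this session and at least MIN_GET_TO_POST_SECONDS have passed."""
        state = self._sessions.get(session_id)
        if state is None:
            return False, "no form was served to this session"
        expected = self._token(session_id, state["nonce"])
        if not hmac.compare_digest(expected, submitted_token):
            return False, "csrf token mismatch"
        elapsed = self._clock() - state["issued_at"]
        if elapsed < MIN_GET_TO_POST_SECONDS:
            # State is kept, so a human who resubmits after the interval succeeds.
            return False, f"posted {elapsed:.0f}s after GET, minimum is {MIN_GET_TO_POST_SECONDS}s"
        del self._sessions[session_id]      # single use: the same token cannot be replayed
        return True, "accepted"


class FakeClock:
    """Constructed clock so the example runs offline and deterministically."""

    def __init__(self, start: float):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> Dict[str, bool]:
    """Walk through the cases: a bot posting instantly, a human posting after
    31 s, a replay of an already-used token, and a token from another session."""
    clock = FakeClock(1_000.0)
    guard = FormGuard(b"constructed-shared-secret", clock=clock.now)
    token = guard.render_form("sess-human")
    results = {"instant": guard.check_post("sess-human", token)[0]}
    clock.advance(31)
    results["after_31s"] = guard.check_post("sess-human", token)[0]
    results["replay"] = guard.check_post("sess-human", token)[0]
    guard.render_form("sess-other")         # a second visitor gets its own nonce
    clock.advance(31)
    results["forged"] = guard.check_post("sess-other", token)[0]  # token minted for sess-human
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10s} -> {'accept' if accepted else 'reject'}")
```

Keeping the issue time in server-side state rather than in a cookie is what makes the 30-second check trustworthy: a cookie's contents are supplied by the client, while the session record is only ever written by the GET handler. Note that, as the post says, a bot that simply waits between its GET and POST passes this check; the timing gate raises the cost of spamming rather than removing the need for content-based filtering.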