Re: [swinog] Formmailer-Scripts and Spam
> I will never recommend PHP to a customer or even a friend; however I
> heard about an Apache module (by SuSE apparently) which is designed as a
> security layer for mod_perl and mod_php. I haven't even tried it yet, but
> I will the next time I need to support others' bad decisions.

If you know what you are doing and develop PHP applications with security in mind from the first moment, 95% of all potential PHP exploits can be avoided. Absolutely strict, brutal and dictatorial input validation as the first action of the application is a must in any PHP project. Only variables explicitly allowed to pass should be passed, and they should be checked at least for their data types and sizes, plus additional checks if needed. The CPU cost of such checks is fairly low.

On a side note: mail() is not a very optimal solution for mailings anyway; full SMTP stack implementations such as PHPMailer are better, although not an exploit-free solution.

--
Kirill Ponazdyr
Technical Director
Codeangels Solutions GmbH
Tel: +41 (0)43 844 90 10
Fax: +41 (0)43 844 90 12
http://www.codeangels.ch
http://www.codeangels.com

___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Formmailer-Scripts and Spam
On Wed, Aug 16, 2006 at 07:29:25AM +0200, Tonnerre LOMBARD wrote:
> The good thing about PHP's builtin input sanitizing and security functions
> is that they contain the majority of bugs. mail() is one of them. ;-)

I will never recommend PHP to a customer or even a friend; however I heard about an Apache module (by SuSE apparently) which is designed as a security layer for mod_perl and mod_php. I haven't even tried it yet, but I will the next time I need to support others' bad decisions.

http://opensuse.org/Apparmor
RE: [swinog] Formmailer-Scripts and Spam
An interesting tool is Akismet: http://akismet.com/

We are using this in our Wordpress blogs. It is meant to be used against comment spam in blogs, but as formmailer spam is basically the same, why not use it here too? Something like SpamAssassin as a web service for comment spam. The API description and several implementations are available on the site.

Daniel

P.S. kismet: Arabic for "fate" (Kismet: in Islam, the unalterable fate allotted to a person by Allah)
Re: [swinog] Formmailer-Scripts and Spam
Glogger Steven wrote:
>> Well, IMHO this is no better than my solution using JS. What do you do if someone has cookies disabled?
>> I for my part often reject cookies 'just because' when I don't feel they're really needed...
>
> JavaScript is client side. It only prevents that a form can be submitted. What if you circumvent that and post directly? As we know, simulating a POST is quite easy: telnet to host port 80:
>
>   "POST /superposter/gna.php HTTP/1.1\r\n
>   Host: www.blabla.ch\r\n
>   User-Agent: whatever you want\r\n
>   Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
>   Accept-Encoding: gzip,deflate\r\n
>   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
>   Keep-Alive: 300\r\n
>   Connection: keep-alive\r\n
>   Referer: www.blabla.ch/urli/index.php
>   Cookie: PHPSESSID-111\r\n
>   Content-Type: application/x-www-form-urlencoded\r\n
>   Content-Length: 100\n
>   \r\n
>   action=login&nick=username&password=password&submit=LOGIN\r\n"
>
> If you get that, you cannot check if he used your JavaScript or not ,-)
> He might check your session ID, but what if the client gets a session ID and uses that one to fill in the form? That's so easy :-)
> (I'm using such a tool as a proxy for an online game since about 5 years ,-))

You still didn't get the point. Look at my post from 15.08.2006 18:59.
I don't prevent a user from sending the form - I know this is pointless. But rather I use JS to write some (optionally dynamic) value into the form before sending. If that value isn't present in the POST request, the formmailer script refuses to send the mail. This effectively defeats any non-JS-aware machine, including spammers, robots and lynx.
Like I said earlier, this can be combined with dynamic data, close to what Markus Wild also said, for example by using some varying string containing a timestamp or something like that.
This is a step more effective than Markus' idea with the session, as it not only requires gathering a very up-to-date version of the form but additionally the execution of JS. You could write a function which calculates the value so you can't just easily copy-paste it out, and so on...
The forms I'm using this on have not been abused anymore since the introduction of the JS check, since it would really require massive user interaction.

Matt
Re: [swinog] Formmailer-Scripts and Spam
> Markus Wild wrote:
>> One that is less cumbersome than the "type in the word in the weird
>> image" approach is to set a cookie-like hidden parameter from the
>> server when it generates the form (I'm assuming php or perl behind
>
> Well, IMHO this is no better than my solution using JS
> What do you do if someone has cookies disabled?

I said "cookie-like", not cookies:

with "some encrypted hash" being some encrypted (and binhex64 encoded) serialized record containing the sending IP, a timestamp and whatever else you fancy including.

Cheers,
Markus
Re: [swinog] Formmailer-Scripts and Spam
About that lynx discussion... I don't think you're losing a single customer because your websites don't support lynx. Usually people want to see a picture of the product they're buying. And then there's the aspect of who your target market is. Usually it's not the Linux geek (and even if it is, you're better off selling stuff with images - see thinkgeek.com).

Cheers,
Viktor

Matthias Keller wrote:
> Markus Wild wrote:
>> One that is less cumbersome than the "type in the word in the weird image" approach is to set a cookie-like hidden parameter from the server when it generates the form (I'm assuming php or perl behind a dynamic server). In the cookie you can put the timestamp and encode the thing using a simple cipher. When you get the cookie back, you check whether the timestamp is within a reasonable range. The spambot would have to refetch the original form, insert his crap and resubmit it, since it's not able to generate the hidden parameter on its own. Most (all?) won't do that.
>
> Well, IMHO this is no better than my solution using JS. What do you do if someone has cookies disabled?
> I for my part often reject cookies 'just because' when I don't feel they're really needed...
> So I don't know which part of all surfers is bigger, those with lynx or those with JS disabled. Actually in the last 7 days there wasn't a SINGLE lynx hitting ALL of my hosted domains...
> But of course this is always a matter of opinion and it can vary a lot depending on the website. But IMHO if a user using lynx can't add an entry to a guestbook this is no big loss for me...
>
> Just my 2c
> Matt
RE: [swinog] Formmailer-Scripts and Spam
> Well, IMHO this is no better than my solution using JS. What
> do you do if someone has cookies disabled?
> I for my part often reject cookies 'just because' when I don't
> feel they're really needed...

JavaScript is client side. It only prevents that a form can be submitted. What if you circumvent that and post directly? As we know, simulating a POST is quite easy: telnet to host port 80:

  "POST /superposter/gna.php HTTP/1.1\r\n
  Host: www.blabla.ch\r\n
  User-Agent: whatever you want\r\n
  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n
  Accept-Encoding: gzip,deflate\r\n
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
  Keep-Alive: 300\r\n
  Connection: keep-alive\r\n
  Referer: www.blabla.ch/urli/index.php
  Cookie: PHPSESSID-111\r\n
  Content-Type: application/x-www-form-urlencoded\r\n
  Content-Length: 100\n
  \r\n
  action=login&nick=username&password=password&submit=LOGIN\r\n"

If you get that, you cannot check if he used your JavaScript or not ,-)
He might check your session ID, but what if the client gets a session ID and uses that one to fill in the form? That's so easy :-)
(I'm using such a tool as a proxy for an online game since about 5 years ,-))

-steven
Re: [swinog] Formmailer-Scripts and Spam
Markus Wild wrote:
> One that is less cumbersome than the "type in the word in the weird image" approach is to set a cookie-like hidden parameter from the server when it generates the form (I'm assuming php or perl behind a dynamic server). In the cookie you can put the timestamp and encode the thing using a simple cipher. When you get the cookie back, you check whether the timestamp is within a reasonable range. The spambot would have to refetch the original form, insert his crap and resubmit it, since it's not able to generate the hidden parameter on its own. Most (all?) won't do that.

Well, IMHO this is no better than my solution using JS. What do you do if someone has cookies disabled?
I for my part often reject cookies 'just because' when I don't feel they're really needed...
So I don't know which part of all surfers is bigger, those with lynx or those with JS disabled. Actually in the last 7 days there wasn't a SINGLE lynx hitting ALL of my hosted domains...
But of course this is always a matter of opinion and it can vary a lot depending on the website. But IMHO if a user using lynx can't add an entry to a guestbook this is no big loss for me...

Just my 2c
Matt
Re: [swinog] Formmailer-Scripts and Spam
Randazzo Filippo <[EMAIL PROTECTED]> 2006-08-16:
> In my (recent) experience, this problem is not related with the form but directly with the database.. The spammer seems to be using an automatic bot that is sending content to generic database fields (so my suggestion would be changing the table field names to strange ones instead of changing field names of the form); Let me tell you what happened to me: I have a small guestbook in ASP (not self made, it is free code found online) used by me and 7 more friends for a private fanta-soccer-game website (so absolutely not a visited website). I began to have those spam messages in it and I figured out the following: I had since the beginning the possibility to enable/disable the form fields 'sender email' and 'sender website' and, being only 8 ppl, I disabled them immediately during the guestbook installation: checking the database after the spamming I found those fields in the database FULL WITH INFO even if there was no input field in the form.

This script is simply broken security-wise: it should not accept sender email/website fields in the submitted form data when those fields have not been part of the form it sent to the browser. Changing field names is just security by obscurity, even if it might help in cases where spambots rely on known field names.

> That's why I can tell that this problem is not form-related. Solutions (possibilities that I had from this premade guestbook):
> 1) enable Session ID check (so the post must be submitted from the form and not from outside)
> 2) enable cookies (to prevent spamming the guestbook with multiple comments)
> 3) enable the loved/hated security images
>
> P.S: another system that seems to be working (I'm testing it) is to put the guestbook pages on a different server from the main website (I'm including it in a ).. Seems that this is confusing the bots..
>
> /lurking mode on
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manuel Krummenacher
> Sent: Tuesday, 15 August 2006 18:01
> To: swinog@swinog.ch
> Subject: Re: [swinog] Formmailer-Scripts and Spam
>
> Matthias Hertzog wrote:
>> b) Web-user has to enter a unique number (generated image) in the form to prove he's a human being.
> Works fine, but think of the visually impaired. There are captchas which provide the number also as sound. But I wouldn't use captchas on business websites, it's too annoying for the users to type in the number.
>> c) Badword-Filtering in the formmail-script, some regular expressions a.s.o.
> Often it helps if you give the fields "unsuspicious" names. "meinfeld4" instead of "recipient" and so on...
>
> I use mod_security [1] with the rules from gotroot.com. mod_security blocks the spam before the form gets processed. Additionally, it protects the server from SQL injection and other attacks.
>
> Greets,
> Manuel
>
> [1] http://www.modsecurity.org/

--
Daniel Roethlisberger <[EMAIL PROTECTED]>
RE: [swinog] Formmailer-Scripts and Spam
/lurking mode off

Hi folks

In my (recent) experience, this problem is not related with the form but directly with the database.. The spammer seems to be using an automatic bot that is sending content to generic database fields (so my suggestion would be changing the table field names to strange ones instead of changing field names of the form); Let me tell you what happened to me: I have a small guestbook in ASP (not self made, it is free code found online) used by me and 7 more friends for a private fanta-soccer-game website (so absolutely not a visited website). I began to have those spam messages in it and I figured out the following: I had since the beginning the possibility to enable/disable the form fields 'sender email' and 'sender website' and, being only 8 ppl, I disabled them immediately during the guestbook installation: checking the database after the spamming I found those fields in the database FULL WITH INFO even if there was no input field in the form. That's why I can tell that this problem is not form-related.

Solutions (possibilities that I had from this premade guestbook):
1) enable Session ID check (so the post must be submitted from the form and not from outside)
2) enable cookies (to prevent spamming the guestbook with multiple comments)
3) enable the loved/hated security images

Hope this helps

Cheers
Filippo

P.S: another system that seems to be working (I'm testing it) is to put the guestbook pages on a different server from the main website (I'm including it in a ).. Seems that this is confusing the bots..

/lurking mode on

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manuel Krummenacher
Sent: Tuesday, 15 August 2006 18:01
To: swinog@swinog.ch
Subject: Re: [swinog] Formmailer-Scripts and Spam

Matthias Hertzog wrote:
> b) Web-user has to enter a unique number (generated image) in the form
> to prove he's a human being.
Works fine, but think of the visually impaired. There are captchas which provide the number also as sound. But I wouldn't use captchas on business websites, it's too annoying for the users to type in the number.
> c) Badword-Filtering in the formmail-script, some regular expressions
> a.s.o.
Often it helps if you give the fields "unsuspicious" names. "meinfeld4" instead of "recipient" and so on...

I use mod_security [1] with the rules from gotroot.com. mod_security blocks the spam before the form gets processed. Additionally, it protects the server from SQL injection and other attacks.

Greets,
Manuel

[1] http://www.modsecurity.org/
Re: [swinog] Formmailer-Scripts and Spam
Salut,

On Tue, Aug 15, 2006 at 11:39:15PM +0200, Steven Glogger wrote:
> For the PHP users: I've found a solution where I patched the mail() function
> to not allow linefeeds etc. in header and To: lines.
> I've documented it some time ago here:
> http://wiki.hidden.ch/index.php/PHP#Patch_von_mail.c_f.FCr_mail.28.29-funktion

The good thing about PHP's builtin input sanitizing and security functions is that they contain the majority of bugs. mail() is one of them. ;-)

Tonnerre
Re: [swinog] Formmailer-Scripts and Spam
On Tue, Aug 15, 2006 at 05:35:26PM +0200, Matthias Hertzog wrote:
> We're facing a growing amount of automatically generated HTTP POST
> requests, all containing spamvertising links like

We all do...

> a) Spamfilter of recipient shall filter that

If you are the only recipient and your spamfilter is good... but it doesn't take the load off the server and the net.

> b) Web-user has to enter a unique number (generated image) in the form to
> prove he's a human being.

Quite a problem to keep accessibility for blind users.

> c) Badword-Filtering in the formmail-script, some regular expressions a.s.o.

I prefer Bayes filtering for that. My way to do it is available at https://sourceforge.net/projects/spfgb (public domain). I used it for a guestbook but the system can be adapted (quite ugly code yet, but working quite well!).

Regards
Peter

--
How do I find out how to find something out:
http://sourcepole.ch/sources/tips/antwort-findungs-howto.html
http://catb.org/~esr/faqs/smart-questions.html
RE: [swinog] Formmailer-Scripts and Spam
> > > And what if they do send the 123?
> >
> > They won't

They will - I've seen some spammers really trying to analyze some feedback forms, etc. The next day the customer "fixed" it somehow, and the spammer found out again how to circumvent it.

For the PHP users: I've found a solution where I patched the mail() function to not allow linefeeds etc. in header and To: lines. I've documented it some time ago here:
http://wiki.hidden.ch/index.php/PHP#Patch_von_mail.c_f.FCr_mail.28.29-funktion
(I'm not telling you that THIS is the solution, but it helped a lot if you do hosting and have some dummy users ;-))

But also for me: the correct way to suppress such spam is directly at the source (in this case the formmail/mailer/whatever script). Session tricks, captchas (btw: http://sam.zoy.org/pwntcha/ is really impressive; seems that spammers have the knowledge to circumvent captchas) and the like are ways to "harden" your script.

-steven
Re: [swinog] Formmailer-Scripts and Spam
One that is less cumbersome than the "type in the word in the weird image" approach is to set a cookie-like hidden parameter from the server when it generates the form (I'm assuming php or perl behind a dynamic server). In the cookie you can put the timestamp and encode the thing using a simple cipher. When you get the cookie back, you check whether the timestamp is within a reasonable range. The spambot would have to refetch the original form, insert his crap and resubmit it, since it's not able to generate the hidden parameter on its own. Most (all?) won't do that.

Cheers,
Markus
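The cookie-like hidden parameter Markus describes here (and spells out further up-thread as an encrypted, base64-encoded serialized record of sending IP and timestamp), worked through as an added example; this is not Markus's code or anyone's from the list. Where he suggests a simple cipher, this uses an HMAC-SHA256 tag, since the record needs to be unforgeable rather than secret; the key, time window, IP addresses and the choice of Python over the PHP/Perl he assumes are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret; a real deployment reads a long random key from
# configuration and rotates it. Anyone who knows it can mint valid tokens.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"

MIN_AGE_SECONDS = 3          # faster than a human could have filled in the form
MAX_AGE_SECONDS = 15 * 60    # older than this and the form has to be refetched


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_token(client_ip: str, now: Optional[float] = None) -> str:
    """Value for the hidden form field, generated when the form page is served.

    The record is a serialized (JSON) structure carrying the requesting IP and
    the issue timestamp, base64-encoded, followed by an HMAC-SHA256 tag over it.
    """
    issued = int(time.time() if now is None else now)
    record = json.dumps({"ip": client_ip, "ts": issued},
                        separators=(",", ":")).encode("ascii")
    tag = hmac.new(SECRET_KEY, record, hashlib.sha256).digest()
    return _b64(record) + "." + _b64(tag)


def verify_token(token: str, client_ip: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Check the hidden field sent back with the POST. Returns (accepted, reason)."""
    current = time.time() if now is None else now
    try:
        record_b64, tag_b64 = token.split(".", 1)
        record = base64.urlsafe_b64decode(record_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:                       # no separator, or bad base64
        return False, "malformed token"

    # Authenticate first, before trusting anything inside the record.
    expected = hmac.new(SECRET_KEY, record, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad mac"              # forged, or record tampered with

    try:
        fields = json.loads(record)
        issued = int(fields["ts"])
        issued_to = str(fields["ip"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed record"

    if issued_to != client_ip:
        return False, "ip mismatch"          # token scraped from another client's form
    age = current - issued
    if age < MIN_AGE_SECONDS:
        return False, "submitted too fast"
    if age > MAX_AGE_SECONDS:
        return False, "token expired"        # stale copy of the form being replayed
    return True, "ok"


if __name__ == "__main__":
    # Constructed demo: serve the form to 203.0.113.7, then accept its POST 10s later.
    token = issue_token("203.0.113.7")
    print("hidden field value:", token)
    print(verify_token(token, "203.0.113.7", now=time.time() + 10))
```

A legitimate browser simply echoes the field back, so nothing is required of the client beyond fetching the form; a bot that replays a captured form gets "token expired" once the window has passed, and one that edits the record gets "bad mac".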
Re: [swinog] Formmailer-Scripts and Spam
@MK: Your method implies that the user has a JavaScript-enabled browser, else the POST would fail. This means in the end you lose customers, because they're surfing with lynx.

Peter

On 8/15/06, Matthias Keller <[EMAIL PROTECTED]> wrote:
> Tonnerre LOMBARD wrote:
>> Salut,
>>
>> On Tue, Aug 15, 2006 at 06:59:21PM +0200, Matthias Keller wrote:
>>> Correct.
>>> And that's the way it works :)
>>> Consider this:
>>>
>>> ...
>>>
>>> If the post.php receives the POST request without $_POST["somefield"] == "123" it refuses to send the mail...
>>
>> And what if they do send the 123?
>
> They won't
> Because that would need some user interaction upon collecting the data at the first time. And just in CASE they would start with it - no worries, you can always make it more dynamic.. consider using some formula which involves the current day which gets calculated on the client AND on the server side, or whatever...
> As long as they don't evaluate the JavaScript VERY regularly they can't spam - and I don't think they'll go so far as to executing JS, as it's lots more complicated than just capturing form data and is potentially dangerous (infinite loops and stuff).
> As you said - these are SCRIPTS, and as soon as you start to require something not doable by scripts you make it MUCH harder for them.
>
> Matt
Re: [swinog] Formmailer-Scripts and Spam
Tonnerre LOMBARD wrote:
> Salut,
>
> On Tue, Aug 15, 2006 at 06:59:21PM +0200, Matthias Keller wrote:
>> Correct.
>> And that's the way it works :)
>> Consider this:
>>
>> ...
>>
>> If the post.php receives the POST request without $_POST["somefield"] == "123" it refuses to send the mail...
>
> And what if they do send the 123?

They won't
Because that would need some user interaction upon collecting the data at the first time. And just in CASE they would start with it - no worries, you can always make it more dynamic.. consider using some formula which involves the current day which gets calculated on the client AND on the server side, or whatever...
As long as they don't evaluate the JavaScript VERY regularly they can't spam - and I don't think they'll go so far as to executing JS, as it's lots more complicated than just capturing form data and is potentially dangerous (infinite loops and stuff).
As you said - these are SCRIPTS, and as soon as you start to require something not doable by scripts you make it MUCH harder for them.

Matt
Re: [swinog] Formmailer-Scripts and Spam
Salut,

On Tue, Aug 15, 2006 at 06:59:21PM +0200, Matthias Keller wrote:
> Correct.
> And that's the way it works :)
> Consider this:
>
> ...
>
> If the post.php receives the POST request without $_POST["somefield"]
> == "123" it refuses to send the mail...

And what if they do send the 123?

Tonnerre
Re: [swinog] Formmailer-Scripts and Spam
Tonnerre LOMBARD wrote:
> Salut,
>
> On Tue, Aug 15, 2006 at 06:19:21PM +0200, Matthias Keller wrote:
>> One thing I have been pretty successful with in blocking spam is JavaScript...
>> Of course one can argue not all browsers support or execute JS, but today when every 3rd site completely relies on JS this is no valid point anymore IMHO.
>> I use an onSubmit script which sets a variable before submitting. Only if this value is received correctly in the script is the form processed...
>
> Do you really think a spammer will sit in front of his browser typing in all the spam? Those are scripts, and these scripts just send you data without ever considering to look at your JavaScript foo.

Correct.
And that's the way it works :)
Consider this:

...

If the post.php receives the POST request without $_POST["somefield"] == "123" it refuses to send the mail...
Since the scripts won't interpret JavaScript they won't send the 123 as a value for somefield, and thus all their tries won't succeed.

Matt
Re: [swinog] Formmailer-Scripts and Spam
On Tue, 2006-08-15 at 17:35 +0200, Matthias Hertzog wrote:
> We're facing a growing amount of automatically generated HTTP POST requests,
> all containing spamvertising links

We are also struggling with this issue, but not only since a few days or weeks. I get 3-6 abused forms each day!

IMO it's the 'programmer's' fault, who should parse the rubbish which his form receives.

Here are two cool links (sorry, in German):
http://www.heise.de/security/artikel/66815
http://forum.jswelt.de/tutorials-php/28074-spam-ueber-kontakt-formulare-verhindern.html

Cheerz - Dan
Re: [swinog] Formmailer-Scripts and Spam
Salut,

On Tue, Aug 15, 2006 at 06:19:21PM +0200, Matthias Keller wrote:
> One thing I have been pretty successful with in blocking spam is JavaScript...
> Of course one can argue not all browsers support or execute JS, but today
> when every 3rd site completely relies on JS this is no valid point
> anymore IMHO.
> I use an onSubmit script which sets a variable before submitting. Only if
> this value is received correctly in the script is the form processed...

Do you really think a spammer will sit in front of his browser typing in all the spam? Those are scripts, and these scripts just send you data without ever considering to look at your JavaScript foo.

Tonnerre
Re: [swinog] Formmailer-Scripts and Spam
Jeroen Massar wrote:
> Matthias Hertzog wrote:
>> Hi Folks!
>> We're facing a growing amount of automatically generated HTTP POST requests, all containing spamvertising links like http://19.altribeati.com/homoerectus/
>> As far as I know, there are the following ways to handle that:
>> Does anyone out there have better ideas? How have you solved that problem?
>
> What about not having stupid scripts like formmail!? There are only very few cases where this can be useful and in those cases the destination address should be fixed. Then at least the person who is using the script gets the crap and not other people.
> There was a similar question on NANOG last couple of days, where somebody was wondering how to block the webcafe's downstream from spamming: stop it at the source. In your case that is clearly the formmail.

Even some badly written scripts with fixed recipients have been abused in the past - seen and fixed lots of 'em on my server. Often they insert a Reply-To or From header in the mail containing the sender's e-mail. If this field isn't properly validated it's very easy to send thousands of spams with header injection. So don't feel so safe if you use fixed recipients...

One thing I have been pretty successful with in blocking spam is JavaScript... Of course one can argue not all browsers support or execute JS, but today when every 3rd site completely relies on JS this is no valid point anymore IMHO.
I use an onSubmit script which sets a variable before submitting. Only if this value is received correctly in the script is the form processed...

Matt
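An added example, not code from any list member, pulling together three points made in this thread: Kirill Ponazdyr's rule that only explicitly allowed variables pass and are checked for type and size, Daniel Roethlisberger's point that fields absent from the served form must be rejected, and the header-injection hole Steven and Matt describe in Reply-To/From values taken from the form. Field names, size limits, the fixed recipient and the sample submissions are constructed, and Python stands in for the PHP most of these scripts are written in.

```python
import re
from typing import Dict, Tuple, Union

# Constructed schema: exactly the fields the HTML form contains. Anything else
# in the POST is rejected outright rather than silently stored or mailed.
ALLOWED_FIELDS = {
    # field       max length     ends up in a header?  must be one address?
    "name":    {"max_len": 80,   "in_header": True,  "address": False},
    "email":   {"max_len": 254,  "in_header": True,  "address": True},
    "message": {"max_len": 4000, "in_header": False, "address": False},
}

# Fixed destination (Jeroen's point): never taken from the submitted data.
FIXED_RECIPIENT = "webform@example.invalid"        # constructed placeholder

# A CR, LF or NUL inside a header value terminates that header and lets the
# submitter append headers of their own (extra recipients), which is the
# formmail abuse Steven's mail() patch is aimed at.
HEADER_BREAKERS = re.compile(r"[\r\n\x00]")
# Deliberately strict: one bare address, no display name, no address list.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


class RejectSubmission(Exception):
    """Raised with a short reason; the script should log it and send nothing."""


def validate_submission(post: Dict[str, str]) -> Dict[str, str]:
    """Return the cleaned fields or raise RejectSubmission on the first problem."""
    unexpected = sorted(set(post) - set(ALLOWED_FIELDS))
    if unexpected:
        raise RejectSubmission("unexpected field(s): " + ", ".join(unexpected))

    cleaned = {}
    for name, rules in ALLOWED_FIELDS.items():
        value = post.get(name, "")
        if not isinstance(value, str):
            raise RejectSubmission(f"{name}: not a string")
        if len(value) > rules["max_len"]:
            raise RejectSubmission(f"{name}: longer than {rules['max_len']} characters")
        if rules["in_header"] and HEADER_BREAKERS.search(value):
            raise RejectSubmission(f"{name}: line break in header value (header injection)")
        if rules["address"]:
            if "," in value or ";" in value:
                raise RejectSubmission(f"{name}: only one address allowed")
            if not ADDRESS_RE.match(value):
                raise RejectSubmission(f"{name}: not a plain e-mail address")
        cleaned[name] = value.strip()
    return cleaned


def build_mail(cleaned: Dict[str, str]) -> str:
    """Assemble the message: fixed To:, visitor address only in Reply-To:."""
    headers = [
        ("To", FIXED_RECIPIENT),
        ("Subject", "Web form submission"),
        ("Reply-To", cleaned["email"]),
    ]
    body = f"Name: {cleaned['name']}\n\n{cleaned['message']}"
    return "\r\n".join(f"{k}: {v}" for k, v in headers) + "\r\n\r\n" + body


def check_submission(post: Dict[str, str]) -> Tuple[bool, Union[Dict[str, str], str]]:
    """Convenience wrapper: (True, cleaned fields) or (False, rejection reason)."""
    try:
        return True, validate_submission(post)
    except RejectSubmission as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample submissions: one honest, one carrying a CRLF in the address.
    honest = {"name": "Alice", "email": "alice@example.com",
              "message": "Hello from the web form."}
    injected = dict(honest, email="alice@example.com\r\nBcc: someone@example.net")
    print(check_submission(honest))
    print(check_submission(injected))
```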
Re: [swinog] Formmailer-Scripts and Spam
Matthias Hertzog wrote:
> b) Web-user has to enter a unique number (generated image) in the form to prove he's a human being.

Works fine, but think of the visually impaired. There are captchas which provide the number also as sound. But I wouldn't use captchas on business websites, it's too annoying for the users to type in the number.

> c) Badword-Filtering in the formmail-script, some regular expressions a.s.o.

Often it helps if you give the fields "unsuspicious" names. "meinfeld4" instead of "recipient" and so on...

I use mod_security [1] with the rules from gotroot.com. mod_security blocks the spam before the form gets processed. Additionally, it protects the server from SQL injection and other attacks.

Greets,
Manuel

[1] http://www.modsecurity.org/
Re: [swinog] Formmailer-Scripts and Spam
Salut,

On Tue, Aug 15, 2006 at 05:35:26PM +0200, Matthias Hertzog wrote:
> b) Web-user has to enter a unique number (generated image) in the form to
> prove he's a human being.

The problem here is that spam bots are apparently exceptionally good already at reading these characters out of the picture. In fact, they are even better than the average human reader, that's at least my experience.

Also note this screenshot on the topic: http://www.thedailywtf.com/images/200608/look_harder.JPG

Tonnerre
Re: [swinog] Formmailer-Scripts and Spam
Matthias Hertzog wrote:
> Hi Folks!
>
> We're facing a growing amount of automatically generated HTTP POST requests, all containing spamvertising links like http://19.altribeati.com/homoerectus/
>
> As far as I know, there are the following ways to handle that:
>
> a) Spamfilter of recipient shall filter that

Thus you want to be a spam source? :) Listing this as option Z would give you some credit as simply having thought of it; having it as option A though doesn't give you the benefit of the doubt...

> b) Web-user has to enter a unique number (generated image) in the form to prove he's a human being.

Captchas are easily defeated. But they indeed deter a bit. See http://sam.zoy.org/pwntcha/ for more details. There have been people claiming that it is discrimination against folks who have bad sight/are blind etc., as they won't be able to complete it. But one can then easily claim that Flash also falls in that slot ;)

> c) Badword-Filtering in the formmail-script, some regular expressions a.s.o.

Effectively what you want to do is run SpamAssassin over the submitted content.

> Does anyone out there have better ideas? How have you solved that problem?

What about not having stupid scripts like formmail!? There are only very few cases where this can be useful and in those cases the destination address should be fixed. Then at least the person who is using the script gets the crap and not other people.

There was a similar question on NANOG last couple of days, where somebody was wondering how to block the webcafe's downstream from spamming: stop it at the source. In your case that is clearly the formmail.

Greets,
Jeroen
Re: [swinog] Formmailer-Scripts and Spam
> Hi Folks!
>
> We're facing a growing amount of automatically generated HTTP POST
> requests, all containing spamvertising links like
> http://19.altribeati.com/homoerectus/
>
> As far as I know, there are the following ways to handle that:
>
> a) Spamfilter of recipient shall filter that

What about implementing a spam filter on your host? formmail should call sendmail -i -t. You should be able to do pre-queue filtering (with milter, or with Postfix pre-queue filtering with amavis) to prevent the mail from being sent.

Regards.
Jean-Pierre

--
HILOTEC Engineering + Consulting AG
Energy Technology and Data Systems
Tel: +41 34 402 74 00 - http://www.hilotec.com/
[swinog] Formmailer-Scripts and Spam
Hi Folks!

We're facing a growing amount of automatically generated HTTP POST requests, all containing spamvertising links like http://19.altribeati.com/homoerectus/

As far as I know, there are the following ways to handle that:

a) Spamfilter of recipient shall filter that
b) Web-user has to enter a unique number (generated image) in the form to prove he's a human being.
c) Badword-Filtering in the formmail-script, some regular expressions a.s.o.

Does anyone out there have better ideas? How have you solved that problem?

Best wishes,
Matthias

_
mhs @ internet AG
Zürcherstrasse 204, CH - 9014 St. Gallen
Phone +41 71 274 93 93, Fax +41 71 274 93 94
http://www.mhs.ch
_