RE: Problem with Hackers on Donation form through Authorize.net

2013-02-18 Thread Che Vilnonis

Al, I see values like this all of the time.

In most cases, I'll see values like -1, -1' or 1' for input fields. I use a
custom function to scan all form vars and if there is a match... I typically
ban the IP address for a period of time. You'll *likely* find a pattern to
the IP addresses that are problematic. Many IP subnets are repeat offenders.

~Che
 

-Original Message-
From: Al Musella, DPM [mailto:muse...@virtualtrials.com] 
Sent: Sunday, February 17, 2013 6:38 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net


I added another filter today...
I have always checked all form submissions for the bad keywords but I
noticed that many of the attacks seem to start with them entering 1 or -1 as
the first and or last name. Probably too lazy to put more keystrokes in when
they are setting up the script.
So now if a 1 or -1 is entered in any field that has the word "name"
within the field name, they get added to my list of banned IP
addresses, and if they go to any page on any of the websites I run, they get
an error page that looks like the website is down.

Anyone else seeing a lot of form submissions with -1 or 1 as the name?



~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354560
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-17 Thread Al Musella, DPM

I added another filter today...
I have always checked all form submissions for the bad keywords but I 
noticed that many of the attacks seem to start with them entering 1 
or -1 as the first and or last name. Probably too lazy to put more 
keystrokes in when they are setting up the script.
So now if a 1 or -1 is entered in any field that has the word "name"
within the field name, they get added to my list of banned IP
addresses, and if they go to any page on any of the websites I run,
they get an error page that looks like the website is down.

Anyone else seeing a lot of form submissions with -1 or 1 as the name?


At 08:48 AM 2/16/2013, you wrote:

> What would be an appropriate length of time for a session variable
> for a hacker who's doing what you described:
>
> If they read in the form page and then submit it using a script for
> many days without re-reading the original form it will appear to the
> server that they took days to fill.
>
> Would the same hold true for session variables?


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354556
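As an added illustration of the probe-value scan and temporary IP ban that Che and Al describe (example code, not from either post, and in Python rather than CFML because the logic is language-independent): the quoted probes -1' and 1' are flagged in any field, bare 1 and -1 only in fields whose name contains "name", so a donation amount of 1 is not a false positive; bans expire after a period, and banned addresses are grouped by /24 to surface Che's repeat-offender subnets. The in-memory ban store and the sample addresses (RFC 5737 documentation ranges) are constructed for the demo.

```python
"""Probe-value scan plus temporary IP ban, as described by Che and Al.
Added example; not code from the thread. In-memory ban store assumed."""
import ipaddress
import time
from collections import Counter

# Values the thread reports in scripted submissions. The quoted forms never
# occur in honest input, so they are flagged in any field; bare 1 / -1 are
# only flagged in name fields (Al's rule) so an amount of "1" is not a hit.
QUOTED_PROBES = {"-1'", "1'"}
BARE_PROBES = {"-1", "1"}


def find_probe(form):
    """Return (field, value) of the first probe-looking field, or None."""
    for field, value in form.items():
        v = value.strip()
        if v in QUOTED_PROBES:
            return (field, v)
        if v in BARE_PROBES and "name" in field.lower():
            return (field, v)
    return None


class BanList:
    """Temporary IP bans ("for a period of time", as Che puts it). The clock
    parameter exists so the expiry logic can be tested without sleeping."""

    def __init__(self, ban_seconds=3600, clock=time.time):
        self.ban_seconds = ban_seconds
        self._clock = clock
        self._expires = {}       # ip -> expiry timestamp
        self.hits = []           # every ip that was ever banned, for reporting

    def ban(self, ip):
        self._expires[ip] = self._clock() + self.ban_seconds
        self.hits.append(ip)

    def is_banned(self, ip):
        exp = self._expires.get(ip)
        if exp is None:
            return False
        if exp <= self._clock():
            del self._expires[ip]   # ban has lapsed
            return False
        return True


def handle_submission(form, ip, bans):
    """Outcome for one POST: 'banned' (serve the fake error page, as Al does),
    'rejected' (probe found, IP now banned) or 'accepted' (pass to processing)."""
    if bans.is_banned(ip):
        return "banned"
    if find_probe(form) is not None:
        bans.ban(ip)
        return "rejected"
    return "accepted"


def subnet_hit_counts(ips, prefix=24):
    """Group banned IPv4 addresses by /prefix to spot Che's repeat-offender
    subnets. Returns a Counter keyed by network, e.g. '203.0.113.0/24'."""
    counts = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic using RFC 5737 documentation addresses.
    bans = BanList(ban_seconds=600)
    sample = [
        ({"firstname": "1", "lastname": "-1", "amount": "25"}, "203.0.113.5"),
        ({"firstname": "Bob", "lastname": "Lee", "amount": "50"}, "203.0.113.5"),
        ({"firstname": "Alice", "lastname": "Ng", "amount": "1"}, "198.51.100.7"),
        ({"firstname": "x", "comment": "1'"}, "203.0.113.9"),
    ]
    for form, ip in sample:
        print(ip, handle_submission(form, ip, bans))
    print(subnet_hit_counts(bans.hits))
```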


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-17 Thread Les Mizzell

> Anyone else seeing a lot of form submissions with -1 or 1 as the name?

Yup - I get that sometimes.

Or, an attempt to enter the same web or email address entered into EVERY 
field.

And I'm still getting weird *something* errors sent to me from a
site that look like:

mypate.cfm?action=whateverResult:+no+post+sending+forms+are+found;

What the heck is that?

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354557


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-16 Thread Rick Faircloth

What would be an appropriate length of time for a session variable
for a hacker who's doing what you described:

If they read in the form page and then submit it using a script for 
many days without re-reading the original form it will appear to the 
server that they took days to fill.

Would the same hold true for session variables?


-Original Message-
From: Al Musella, DPM [mailto:muse...@virtualtrials.com] 
Sent: Friday, February 15, 2013 11:18 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net


If they read in the form page and then submit it using a script for 
many days without re-reading the original form, it will appear to the 
server that they took days to fill.  So testing for more than a few 
hours should be good...

Sessions might work but they should expire quickly... then if the 
session variable is not present you know they took too long.


At 10:04 PM 2/15/2013, you wrote:
> You mean, by staying on the page so long that it's an indication
> that he's hacking the form or the cfc method that does the processing
> instead of doing a normal form submit like a typical user would?
>
> And what if the hacker has cookies disabled? And are you suggesting that
> a session variable wouldn't be as good as a cookie?
>
> Thanks for the feedback...
>
> Rick




Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354554


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-16 Thread Al Musella, DPM

You can set the session timeout to about 45 minutes and it should 
work. If they try to submit the page using the same session the 
next day, it will time out.

At 08:48 AM 2/16/2013, Rick Faircloth wrote:

> What would be an appropriate length of time for a session variable
> for a hacker who's doing what you described:
>
> If they read in the form page and then submit it using a script for
> many days without re-reading the original form it will appear to the
> server that they took days to fill.
>
> Would the same hold true for session variables?


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354555


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-15 Thread Revolution

CFFormProtect works well (for me).

I need a PHP version of this. I'm sure there's one out there.

May have to write my own.

Your blog is running CF?



-Original Message-
From: Raymond Camden [mailto:raymondcam...@gmail.com] 
Sent: Monday, February 11, 2013 11:46 AM
To: cf-talk
Subject: Re: Problem with Hackers on Donation form through Authorize.net


As an FYI, my blog never had a lot of spam, but it was pretty regular. When
I started using CFFP, it dropped dramatically. I can't even remember my last
spam comment.


On Mon, Feb 11, 2013 at 10:43 AM, Rick Faircloth
r...@whitestonemedia.com wrote:

> Thanks for the recommendation, Dave.
>
> It seems like an all-in-one approach, like CFFormProtect, might be
> the only way to beat this thing!
>
> I'll go check it out...
>
> Rick
>
> -Original Message-
> From: Dave Watts [mailto:dwa...@figleaf.com]
> Sent: Monday, February 11, 2013 11:30 AM
> To: cf-talk
> Subject: Re: Problem with Hackers on Donation form through
> Authorize.net
>
> > I realize that if someone is hiring cheap human labor for $1 per day
> > to sit and enter form info, that I can't stop that, but if it is
> > bots doing the spamming, will making CF captcha more difficult to
> > read have a good chance of stopping the bots, or do I need to get
> > with reCaptcha.  I like using CF's solution, because I can code it
> > myself.  But if it doesn't work...
>
> I recommend you use this instead of any CAPTCHA:
>
> http://cfformprotect.riaforge.org/
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA
> Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354531


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-15 Thread Raymond Camden

My blog? Running CF? Wow. Um, yes. :) Running BlogCFC, an open source
blog-ware.




On Fri, Feb 15, 2013 at 7:05 AM, Revolution
houseoffusion_...@internetemail.info wrote:

> CFFormProtect works well (for me).
>
> I need a PHP version of this. I'm sure there's one out there.
>
> May have to write my own.
>
> Your blog is running CF?
>
> -Original Message-
> From: Raymond Camden [mailto:raymondcam...@gmail.com]
> Sent: Monday, February 11, 2013 11:46 AM
> To: cf-talk
> Subject: Re: Problem with Hackers on Donation form through Authorize.net
>
> As an FYI, my blog never had a lot of spam, but it was pretty regular. When
> I started using CFFP, it dropped dramatically. I can't even remember my
> last spam comment.
>
> On Mon, Feb 11, 2013 at 10:43 AM, Rick Faircloth
> r...@whitestonemedia.com wrote:
>
> > Thanks for the recommendation, Dave.
> >
> > It seems like an all-in-one approach, like CFFormProtect, might be
> > the only way to beat this thing!
> >
> > I'll go check it out...
> >
> > Rick
> >
> > -Original Message-
> > From: Dave Watts [mailto:dwa...@figleaf.com]
> > Sent: Monday, February 11, 2013 11:30 AM
> > To: cf-talk
> > Subject: Re: Problem with Hackers on Donation form through
> > Authorize.net
> >
> > > I realize that if someone is hiring cheap human labor for $1 per day
> > > to sit and enter form info, that I can't stop that, but if it is
> > > bots doing the spamming, will making CF captcha more difficult to
> > > read have a good chance of stopping the bots, or do I need to get
> > > with reCaptcha.  I like using CF's solution, because I can code it
> > > myself.  But if it doesn't work...
> >
> > I recommend you use this instead of any CAPTCHA:
> >
> > http://cfformprotect.riaforge.org/
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA
> > Schedule, and provides the highest caliber vendor-authorized
> > instruction at our training centers, online, or onsite.


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354538


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-15 Thread Al Musella, DPM

You have to be careful not to interfere with normal donations.
When I fill out forms using chrome, chrome fills in my name, address 
and phone number.  It might take me only 15 seconds to fill out my 
donation form..

You can determine if he bypasses your form by setting a cookie on the 
form page with the datestamp encrypted... and check it on the 
processing page. You can tell how much time from form page load to 
submit. If it is more than about an hour, he probably didn't fill out 
the form and submit it as you would expect.




The hacking has slowed down some; there's only been three or four attempts
in the last couple of days. Nothing I've done, since it's apparently
a human hacker, and the only thing I'm using now is a CF-generated captcha
set to medium. So, that's not stopping the hacker. Perhaps the hacker has
just moved on to another target for awhile.

When (not if...) it starts up again, I'm going to try the javascript timing
function, timing when a form element is first clicked and making sure it takes
at least 2 minutes until the form is submitted, or I'll fail the transaction.

None of the hacker's attempts have taken more than about 1 min 15 sec, and
most are about 15-30 seconds, so, hopefully, that will be just enough of an
irritant to run the hacker off.

If the hacker is bypassing my form, however, which depends on javascript to
function, and is attacking my CFC which submits the form when all CF validation
is passed via CFHTTP, I wonder if the hacker can still submit the form with
javascript turned off? How would I go about determining just what the hacker's
process is?

And if the hacker has disabled javascript, I guess I can use a session variable
in CF to check the time for the start and end of form input. But if he's (or she's)
attacking the CFC method directly, would the form timing even be relevant?

I wish I could send enough of an electric shock through hackers' keyboards
to knock them out for an hour...maybe someday. I can only hope!


-Original Message-
From: UXB [mailto:denn...@uxbinternet.com]
Sent: Wednesday, February 13, 2013 9:23 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net


> Part of the verification in the processing can be reliant upon something
> executing in JavaScript and being passed in with the form submission.

While I do not disagree with your statements, anything that is part of the
form data that can be generated by JavaScript can be submitted without it
by, as you said, capturing a real form submission and then simulating it.
The final protection has to be server side because you cannot rely on the
data sent by the client.

> The idea with these kinds of protections is to make it sufficiently
> inconvenient for an attacker to go to the trouble and move on to the next
> guy who is easier to exploit.

> Abuse can be a hard problem to solve.

Very!  It is almost always proportional to the potential gain of the abuse.
In Rick's case there is a fairly high financial gain to be had by the
verification of credit card numbers.

Like you, we had a donation page for a client and they too were getting a
large number of abusive submissions until we put it behind a signup/login
page that required a valid email address and an easy to read captcha.  In
that case it solved the issue and they had no more problems, but then they
were clearing the CC numbers manually so there was always human oversight.


Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com







Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354543


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-15 Thread Rick Faircloth

> You have to be careful not to interfere with normal donations.
> When I fill out forms using chrome, chrome fills in my name, address
> and phone number.  It might take me only 15 seconds to fill out my
> donation form..

Yes, I've thought about that. There's some sections of the form that
are only shown if a user answers a question a certain way, so that does
take a little longer, even with autofill.

I had a few hack attempts today, and some of them were submitted faster
than the Javascript time limit imposed, so the hacker must have JS turned off.

A few other attempts were stopped by the captcha, so there must be a bot
involved in some attempts, as well.

> You can determine if he bypasses your form by setting a cookie on the
> form page with the datestamp encrypted... and check it on the
> processing page.  You can tell how much time from form page load to
> submit. If it is more than about an hour, he probably didn't fill out
> the form and submit it as you would expect.

You mean, by staying on the page so long that it's an indication
that he's hacking the form or the cfc method that does the processing
instead of doing a normal form submit like a typical user would?

And what if the hacker has cookies disabled? And are you suggesting that
a session variable wouldn't be as good as a cookie?
 
Thanks for the feedback...

Rick


-Original Message-
From: Al Musella, DPM [mailto:muse...@virtualtrials.com] 
Sent: Friday, February 15, 2013 7:21 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net


You have to be careful not to interfere with normal donations.
When I fill out forms using chrome, chrome fills in my name, address 
and phone number.  It might take me only 15 seconds to fill out my 
donation form..

You can determine if he bypasses your form by setting a cookie on the 
form page with the datestamp encrypted... and check it on the 
processing page. You can tell how much time from form page load to 
submit. If it is more than about an hour, he probably didn't fill out 
the form and submit it as you would expect.




The hacking has slowed down some; there's only been three or four attempts
in the last couple of days. Nothing I've done, since it's apparently
a human hacker, and the only thing I'm using now is a CF-generated captcha
set to medium. So, that's not stopping the hacker. Perhaps the hacker has
just moved on to another target for awhile.

When (not if...) it starts up again, I'm going to try the javascript timing
function, timing when a form element is first clicked and making sure it takes
at least 2 minutes until the form is submitted, or I'll fail the transaction.

None of the hacker's attempts have taken more than about 1 min 15 sec, and
most are about 15-30 seconds, so, hopefully, that will be just enough of an
irritant to run the hacker off.

If the hacker is bypassing my form, however, which depends on javascript to
function, and is attacking my CFC which submits the form when all CF validation
is passed via CFHTTP, I wonder if the hacker can still submit the form with
javascript turned off? How would I go about determining just what the hacker's
process is?

And if the hacker has disabled javascript, I guess I can use a session variable
in CF to check the time for the start and end of form input. But if he's (or she's)
attacking the CFC method directly, would the form timing even be relevant?

I wish I could send enough of an electric shock through hackers' keyboards
to knock them out for an hour...maybe someday. I can only hope!


-Original Message-
From: UXB [mailto:denn...@uxbinternet.com]
Sent: Wednesday, February 13, 2013 9:23 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net


> Part of the verification in the processing can be reliant upon something
> executing in JavaScript and being passed in with the form submission.

While I do not disagree with your statements, anything that is part of the
form data that can be generated by JavaScript can be submitted without it
by, as you said, capturing a real form submission and then simulating it.
The final protection has to be server side because you cannot rely on the
data sent by the client.

> The idea with these kinds of protections is to make it sufficiently
> inconvenient for an attacker to go to the trouble and move on to the next
> guy who is easier to exploit.

> Abuse can be a hard problem to solve.

Very!  It is almost always proportional to the potential gain of the abuse.
In Rick's case there is a fairly high financial gain to be had by the
verification of credit card numbers.

Like you, we had a donation page for a client and they too were getting a
large number of abusive submissions until we put it behind a signup/login
page that required a valid email address and an easy to read captcha.  In
that case it solved the issue and they had no more problems, but then they
were clearing the CC numbers manually so there was always human

RE: Problem with Hackers on Donation form through Authorize.net

2013-02-15 Thread Al Musella, DPM

If they read in the form page and then submit it using a script for 
many days without re-reading the original form, it will appear to the 
server that they took days to fill.  So testing for more than a few 
hours should be good...

Sessions might work but they should expire quickly... then if the 
session variable is not present you know they took too long.


At 10:04 PM 2/15/2013, you wrote:
> You mean, by staying on the page so long that it's an indication
> that he's hacking the form or the cfc method that does the processing
> instead of doing a normal form submit like a typical user would?
>
> And what if the hacker has cookies disabled? And are you suggesting that
> a session variable wouldn't be as good as a cookie?
>
> Thanks for the feedback...
>
> Rick


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354553
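An added example (not code from the thread, and Python in place of CFML) of the timing check Al describes earlier with his encrypted-datestamp cookie and the elapsed-time limits discussed here: a timestamp is issued with the form page and checked on the processing page against both Rick's 2-minute floor and Al's roughly one-hour ceiling. It uses an HMAC signature instead of the encryption Al mentions, since integrity rather than secrecy is what the check needs, and burns a per-token nonce so a captured submission cannot be replayed within the window (Dennis's point); SECRET and the form id are placeholders, and the value can travel in a hidden field as well as a cookie for visitors with cookies disabled.

```python
"""Signed form-page timestamp: issued when the form is served, checked when it
is processed. Added example; not code from the cf-talk thread."""
import base64
import hashlib
import hmac
import os
import time

# Placeholder key: a real deployment reads this from configuration, not source.
SECRET = b"constructed-demo-secret-replace-me"

MIN_SECONDS = 120     # Rick's floor: anything faster than 2 minutes looks scripted
MAX_SECONDS = 3600    # Al's ceiling: a token older than about an hour was probably captured


def issue_token(form_id, now=None, secret=SECRET):
    """Mint the value to store in the form-page cookie (or a hidden field).
    Payload is form id, issue time and a random nonce; signature covers all three."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(8).hex()
    payload = f"{form_id}|{ts}|{nonce}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    b64 = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{b64}.{sig}"


def check_token(token, form_id, now=None, seen_nonces=None,
                min_seconds=MIN_SECONDS, max_seconds=MAX_SECONDS, secret=SECRET):
    """Verify a token on the processing page. Returns (accepted, reason);
    the reason is for the server log, not for the client."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return (False, "malformed")
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time compare; a forged or edited token fails here.
    if not hmac.compare_digest(sig, expected):
        return (False, "bad-signature")
    fid, ts, nonce = payload.decode().split("|")
    if fid != form_id:
        return (False, "wrong-form")
    elapsed = (time.time() if now is None else now) - int(ts)
    if elapsed < min_seconds:
        return (False, "too-fast")
    if elapsed > max_seconds:
        return (False, "stale")
    # A captured real submission can be replayed verbatim; burning the nonce
    # makes each issued token single-use. seen_nonces is an in-memory stand-in
    # for whatever store the server uses.
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return (False, "replayed")
        seen_nonces.add(nonce)
    return (True, "ok")


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("donate", now=t0)
    for delay in (30, 300, 3 * 86400):
        print(delay, check_token(tok, "donate", now=t0 + delay))
```

A scripted client can still fetch the form page, wait, and post; this enforces the timing window Al and Rick discuss, not humanness.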


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-14 Thread UXB

> I wonder if the hacker can still submit the form with JavaScript turned off?
> How would I go about determining just what the hacker's process is?

At a base level they can copy your form page to their local server, then
manipulate the form, submitting it to your CFC directly.  I have seen people
even write scripts to open the form page to obtain the server generated
settings in the form and then repost them back with scripted manipulated
fields.

As Justin so aptly said: Abuse can be a hard problem to solve.

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354515


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-13 Thread Rick Faircloth

Thanks for the feedback, Justin...

-Original Message-
From: Justin Scott [mailto:leviat...@darktech.org] 
Sent: Tuesday, February 12, 2013 6:01 PM
To: cf-talk
Subject: Re: Problem with Hackers on Donation form through Authorize.net


> Forget the form page; the bots/humans are not even seeing it. They are
> attacking your processing CFC directly.  Your protection has to be server
> side since any JavaScript on the form page is ignored. They are
> submitting form data directly to your CFC processing page.

Part of the verification in the processing can be reliant upon
something executing in JavaScript and being passed in with the form
submission.  This is how CFFormProtect works (looks for and tracks
timing, keystrokes, mouse movement, etc.).  This data is tracked and
passed in to the form and the server runs checks against it to
determine whether the script ran and events occurred that you would
expect to see in a real environment vs. an automated script (it does
have some server-side checks as well such as Akismet lookups, etc.).

It is true that an attacker could capture one real submission
between the browser and the server and modify their scripts to submit
the appropriate data to make it appear as though a script ran and
those form fields were populated naturally when they actually weren't,
though an attacker would need to be pretty persistent to go through
all that trouble.

The idea with these kinds of protections is to make it sufficiently
inconvenient for an attacker to go to the trouble and move on to the
next guy who is easier to exploit.

One of the sites I ran years ago had a problem with people scripting
the signup process to generate accounts (even to the point of
generating e-mail accounts to use for the e-mail validation process).
We really didn't want to use a CAPTCHA, so we ended up randomizing the
form field names (and creating a map of the random names to the real
names as a session variable when the form was generated so we could
match them back up when it was submitted).  This prevented the process
script from being hit directly and would have forced them to load the
actual signup page first, parse all the fieldnames out, and then run
the submission again.  They could have automated this as well, but
never did (perhaps because it was too inconvenient and there were
easier targets to go after).

The earlier idea of automatically rejecting transactions and
transparently showing a reject notice after a couple of failures is a
good anti-abuse measure in this instance.  If logs are being kept,
they can be reviewed periodically and anyone who looks like they may
have been accidentally rejected can be contacted again later to
recapture their donation if needed.  Abuse can be a hard problem to
solve.


-Justin



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354493
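The randomized field-name scheme Justin describes, as an added Python example (not Justin's code or CFFormProtect's): a random-to-real name map is minted when the form page is generated and kept server-side (the session, in Justin's case), and a submission is accepted only if it uses those names, which a script posting the real names straight to the processing CFC never saw. The field list and the dict standing in for the session are assumptions.

```python
"""Per-session randomized form field names, as Justin describes. Added
example; not Justin's or CFFormProtect's code. Field list and the session
dict are assumptions."""
import secrets

# Real field names the processing code expects (assumed for the example).
REAL_FIELDS = ["first_name", "last_name", "email", "amount"]


def issue_field_map(real_fields=REAL_FIELDS):
    """Called when the form page is generated. Returns {random_name: real_name};
    store it in the session and render the form with the random names."""
    return {"f_" + secrets.token_hex(6): real for real in real_fields}


def render_inputs(field_map):
    """HTML for the inputs using the random names (hex, so attribute-safe)."""
    return "\n".join(
        f'<label>{real}: <input type="text" name="{rnd}"></label>'
        for rnd, real in field_map.items()
    )


def demangle_submission(posted, field_map, ignore=("submit",)):
    """Map a posted form back to real names. Returns (fields, reason).
    Anything not minted for this session is rejected: a script that posts the
    real names straight to the processing page never loaded the form page."""
    if not field_map:
        return (None, "no-session-map")
    real_names = set(field_map.values())
    fields = {}
    for name, value in posted.items():
        if name in ignore:
            continue
        if name in field_map:
            fields[field_map[name]] = value
        elif name in real_names:
            return (None, f"real-field-name:{name}")
        else:
            return (None, f"unknown-field:{name}")
    missing = real_names - fields.keys()
    if missing:
        return (None, "missing:" + ",".join(sorted(missing)))
    return (fields, "ok")


def process(session, posted):
    """One request on the processing page. The map is removed from the session
    after use so a captured submission cannot be replayed against it."""
    field_map = session.pop("field_map", None)
    return demangle_submission(posted, field_map or {})


if __name__ == "__main__":
    session = {}                       # stand-in for the server-side session
    session["field_map"] = issue_field_map()
    print(render_inputs(session["field_map"]))
    # A browser that loaded the page echoes the random names back.
    browser_post = {rnd: "x" for rnd in session["field_map"]}
    print(process(session, browser_post))
    # The same post again: the map is gone, so it is rejected.
    print(process(session, browser_post))
```

As Justin notes, a persistent script can still load the page, parse the names out and post them; this only forces that extra round trip per submission.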


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-13 Thread Rick Faircloth

Thanks, Dennis!

-Original Message-
From: UXB [mailto:denn...@uxbinternet.com] 
Sent: Tuesday, February 12, 2013 5:31 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net


> button for my form is just a regular button that triggers an AJAX
> function that sends the data to a CFC for further processing and then
> submission

Forget the form page; the bots/humans are not even seeing it. They are
attacking your processing CFC directly.  Your protection has to be server
side since any JavaScript on the form page is ignored. They are
submitting form data directly to your CFC processing page.



Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com






Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354494


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-13 Thread UXB

> Part of the verification in the processing can be reliant upon something
> executing in JavaScript and being passed in with the form submission.

While I do not disagree with your statements, anything that is part of the
form data that can be generated by JavaScript can be submitted without it
by, as you said, capturing a real form submission and then simulating it.
The final protection has to be server side because you cannot rely on the
data sent by the client.

> The idea with these kinds of protections is to make it sufficiently
> inconvenient for an attacker to go to the trouble and move on to the next
> guy who is easier to exploit.

> Abuse can be a hard problem to solve.

Very!  It is almost always proportional to the potential gain of the abuse.
In Rick's case there is a fairly high financial gain to be had by the
verification of credit card numbers.

Like you, we had a donation page for a client and they too were getting a
large number of abusive submissions until we put it behind a signup/login
page that required a valid email address and an easy to read captcha.  In
that case it solved the issue and they had no more problems, but then they
were clearing the CC numbers manually so there was always human oversight.


Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354497


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-13 Thread Rick Faircloth

The hacking has slowed down some; there's only been three or four attempts
in the last couple of days. Nothing I've done, since it's apparently
a human hacker, and the only thing I'm using now is a CF-generated captcha
set to medium. So, that's not stopping the hacker. Perhaps the hacker has
just moved on to another target for awhile.

When (not if...) it starts up again, I'm going to try the javascript timing
function, timing when a form element is first clicked and making sure it takes
at least 2 minutes until the form is submitted, or I'll fail the transaction.

None of the hacker's attempts have taken more than about 1 min 15 sec, and
most are about 15-30 seconds, so, hopefully, that will be just enough of an
irritant to run the hacker off.

If the hacker is bypassing my form, however, which depends on javascript to
function, and is attacking my CFC which submits the form when all CF validation
is passed via CFHTTP, I wonder if the hacker can still submit the form with
javascript turned off? How would I go about determining just what the hacker's
process is?

And if the hacker has disabled javascript, I guess I can use a session variable
in CF to check the time for the start and end of form input. But if he's (or she's)
attacking the CFC method directly, would the form timing even be relevant?

I wish I could send enough of an electric shock through hackers' keyboards
to knock them out for an hour...maybe someday. I can only hope!


-Original Message-
From: UXB [mailto:denn...@uxbinternet.com] 
Sent: Wednesday, February 13, 2013 9:23 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net


> Part of the verification in the processing can be reliant upon something
> executing in JavaScript and being passed in with the form submission.

While I do not disagree with your statements, anything that is part of the
form data that can be generated by JavaScript can be submitted without it
by, as you said, capturing a real form submission and then simulating it.
The final protection has to be server side because you cannot rely on the
data sent by the client.

> The idea with these kinds of protections is to make it sufficiently
> inconvenient for an attacker to go to the trouble and move on to the next
> guy who is easier to exploit.

> Abuse can be a hard problem to solve.

Very!  It is almost always proportional to the potential gain of the abuse.
In Rick's case there is a fairly high financial gain to be had by the
verification of credit card numbers.

Like you, we had a donation page for a client and they too were getting a
large number of abusive submissions until we put it behind a signup/login
page that required a valid email address and an easy to read captcha.  In
that case it solved the issue and they had no more problems, but then they
were clearing the CC numbers manually so there was always human oversight.


Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com





Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354498


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-12 Thread Rick Faircloth

Looks interesting. IP-based blocking may be a good way to go
for my donation form.

-Original Message-
From: Al Musella, DPM [mailto:muse...@virtualtrials.com] 
Sent: Tuesday, February 12, 2013 12:07 AM
To: cf-talk
Subject: Re: Problem with Hackers on Donation form through Authorize.net


I came across an interesting way to get the country from the IP 
address.. http://www.mximize.com/getting-country-by-ip-based-on-geolite
I might set this up and block non North American IPs...


At 04:43 PM 2/11/2013, Les Mizzell wrote:

One site of mine for a dance company used to get a ton of spam through
contact forms. Everybody hated CAPTCHA, so I put a simple question with
radio button choices:

A cow goes?
a. quack
b. woof
c. moo
d. chirp

VERY low tech, but believe it or not, we've not gotten a single piece of
bot spam since!

Wouldn't advise this for most uses though...




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354475


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-12 Thread Rick Faircloth

Another good thought! Thanks!

-Original Message-
From: Byron Mann [mailto:byronos...@gmail.com] 
Sent: Tuesday, February 12, 2013 1:57 AM
To: cf-talk
Subject: Re: Problem with Hackers on Donation form through Authorize.net


A fairly inexpensive and easy to implement fraud screening service is
maxmind minfraud.

It's something like 0.005 per transaction methinks.

Another method I didn't see in the thread was doing an email confirmation
before performing the cc transaction. Like  send an email to the user with
a unique ID the user must click to verify a legit email address was used.

Can still be bot'd but requires a bit more work on their part, which might
be enough discourage since there are a lot of other places for them to go
do their dirtiness.

Byron Mann
Lead Engineer  Architect
HostMySite.com



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354476


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-12 Thread Peter Donahue

Good morning everyone,

That verification solution will also work with screen readers, making it
possible for disabled Web surfers to use that form. Good going, although
CFFormProtect would eliminate the captcha altogether.

Peter Donahue


- Original Message - 
From: Al Musella, DPM muse...@virtualtrials.com
To: cf-talk cf-talk@houseoffusion.com
Sent: Monday, February 11, 2013 11:06 PM
Subject: Re: Problem with Hackers on Donation form through Authorize.net



I came across an interesting way to get the country from the IP
address.. http://www.mximize.com/getting-country-by-ip-based-on-geolite
I might set this up and block non North American IPs...


At 04:43 PM 2/11/2013, Les Mizzell wrote:

One site of mine for a dance company used to get a ton of spam through
contact forms. Everybody hated CAPTCHA, so I put a simple question with
radio button choices:

A cow goes?
a. quack
b. woof
c. moo
d. chirp

VERY low tech, but believe it or not, we've not gotten a single piece of
bot spam since!

Wouldn't advise this for most uses though...




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354478


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-12 Thread Al Musella, DPM

You're right, we do routinely get real donations from a few
places like Puerto Rico and Mexico (which both happen to be part of
North America)... as well as most of Europe and Japan. We actually
got real donations from China and even Nigeria, so we can't block any
country outright.

So I am not going to bother blocking countries.
We had another run of someone trying yesterday.. I detected it on
the 3rd attempt (all of which failed).. then he (or she) tried about
30 more times where I just sent the fake failure notice without
letting it hit the credit card processor.




> On 2/12/2013 12:06 PM, Al Musella, DPM wrote:
>> I came across an interesting way to get the country from the IP
>> address.. http://www.mximize.com/getting-country-by-ip-based-on-geolite
>> I might set this up and block non North American IPs...
>
> I would check w/your client first. Not everybody outside NA is bent on
> conducting fraud. And will you exclude users from Mexico, Puerto Rico, etc.?
>
> And keep in mind that IP-to-country conversion isn't fool-proof as it is,
> never mind when folks actively try to defeat it.





Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354480


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-12 Thread Justin Scott

> We had another run of someone trying yesterday.. I detected it on
> the 3rd attempt (all of which failed).. then he (or she) tried about
> 30 more times where I just sent the fake failure notice without
> letting it hit the credit card processor.

I like this approach on two fronts.  First it protects you and your
merchant account, and second it gives the attacker a false negative on
card numbers that may have been otherwise valid which could help save
the cardholder from a lot of bogus charges down the line.


-Justin
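Al's "fake failure notice" rule (stop forwarding after the 3rd failed attempt) and Justin's two points about it, protecting the merchant account and keeping logs that can be reviewed for donors who were rejected by accident, can be put together in one small server-side gate. The following is an added example, not code from this thread or from CFFormProtect; it is written in Python rather than CFML so the logic can be run stand-alone, and the gateway call, the 3-failure limit, the one-hour window, the source addresses and the card numbers are all constructed for the illustration.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 3        # Al's rule: after the 3rd failed attempt, stop forwarding
WINDOW_SECONDS = 3600   # failures older than this no longer count against a source
DECLINE_MESSAGE = "Transaction declined."  # same text a real gateway failure shows


class DonationGate:
    """Sits between the form handler and the payment processor.

    charge_fn(form) is the real gateway call (for Rick, the cfhttp post to
    Authorize.net); it must return (approved, message). It is injected here
    so the behaviour can be exercised offline with a stand-in.
    """

    def __init__(self, charge_fn, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, clock=time.time):
        self.charge_fn = charge_fn
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self.failures = defaultdict(deque)   # source -> recent failure timestamps
        self.log = []                        # constructed in-memory log for review
        self.gateway_calls = 0               # how often the processor was contacted

    def _recent_failures(self, source, now):
        q = self.failures[source]
        while q and now - q[0] > self.window:
            q.popleft()                      # drop failures outside the window
        return len(q)

    def submit(self, source, form):
        """source identifies the submitter (client IP, session id, ...).
        Returns the response the form handler sends back to the browser."""
        now = self.clock()
        if self._recent_failures(source, now) >= self.max_failures:
            # Over the limit: answer with the canned decline and never touch
            # the processor, so the submitter learns nothing about the card.
            self.log.append({"time": now, "source": source,
                             "outcome": "blocked", "form": self._redact(form)})
            return {"approved": False, "message": DECLINE_MESSAGE}

        approved, message = self.charge_fn(form)
        self.gateway_calls += 1
        if not approved:
            self.failures[source].append(now)
        self.log.append({"time": now, "source": source,
                         "outcome": "approved" if approved else "declined",
                         "form": self._redact(form)})
        return {"approved": approved,
                "message": message if approved else DECLINE_MESSAGE}

    def blocked_entries(self):
        """Entries to review periodically: a genuine donor who hit the limit
        (say, a mistyped card) can be contacted later and the gift recaptured."""
        return [e for e in self.log if e["outcome"] == "blocked"]

    @staticmethod
    def _redact(form):
        # Keep contact details for follow-up; never log the card number.
        return {k: v for k, v in form.items() if k in ("name", "email", "amount")}


def demo():
    """Constructed scenario: one source cycles through bad cards and then a
    good one; a second source donates normally. Returns the gate and results."""
    clock = [1_000_000.0]

    def fake_gateway(form):
        # Constructed stand-in for the processor: only this test number approves.
        return (form["card"] == "4111111111111111", "Approved")

    gate = DonationGate(fake_gateway, clock=lambda: clock[0])
    attacker = "198.51.100.7"        # RFC 5737 documentation address
    results = []
    for card in ("4000000000000002", "4000000000000010",
                 "4000000000000028", "4111111111111111"):
        results.append(gate.submit(attacker, {"name": "1", "email": "x@example.com",
                                              "amount": "5", "card": card}))
        clock[0] += 20.0             # attempts arrive 20 seconds apart
    donor = gate.submit("203.0.113.5", {"name": "Jane Donor",
                                       "email": "jane@example.com",
                                       "amount": "50", "card": "4111111111111111"})
    return gate, results, donor
```

In the constructed run the fourth attempt from the abusive source carries a card the stand-in gateway would approve, but it is blocked without a gateway call and gets the same decline text as the real failures, which is the "false negative" Justin describes; the second source is unaffected, and the blocked entry is in the log without the card number.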

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354481


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-12 Thread Rick Faircloth

All of my attempts over the last couple of months
have been under 2 minutes apart.

It takes a lot longer than that to fill out the donation form.

I think I'm going to try a timing function to determine
the time of the first click of the form and the click of the
submit button, and if the time is less than 12ms (2 minutes),
I'm going to reject the submission.

Nothing else is working, I might as well try that.  If it's a bot
doing the spamming, it probably won't wait. If it's a person doing
the spamming, they won't know why they're getting the failure notice.

Any problems with this approach?



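Rick asks twice whether form timing is of any use when the processing CFC is hit directly: first when wondering about a session variable for start and end of input, and here with the two-minute threshold. The answer is yes, provided the processor refuses any submission that does not carry a render-time token it issued itself; then a direct post has no valid token, and the timing is measured against a timestamp the client cannot back-date. The following is an added example, not code from this thread or from CFFormProtect; it is in Python rather than CFML, and the secret, the two-minute minimum, the one-hour maximum age and the token layout are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed secret for this example. A real deployment generates it on the
# server (for instance at application start) and never sends it to the browser.
SERVER_SECRET = b"example-only-secret"

MIN_FILL_SECONDS = 120        # Rick's threshold: under two minutes is suspicious
MAX_TOKEN_AGE_SECONDS = 3600  # a form rendered over an hour ago must be reloaded


def _sign(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Called when the form page is rendered. The returned token goes into a
    hidden field (or the AJAX payload) and must come back with the submission.
    It carries the render time and a nonce, signed so the client cannot
    back-date it to fake a slow fill."""
    ts = int(now if now is not None else time.time())
    nonce = os.urandom(8).hex()
    payload = f"{ts}:{nonce}"
    return f"{payload}:{_sign(payload)}"


def check_form_token(token, now=None, used_nonces=None):
    """Called by the processing endpoint before anything goes to the gateway.
    Returns (ok, reason). used_nonces, if given, is a server-side set that
    makes each token single-use, so a captured token cannot be replayed once
    it is old enough to pass the timing check."""
    now = now if now is not None else time.time()
    if not isinstance(token, str) or not token.isascii():
        return False, "missing or malformed token"
    parts = token.split(":")
    if len(parts) != 3:
        return False, "malformed token"
    ts_str, nonce, sig = parts
    # Constant-time comparison; the signature covers timestamp and nonce.
    if not hmac.compare_digest(sig, _sign(f"{ts_str}:{nonce}")):
        return False, "bad signature"
    try:
        ts = int(ts_str)
    except ValueError:
        return False, "malformed timestamp"
    elapsed = now - ts
    if elapsed < 0:
        return False, "render time is in the future"
    if elapsed > MAX_TOKEN_AGE_SECONDS:
        return False, "token expired"
    if elapsed < MIN_FILL_SECONDS:
        return False, f"submitted {elapsed:.0f}s after render, too fast"
    if used_nonces is not None:
        if nonce in used_nonces:
            return False, "token already used"
        used_nonces.add(nonce)
    return True, "ok"
```

The check runs in the processor, not in the page's JavaScript, so it applies equally to a browser with scripting off and to a script posting straight to the CFC. A genuine donor who takes longer than an hour simply reloads the form; a too-fast submission gets the same failure notice Rick already sends.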


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354482


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-12 Thread Rick Faircloth

Sometimes I hate this work... even though I've got it made as a
freelancer. I still hate this work at times. Maybe I'll just go
work at Lowes...




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354483


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-12 Thread Claude Schnéegans

> If so, this won't work because I don't use an actual button with
> a type of submit. The submit button for my form is just a regular
> button that triggers an AJAX function that sends the data to a CFC
> for further processing and then submission in the CFC to Authorize.net.

From this you can conclude at 99% that the spammers are human.
Bots are very unlikely to execute Ajax functions, or even any JavaScript.
Then Captcha won't help.




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354484


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-12 Thread UXB

> button for my form is just a regular button that triggers an AJAX
> function that sends the data to a CFC for further processing and then
> submission

Forget the form page; the bots/humans are not even seeing it. They are
attacking your processing CFC directly.  Your protection has to be server
side since any JavaScript on the form page is ignored. They are
submitting form data directly to your CFC processing page.



Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354486


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-12 Thread Justin Scott

> Forget the form page; the bots/humans are not even seeing it. They are
> attacking your processing CFC directly.  Your protection has to be server
> side since any JavaScript on the form page is ignored. They are
> submitting form data directly to your CFC processing page.

Part of the verification in the processing can be reliant upon
something executing in JavaScript and being passed in with the form
submission.  This is how CFFormProtect works (looks for and tracks
timing, keystrokes, mouse movement, etc.).  This data is tracked and
passed in to the form and the server runs checks against it to
determine whether the script ran and events occurred that you would
expect to see in a real environment vs. an automated script (it does
have some server-side checks as well such as Akismet lookups, etc.).

It is true that an attacker could capture one real submission
between the browser and the server and modify their scripts to submit
the appropriate data to make it appear as though a script ran and
those form fields were populated naturally when they actually weren't,
though an attacker would need to be pretty persistent to go through
all that trouble.

The idea with these kinds of protections is to make it sufficiently
inconvenient for an attacker to go to the trouble and move on to the
next guy who is easier to exploit.

One of the sites I ran years ago had a problem with people scripting
the signup process to generate accounts (even to the point of
generating e-mail accounts to use for the e-mail validation process).
We really didn't want to use a CAPTCHA, so we ended up randomizing the
form field names (and creating a map of the random names to the real
names as a session variable when the form was generated so we could
match them back up when it was submitted).  This prevented the process
script from being hit directly and would have forced them to load the
actual signup page first, parse all the fieldnames out, and then run
the submission again.  They could have automated this as well, but
never did (perhaps because it was too inconvenient and there were
easier targets to go after).

The earlier idea of automatically rejecting transactions and
transparently showing a reject notice after a couple of failures is a
good anti-abuse measure in this instance.  If logs are being kept,
they can be reviewed periodically and anyone who looks like they may
have been accidentally rejected can be contacted again later to
recapture their donation if needed.  Abuse can be a hard problem to
solve.


-Justin
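Justin's randomized-field-name trick is worth seeing end to end, because the whole point is that the random-to-real map lives only in the server-side session: a script that posts to the processing page with the real field names, or with names copied from someone else's page load, never matches. The following is an added example, not code from this thread or from the site Justin ran; it is in Python rather than CFML, and the field list, the `f_` prefix and the dict standing in for the session scope are assumptions made for the illustration. It also makes each rendered form good for exactly one submission, which the thread does not mention but which falls out naturally from consuming the map.

```python
import secrets

# The real field names the processing code understands (constructed list).
REAL_FIELDS = ("first_name", "last_name", "email", "amount", "card_number")


def render_form_fields(session):
    """Called while generating the form page. Returns the random names to use
    as the HTML input names and stores the random->real map in the server-side
    session, as Justin describes. session is any dict-like server-side store
    (the session scope in ColdFusion)."""
    mapping = {"f_" + secrets.token_hex(8): real for real in REAL_FIELDS}
    session["field_map"] = mapping
    return list(mapping)


def unmap_submission(session, posted):
    """Called by the processing endpoint. Translates the posted names back to
    the real ones. Returns None when the submission does not correspond to a
    form this session rendered, which is what a direct post to the processor
    with the real (or guessed) field names looks like. The map is consumed, so
    each rendered form is good for exactly one submission; a second post with
    the same names must load the form again first."""
    mapping = session.pop("field_map", None)
    if not mapping:
        return None                      # no form was rendered in this session
    if set(posted) != set(mapping):
        return None                      # unknown or missing field names
    return {mapping[name]: value for name, value in posted.items()}
```

Everything after `unmap_submission` (CF validation, CFFormProtect, the gateway call) then works on the real names exactly as before; only the page template and the first line of the processor change.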

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354487


Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Rick Faircloth

Hi, guys...

I've been running my first eCommerce setup with a donation
page/form using Authorize.net.

Things have been running fine, except for spammers using
the donation form to find legitimate CC numbers so they could
abuse the card in other ways.

I've assumed, up to this point, that the spammers are bots,
not humans.  The spam attempts happened every 15-30 seconds
for about an hour, then they stop.  Very few are able to
successfully process a transaction, but I'm trying to stop
the form from being submitted.

I've tried honey-pot traps, then moved to CF's captcha (at
its default level of difficulty). So far, the spam attempts
keep coming and my client is wondering if they need to get
someone (besides me) to handle the donations since I can't seem
to stop the spam.

I realize that if someone is hiring cheap human labor for $1
per day to sit and enter form info, that I can't stop that,
but if it is bots doing the spamming, will making CF captcha
more difficult to read have a good chance of stopping the bots,
or do I need to get with reCaptcha?  I like using CF's solution,
because I can code it myself.  But if it doesn't work...

Thoughts on this? I've got to get a solution working.

Thanks for any feedback!

Rick



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354451


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Dave Watts

> I realize that if someone is hiring cheap human labor for $1
> per day to sit and enter form info, that I can't stop that,
> but if it is bots doing the spamming, will making CF captcha
> more difficult to read have a good chance of stopping the bots,
> or do I need to get with reCaptcha.  I like using CF's solution,
> because I can code it myself.  But if it doesn't work...

I recommend you use this instead of any CAPTCHA:

http://cfformprotect.riaforge.org/

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354453


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Rick Faircloth

Thanks for the recommendation, Dave.

It seems like an all-in-one approach, like CFFormProtect,
might be the only way to beat this thing!

I'll go check it out...

Rick




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354454


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Raymond Camden

As an FYI, my blog never had a lot of spam, but it was pretty regular. When
I started using CFFP, it dropped dramatically. I can't even remember my
last spam comment.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354455


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Rick Faircloth

Thanks for the feedback, Ray, Dave...

Does CFFormProtect actually submit a form? I haven't parsed through
the code, yet, but I'm trying to determine if it just runs some tests
for validation or does it continue on to submit the form.

The form and processing I've coded is quite extensive and involves jQuery
on the client side for validation, then CF validation in a CFC, then,
if all's well, I use cfhttp to submit the form to Authorize.net.

I've got to figure out just how CFFormProtect fits into this equation.
I've implemented it per the instructions, but I'm not sure just what type
of processing environment it's supposed to fit into.

I did get one successful transaction that I submitted to process with
CFFormProtect implemented, but the second one didn't pass CFFormProtect
and I didn't get a form response (success/failure) back from the AJAX
submission function.

If anyone cares to look, the form is at
http://uso.whitestonemedia.com/modules/donate/donation-form.cfm

That's the development site.

Rick






Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354459


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Raymond Camden

No, it returns a pass/fail type response. In your example, I'd probably add
it after you do client side validation and CF validation, but before the
hit to Authorize.net.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354460


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Rick Faircloth

After more unsuccessful testing, I'm assuming that the form
button at the end of the form needs to be an actual button with
a type of submit to work with CFFormProtect?

If so, this won't work because I don't use an actual button with
a type of submit. The submit button for my form is just a regular
button that triggers an AJAX function that sends the data to a CFC
for further processing and then submission in the CFC to Authorize.net.

If I put:

<cfset Cffp = CreateObject("component", "cfformprotect.cffpVerify").init() />

<cfif Cffp.testSubmission(form)>

   <cfmail to="r...@whitestonemedia.com"
           from="r...@whitestonemedia.com"
           subject="Form Passed CFFormProtect Test!">

   Form passed CFFormProtect test!

   </cfmail>

   <!--- [ send data to authorize.net using arguments passed to method... ] --->

   <!--- [ send acknowledgement emails to donors, etc ] --->

<cfelse>

   <cfset authorizeStruct.FORMPOSTSTATUS = 'invalid' />
   <cfset authorizeStruct.TRANSACTIONSTATUS = 'Transaction not processed...' />

   <cfreturn authorizeStruct />

</cfif>



Even when I know the form values are correct, I get the
failed notices at the end. So somehow the form values aren't
passing the tests for CFFormProtect.

I see there's mention of logFailure(), 'logFailedTests' and 'logFile'
in the notes, but I haven't figured out where to use those.

Thoughts?

Rick



-Original Message-
From: Raymond Camden [mailto:raymondcam...@gmail.com] 
Sent: Monday, February 11, 2013 2:02 PM
To: cf-talk
Subject: Re: Problem with Hackers on Donation form through Authorize.net


No, it returns a pass/fail type response.In your example, I'd probably add
it after you do client side validation and CF validation, but before the
hit to Authorize.net.


On Mon, Feb 11, 2013 at 12:48 PM, Rick Faircloth
r...@whitestonemedia.comwrote:


 Thanks for the feedback, Ray, Dave...

 Does CFFormProtect actually submit a form? I haven't parsed through
 the code, yet, but I'm trying to determine if it just runs some tests
 for validation or does it continue on to submit the form.

 The form and processing I've code is quite extensive and involves jQuery
 on the client side for validation, then CF validation in a CFC, then,
 if all's well, I used cfhttps to submit the form to Authorize.net.

 I've got to figure out just how CFFormProtect fits into this equation.
 I've implemented it per the instructions, but I'm not sure just what type
 of processing environment it's supposed to fit into.

 I did get one successful transaction that I submitted to process with
 CFFormProtect implemented, but the second one didn't pass CFFormProtect
 and I didn't get a form response (success/failure) back from the AJAX
 submission function.

 If anyone cares to look, the form is at
 http://uso.whitestonemedia.com/modules/donate/donation-form.cfm

 That's the development site.

 Rick



 -Original Message-
 From: Raymond Camden [mailto:raymondcam...@gmail.com]
 Sent: Monday, February 11, 2013 11:46 AM
 To: cf-talk
 Subject: Re: Problem with Hackers on Donation form through Authorize.net


 As an FYI, my blog never had a lot of spam, but it was pretty regular. When
 I started using CFFP, it dropped dramatically. I can't even remember my
 last spam comment.


 On Mon, Feb 11, 2013 at 10:43 AM, Rick Faircloth
 r...@whitestonemedia.com wrote:

 
  Thanks for the recommendation, Dave.
 
  It seems like an all-in-one approach, like CFFormProtect,
  might be the only way to beat this thing!
 
  I'll go check it out...
 
  Rick
 
  -Original Message-
  From: Dave Watts [mailto:dwa...@figleaf.com]
  Sent: Monday, February 11, 2013 11:30 AM
  To: cf-talk
  Subject: Re: Problem with Hackers on Donation form through Authorize.net
 
 
   I realize that if someone is hiring cheap human labor for $1
   per day to sit and enter form info, that I can't stop that,
   but if it is bots doing the spamming, will making CF captcha
   more difficult to read have a good chance of stopping the bots,
   or do I need to get with reCaptcha.  I like using CF's solution,
   because I can code it myself.  But if it doesn't work...
 
  I recommend you use this instead of any CAPTCHA:
 
  http://cfformprotect.riaforge.org/
 
  Dave Watts, CTO, Fig Leaf Software
  http://www.figleaf.com/
  http://training.figleaf.com/
 
  Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
  GSA Schedule, and provides the highest caliber vendor-authorized
  instruction at our training centers, online, or onsite.
 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354461
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Raymond Camden

On Mon, Feb 11, 2013 at 1:45 PM, Rick Faircloth r...@whitestonemedia.com wrote:


 After more unsuccessful testing, I'm assuming that the form
 button at the end of the form needs to be an actual button with
 a type of submit to work with CFFormProtect?


Not as far as I know. I'm a bit rusty on the API, but here is how BlogCFC
uses it:

<cfif application.usecfp and not isLoggedIn()>
<cfset cffp = createObject("component", "cfformprotect.cffpVerify").init() />
<!--- now we can test the form submission --->
<cfif not cffp.testSubmission(form)>
<cfset arrayAppend(aErrors, "Your comment has been flagged as spam.") />
</cfif>
</cfif>

If for some reason your Form struct wasn't, well, the Form, but it was
somewhere else, you would just pass that data in. I *believe* it does look
at some things in terms of a form post, but it isn't tied to just that.




 If so, this won't work because I don't use an actual button with
 a type of submit. The submit button for my form is just a regular
 button that triggers an AJAX function that sends the data to a CFC
 for further processing and then submission in the CFC to Authorize.net.

 If I put:

 <cfset Cffp = CreateObject("component", "cfformprotect.cffpVerify").init() />

 <cfif Cffp.testSubmission(form)>


 Even when I know the form values are correct, I get the
 failed notices at the end. So somehow the form values aren't
 passing the tests for CFFormProtect.

 I see there's mention of logFailure() and 'logFailedTests' and 'logFile'
 in the notes, but I haven't figured out where to use those.


I'd figure it out. ;) Also, have you tried contacting the project admin?
 http://cfformprotect.riaforge.org/


-- 
===
Raymond Camden, Adobe Developer Evangelist

Email : raymondcam...@gmail.com
Blog : www.raymondcamden.com
Twitter: cfjedimaster


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354462


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Al Musella, DPM

I have just gone through this...  A big problem is that the 
owner  complains and the credit card company charges you a penalty 
and  if many get through they can dump you.

At first, I banned the IP address when someone tried 3 times 
unsuccessfully.  That worked for about a day then they would come back 
and try again, but with different IPs.  Must be real people and not a bot.

Then I tried something different... if someone tries 3 times without 
success, I flag the IP address and then when they submit a donation, 
I return the  page that says it failed (and I do not even send it on 
to the credit card company).
I also flag the entire subnet to make it harder to get around.  Most 
are from South America and China..  should probably reject any non 
North American IP..


A few people have called me and told me they tried to make a donation 
and they get rejected for no apparent reason.. in which case I take 
the donation by phone.

   I went about a month without 1 complaint so it might be working!
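As an added example (not Al's code, and in Python rather than CFML), the three-strikes flagging he describes: after three failures the address and its /24 are flagged, and later submissions from either are answered with the failure page without ever reaching the card gateway. The one-hour failure window, the one-day flag lifetime and the /64 width used for IPv6 are assumptions.

```python
import ipaddress
import time
from collections import defaultdict

MAX_FAILURES = 3        # Al's threshold: three unsuccessful tries
WINDOW_SECONDS = 3600   # assumption: failures older than an hour are forgotten
FLAG_SECONDS = 86400    # assumption: a flag expires after one day


def subnet_of(ip):
    """Prefix flagged alongside the address: /24 for IPv4, /64 for IPv6
    (the IPv6 width is an assumption; the thread only talks about IPv4)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class AttemptTracker:
    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.failures = defaultdict(list)    # ip -> [failure timestamps]
        self.flagged_until = {}              # ip or subnet -> expiry time

    def is_flagged(self, ip):
        t = self.now()
        return any(self.flagged_until.get(k, 0) > t for k in (ip, subnet_of(ip)))

    def record_failure(self, ip):
        """Store a failed attempt; returns True once the threshold is reached."""
        t = self.now()
        recent = [s for s in self.failures[ip] if t - s < WINDOW_SECONDS]
        recent.append(t)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            for key in (ip, subnet_of(ip)):      # flag the address and its subnet
                self.flagged_until[key] = t + FLAG_SECONDS
            return True
        return False


def process_submission(tracker, ip, charge):
    """charge() stands in for the gateway call and returns True when approved.
    A flagged source is answered 'blocked' without charge() ever being called;
    the page shown for it should look identical to the one for 'declined'."""
    if tracker.is_flagged(ip):
        return "blocked"
    if charge():
        return "approved"
    tracker.record_failure(ip)
    return "declined"
```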


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354463


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Rick Faircloth

Thanks for the info, Al...

It is a royal pain trying to deal with these hackers.
I might just try a combination of two things:

1) a honey pot to catch the humans when it's empty

2) a captcha for the bots who, supposedly, can't read them

Wonder if that would work?

-Original Message-
From: Al Musella, DPM [mailto:muse...@virtualtrials.com] 
Sent: Monday, February 11, 2013 4:32 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net


I have just gone through this...  A big problem is that the 
owner  complains and the credit card company charges you a penalty 
and  if many get through they can dump you.

At first, I banned the IP address when someone tried 3 times 
unsuccessfully.  That worked for about a day then they would come back 
and try again, but with different IPs.  Must be real people and not a bot.

Then I tried something different... if someone tries 3 times without 
success, I flag the IP address and then when they submit a donation, 
I return the  page that says it failed (and I do not even send it on 
to the credit card company).
I also flag the entire subnet to make it harder to get around.  Most 
are from South America and China..  should probably reject any non 
North American IP..


A few people have called me and told me they tried to make a donation 
and they get rejected for no apparent reason.. in which case I take 
the donation by phone.

   I went about a month without 1 complaint so it might be working!




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354464


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Les Mizzell

One site of mine for a dance company used to get a ton of spam through 
contact forms. Everybody hated CAPTCHA, so I put a simple question with 
radio button choices:

A cow goes?
a. quack
b. woof
c. moo
d. chirp

VERY low tech, but believe it or not, we've not gotten a single piece of 
bot spam since!

Wouldn't advise this for most uses though...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354465


RE: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Rick Faircloth

Boy was that a stupid, not-thought-out approach!

I was so focused on separating the spamming humans from
the spamming bots, I came up with a solution that wouldn't
let human or bot submit a form, whether the human was a
legitimate donor, or not!

Duh! (It's been a long day... time to go to Outback!)

Rick

-Original Message-
From: Rick Faircloth [mailto:r...@whitestonemedia.com] 
Sent: Monday, February 11, 2013 4:40 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net


Thanks for the info, Al...

It is a royal pain trying to deal with these hackers.
I might just try a combination of two things:

1) a honey pot to catch the humans when it's empty

2) a captcha for the bots who, supposedly, can't read them

Wonder if that would work?

-Original Message-
From: Al Musella, DPM [mailto:muse...@virtualtrials.com] 
Sent: Monday, February 11, 2013 4:32 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net


I have just gone through this...  A big problem is that the 
owner  complains and the credit card company charges you a penalty 
and  if many get through they can dump you.

At first, I banned the IP address when someone tried 3 times 
unsuccessfully.  That worked for about a day then they would come back 
and try again, but with different IPs.  Must be real people and not a bot.

Then I tried something different... if someone tries 3 times without 
success, I flag the IP address and then when they submit a donation, 
I return the  page that says it failed (and I do not even send it on 
to the credit card company).
I also flag the entire subnet to make it harder to get around.  Most 
are from South America and China..  should probably reject any non 
North American IP..


A few people have called me and told me they tried to make a donation 
and they get rejected for no apparent reason.. in which case I take 
the donation by phone.

   I went about a month without 1 complaint so it might be working!






Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354466


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Al Musella, DPM

I came across an interesting way to get the country from the IP 
address.. http://www.mximize.com/getting-country-by-ip-based-on-geolite
I might set this up and block non North American IPs...


At 04:43 PM 2/11/2013, Les Mizzell wrote:

One site of mine for a dance company used to get a ton of spam through
contact forms. Everybody hated CAPTCHA, so I put a simple question with
radio button choices:

A cow goes?
a. quack
b. woof
c. moo
d. chirp

VERY low tech, but believe it or not, we've not gotten a single piece of
bot spam since!

Wouldn't advise this for most uses though...


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354469


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Byron Mann

A fairly inexpensive and easy to implement fraud screening service is
maxmind minfraud.

It's something like 0.005 per transaction methinks.

Another method I didn't see in the thread was doing an email confirmation
before performing the cc transaction. Like  send an email to the user with
a unique ID the user must click to verify a legit email address was used.

Can still be bot'd but requires a bit more work on their part, which might
be enough to discourage them since there are a lot of other places for them to go
do their dirtiness.

Byron Mann
Lead Engineer  Architect
HostMySite.com
On Feb 11, 2013 11:13 AM, Rick Faircloth r...@whitestonemedia.com wrote:


 Hi, guys...

 I've been running my first eCommerce setup with a donation
 page/form using Authorize.net.

 Things have been running fine, except for spammers using
 the donation form to find legitimate CC numbers so they could
 abuse the card in other ways.

 I've assumed, up to this point, that the spammers are bots,
 not humans.  The spam attempts happened every 15-30 seconds
 for about an hour, then they stop.  Very few are able to
 successfully process a transaction, but I'm trying to stop
 the form from being submitted.

 I've tried honey-pot traps, then moved to CF's captcha (at
 its default level of difficulty). So far, the spam attempts
 keep coming and my client is wondering if they need to get
 someone (besides me) to handle the donations since I can't seem
 to stop the spam.

 I realize that if someone is hiring cheap human labor for $1
 per day to sit and enter form info, that I can't stop that,
 but if it is bots doing the spamming, will making CF captcha
 more difficult to read have a good chance of stopping the bots,
 or do I need to get with reCaptcha.  I like using CF's solution,
 because I can code it myself.  But if it doesn't work...

 Thoughts on this? I've got to get a solution working.

 Thanks for any feedback!

 Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354472


Re: Problem with Hackers on Donation form through Authorize.net

2013-02-11 Thread Paul Hastings

On 2/12/2013 12:06 PM, Al Musella, DPM wrote:

 I came across an interesting way to get the country from the IP
 address.. http://www.mximize.com/getting-country-by-ip-based-on-geolite
 I might set this up and block non North American IPs...

I would check w/your client first. Not everybody outside NA is bent on 
conducting fraud. And will you exclude users from Mexico, Puerto Rico, etc.?

And keep in mind that IP-to-country conversion isn't fool-proof as it is, 
never mind when folks actively try to defeat it.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354473