Re: [OT] Ideas for limiting form submissions

2002-12-20 Thread Daniel Koch
Check out Gimpy, which I believe is what Yahoo uses:

http://www.captcha.net/captchas/gimpy/
http://www.captcha.net/



Narins, Josh wrote:


Can GIMP be programmatically set up to warp/woof/weird-out an image?

Yahoo's warped words works, I bet, since they use it.

I'm referring to getting an anon email account from yahoo.com



-Original Message-
From: Bill Moseley [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 18, 2002 1:13 PM
To: [EMAIL PROTECTED]
Subject: [OT] Ideas for limiting form submissions


I've got a mod_perl feedback form that sends mail to a specific address.
Spammers have their bots hitting the form now.  The tricks I know of are:

- generate a random image of numbers and make the user type in the numbers
on the form.  Painful for the user and spammers probably have OCR!

- require an email and send a confirmation email (like a list
subscription) and whitelist some email addresses.  But we want to allow
anonymous submissions.

- limit submissions by IP number to one every X minutes.  AOL users may get
blocked.

- md5 the submission and block duplicates (should do this anyway).  BTW --
what would you recommend for caching the md5 strings.  Cache::Cache or DBM?
I suppose a Cache::Cache file cache would be the easiest.

Any other ideas on the easy to implement side?



 






[OT] Ideas for limiting form submissions

2002-12-18 Thread Bill Moseley
I've got a mod_perl feedback form that sends mail to a specific address.
Spammers have their bots hitting the form now.  The tricks I know of are:

- generate a random image of numbers and make the user type in the numbers
on the form.  Painful for the user and spammers probably have OCR!

- require an email and send a confirmation email (like a list
subscription) and whitelist some email addresses.  But we want to allow
anonymous submissions.

- limit submissions by IP number to one every X minutes.  AOL users may
get blocked.

- md5 the submission and block duplicates (should do this anyway).  BTW --
what would you recommend for caching the md5 strings.  Cache::Cache or
DBM?  I suppose a Cache::Cache file cache would be the easiest.

Any other ideas on the easy to implement side?



-- 
Bill Moseley [EMAIL PROTECTED]
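As an added example (not code from this thread or from Bill's site), here is the "md5 the submission and block duplicates" idea combined with the per-IP window, in Perl. The store is a plain hash so the script runs stand-alone; under mod_perl you would tie it to a DBM file or use a Cache:: backend so it is shared across children and survives restarts. The sample traffic, addresses and timestamps are constructed.

```perl
#!/usr/bin/perl
# Added example (not code from the thread): duplicate-submission blocking
# via an MD5 digest plus a per-IP submission window, using a plain hash as
# the store.  Under mod_perl, tie %state to a DBM file or use a Cache::
# backend so the state is shared across child processes.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Digest the submission after normalising case and whitespace, so a bot
# that only varies spacing or capitalisation still hits the same digest.
sub submission_digest {
    my ($fields) = @_;                 # hashref of form field => value
    my $canon = join "\n",
        map { lc($_) . '=' . lc($fields->{$_}) } sort keys %$fields;
    $canon =~ s/\s+/ /g;
    return md5_hex($canon);
}

# Decide whether to accept a submission.  Returns (accepted, reason).
# %args: state (hashref store), fields (hashref), ip (string),
#        now (epoch seconds, passed in so the logic is testable),
#        window (minimum seconds between submissions from one IP).
sub check_submission {
    my (%args) = @_;
    my ($state, $fields, $ip, $now) = @args{qw(state fields ip now)};
    my $window = defined $args{window} ? $args{window} : 300;

    my $digest = submission_digest($fields);
    return (0, 'duplicate') if exists $state->{"md5:$digest"};

    my $last = $state->{"ip:$ip"};
    return (0, 'rate-limited') if defined $last && $now - $last < $window;

    # Record the digest and the IP timestamp only once accepted.
    $state->{"md5:$digest"} = $now;
    $state->{"ip:$ip"}      = $now;
    return (1, 'accepted');
}

# Drop entries older than $ttl seconds; run this from cron or a cleanup
# handler so the store does not grow without bound.
sub expire_state {
    my ($state, $now, $ttl) = @_;
    my $removed = 0;
    for my $k (keys %$state) {
        next unless $now - $state->{$k} > $ttl;
        delete $state->{$k};
        $removed++;
    }
    return $removed;
}

# Constructed sample traffic: a real comment, a retry of it with different
# spacing, and a second user behind the same (proxied) address.
my %state;
my $t0 = 1_040_000_000;
my @traffic = (
    [ '10.0.0.5', $t0,       { name => 'Ann', body => 'Great site, thanks!' } ],
    [ '10.0.0.5', $t0 + 2,   { name => 'ANN', body => 'Great   site, thanks!' } ],
    [ '10.0.0.5', $t0 + 10,  { name => 'Bob', body => 'Different message' } ],
    [ '10.0.0.5', $t0 + 400, { name => 'Bob', body => 'Different message' } ],
    [ '10.0.0.9', $t0 + 11,  { name => 'Cy',  body => 'Hello from elsewhere' } ],
);
for my $req (@traffic) {
    my ($ip, $when, $fields) = @$req;
    my ($ok, $why) = check_submission(
        state => \%state, fields => $fields, ip => $ip, now => $when);
    printf "%-9s t+%-4d %-12s %s\n", $ip, $when - $t0, $why, $fields->{body};
}
printf "expired %d entries\n", expire_state(\%state, $t0 + 3600, 900);
```

Running it shows the second submission rejected as a duplicate despite the changed spacing, Bob's first attempt at t+10 rejected as rate-limited because he shares Ann's address (the AOL problem named above), and his retry at t+400 accepted. The digest normalisation is deliberately crude; it catches the lazy bot, not one that rewrites the text.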





RE: [OT] Ideas for limiting form submissions

2002-12-18 Thread Clare, Bruce W
Some other imperfect solutions:
* Take the CRC (or some other hash function) of the message content and
reject messages with duplicate CRC (still vulnerable to morphing of the
message).

* limit submissions by sender to one every X minutes. Avoids the AOL issue,
but vulnerable to DDOS and spoofing.

* Have the form run some client side code (javascript or VBS) to create the
email and send it from the client, so you have more information about the
sender (use something similar to browser or mail client behavior on a
mailto: URI).  Plus, using a client-side script will allow you to turn
some of the spammers' techniques back on them. If it's a bot, it's likely to
either blow up or reject your request. If you send a bunch of extra requests
back to suspected bots, you're more likely to crash the bot. For example:
  * for each request, open a new client window to acknowledge receipt. Clients
  can deal with it, bots have to be designed to filter it or handle it.
  * For suspected bot requests, send huge text strings back to the requester
  to see if the bot has a buffer overflow vulnerability.
  * CC: the mailto: message back to the sender from the client side to flood
  their inbox when it's a bot.


Even if the bot honors the send mail request, you're returning the favor
back to the spammers and flooding their system with Emails, too. Even if the
bots can continue to hit the submit button, it will reduce the server side
processing time for each request, and greatly reduce the number of emails
actually sent. Downside is that if they scan the outgoing emails from their
machine, they can spam the email address. 





Re: [OT] Ideas for limiting form submissions

2002-12-18 Thread Perrin Harkins
Bill Moseley wrote:

what would you recommend for caching the md5 strings.  Cache::Cache or
DBM?  I suppose a Cache::Cache file cache would be the easiest.


In order of speed:
IPC::MM
BerkeleyDB (with built-in locking)
Cache::Mmap
Cache::FileBackend (from Cache::Cache -- no need to use Cache::Cache 
front-end unless you want expiration)

IPC::MM is shared memory, so it won't persist data across restarts.

- Perrin




RE: [OT] Ideas for limiting form submissions

2002-12-18 Thread Narins, Josh
Can GIMP be programmatically set up to warp/woof/weird-out an image?

Yahoo's warped words works, I bet, since they use it.

I'm referring to getting an anon email account from yahoo.com








Re: [OT] Ideas for limiting form submissions

2002-12-18 Thread Issac Goldstand

- Original Message -
Subject: RE: [OT] Ideas for limiting form submissions

 Can GIMP be programmatically set up to warp/woof/weird-out an image?

 Yahoo's warped words works, I bet, since they use it.

 I'm referring to getting an anon email account from yahoo.com

They actually use a third-party provider, although if anyone has information
about doing this, I'd love to hear about it.

  Issac




Re: [OT] Ideas for limiting form submissions

2002-12-18 Thread Bill Moseley
At 02:51 PM 12/18/02 -0500, Daniel Koch wrote:
Check out Gimpy, which I believe is what Yahoo uses:

http://www.captcha.net/captchas/gimpy/

I'm thinking of something along those lines.  The problem is this is on
Solaris 2.6 w/o root, and I'll bet it would take some time to get The Gimp
and GTK and whatever libs installed.

So, I'm thinking about creating a directory of say 20 images of words.  On
the initial request the form creates a random key, and makes that a symlink
to one of the images selected at random.  That will be the img src link.

Then md5 the symlink with a secret word to create a hidden field.

The submitter will have to type in the word displayed in the image.

On submit md5 all the symlinks with the secret word until a match is found
-- match the submitted word text with the real image name, then unlink the
symlink and accept the request.

Cron can remove old symlinks.

If the spammers put in the work to figure out the word by check-summing the
images I can use ImageMagick to modify the images -- that could be a nice
mod_perl handler.

See any glaring holes? 

-- 
Bill Moseley
mailto:[EMAIL PROTECTED]
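The scheme in the post above, as an added example in Perl (not Bill's code): a random key becomes a symlink to a randomly chosen word image, the hidden field is md5(secret + key), and on submit the server walks the symlinks until the keyed md5 matches, compares the typed word with the image name, and unlinks the symlink. The word list, the `words/<word>.png` layout, the `/challenge/<key>` image URL and the secret are constructed for the demo; a max-age check stands in for the cron job.

```perl
#!/usr/bin/perl
# Added example (not code from the thread): one-time word-image challenge
# built the way the post describes.  Word list, directory layout, image URL
# and secret are constructed for this demo.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use File::Basename qw(basename);
use File::Temp qw(tempdir);

my @WORDS = qw(harbor lantern meadow quartz);   # stand-ins for words/<word>.png

# Unguessable key for the symlink name; /dev/urandom where available.
sub random_key {
    if (open my $fh, '<:raw', '/dev/urandom') {
        my $n = read $fh, my $bytes, 16;
        close $fh;
        return unpack 'H*', $bytes if defined $n && $n == 16;
    }
    return md5_hex(join ':', $$, time, rand);    # weaker fallback
}

# Build a throwaway challenge directory with placeholder "images".
sub setup_dir {
    my $dir = tempdir(CLEANUP => 1);
    mkdir "$dir/words" or die "mkdir: $!";
    for my $w (@WORDS) {
        open my $fh, '>', "$dir/words/$w.png" or die "open: $!";
        print {$fh} "placeholder image bytes for $w\n";
        close $fh;
    }
    return $dir;
}

# Initial GET: create key -> image symlink, return img src and hidden token.
sub issue_challenge {
    my ($dir, $secret) = @_;
    my $key  = random_key();
    my $word = $WORDS[ int rand @WORDS ];
    symlink "$dir/words/$word.png", "$dir/$key" or die "symlink: $!";
    return { img_src => "/challenge/$key", token => md5_hex("$secret:$key") };
}

# On submit: find the symlink whose keyed md5 equals the token, compare the
# typed word with the image name, and remove the symlink so the token is
# single-use.  $max_age (seconds) replaces the cron job for stale links.
sub verify_submission {
    my ($dir, $secret, $token, $answer, $max_age) = @_;
    $max_age = 600 unless defined $max_age;
    opendir my $dh, $dir or die "opendir $dir: $!";
    my @keys = grep { -l "$dir/$_" } readdir $dh;
    closedir $dh;

    for my $key (@keys) {
        next unless md5_hex("$secret:$key") eq $token;
        my $link   = "$dir/$key";
        my $age    = time - (lstat $link)[9];
        my ($word) = basename(readlink $link) =~ /^(.+)\.png$/;
        unlink $link;                          # consume the challenge either way
        return 0 if $age > $max_age;
        return lc($answer) eq lc($word) ? 1 : 0;
    }
    return 0;   # no match: forged, expired, or already used token
}

# Demo: issue a challenge, "read" the image by following the symlink the
# way the browser would display it, then submit twice to show one-time use.
my $secret = 'example-secret-not-for-production';
my $dir    = setup_dir();
my $c      = issue_challenge($dir, $secret);
my ($key)  = $c->{img_src} =~ m{/([0-9a-f]+)$};
my ($word) = basename(readlink "$dir/$key") =~ /^(.+)\.png$/;

printf "first submit (correct word): %d\n",
    verify_submission($dir, $secret, $c->{token}, $word);
printf "replay of same token:        %d\n",
    verify_submission($dir, $secret, $c->{token}, $word);
printf "forged token:                %d\n",
    verify_submission($dir, $secret, md5_hex('guess'), $word);
```

The symlink is what makes the challenge single-use: it is the only server-side record of the key, so once it is unlinked neither a replayed token nor a replayed word can be accepted. The linear walk over the symlink directory is the cost of not storing the key anywhere else; with a few thousand outstanding challenges it is cheap, but it is worth watching if the cron cleanup ever lags.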



Re: [OT] Ideas for limiting form submissions

2002-12-18 Thread Vivek Khera
 BM == Bill Moseley [EMAIL PROTECTED] writes:

BM I've got a mod_perl feed-back form that sends mail to a specific address..
BM Spammers have their bots hitting the form now.  The tricks I know of are:

Rename your script and the link pointing to it.  It will take some
time for them to follow.  It's not called formmail.pl is it?

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                Khera Communications, Inc.
Internet: [EMAIL PROTECTED]       Rockville, MD       +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera   http://www.khera.org/~vivek/