Re: [PHP-DOC] spam protection for user notes
On Sat, 25 Feb 2006, Nuno Lopes wrote: spam assasin is already there: /opt/ecelerity/3rdParty/bin/spamassassin -L -e 8 Whats the version? I'll install the same version on my machine and do some tests. [EMAIL PROTECTED] root]# /opt/ecelerity/3rdParty/bin/spamassassin --version SpamAssassin version 2.64 Bah, it isn't marking the spam notes as such: X-Spam-Status: No, hits=3.1 required=5.0 tests=DATE_MISSING,FROM_NO_LOWER autolearn=no version=2.64 It isn't hiting any useful rule. And the bayesian filter isn't working.. Does it need training? What about feeding the notes that are marked as spam to 'sa-learn --spam' ? Any other crazy idea? Nuno
Re: [PHP-DOC] spam protection for user notes
Hi Sean, Sean Coates wrote: [...] I'd prefer the dual-opt-in-like behaviour where the user is mailed and asked to confirm that he/she submitted the note. After say 10 unconfirmed mails by a particular address, they could get blacklisted. +1 for this solution, if spamassasin does not work. BTW, I just made some changes to the notes scripts to use new, shorter URLs. Thanks, much better! Friedhelm
Re: [PHP-DOC] spam protection for user notes
I realise that. So why don't we set it so you have to provide a valid email to be able to submit a note? M Sean Coates wrote: Another option (in the short-term) is to simply required a valid email address (most of the spam seems to come from the default '[EMAIL PROTECTED]' or 'php-general@lists.php.net'). Haven't checked the code recently, but I'm pretty sure a blank name results in php-general@lists.php.net and a name with no domain (Bob) gets osu1 appended ([EMAIL PROTECTED]). S
Re: [PHP-DOC] spam protection for user notes
Its an idea.. Instead of the captcha image, we can use a similar system that is used in the php.net e-mails. When a note is submited, we send an e-mail, and only when the user clicks on the link, his note is accepted. Nuno - Original Message - I realise that. So why don't we set it so you have to provide a valid email to be able to submit a note? M Sean Coates wrote: Another option (in the short-term) is to simply required a valid email address (most of the spam seems to come from the default '[EMAIL PROTECTED]' or 'php-general@lists.php.net'). Haven't checked the code recently, but I'm pretty sure a blank name results in php-general@lists.php.net and a name with no domain (Bob) gets osu1 appended ([EMAIL PROTECTED]). S
Re: [PHP-DOC] spam protection for user notes
On Tue, 21 Feb 2006, Sean Coates wrote: I would oppose a CAPTCHA, they are evil. Do you have a better solution? Run the note's text through a spam checker on the server before posting it... Derick
Re: [PHP-DOC] spam protection for user notes
On Tue, 21 Feb 2006, Sean Coates wrote: I would oppose a CAPTCHA, they are evil. Do you have a better solution? Run the note's text through a spam checker on the server before posting it... Derick OK, if you are able to setup that on the master server, please do so ;) I'll then patch the user notes script to use it (just tell me what I need to run). Thanks, Nuno
Re: [PHP-DOC] spam protection for user notes
Run the note's text through a spam checker on the server before posting it... OK, if you are able to setup that on the master server, please do so ;) I'll then patch the user notes script to use it (just tell me what I need to run). Spam checkers don't work (particularly well). Especially for non-mail. I'd prefer the dual-opt-in-like behaviour where the user is mailed and asked to confirm that he/she submitted the note. After say 10 unconfirmed mails by a particular address, they could get blacklisted. BTW, I just made some changes to the notes scripts to use new, shorter URLs. S
Re: [PHP-DOC] spam protection for user notes
On Sat, 25 Feb 2006, Nuno Lopes wrote: On Tue, 21 Feb 2006, Sean Coates wrote: I would oppose a CAPTCHA, they are evil. Do you have a better solution? Run the note's text through a spam checker on the server before posting it... Derick OK, if you are able to setup that on the master server, please do so ;) I'll then patch the user notes script to use it (just tell me what I need to run). spam assasin is already there: /opt/ecelerity/3rdParty/bin/spamassassin -L -e 8 regards, Derick
Re: [PHP-DOC] spam protection for user notes
spam assasin is already there: /opt/ecelerity/3rdParty/bin/spamassassin -L -e 8 Piping user notes through spamassassin won't help--at least without some special config that I don't know about. For example, all notes would end up with headers like the following, because they're not actually mail: X-Spam-Level: X-Spam-Status: No, score=-1.3 required=5.0 tests=ALL_TRUSTED,MISSING_SUBJECT autolearn=failed version=3.0.1 ALL_TRUSTED means that the message didn't pass through any untrusted SMTP hosts (no hosts in this case). It's also obviously missing a subject header. S
Re: [PHP-DOC] spam protection for user notes
On Sat, 25 Feb 2006, Nuno Lopes wrote: On Tue, 21 Feb 2006, Sean Coates wrote: I would oppose a CAPTCHA, they are evil. Do you have a better solution? Run the note's text through a spam checker on the server before posting it... Derick OK, if you are able to setup that on the master server, please do so ;) I'll then patch the user notes script to use it (just tell me what I need to run). spam assasin is already there: /opt/ecelerity/3rdParty/bin/spamassassin -L -e 8 Whats the version? I'll install the same version on my machine and do some tests. Nuno
Re: [PHP-DOC] spam protection for user notes
[sorry for the previous incomplete e-mail] spam assasin is already there: /opt/ecelerity/3rdParty/bin/spamassassin -L -e 8 Piping user notes through spamassassin won't help--at least without some special config that I don't know about. man spamassassin says: -C path, --configpath=path, --config-file=path Path to standard configuration dir So, we can bundle a special config file in php-master-web tuned for our needs :) I'm emerging spamassassin ATM and I'll do some tests. Nuno
Re: [PHP-DOC] spam protection for user notes
Piping user notes through spamassassin won't help--at least without some special config that I don't know about. man spamassassin says: -C path, --configpath=path, --config-file=path Path to standard configuration dir Cool. Out of curiosity, what does your config file look like? S
Re: [PHP-DOC] spam protection for user notes
actually its not a config file, its a config dir :)
I have many files in /usr/share/spamassassin, although not all are
needed for us.
Ok.. what directives are you using? (-:
Anyway, I think the best thing to do now is to implement a function to
pass the note through spamassassin and display the result (X-Spam-Status
line) in the e-mail that is sent to the notes list, so that we can check
if we need to tweak the configuration.
I did something like this in my quick tests:
$d = array(
0 = array(pipe, r), // stin
1 = array(pipe, w), // stdout
2 = array(pipe, w) // stderr
);
$proc = proc_open('/path/to/spamassassin -L -e 8', $d, $p);
fclose($p[2]); // keep it open if you want to read stderr
fwrite($p[0], $originalNoteText);
fclose($p0]);
$noteWithHeaders = stream_get_contents($p[1]);
fclose($p[1]);
S
Re: [PHP-DOC] spam protection for user notes
I did something like this in my quick tests: Nevermind, I see you've got it under control. S
Re: [PHP-DOC] spam protection for user notes
On Sat, 25 Feb 2006, Nuno Lopes wrote: spam assasin is already there: /opt/ecelerity/3rdParty/bin/spamassassin -L -e 8 Whats the version? I'll install the same version on my machine and do some tests. [EMAIL PROTECTED] root]# /opt/ecelerity/3rdParty/bin/spamassassin --version SpamAssassin version 2.64 Derick
Re: [PHP-DOC] spam protection for user notes
Just my 2 cents on the use of spamassassin, how will it react to PHP code and the like? M Nuno Lopes wrote: [sorry for the previous incomplete e-mail] spam assasin is already there: /opt/ecelerity/3rdParty/bin/spamassassin -L -e 8 Piping user notes through spamassassin won't help--at least without some special config that I don't know about. man spamassassin says: -C path, --configpath=path, --config-file=path Path to standard configuration dir So, we can bundle a special config file in php-master-web tuned for our needs :) I'm emerging spamassassin ATM and I'll do some tests. Nuno
Re: [PHP-DOC] spam protection for user notes
Spammers suck. I would be in favour of implementing a basic mathematical skill-testing question a la Lukas Smith's blog at http://pooteeweet.org -- it is a protection method that is still accessible to the visually impaired, unlike classic CAPTCHA. Dan On 2/21/06, Friedhelm Betz [EMAIL PROTECTED] wrote: Hi all, user notes are spammed in recent days/weeks. Should we protect the submission form in some sane way (CAPTCHA)? Friedhelm
Re: [PHP-DOC] spam protection for user notes
On Tue, 21 Feb 2006, Dan Scott wrote: Spammers suck. I would be in favour of implementing a basic mathematical skill-testing question a la Lukas Smith's blog at http://pooteeweet.org -- it is a protection method that is still accessible to the visually impaired, unlike classic CAPTCHA. Agreed, spammers suck, but CAPTCHAs too. Don't let the spammers win! :) Derick
Re: [PHP-DOC] spam protection for user notes
Derick Rethans wrote: On Tue, 21 Feb 2006, Dan Scott wrote: Spammers suck. I would be in favour of implementing a basic mathematical skill-testing question a la Lukas Smith's blog at http://pooteeweet.org -- it is a protection method that is still accessible to the visually impaired, unlike classic CAPTCHA. Agreed, spammers suck, but CAPTCHAs too. Yeah, I don't like CAPTCHAs either. Mainly for the reason Dan outlined. Don't let the spammers win! :) Not at all ;-) What about: basic mathematical skill-testing question ? Friedhelm
RE: [PHP-DOC] spam protection for user notes
How about this one, I've been experimenting with, uses plain HTML obfuscating the code with various css techiques. http://ren.dotgeek.org/ex/captchacss.php http://ren.dotgeek.org/ex/captchacss.phps Jared I don't think that the math-test would prevent much spam. It's very easy to automatically read and solve these equations. Would a verified note submission (e.g. the user provides his eMail- address and he gets a message where he has to click on a link to publish his note) be a better solution? Personally, I think that even that may be bypassed. Viele Grüße Sebastian Am 21.02.2006 um 12:56 schrieb Friedhelm Betz: Derick Rethans wrote: On Tue, 21 Feb 2006, Dan Scott wrote: Spammers suck. I would be in favour of implementing a basic mathematical skill-testing question a la Lukas Smith's blog at http://pooteeweet.org -- it is a protection method that is still accessible to the visually impaired, unlike classic CAPTCHA. Agreed, spammers suck, but CAPTCHAs too. Yeah, I don't like CAPTCHAs either. Mainly for the reason Dan outlined. Don't let the spammers win! :) Not at all ;-) What about: basic mathematical skill-testing question ? Friedhelm
Re: [PHP-DOC] spam protection for user notes
This CSS-obfuscation would generate problems with text-only readers (lynx or braille terminals), so I don't think it's a good idea. Viele Grüße Sebastian Am 21.02.2006 um 13:49 schrieb Jared Williams: How about this one, I've been experimenting with, uses plain HTML obfuscating the code with various css techiques. http://ren.dotgeek.org/ex/captchacss.php http://ren.dotgeek.org/ex/captchacss.phps Jared I don't think that the math-test would prevent much spam. It's very easy to automatically read and solve these equations. Would a verified note submission (e.g. the user provides his eMail- address and he gets a message where he has to click on a link to publish his note) be a better solution? Personally, I think that even that may be bypassed. Viele Grüße Sebastian Am 21.02.2006 um 12:56 schrieb Friedhelm Betz: Derick Rethans wrote: On Tue, 21 Feb 2006, Dan Scott wrote: Spammers suck. I would be in favour of implementing a basic mathematical skill-testing question a la Lukas Smith's blog at http://pooteeweet.org -- it is a protection method that is still accessible to the visually impaired, unlike classic CAPTCHA. Agreed, spammers suck, but CAPTCHAs too. Yeah, I don't like CAPTCHAs either. Mainly for the reason Dan outlined. Don't let the spammers win! :) Not at all ;-) What about: basic mathematical skill-testing question ? Friedhelm
RE: [PHP-DOC] spam protection for user notes
Well atm, no lynx or braille terminals can submit a bug (afaik) so not sure how much of a problem that is. Jared This CSS-obfuscation would generate problems with text-only readers (lynx or braille terminals), so I don't think it's a good idea. Viele Grüße Sebastian Am 21.02.2006 um 13:49 schrieb Jared Williams: How about this one, I've been experimenting with, uses plain HTML obfuscating the code with various css techiques. http://ren.dotgeek.org/ex/captchacss.php http://ren.dotgeek.org/ex/captchacss.phps Jared I don't think that the math-test would prevent much spam. It's very easy to automatically read and solve these equations. Would a verified note submission (e.g. the user provides his eMail- address and he gets a message where he has to click on a link to publish his note) be a better solution? Personally, I think that even that may be bypassed. Viele Grüße Sebastian Am 21.02.2006 um 12:56 schrieb Friedhelm Betz: Derick Rethans wrote: On Tue, 21 Feb 2006, Dan Scott wrote: Spammers suck. I would be in favour of implementing a basic mathematical skill-testing question a la Lukas Smith's blog at http://pooteeweet.org -- it is a protection method that is still accessible to the visually impaired, unlike classic CAPTCHA. Agreed, spammers suck, but CAPTCHAs too. Yeah, I don't like CAPTCHAs either. Mainly for the reason Dan outlined. Don't let the spammers win! :) Not at all ;-) What about: basic mathematical skill-testing question ? Friedhelm
Re: [PHP-DOC] spam protection for user notes
Sebastian-H. Picklum wrote: Hmm, you are completely right. But it's still not that accessible for our fellow programmers who are visually impaired. I have 4961 messages in my PHP-Notes box that I simply haven't had the motivation to check. Note weeding is a tedious and thankless task, so I'm all-for tools that will make this easier. I like the CSS CAPTCHA, but it seems relatively easy to break. If we do go to a non-handicap-friendly (pardon my use of the word handicap if it's not PC this week) solution, we could always add a note along the lines of Note to the visually impaired: this form contains spam protection in the form of a CAPTCHA image. We're sorry that this is inconvenient for you. To submit a note, please send email to [EMAIL PROTECTED], and we would be happy to handle the note submission for you. to the submission form. The volume here would be minimal. S
Re: [PHP-DOC] spam protection for user notes
Okay, posting to php-notes@ would be another solution. But on the other hand: Why don't we check the submitted notes for specific words that are only used in SPAM messages in the first place and mark them as suspicious on [EMAIL PROTECTED] So the SPAM-Protection is transparent and finding possible unwanted messages is easier. Note weeding in the current form is really not that comfortable. An interface where you can see all newly submitted notes that have not been rejected or deleted (or verified) already would safe a lot of time. That way, every message gets reviewed. Viele Grüße Sebastian Am 21.02.2006 um 19:13 schrieb Sean Coates: Sebastian-H. Picklum wrote: Hmm, you are completely right. But it's still not that accessible for our fellow programmers who are visually impaired. I have 4961 messages in my PHP-Notes box that I simply haven't had the motivation to check. Note weeding is a tedious and thankless task, so I'm all-for tools that will make this easier. I like the CSS CAPTCHA, but it seems relatively easy to break. If we do go to a non-handicap-friendly (pardon my use of the word handicap if it's not PC this week) solution, we could always add a note along the lines of Note to the visually impaired: this form contains spam protection in the form of a CAPTCHA image. We're sorry that this is inconvenient for you. To submit a note, please send email to [EMAIL PROTECTED], and we would be happy to handle the note submission for you. to the submission form. The volume here would be minimal. S
Re: [PHP-DOC] spam protection for user notes
+1 to If you experience difficulty with the CAPTCHA image, you can submit a note by sending an email to [EMAIL PROTECTED] There's no need to limit this option to the visually impaired; it's also applicable to Mr. Joe Text Browser. :) Agreed. S
Re: [PHP-DOC] spam protection for user notes
On Tue, 21 Feb 2006, Sean Coates wrote: If we do go to a non-handicap-friendly (pardon my use of the word handicap if it's not PC this week) solution, we could always add a note along the lines of Note to the visually impaired: this form contains spam protection in the form of a CAPTCHA image. I would oppose a CAPTCHA, they are evil. Derick
Re: [PHP-DOC] spam protection for user notes
I would oppose a CAPTCHA, they are evil. Do you have a better solution? S
Re: [PHP-DOC] spam protection for user notes
I don't like those annoying images either. But we must do something.. I'm tired of receiving a lot of spam notes every day. Using the same system as the bugs site seems to be the best choice.. because my attempts to stop spam (by checking IPs blacklists and by using words blacklist) didn't work for long. BTW, I don't agree with an 'accept' system. With that, almost zero notes will be approved each day, because no one will like to take the responsability to approve a note. Delete/reject is much simpler and provides a faster way to have good notes on-line. Nuno
Re: [PHP-DOC] spam protection for user notes
Another option (in the short-term) is to simply required a valid email address (most of the spam seems to come from the default '[EMAIL PROTECTED]' or 'php-general@lists.php.net'). M Nuno Lopes wrote: I don't like those annoying images either. But we must do something.. I'm tired of receiving a lot of spam notes every day. Using the same system as the bugs site seems to be the best choice.. because my attempts to stop spam (by checking IPs blacklists and by using words blacklist) didn't work for long. BTW, I don't agree with an 'accept' system. With that, almost zero notes will be approved each day, because no one will like to take the responsability to approve a note. Delete/reject is much simpler and provides a faster way to have good notes on-line. Nuno
Re: [PHP-DOC] spam protection for user notes
Another option (in the short-term) is to simply required a valid email address (most of the spam seems to come from the default '[EMAIL PROTECTED]' or 'php-general@lists.php.net'). Haven't checked the code recently, but I'm pretty sure a blank name results in php-general@lists.php.net and a name with no domain (Bob) gets osu1 appended ([EMAIL PROTECTED]). S
RE: [PHP-DOC] spam protection for user notes
Sebastian-H. Picklum wrote: Hmm, you are completely right. But it's still not that accessible for our fellow programmers who are visually impaired. I have 4961 messages in my PHP-Notes box that I simply haven't had the motivation to check. Note weeding is a tedious and thankless task, so I'm all-for tools that will make this easier. I like the CSS CAPTCHA, but it seems relatively easy to break. Yeah, I got distracted by trying a similar inline SVG captcha, as it has a lot more opportunity for obfuscation, as can define fonts/glyphs etc. The CSS could be more difficult. Looking at add-note.php, something simple like adding a hidden form field with some random code, and ensuring it's the same value on submission would aleast prevent spammers directly POST'ing to it. Jared
Re: [PHP-DOC] spam protection for user notes
Ohhh. Since when do we have that? Seems that I missed the news... :-) Sebastian Am 21.02.2006 um 19:44 schrieb Sean Coates: Sebastian-H. Picklum wrote: Note weeding in the current form is really not that comfortable. An interface where you can see all newly submitted notes that have not been rejected or deleted (or verified) already would safe a lot of time. That way, every message gets reviewed. Like so? http://www.phpdoc.info/notes/manage.php (-: S
Re: [PHP-DOC] spam protection for user notes
Sebastian-H. Picklum wrote: Ohhh. Since when do we have that? Seems that I missed the news... :-) It's been around for quite a while. 1.5 years, I'd guess. I blogged about it a few months back. S
Re: [PHP-DOC] spam protection for user notes
Am 21.02.2006 um 19:57 schrieb Nuno Lopes: ... BTW, I don't agree with an 'accept' system. With that, almost zero notes will be approved each day, because no one will like to take the responsability to approve a note. Delete/reject is much simpler and provides a faster way to have good notes on-line. ... Well, after looking at http://www.phpdoc.info/notes/manage.php, I think now that approving notes is really not neccessary. The green color is imho sufficient to identify quickly the notes that need to be reviewed. :-) Sebastian
