Web form used by spammers
Paul H 2006-07-10, 7:19 pm
I am using the latest version of FormMail.pl on a standard web form. I am
getting dozens of emails a day that have been sent via my webform, probably
using a bot (so I am told).
How can I stop this?
Can I force visitors to use one of those randomly generated numbers that you
see on the login page of some websites to stop automated use of my web form?
Can this be done on a static HTML page?
Thanks
Paul

Sign Generator 2006-07-10, 7:19 pm
What you want is called a "CAPTCHA" dynamic image, search Google...
This will make a random image with which the spammer would have to prove he is
human. This does not stop all, some spammers are real people and will
verify...
----
http://www.WHAK.com edy!

Andy Mabbett 2006-07-10, 7:19 pm
In message <1152177083.824066.36090@m79g2000cwm.googlegroups.com>, Sign
Generator <homeless.panhandler@XXXXXXXXXX> writes
>What you want is called a "CAPTCHA" dynamic image, search Google...
>This will make a random image with which the spammer would have to prove he is
>human.
...and that they have good eyesight.
--
Andy Mabbett
Say "NO!" to compulsory ID Cards: <http://www.no2id.net/>
Free Our Data: <http://www.freeourdata.org.uk>

Brian Cryer 2006-07-10, 7:19 pm
"Andy Mabbett" <usenet200309@pigsonthewing.org.uk> wrote in message
news:O3AZUcbJHOrEFww6@pigsonthewing.org.uk...
> In message <1152177083.824066.36090@m79g2000cwm.googlegroups.com>, Sign
> Generator <homeless.panhandler@XXXXXXXXXX> writes
>
> ...and that they have good eyesight.
Andy, I'm sure you meant that in jest (at least that's how I took it the
first time I read your reply), but you have raised a very good point. This
implies that any site that uses a captcha image cannot call itself
accessible, so presumably it won't be used on any US/UK government websites
...?
--
Brian Cryer
www.cryer.co.uk/brian

David Dorward 2006-07-10, 7:19 pm
Brian Cryer wrote:
> Andy, I'm sure you meant that in jest (at least that's how I took it the
> first time I read your reply), but you have raised a very good point. This
> implies that any site that uses a captcha image cannot call itself
> accessible, so presumably it won't be used on any US/UK government websites
> ...?
Unless there was an accessible alternative... in theory. Sadly the
state of accessibility is pretty poor with a lot of sites slapping WCAG
logos everywhere while having large numbers of obvious level A flaws.
More on the accessibility of CAPTCHA: http://www.w3.org/TR/turingtest/

Brian Cryer 2006-07-10, 7:19 pm
"Karl Groves" <karl@NOSPAMkarlcore.com> wrote in message
news:Xns97F85A4A467E0karlkarlcorecom@216.196.97.136...
> "Paul H" <nospam@nospam.com> wrote in
> news:hZGdncqoWY7JWTHZnZ2dnUVZ8qOdnZ2d@eclipse.net.uk:
>
>
> Don't.
> http://www.google.com/search?q=form...l+vulnerability
The first page of results all looked quite old. They support the case for
not using formmail say 4 years ago, but what about now?
--
Brian Cryer
www.cryer.co.uk/brian

Auggie 2006-07-10, 7:19 pm
"Paul H" <nospam@nospam.com> wrote in message
news:hZGdncqoWY7JWTHZnZ2dnUVZ8qOdnZ2d@eclipse.net.uk...
> I am using the latest version of FormMail.pl on a standard web form. I am
> getting dozens of emails a day that have been sent via my webform, probably
> using a bot (so I am told).
>
> How can I stop this?
>
> Can I force visitors to use one of those randomly generated numbers that you
> see on the login page of some websites to stop automated use of my web form?
> Can this be done on a static HTML page?
I had a similar problem from both bots and real people using my forms to
spam me.
For the bots:
My forms use a postback flag to let the ASP page know it was a postback
to send the form. I used to use:
<input type='hidden' name='postb' value='y'>
I made that dynamic instead, where the NAME was the day of the week and the
VALUE was the month and year, so it might end up as:
<input type='hidden' name='Thursday' value='July2006'>
and my form handler would check on that name and value pair before sending
the email to me.
For the people:
For the real people sending spam through the form, those all came from
the Netherlands, Poland or Russia... so in that case I just set my form to
reject all emails posted from IP addresses from those countries.

Andy Mabbett 2006-07-10, 7:19 pm
In message <nvudnbq19532YjHZnZ2dnUVZ8qqdnZ2d@pipex.net>, Brian Cryer
<brian.cryer@127.0.0.1.ntlworld.com> writes
>"Andy Mabbett" <usenet200309@pigsonthewing.org.uk> wrote in message
>news:O3AZUcbJHOrEFww6@pigsonthewing.org.uk...
>
>Andy, I'm sure you meant that in jest (at least that's how I took it
>the first time I read your reply), but you have raised a very good
>point.
No, I wasn't joking and yes, I raised a good point.
>This implies that any site that uses a captcha image cannot call itself
>accessible, so presumably it won't be used on any US/UK government
>websites
>...?
Well, it would be nice to think that the government abided by its own
standards, but experience shows that's all too often not the case
:-(
--
Andy Mabbett
Say "NO!" to compulsory ID Cards: <http://www.no2id.net/>
Free Our Data: <http://www.freeourdata.org.uk>

David Dorward 2006-07-10, 7:19 pm
Brian Cryer wrote:
> The first page of results all looked quite old. They support the case for
> not using formmail say 4 years ago, but what about now?
Not to mention that there are several formmail.pls out there, including
Matt's FormMail (which is infamous for its security holes) and NMS
FormMail (which was written as a sane drop-in replacement for it).

Paul H wrote:
> I am using the latest version of FormMail.pl on a standard web form. I am
> getting dozens of emails a day that have been sent via my webform, probably
> using a bot (so I am told).
>
> How can I stop this?
>
> Can I force visitors to use one of those randomly generated numbers that you
> see on the login page of some websites to stop automated use of my web form?
> Can this be done on a static HTML page?
>
> Thanks
>
> Paul
>
>
I've been using a free form processor from www.tectite.com and haven't
had any problems as yet. Allowed email recipients or domains are
embedded in the PHP itself and not viewable without being on the server.
Users must submit fields chosen by you in order to send mail.
--
Wayne
http://www.glenmeadows.us
With or without religion, you would have good people doing good things
and evil people doing evil things. But for good people to do evil
things, that takes religion.
—Steven Weinberg

In article <hZGdncqoWY7JWTHZnZ2dnUVZ8qOdnZ2d@eclipse.net.uk>,
nospam@nospam.com says...
> I am using the latest version of FormMail.pl on a standard web form. I am
> getting dozens of emails a day that have been sent via my webform, probably
> using a bot (so I am told).
>
> How can I stop this?
>
> Can I force visitors to use one of those randomly generated numbers that you
> see on the login page of some websites to stop automated use of my web form?
> Can this be done on a static HTML page?
Some spammers and other miscreants scan IP ranges, looking for
certain filenames. Specifically, the default names for abusable
scripts.
Change the filename of the script to something else, that doesn't
suggest what it is.
--
Earn Money With Your Web Site
http://www.WebSponsorZone.Net
Web Site Advertising Directory

William Tasso 2006-07-10, 7:20 pm
Fleeing from the madness of the Aioe.org NNTP Server jungle
<usenet2006@THE-DOMAIN-IN.SIG> stumbled into news:alt.www.webmaster
and said:
> ...
> Some spammers and other miscreants scan IP ranges, looking for
> certain filenames. Specifically, the default names for abusable
> scripts.
>
> Change the filename of the script to something else, that doesn't
> suggest what it is.
Better still, fix it so it ain't abusable.
--
William Tasso
http://williamtasso.com/words/what-is-usenet.asp
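Putting the two preceding points into code: Wayne's note that the allowed recipients live inside the handler and that the owner decides which fields must be present, and William's "fix it so it ain't abusable". This is an added example written for this page; it is not FormMail.pl, NMS FormMail or the tectite script, and the addresses, field names and the form_id key are made up. It also refuses CR/LF in any submitted value that ends up in a mail header, which is my addition (the thread does not discuss header injection) but closes the other common way a form-to-mail script gets turned into a relay. Python is used only so the example runs stand-alone; the same three checks apply to a Perl or PHP handler.

```python
"""Form-to-mail handler that cannot be turned into an open relay.

Added example: my code, not FormMail.pl, NMS FormMail or tectite's script.
The recipient is picked from a server-side table by a short key, so nothing
in the submitted form can choose where mail goes; required fields are
checked before anything is built; and any value bound for a mail header is
refused if it contains CR or LF (that last check is my addition; the thread
does not discuss header injection). Addresses and field names are made up.
"""
from email.message import EmailMessage
from typing import Dict, Mapping, Tuple

# Lives in the handler, never in the HTML form.
ALLOWED_RECIPIENTS: Dict[str, str] = {
    "contact": "webmaster@example.com",   # hypothetical
    "sales": "sales@example.com",         # hypothetical
}
SENDER = "form-handler@example.com"       # fixed From: address (hypothetical)
REQUIRED_FIELDS = ("name", "email", "message")
HEADER_FIELDS = ("name", "email", "subject")   # values that reach headers


class FormRejected(ValueError):
    """Raised when a submission must not produce an email."""


def _header_safe(value: str) -> str:
    # A CR or LF inside a header value lets the sender append headers of
    # their own (extra To:/Bcc:), so refuse outright rather than sanitise.
    if "\r" in value or "\n" in value:
        raise FormRejected("newline in header field")
    return value.strip()


def build_mail(form: Mapping[str, str]) -> EmailMessage:
    """Turn a submitted form (field -> value) into an EmailMessage.

    A 'recipient' field, if the form carries one as FormMail-style forms
    did, is ignored: only 'form_id' selects the destination, and only via
    ALLOWED_RECIPIENTS.
    """
    to_addr = ALLOWED_RECIPIENTS.get(form.get("form_id", ""))
    if to_addr is None:
        raise FormRejected("unknown form id")

    missing = [f for f in REQUIRED_FIELDS if not form.get(f, "").strip()]
    if missing:
        raise FormRejected("missing required fields: " + ", ".join(missing))

    safe = {f: _header_safe(form.get(f, "")) for f in HEADER_FIELDS}

    msg = EmailMessage()
    msg["From"] = SENDER                  # we send as ourselves...
    msg["Reply-To"] = safe["email"]       # ...and let the owner reply to the visitor
    msg["To"] = to_addr
    msg["Subject"] = "[web form] " + (safe["subject"] or "no subject")
    msg.set_content(
        "Name: %s\nEmail: %s\n\n%s" % (safe["name"], safe["email"], form["message"])
    )
    return msg


def handle(form: Mapping[str, str]) -> Tuple[str, object]:
    """('sent', EmailMessage) or ('rejected', reason); never raises."""
    try:
        return "sent", build_mail(form)
    except FormRejected as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed submissions: one honest, one trying to pick the recipient
    # and smuggle a Bcc: header in through the subject line.
    honest = {"form_id": "contact", "name": "Paul", "email": "paul@example.org",
              "subject": "Question", "message": "Hello"}
    abusive = dict(honest, recipient="victim@example.net",
                   subject="Hi\nBcc: victim@example.net")
    for form in (honest, abusive):
        status, detail = handle(form)
        print(status, detail["To"] if status == "sent" else detail)
```

The point of the structure is that the submitted form has no field that the handler trusts for routing: a bot can post whatever `recipient` it likes and the mail still goes to the address keyed by `form_id`, and any attempt to add headers through a visible field is refused before a message object exists.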
thoughtcube@gmail.com 2006-07-10, 7:20 pm
Sign Generator wrote:
> What you want is called a "CAPTCHA" dynamic image, search Google...
> This will make a random image with which the spammer would have to prove he is
> human. This does not stop all, some spammers are real people and will
> verify...
>
> ----
> http://www.WHAK.com edy!
Yes, a CAPTCHA is a simple solution to this sort of problem. There are
free captchas and free captcha services available, see Wikipedia
(http://en.wikipedia.org/wiki/Captcha) for a list.
Regarding the 'you need good eyesight' argument made elsewhere in this
thread - and it is a justified argument - there are solutions for this.
Captchas are being devised that are not just visual but also auditory
(but then you'll need good hearing...). In another direction, some free
captcha services let you determine the difficulty level of your
captchas (e.g. http://www.humandoorway.com/), so you can tune them up
or down, depending on the percentage of failures, etc.

Charles Sweeney 2006-07-10, 7:20 pm
Paul H wrote
> I am using the latest version of FormMail.pl on a standard web form. I
> am getting dozens of emails a day that have been sent via my webform,
> probably using a bot (so I am told).
>
> How can I stop this?
>
> Can I force visitors to use one of those randomly generated numbers
> that you see on the login page of some websites to stop automated use
> of my web form? Can this be done on a static HTML page?
You can't "force" your visitors to do anything.
If you put a resource online that is made freely available to the world,
then you must expect to get hit with all sorts.
There's only so much you can do about controlling it before it becomes
counter-productive.
--
Charles Sweeney
http://CharlesSweeney.com

Charles Sweeney 2006-07-10, 7:20 pm
thoughtcube@gmail.com wrote
> Sign Generator wrote:
>
> Yes, a CAPTCHA is a simple solution to this sort of problem. There are
> free captchas and free captcha services available, see Wikipedia
> (http://en.wikipedia.org/wiki/Captcha) for a list.
There's only one CAPTCHA. It's a Trademark.
--
Charles Sweeney
http://CharlesSweeney.com

Charles Sweeney wrote:
> thoughtcube@gmail.com wrote
>
>
> There's only one CAPTCHA. It's a Trademark.
The latest Nucleus Captcha plugin also offers a mathematical version -
no need to read weird fonts in an obfuscating background - just a
little calculation does it.
No idea if that would not be called a 'CAPTCHA'?
--
Els http://locusmeus.com/
Now playing: INXS - Suicide Blonde

Toby Inkster 2006-07-10, 7:20 pm
Brian Cryer wrote:
> Karl Groves wrote:
>
>
> The first page of results all looked quite old. They support the case for
> not using formmail say 4 years ago, but what about now?
FormMail.pl[1] hasn't been updated in over four years, so four-year-old
vulnerabilities are still current vulnerabilities.
____
1. And by this I'm referring to just the original Matt's Script Archive
script, and not any of the many more recent clones, some of which may fare
better.
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Toby Inkster 2006-07-10, 7:20 pm
Auggie wrote:
> I made that dynamic instead, where the NAME was the day of the week and the
> VALUE was the month and year, so it might end up as:
> <input type='hidden' name='Thursday' value='July2006'>
> and my form handler would check on that name and value pair before sending
> the email to me.
And if I try to submit the form at 12:01am on Friday?
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Mark Goodge 2006-07-10, 7:20 pm
On 8 Jul 2006 10:32:17 GMT, Charles Sweeney put finger to keyboard and
typed:
> thoughtcube@gmail.com wrote
>
>
>There's only one CAPTCHA. It's a Trademark.
Not in the UK it isn't. At least, there's no record of it in the
Patent Office Trademark Database.
Mark
--
Please give me one! http://www.pleasegivemeone.com

Jerry Stuckle 2006-07-10, 7:20 pm
Mark Goodge wrote:
> On 8 Jul 2006 10:32:17 GMT, Charles Sweeney put finger to keyboard and
> typed:
>
>
>
>
> Not in the UK it isn't. At least, there's no record of it in the
> Patent Office Trademark Database.
>
> Mark
It is here in the U.S.
http://tess2.uspto.gov/bin/showfiel...state=g1g7o.2.1
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Jerry Stuckle 2006-07-10, 7:20 pm
Toby Inkster wrote:
> Auggie wrote:
>
>
>
>
> And if I try to submit the form at 12:01am on Friday?
>
A better way is to create a random string of characters. Store the
string both in a hidden field in the form and in the session. Compare
them when you go to send the email, then erase the one in the session.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Charles Sweeney 2006-07-10, 7:20 pm
Mark Goodge wrote
> On 8 Jul 2006 10:32:17 GMT, Charles Sweeney put finger to keyboard and
> typed:
>
> Not in the UK it isn't. At least, there's no record of it in the
> Patent Office Trademark Database.
I could be pedantic here. In the UK it's not a "Trademark", it's a "Trade
Mark", Mark!
--
Charles Sweeney
http://CharlesSweeney.com

Charles Sweeney 2006-07-10, 7:20 pm
Jerry Stuckle wrote
> A better way is to create a random string of characters. Store the
> string both in a hidden field in the form and in the session.
> Compare them when you go to send the email, then erase the one in the
> session.
I tried this recently after a suggestion from Justin about passing a token.
Doesn't work against bots. They pick up the hidden field and POST it
together with the session ID (in PHP as I tested it) so get through.
I noticed that the session ID was automatically sent with POST requests if
cookies were disabled (which would be the case with a bot/script). I was
familiar with this in GET requests, but didn't realise it also happened
with POST requests.
I imagine you could configure (PHP in this case) to not pass the ID at all,
but that would block humans who had cookies disabled, which for me is not
an option.
--
Charles Sweeney
http://CharlesSweeney.com

Jerry Stuckle 2006-07-10, 7:20 pm
Charles Sweeney wrote:
> Jerry Stuckle wrote
>
>
>
>
> I tried this recently after a suggestion from Justin about passing a token.
> Doesn't work against bots. They pick up the hidden field and POST it
> together with the session ID (in PHP as I tested it) so get through.
>
> I noticed that the session ID was automatically sent with POST requests if
> cookies were disabled (which would be the case with a bot/script). I was
> familiar with this in GET requests, but didn't realise it also happened
> with POST requests.
>
> I imagine you could configure (PHP in this case) to not pass the ID at all,
> but that would block humans who had cookies disabled, which for me is not
> an option.
>
Charles,
Yes, the session id is passed to the browser - that's how PHP keeps
track of which session is attached to which user.
But I'm talking about putting a different string in the hidden field and
in the session. No, it won't keep bots from fetching the page and
resubmitting it. But it will keep the bots from fetching the page once
(or not at all) and submitting it multiple times, which is what most
bots do.
But you have to ensure you get a unique token when your page is first
displayed, and ensure you clear it before you send the email.
No, it won't stop all bots. You need to use various CAPTCHA
implementations or similar for that. But it has the advantage of not
requiring user input and stops a lot of bots.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
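The hidden-field token discussed from Auggie's post onward (the per-render value, Toby's 12:01am Friday objection, Jerry's random string that is stored in the session and erased on use, and Charles's finding that a bot which fetches the page first simply posts the value back), worked through as one runnable example. This is added code written for this page, not anything a poster wrote and not PHP session handling; the in-memory dict stands in for the session, and the two-hour lifetime, the field name ftok and the timestamps are assumptions. The lifetime is measured from the moment the form was rendered rather than tied to a calendar day, which is what makes the midnight case a non-issue, and the token is removed the instant it is looked up, which is what makes a replayed submission fail. As Jerry says, it does not stop a bot that refetches the form before every post; the last case in demo() shows exactly that.

```python
"""Single-use form tokens, as an added example (not code from the thread).

One token is minted per page render, stored server-side with its issue
time, and deleted the moment a submission spends it. That gives:
  * freshness: a token older than TOKEN_TTL is refused. Because the window
    is a duration from issue rather than a calendar day, a form rendered
    Thursday evening and posted at 00:01 Friday is still accepted;
  * single use: the same hidden value cannot be replayed, which is what
    stops a bot that fetched the page once and posts it repeatedly;
  * a bot that refetches the page before every post still gets through.
    This is not a CAPTCHA and does not claim to be.

Storage is an in-memory dict standing in for the PHP session or a database
table (assumption). TOKEN_TTL and TOKEN_FIELD are assumptions too.
"""
import secrets
from typing import Dict, Tuple

TOKEN_TTL = 2 * 60 * 60   # seconds a rendered form stays valid (assumption)
TOKEN_FIELD = "ftok"      # hidden field name (hypothetical)


class TokenStore:
    """Server-side record of outstanding tokens: token -> issue time."""

    def __init__(self) -> None:
        self._issued: Dict[str, float] = {}

    def render_hidden_field(self, now: float) -> str:
        """Mint a fresh token and return the <input> to embed in the form."""
        token = secrets.token_urlsafe(24)   # 192 random bits: not guessable
        self._issued[token] = now
        return '<input type="hidden" name="%s" value="%s">' % (TOKEN_FIELD, token)

    def spend(self, form: Dict[str, str], now: float) -> Tuple[bool, str]:
        """Validate and consume the token in a submission.

        Returns (accepted, reason). The token is popped on every path that
        found it, so even one rejected for age cannot be tried again.
        """
        token = form.get(TOKEN_FIELD)
        if not token:
            return False, "no token"
        issued = self._issued.pop(token, None)    # pop = single use
        if issued is None:
            return False, "unknown or already used token"
        if now - issued > TOKEN_TTL:
            return False, "token expired"
        return True, "ok"

    def purge(self, now: float) -> int:
        """Drop expired tokens so abandoned renders don't pile up."""
        stale = [t for t, at in self._issued.items() if now - at > TOKEN_TTL]
        for t in stale:
            del self._issued[t]
        return len(stale)


def token_from_html(html: str) -> str:
    """Pull the value back out of the rendered hidden field, i.e. what a
    browser, or a bot that fetched the page, would send back."""
    marker = 'name="%s" value="' % TOKEN_FIELD
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the cases discussed in the thread and return each outcome."""
    store = TokenStore()
    thursday_2359 = 1152230340.0          # 2006-07-06 23:59 UTC (constructed)
    friday_0001 = thursday_2359 + 120     # two minutes later, past midnight

    html = store.render_hidden_field(thursday_2359)
    post = {TOKEN_FIELD: token_from_html(html), "message": "hello"}
    results = {}
    results["midnight"] = store.spend(post, friday_0001)        # accepted
    results["replay"] = store.spend(post, friday_0001 + 1)      # same value again
    results["guessed"] = store.spend({TOKEN_FIELD: "abc"}, friday_0001)
    results["none"] = store.spend({"message": "x"}, friday_0001)
    old = store.render_hidden_field(thursday_2359)
    results["stale"] = store.spend({TOKEN_FIELD: token_from_html(old)},
                                   thursday_2359 + TOKEN_TTL + 1)
    # A bot that refetches the form before each post is NOT stopped:
    fresh = store.render_hidden_field(friday_0001)
    results["refetch"] = store.spend({TOKEN_FIELD: token_from_html(fresh)},
                                     friday_0001)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-9s %s" % (case, outcome))
```

Two details matter in practice: the token must come from a cryptographic source (here secrets, not a day-of-week name that anyone can predict), and it must be removed before the email is sent, not after, so that a second submission racing the first cannot be accepted while the mail is still going out.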
Toby Inkster 2006-07-10, 7:20 pm
Mark Goodge wrote:
> Not in the UK it isn't. At least, there's no record of it in the
> Patent Office Trademark Database.
That just means it's not a *registered* trademark. Doesn't mean it's not a
trademark. ® versus ™. That said, "CAPTCHA", registered or not, seems
to be undergoing genericide.
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Charles Sweeney wrote:
> Jerry Stuckle wrote
>
>
> The problem here is diminishing returns. I find many CAPTCHA-type
> images difficult to read, and it wouldn't be the first time I got one
> wrong.
>
> I suppose it's a question of balance, how far you are prepared to go
> to stop bots, against making things awkward for users.
>
> --
> Charles Sweeney
> http://CharlesSweeney.com
I use a javascript link or button event to reload the security image if it
can't be read. One of those things that should be required if you're using
CAPTCHA. Simple to do and saves a lot of aggravation.
--
dp
Copyright 2003 - 2008 forum4designers.com