
best option for securing forms


12 replies to this topic

#1 jcombs_31

jcombs_31
  • Staff Alumni
  • Advanced Member
  • 2,066 posts
  • LocationFL

Posted 28 January 2006 - 03:33 PM

I don't want to have a user input from an image file to send a simple email or sign a guestbook, but I have a couple sites that are getting hammered by spam through these two forms. I don't think a timestamp will stop it, and the IP range is always different, so what's the best way to block it without creating images with text?

#2 AndyB

AndyB
  • Staff Alumni
  • Advanced Member
  • 5,465 posts
  • LocationToronto

Posted 28 January 2006 - 03:40 PM

Depends on the set up ... maybe setting a session variable to ensure that the form is being accessed from your site.
Legend has it that reading the manual never killed anyone.

#3 ShaunW

ShaunW
  • New Members
  • Newbie
  • 1 posts

Posted 29 January 2006 - 04:36 AM

QUOTE (jcombs_31 @ Jan 28 2006, 10:33 AM):
> I don't want to have a user input from an image file to send a simple email or sign a guestbook, but I have a couple sites that are getting hammered by spam through these two forms. I don't think a timestamp will stop it, and the IP range is always different, so what's the best way to block it without creating images with text?

Are you using forms that contain an email address? If so, then you are going to need a rewrite. Checking that the form is being run from your server is no good because hackers are skilled at hacking round these checks. Any form that contains the email address to send the email to is an open invitation to spammers.





#4 jcombs_31

jcombs_31
  • Staff Alumni
  • Advanced Member
  • 2,066 posts
  • LocationFL

Posted 30 January 2006 - 12:53 PM

QUOTE (ShaunW @ Jan 28 2006, 11:36 PM):
> Are you using forms that contain an email address? If so, then you are going to need a rewrite. Checking that the form is being run from your server is no good because hackers are skilled at hacking round these checks. Any form that contains the email address to send the email to is an open invitation to spammers.

This answer didn't exactly help in any way other than telling me to protect my forms, which is what my topic was about.

#5 daiwa

daiwa
  • Members
  • Member
  • 21 posts

Posted 30 January 2006 - 02:19 PM

QUOTE (jcombs_31 @ Jan 30 2006, 07:53 AM):
> This answer didn't exactly help in any way other than telling me to protect my forms, which is what my topic was about.

Make them confirm what they are sending out. Then you can add constraints like form tokens and time validations and the like, i.e. if they confirm too quickly, etc.
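The two ideas raised so far, a session value proving the form page was served by this site (AndyB's suggestion) and a token plus a "too fast" check (daiwa's), fit together in one handler. The following is an added example, not code from either poster; the function names, the 5-second minimum and the 30-minute expiry are my own choices, and it assumes PHP 7.1 or later for `random_bytes`, `hash_equals` and the nullable return type:

```php
<?php
// Added example (not from the thread): a session-bound form token with an
// issue time. A submission must carry a token this session handed out and
// must arrive neither too fast nor too late. All names below are my own.
declare(strict_types=1);

const TOKEN_MIN_AGE = 5;     // seconds: faster than this is not a human typing a message
const TOKEN_MAX_AGE = 1800;  // seconds: after this the token is stale

// Call when rendering the form; returns the value for a hidden input.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $session['form_token'] = $token;
    $session['form_token_issued'] = time();
    return $token;
}

// Call when handling the POST. Returns null on success, or a reason string.
// The stored token is consumed either way, so a replayed submission fails.
function check_form_token(array &$session, array $post, int $now): ?string
{
    $expected = $session['form_token'] ?? null;
    $issued   = $session['form_token_issued'] ?? null;
    unset($session['form_token'], $session['form_token_issued']);

    if ($expected === null || $issued === null) {
        return 'no token issued for this session';
    }
    $given = $post['form_token'] ?? '';
    if (!is_string($given) || !hash_equals($expected, $given)) {
        return 'token missing or does not match';   // bot posted straight to the handler
    }
    $age = $now - $issued;
    if ($age < TOKEN_MIN_AGE) {
        return "submitted after {$age}s; too fast";
    }
    if ($age > TOKEN_MAX_AGE) {
        return 'token expired; reload the form';
    }
    return null;
}

// Usage: the form page and its handler on the same script (PHP_SELF).
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $problem = check_form_token($_SESSION, $_POST, time());
    if ($problem !== null) {
        http_response_code(400);
        exit('Submission rejected: ' . htmlspecialchars($problem));
    }
    // ... validate the fields and send the mail / write the guestbook entry here ...
    exit('Thanks!');
}
$token = issue_form_token($_SESSION);
?>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token) ?>">
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>
```

This stops a bot that posts directly to the handler without first loading the form, and one that loads the form and submits in the same instant. A bot that keeps cookies, fetches the form and waits a few seconds still passes, so this raises the cost of spamming rather than eliminating it; the user sees nothing extra, which was the requirement in the thread.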

#6 jcombs_31

jcombs_31
  • Staff Alumni
  • Advanced Member
  • 2,066 posts
  • LocationFL

Posted 25 February 2006 - 04:15 PM

I don't want a user to have to confirm adding a simple guestbook or feedback entry. I never see any email forms on sites that require any extra user interaction. I can see maybe for a site that you are purchasing something that you validate with an image. I'm looking for a solution that is not obtrusive to the user who is actually using the form.

I'm not sure what type of session variable actually could check if this is a real user on my site. I really don't know how these spam bots work. Do they actually open up a browser?

#7 AndyB

AndyB
  • Staff Alumni
  • Advanced Member
  • 5,465 posts
  • LocationToronto

Posted 25 February 2006 - 04:29 PM

Just a quick question. Are we talking about a form with action='self' or is the form processing handled by a separate script?

#8 jcombs_31

jcombs_31
  • Staff Alumni
  • Advanced Member
  • 2,066 posts
  • LocationFL

Posted 25 February 2006 - 07:35 PM

QUOTE (AndyB @ Feb 25 2006, 11:29 AM):
> Just a quick question. Are we talking about a form with action='self' or is the form processing handled by a separate script?

script on the same page, so the form would be submitting to PHP_SELF

#9 AndyB

AndyB
  • Staff Alumni
  • Advanced Member
  • 5,465 posts
  • LocationToronto

Posted 25 February 2006 - 08:05 PM

Maybe something like this would work:
<?php
session_start();
$now = time();
$delta_t = 60; // seconds delay required between uses
// 0 when this session has never used the form, so the first use is allowed
$previous = isset($_SESSION['time_sent']) ? $_SESSION['time_sent'] : 0;
if (($now - $previous) >= $delta_t) {
    // your form code here
    $_SESSION['time_sent'] = $now; // record the use only when it went through
} else {
    // be patient!!
}
?>


#10 jcombs_31

jcombs_31
  • Staff Alumni
  • Advanced Member
  • 2,066 posts
  • LocationFL

Posted 25 February 2006 - 10:19 PM

QUOTE (AndyB @ Feb 25 2006, 03:05 PM):
> Maybe something like this would work:
> <?php
> session_start();
> $now = time();
> $delta_t = 60; // seconds delay required between uses
> // 0 when this session has never used the form, so the first use is allowed
> $previous = isset($_SESSION['time_sent']) ? $_SESSION['time_sent'] : 0;
> if (($now - $previous) >= $delta_t) {
>     // your form code here
>     $_SESSION['time_sent'] = $now; // record the use only when it went through
> } else {
>     // be patient!!
> }
> ?>

yea, but that only helps with a time interval. If they only submit one per day, or one every 10 minutes, it wouldn't prevent anything. I'm sure this has to be a very common problem people solve.

#11 AndyB

AndyB
  • Staff Alumni
  • Advanced Member
  • 5,465 posts
  • LocationToronto

Posted 25 February 2006 - 11:15 PM

I've had my share of episodes of a zillion emails showing up, and the only thing I've found that actually worked - because the morons who spam have all sorts of sleazy tricks - was making it a manual process to use a form, i.e. a captcha. It also stopped 100% of those "Wow I really liked your site. Visit mine at www.bodypartsenhancementwillsaveyourlovelife.com"

At the moment I have one client site where the webhost, the client, and I have agreed to simply shut off the email server for a week in the hope that it'll make the spammers find another target. Getting a 1000 bounced emails from AOL addresses in a day is tough to take!

If it will lessen the pain, you're welcome to use my captcha script package (http://www.digitalmidget.com/php_noob/captcha.php).
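What makes a captcha hold up on the server side is independent of how the image is drawn: the answer must never leave the server, each challenge must be usable once, and the comparison should not leak timing. The following is an added example and is not AndyB's captcha package; the function names, alphabet, length and 10-minute lifetime are my own, and it assumes PHP 7.1+ with the GD extension for the PNG rendering:

```php
<?php
// Added example (not the package linked in the thread): the session side of a
// captcha. The answer lives only in the session, the check is one-shot and
// constant-time, and the image endpoint shares the script. Names are my own.
declare(strict_types=1);

const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I confusion
const CAPTCHA_LENGTH   = 6;
const CAPTCHA_TTL      = 600; // seconds a challenge stays valid

function new_captcha(array &$session, int $now): string
{
    $code = '';
    for ($i = 0; $i < CAPTCHA_LENGTH; $i++) {
        $code .= CAPTCHA_ALPHABET[random_int(0, strlen(CAPTCHA_ALPHABET) - 1)];
    }
    $session['captcha_code']   = $code;
    $session['captcha_issued'] = $now;
    return $code;
}

// One-shot check: the stored answer is cleared before comparing, so a wrong
// or replayed guess forces a fresh image rather than allowing retries.
function check_captcha(array &$session, string $answer, int $now): bool
{
    $code   = $session['captcha_code'] ?? null;
    $issued = $session['captcha_issued'] ?? 0;
    unset($session['captcha_code'], $session['captcha_issued']);
    if ($code === null || $now - $issued > CAPTCHA_TTL) {
        return false;
    }
    return hash_equals($code, strtoupper(trim($answer)));
}

// Draw the challenge as a PNG with GD's built-in font plus some noise lines.
function render_captcha_png(string $code): string
{
    $w = 40 * strlen($code);
    $h = 60;
    $img = imagecreatetruecolor($w, $h);
    $bg  = imagecolorallocate($img, 255, 255, 255);
    imagefilledrectangle($img, 0, 0, $w, $h, $bg);
    for ($i = 0; $i < 30; $i++) {                 // light noise lines
        $c = imagecolorallocate($img, random_int(150, 220), random_int(150, 220), random_int(150, 220));
        imageline($img, random_int(0, $w), random_int(0, $h), random_int(0, $w), random_int(0, $h), $c);
    }
    for ($i = 0; $i < strlen($code); $i++) {      // each glyph jittered separately
        $c = imagecolorallocate($img, random_int(0, 90), random_int(0, 90), random_int(0, 90));
        imagechar($img, 5, 8 + 40 * $i + random_int(-4, 4), random_int(15, 35), $code[$i], $c);
    }
    ob_start();
    imagepng($img);
    imagedestroy($img);
    return (string) ob_get_clean();
}

// Usage on one script: ?img=1 serves the picture, GET shows the form, POST checks it.
session_start();
if (isset($_GET['img'])) {
    if (!isset($_SESSION['captcha_code'])) { http_response_code(404); exit; }
    header('Content-Type: image/png');
    header('Cache-Control: no-store');
    exit(render_captcha_png($_SESSION['captcha_code']));
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_captcha($_SESSION, (string) ($_POST['captcha'] ?? ''), time())) {
        http_response_code(400);
        exit('Wrong or expired captcha; please try again.');
    }
    // ... send the mail / write the guestbook entry here ...
    exit('Thanks!');
}
new_captcha($_SESSION, time());
?>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
  <img src="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>?img=1" alt="captcha">
  <input name="captcha" autocomplete="off">
  <button type="submit">Send</button>
</form>
```

The rendering here is deliberately plain and would not resist OCR for long; the part worth copying is the session handling: answer stored server-side only, consumed on first check, expired after a fixed time, compared with `hash_equals`.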

#12 jcombs_31

jcombs_31
  • Staff Alumni
  • Advanced Member
  • 2,066 posts
  • LocationFL

Posted 26 February 2006 - 01:21 AM

QUOTE (AndyB @ Feb 25 2006, 06:15 PM):
> I've had my share of episodes of a zillion emails showing up, and the only thing I've found that actually worked - because the morons who spam have all sorts of sleazy tricks - was making it a manual process to use a form, i.e. a captcha. It also stopped 100% of those "Wow I really liked your site. Visit mine at www.bodypartsenhancementwillsaveyourlovelife.com"
>
> At the moment I have one client site where the webhost, the client, and I have agreed to simply shut off the email server for a week in the hope that it'll make the spammers find another target. Getting a 1000 bounced emails from AOL addresses in a day is tough to take!
>
> If it will lessen the pain, you're welcome to use my captcha script package (http://www.digitalmidget.com/php_noob/captcha.php).

I guess it's the way I have to go, just didn't think it would have to go that far. I read a great article from sitepoint on setting up the class, just was looking for another solution.

#13 steviewdr

steviewdr
  • Moderators
  • Advanced Member
  • 1,364 posts
  • LocationIreland

Posted 06 May 2006 - 03:52 PM

I know this is an old topic but here's my tuppence:

To prevent spam from contact forms etc. I limit the number of posts/ messages/ contacts per IP in an hour/day.
The captcha way is foolproof however.

-steve
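A per-IP limit of the kind steviewdr describes needs a counter that survives across requests and across PHP worker processes, which a session cannot provide. The following is an added example, not steviewdr's code; it keeps the counter in SQLite through PDO, and the table name, window and limit are my own choices. It assumes PHP 7.1+ with the pdo_sqlite driver:

```php
<?php
// Added example (not steviewdr's code): count submissions per client IP in a
// sliding one-hour window and refuse once a limit is hit. SQLite via PDO
// keeps the count shared between requests and workers. Names are my own.
declare(strict_types=1);

const WINDOW_SECONDS = 3600;  // one hour
const MAX_PER_WINDOW = 5;     // submissions allowed per IP per window

function open_counter_db(string $path): PDO
{
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS submissions (
                   ip TEXT    NOT NULL,
                   ts INTEGER NOT NULL)');
    $db->exec('CREATE INDEX IF NOT EXISTS submissions_ip_ts ON submissions (ip, ts)');
    return $db;
}

// Returns true if this IP may submit now, and records the attempt if so.
// Refused attempts are not recorded, so a blocked client cannot keep
// extending its own block. BEGIN IMMEDIATE takes the write lock up front so
// two concurrent requests cannot both read "4" and both insert a fifth.
function allow_submission(PDO $db, string $ip, int $now): bool
{
    $cutoff = $now - WINDOW_SECONDS;
    $db->exec('BEGIN IMMEDIATE');
    try {
        $db->prepare('DELETE FROM submissions WHERE ts < :cutoff')
           ->execute([':cutoff' => $cutoff]);

        $stmt = $db->prepare('SELECT COUNT(*) FROM submissions WHERE ip = :ip AND ts >= :cutoff');
        $stmt->execute([':ip' => $ip, ':cutoff' => $cutoff]);
        $count = (int) $stmt->fetchColumn();

        $allowed = $count < MAX_PER_WINDOW;
        if ($allowed) {
            $db->prepare('INSERT INTO submissions (ip, ts) VALUES (:ip, :ts)')
               ->execute([':ip' => $ip, ':ts' => $now]);
        }
        $db->exec('COMMIT');
        return $allowed;
    } catch (Throwable $e) {
        $db->exec('ROLLBACK');
        throw $e;
    }
}

// Usage in the form handler. REMOTE_ADDR is the TCP peer the web server saw.
// Do not read X-Forwarded-For here unless your own reverse proxy sets it,
// because a client can put anything it likes in that header.
$db = open_counter_db(__DIR__ . '/ratelimit.sqlite');   // path is an assumption
$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (!allow_submission($db, $ip, time())) {
    http_response_code(429);
    exit('Too many submissions from your address; try again later.');
}
// ... process the form ...
```

Keep the database file outside the web root so it cannot be fetched. As jcombs_31 noted earlier in the thread, the sending IP range kept changing, and a per-IP limit does nothing against a sender that rotates addresses; it is a cheap first filter that sits well in front of a captcha rather than a replacement for one.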
