Archived

This topic is now archived and is closed to further replies.

jcombs_31

best option for securing forms

Recommended Posts

I don't want to have a user input from an image file to send a simple email or sign a guestbook, but I have a couple sites that are getting hammered by spam through these two forms. I don't think a timestamp will stop it, and the IP range is always different, so what's the best way to block it without creating images with text?

Depends on the set up ... maybe setting a session variable to ensure that the form is being accessed from your site.

> QUOTE(jcombs_31 @ Jan 28 2006, 10:33 AM):
> I don't want to have a user input from an image file to send a simple email or sign a guestbook, but I have a couple sites that are getting hammered by spam through these two forms. I don't think a timestamp will stop it, and the IP range is always different, so what's the best way to block it without creating images with text?

Are you using forms that contain an email address? If so, then you are going to need a rewrite. Checking that the form is being run from your server is no good because hackers are skilled at hacking round these checks. Any form that contains an email address to send the email to is an open invitation to spammers.

> QUOTE(ShaunW @ Jan 28 2006, 11:36 PM):
> Are you using forms that contain an email address? If so, then you are going to need a rewrite. Checking that the form is being run from your server is no good because hackers are skilled at hacking round these checks. Any form that contains an email address to send the email to is an open invitation to spammers.

This answer didn't exactly help in any way other than telling me to protect my forms, which is what my topic was about.

> QUOTE(jcombs_31 @ Jan 30 2006, 07:53 AM):
> This answer didn't exactly help in any way other than telling me to protect my forms, which is what my topic was about.


Make them confirm what they are sending out. Then you can add constraints like form tokens and time validations and the like, i.e. if they confirm too quickly, etc.

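As an added example (not code from ShaunW, from the poster above, or from anyone else in this thread), here is how the "session variable to ensure the form is being accessed from your site" idea and the "confirmed too quickly" check combine into one PHP_SELF-style handler. It assumes PHP 7.1 or later; the function names issue_form_token and check_form_token and the two time limits are my own choices.

```php
<?php
// Added example, not from this thread: a session-bound form token plus a
// minimum fill time. Assumes PHP 7.1+ and that the form and its handler are
// the same script (PHP_SELF style), as the original poster described.
session_start();

const MIN_FILL_SECONDS  = 5;    // a human needs at least this long to fill the form
const TOKEN_TTL_SECONDS = 1800; // tokens older than 30 minutes are refused

// Called when rendering the form: mints a fresh token and records when it was issued.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_time'] = time();
    return $token;
}

// Called on POST: returns null if the submission is acceptable, otherwise a reason.
function check_form_token(array $post): ?string
{
    if (empty($_SESSION['form_token']) || empty($_SESSION['form_token_time'])) {
        // No session token at all: the form was never loaded from this site.
        return 'no token in session';
    }
    $submitted = (string) ($post['form_token'] ?? '');
    // hash_equals compares in constant time so the token does not leak via timing.
    if (!hash_equals($_SESSION['form_token'], $submitted)) {
        return 'token mismatch';
    }
    $age = time() - (int) $_SESSION['form_token_time'];
    if ($age < MIN_FILL_SECONDS) {
        return 'submitted too quickly';
    }
    if ($age > TOKEN_TTL_SECONDS) {
        return 'token expired';
    }
    // One-time use: a replayed token must fail the next time round.
    unset($_SESSION['form_token'], $_SESSION['form_token_time']);
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $problem = check_form_token($_POST);
    if ($problem !== null) {
        // Log the reason server-side; the visitor only gets a generic message.
        error_log('guestbook rejected: ' . $problem . ' from ' . $_SERVER['REMOTE_ADDR']);
        http_response_code(400);
        echo 'Sorry, that submission was not accepted. Please reload the form and try again.';
    } else {
        // Your guestbook / mail code goes here, using $_POST['message'] etc.
        echo 'Thanks, your entry was received.';
    }
}

// Always render the form with a fresh token (also after a rejected attempt).
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
$self  = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="<?= $self ?>">
  <input type="hidden" name="form_token" value="<?= $token ?>">
  <textarea name="message"></textarea>
  <button type="submit">Sign guestbook</button>
</form>
```

The token mainly stops blind POSTs from scripts that never loaded the page (and it doubles as a CSRF token); a bot that fetches the form first and keeps the session cookie will pass it, which is why the "too quickly" check, and on top of that a per-IP limit or a CAPTCHA as discussed later in the thread, are still worth having.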
I don't want a user to have to confirm adding a simple guestbook or feedback entry. I never see any email forms on sites that require any extra user interaction. I can see maybe for a site that you are purchasing something that you validate with an image. I'm looking for a solution that is not obtrusive to the user who is actually using the form.

I'm not sure what type of session variable actually could check if this is a real user on my site. I really don't know how these spam bots work. Do they actually open up a browser?

Just a quick question. Are we talking about a form with action='self' or is the form processing handled by a separate script?

> QUOTE(AndyB @ Feb 25 2006, 11:29 AM):
> Just a quick question. Are we talking about a form with action='self' or is the form processing handled by a separate script?

Script on the same page, so the form would be submitting to PHP_SELF.

Maybe something like this would work:
[code]<?php
session_start();
$now = time();
$delta_t = 60; // seconds delay required between uses
// Reject only if a previous submission in this session was less than $delta_t ago;
// a first-time visitor (no time_sent yet) goes straight to the form code.
if (isset($_SESSION['time_sent']) && ($now - $_SESSION['time_sent']) < $delta_t) {
    // be patient!!
} else {
    // your form code here
    $_SESSION['time_sent'] = $now; // remember when this submission was accepted
}
?>[/code]

> QUOTE(AndyB @ Feb 25 2006, 03:05 PM):
> Maybe something like this would work:
> [code]<?php
> session_start();
> $now = time();
> $delta_t = 60; // seconds delay required between uses
> // Reject only if a previous submission in this session was less than $delta_t ago;
> // a first-time visitor (no time_sent yet) goes straight to the form code.
> if (isset($_SESSION['time_sent']) && ($now - $_SESSION['time_sent']) < $delta_t) {
>     // be patient!!
> } else {
>     // your form code here
>     $_SESSION['time_sent'] = $now; // remember when this submission was accepted
> }
> ?>[/code]

Yeah, but that only helps with a time interval. If they only submit one per day, or one every 10 minutes, it wouldn't prevent anything. I'm sure this has to be a very common problem people solve.

I've had my share of episodes of a zillion emails showing up, and the only thing I've found that actually worked - because the morons who spam have all sorts of sleazy tricks - was making it a manual process to use a form, i.e. a captcha. It also stopped 100% of those "Wow I really liked your site. Visit mine at www.bodypartsenhancementwillsaveyourlovelife.com"

At the moment I have one client site where the webhost, the client, and I have agreed to simply shut off the email server for a week in the hope that it'll make the spammers find another target. Getting a 1000 bounced emails from AOL addresses in a day is tough to take!

If it will lessen the pain, you're welcome to use my captcha script package (http://www.digitalmidget.com/php_noob/captcha.php).

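To show what "making it a manual process" involves end to end, here is an added example of a minimal image CAPTCHA and its server-side check. It is my own code, not AndyB's captcha script package and not from anyone in this thread; it assumes PHP 7 or later with the gd extension, and the function names captcha_image and captcha_check, the challenge length and the time limit are my choices.

```php
<?php
// Added example, not from this thread: generate a CAPTCHA image with GD, keep
// the expected answer server-side in the session, and verify it on submit.
// Assumes PHP 7+ with the gd extension; serves the image from the same script.
session_start();

const CAPTCHA_LEN = 5;
const CAPTCHA_TTL = 600; // seconds a challenge stays valid

// Generates a challenge, stores its hash in the session, and returns PNG bytes.
function captcha_image(): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I look-alikes
    $code = '';
    for ($i = 0; $i < CAPTCHA_LEN; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    // Store a hash rather than the answer itself, plus the issue time.
    $_SESSION['captcha_hash'] = password_hash($code, PASSWORD_DEFAULT);
    $_SESSION['captcha_time'] = time();

    $w = 120;
    $h = 40;
    $img   = imagecreatetruecolor($w, $h);
    $bg    = imagecolorallocate($img, 245, 245, 245);
    $fg    = imagecolorallocate($img, 30, 30, 30);
    $noise = imagecolorallocate($img, 170, 170, 170);
    imagefill($img, 0, 0, $bg);
    for ($i = 0; $i < 6; $i++) { // a few stray lines across the text
        imageline($img, random_int(0, $w), random_int(0, $h), random_int(0, $w), random_int(0, $h), $noise);
    }
    for ($i = 0; $i < CAPTCHA_LEN; $i++) { // jitter each character vertically
        imagestring($img, 5, 12 + $i * 20, random_int(8, 18), $code[$i], $fg);
    }
    ob_start();
    imagepng($img);
    imagedestroy($img);
    return ob_get_clean();
}

// True only if the answer matches the outstanding challenge. The challenge is
// consumed either way, so each image allows exactly one guess.
function captcha_check(string $answer): bool
{
    $hash   = $_SESSION['captcha_hash'] ?? null;
    $issued = (int) ($_SESSION['captcha_time'] ?? 0);
    unset($_SESSION['captcha_hash'], $_SESSION['captcha_time']);
    if ($hash === null || time() - $issued > CAPTCHA_TTL) {
        return false;
    }
    return password_verify(strtoupper(trim($answer)), $hash);
}

// ?img=1 serves the picture; anything else is the form and its handler.
if (isset($_GET['img'])) {
    header('Content-Type: image/png');
    header('Cache-Control: no-store');
    echo captcha_image();
    exit;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!captcha_check($_POST['captcha'] ?? '')) {
        http_response_code(400);
        exit('The characters did not match; please go back and try again.');
    }
    // guestbook / mail handling continues here
    echo 'Thanks, your entry was received.';
}
?>
<form method="post">
  <img src="?img=1" alt="CAPTCHA"> <input name="captcha" autocomplete="off">
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>
```

Two caveats from a defender's point of view: the built-in GD font with light noise is enough for the script-driven spam this thread describes but not for anything doing OCR, so a production CAPTCHA wants a TTF font with distortion or an established package; and the one-guess-per-image rule above is what prevents a bot from hammering the same challenge with guesses.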
> QUOTE(AndyB @ Feb 25 2006, 06:15 PM):
> I've had my share of episodes of a zillion emails showing up, and the only thing I've found that actually worked - because the morons who spam have all sorts of sleazy tricks - was making it a manual process to use a form, i.e. a captcha. It also stopped 100% of those "Wow I really liked your site. Visit mine at www.bodypartsenhancementwillsaveyourlovelife.com"
>
> At the moment I have one client site where the webhost, the client, and I have agreed to simply shut off the email server for a week in the hope that it'll make the spammers find another target. Getting a 1000 bounced emails from AOL addresses in a day is tough to take!
>
> If it will lessen the pain, you're welcome to use my captcha script package (http://www.digitalmidget.com/php_noob/captcha.php).

I guess it's the way I have to go, just didn't think it would have to go that far. I read a great article from sitepoint on setting up the class, just was looking for another solution.

I know this is an old topic but here's my tuppence:

To prevent spam from contact forms etc. I limit the number of posts/messages/contacts per IP in an hour/day.
The captcha way is foolproof however.

-steve


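As an added example of the per-IP limit steve describes (my own code, not steve's and not from this thread), the function below keeps a sliding one-hour window of submission times per address in a small JSON file. It assumes PHP 7.4 or later, a writable directory outside the web root (the RATE_FILE path is a placeholder), and the limit of three submissions per hour is an arbitrary choice.

```php
<?php
// Added example, not from this thread: limit submissions per IP per hour.
// Assumes PHP 7.4+ (arrow functions) and that RATE_FILE (placeholder path)
// lives in a directory the web server can write to but cannot serve.
const RATE_FILE      = '/var/lib/guestbook/ip-rate.json'; // placeholder
const WINDOW_SECONDS = 3600; // one hour
const MAX_PER_WINDOW = 3;    // submissions allowed per IP inside the window

// Returns true if $ip may submit now, recording the attempt if so.
// Fails closed: if the counter file cannot be opened, nothing is accepted.
function ip_allowed(string $ip, ?int $now = null): bool
{
    $now = $now ?? time();
    $fh = fopen(RATE_FILE, 'c+'); // create if missing, never truncate on open
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX); // serialise concurrent submissions
    $raw   = stream_get_contents($fh);
    $table = ($raw === '' || $raw === false) ? [] : (json_decode($raw, true) ?: []);

    // Drop timestamps that fell out of the window, for every IP, so the file stays small.
    foreach ($table as $addr => $times) {
        $fresh = array_values(array_filter($times, fn($t) => $t > $now - WINDOW_SECONDS));
        if ($fresh === []) {
            unset($table[$addr]);
        } else {
            $table[$addr] = $fresh;
        }
    }

    $recent  = $table[$ip] ?? [];
    $allowed = count($recent) < MAX_PER_WINDOW;
    if ($allowed) {
        $recent[]    = $now;
        $table[$ip] = $recent;
    }

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($table));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

// Usage in the PHP_SELF-style handler: check before doing any work on the POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!ip_allowed($_SERVER['REMOTE_ADDR'])) {
        http_response_code(429);
        exit('Too many submissions from your address; please try again later.');
    }
    // form handling continues here
}
```

Use REMOTE_ADDR rather than a client-supplied header such as X-Forwarded-For unless a trusted reverse proxy sets it, since a bot can put anything in that header. IP limits are coarse: visitors behind one NAT share a budget, and as the original poster noted the spam here arrives from changing ranges, so this is a complement to the token and CAPTCHA checks rather than a replacement.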