best option for securing forms


jcombs_31


I don't want to have a user input from an image file to send a simple email or sign a guestbook, but I have a couple of sites that are getting hammered by spam through these two forms. I don't think a timestamp will stop it, and the IP range is always different, so what's the best way to block it without creating images with text?

Quoting jcombs_31 (Jan 28 2006, 10:33 AM):
I don't want to have a user input from an image file to send a simple email or sign a guestbook, but I have a couple of sites that are getting hammered by spam through these two forms. I don't think a timestamp will stop it, and the IP range is always different, so what's the best way to block it without creating images with text?

Are you using forms that contain an email address? If so, then you are going to need a rewrite. Checking that the form is being run from your server is no good because hackers are skilled at hacking round these checks. Any form that contains an email address to send the email to is an open invitation to spammers.




Quoting ShaunW (Jan 28 2006, 11:36 PM):
Are you using forms that contain an email address? If so, then you are going to need a rewrite. Checking that the form is being run from your server is no good because hackers are skilled at hacking round these checks. Any form that contains an email address to send the email to is an open invitation to spammers.

This answer didn't exactly help in any way other than telling me to protect my forms, which is what my topic was about.

Quoting jcombs_31 (Jan 30 2006, 07:53 AM):
This answer didn't exactly help in any way other than telling me to protect my forms, which is what my topic was about.

Make them confirm what they are sending out. Then you can add constraints like form tokens and time validations and the like, i.e. if they confirm too quickly, etc.

4 weeks later...

I don't want a user to have to confirm adding a simple guestbook or feedback entry. I never see any email forms on sites that require any extra user interaction. I can see maybe for a site where you are purchasing something that you validate with an image. I'm looking for a solution that is not obtrusive to the user who is actually using the form.

I'm not sure what type of session variable actually could check if this is a real user on my site. I really don't know how these spam bots work. Do they actually open up a browser?

Quoting AndyB (Feb 25 2006, 11:29 AM):
Just a quick question. Are we talking about a form with action='self' or is the form processing handled by a separate script?

Script on the same page, so the form would be submitting to PHP_SELF.

Maybe something like this would work:
[code]<?php
session_start();
$now = time();
$delta_t = 60; // seconds delay required between uses
// first use in this session: treat the last send as long ago
$previous = isset($_SESSION['time_sent']) ? $_SESSION['time_sent'] : 0;
if (($now - $previous) < $delta_t) {
    // be patient!! -- used again less than $delta_t seconds after the last time
} else {
    // your form code here
    $_SESSION['time_sent'] = $now; // record the send only when the form was actually used
}
?>[/code]
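Putting the checks suggested in this thread together (a session form token, the "confirm too quickly" time validation, and the per-session delay from the snippet above) as one piece of PHP, so the earlier question of what a session variable can actually tell you about a visitor has a concrete answer. This is an added example, not code from anyone in the thread; it assumes PHP 7.1 or later, and the function names, constants and the hidden-field name `form_token` are my own choices.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.1+; names are my own.

const FORM_MIN_FILL_SECONDS = 5;    // a person needs at least this long to fill the form
const FORM_MAX_AGE_SECONDS  = 3600; // a rendered form is good for one hour
const FORM_RESEND_DELAY     = 60;   // seconds between accepted sends (the $delta_t above)

/**
 * Call while rendering the form. Stores a fresh random token and the render
 * time in the session and returns the token for the hidden field.
 */
function form_issue_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['form_token']  = $token;
    $session['form_issued'] = $now;
    return $token;
}

/**
 * Call on POST. Returns null when the submission is acceptable, otherwise a
 * short reason the page can log. $session and $post are passed in so the
 * function can be exercised without a live request.
 */
function form_check_submission(array &$session, array $post, int $now): ?string
{
    if (!isset($session['form_token'], $session['form_issued'])) {
        return 'no token in session';   // the form was never rendered in this session
    }
    $submitted = $post['form_token'] ?? '';
    if (!is_string($submitted) || !hash_equals($session['form_token'], $submitted)) {
        return 'token mismatch';
    }
    $elapsed = $now - (int) $session['form_issued'];
    if ($elapsed < FORM_MIN_FILL_SECONDS) {
        return 'submitted too quickly'; // the "confirm too quickly" check
    }
    if ($elapsed > FORM_MAX_AGE_SECONDS) {
        return 'token expired';
    }
    if (isset($session['time_sent']) && ($now - (int) $session['time_sent']) < FORM_RESEND_DELAY) {
        return 'be patient';            // same delay as the snippet above
    }
    // Accept: drop the token so this exact POST cannot be replayed, and record the send.
    unset($session['form_token'], $session['form_issued']);
    $session['time_sent'] = $now;
    return null;
}

// Usage on a page whose form posts back to itself (PHP_SELF).
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $problem = form_check_submission($_SESSION, $_POST, time());
    if ($problem === null) {
        // send the email / add the guestbook entry here
    } else {
        error_log('form rejected: ' . $problem); // the log shows which check the bots trip
    }
}
$token = form_issue_token($_SESSION, time());
echo '<form method="post">'
   . '<input type="hidden" name="form_token" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
   . '<textarea name="message"></textarea><input type="submit" value="Send">'
   . '</form>';
```

What this does and does not cover: a bot that posts straight to the script without ever fetching the page has no token in its session and is rejected; one that fetches the page and posts within a few seconds trips the minimum fill time; one that posts the same accepted request twice is stopped because the token is discarded on use. A bot that fetches the page, waits, and posts a single entry passes every check here, which is the case the thread ends up answering with a captcha.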

Quoting AndyB (Feb 25 2006, 03:05 PM):
Maybe something like this would work:
[code]<?php
session_start();
$now = time();
$delta_t = 60; // seconds delay required between uses
// first use in this session: treat the last send as long ago
$previous = isset($_SESSION['time_sent']) ? $_SESSION['time_sent'] : 0;
if (($now - $previous) < $delta_t) {
    // be patient!! -- used again less than $delta_t seconds after the last time
} else {
    // your form code here
    $_SESSION['time_sent'] = $now; // record the send only when the form was actually used
}
?>[/code]

Yeah, but that only helps with a time interval. If they only submit one per day, or one every 10 minutes, it wouldn't prevent anything. I'm sure this has to be a very common problem people solve.

I've had my share of episodes of a zillion emails showing up, and the only thing I've found that actually worked - because the morons who spam have all sorts of sleazy tricks - was making it a manual process to use a form, i.e. a captcha. It also stopped 100% of those "Wow I really liked your site. Visit mine at www.bodypartsenhancementwillsaveyourlovelife.com"

At the moment I have one client site where the webhost, the client, and I have agreed to simply shut off the email server for a week in the hope that it'll make the spammers find another target. Getting 1000 bounced emails from AOL addresses in a day is tough to take!

If it will lessen the pain, you're welcome to use my captcha script package (http://www.digitalmidget.com/php_noob/captcha.php).

Quoting AndyB (Feb 25 2006, 06:15 PM):
I've had my share of episodes of a zillion emails showing up, and the only thing I've found that actually worked - because the morons who spam have all sorts of sleazy tricks - was making it a manual process to use a form, i.e. a captcha. It also stopped 100% of those "Wow I really liked your site. Visit mine at www.bodypartsenhancementwillsaveyourlovelife.com"

At the moment I have one client site where the webhost, the client, and I have agreed to simply shut off the email server for a week in the hope that it'll make the spammers find another target. Getting 1000 bounced emails from AOL addresses in a day is tough to take!

If it will lessen the pain, you're welcome to use my captcha script package (http://www.digitalmidget.com/php_noob/captcha.php).

I guess it's the way I have to go, I just didn't think it would have to go that far. I read a great article from SitePoint on setting up the class; I was just looking for another solution.
