Re: [PHP] Comment form spammer

2006-08-12 Thread Gerry D

My implementation of CAPTCHA eliminated Chinese spam.

See http://www.lilyregister.com/page/?p=contact

Gerry

On 8/9/06, Micky Hulse <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Recently, a client of mine was getting a ton of spam email from a site
> called hotbox.com. I updated her form to one with more spam security,
> but she is still receiving junk email.
>
> Anyone feel like sharing code snippets that will help beef-up spam
> protection for a contact script?
>
> Do you all enable a CAPTCHA system?
>
> Here is what I am currently using in my contact form script to protect
> from spam:
>
> <?php
> # Error text:
> $no_go = 'Forbidden - You are not authorized to view this page!';
>
> # First, make sure the form was posted from a browser.
> # For basic web-forms, we don't care about anything other than requests
> # from a browser:
> if(!isset($_SERVER['HTTP_USER_AGENT'])) { die($no_go); }
> # Make sure the form was indeed POST'ed (requires your html form to use
> # method="post"). Compare with !== : writing !$_SERVER[...] == "POST"
> # negates the string first, so that check would never fire.
> if($_SERVER['REQUEST_METHOD'] !== "POST") { die($no_go); }
> # Host names from where the form is authorized to be posted from:
> $auth_hosts = array("site1.com", "site2.com");
> # Where have we been posted from? The Referer header may be missing, and
> # it is client-supplied, so this only stops unsophisticated bots.
> if(!isset($_SERVER['HTTP_REFERER'])) { die($no_go); }
> $from_array = parse_url(strtolower($_SERVER['HTTP_REFERER']));
> if(empty($from_array['host'])) { die($no_go); }
> # Test to see if the referring host starts with "www." (checking the
> # start only; strpos() would match "www." anywhere in the host).
> $www_used = (substr($from_array['host'], 0, 4) === "www.");
> # Make sure the form was posted from an approved host name:
> $from_host = $www_used ? substr($from_array['host'], 4) : $from_array['host'];
> if(!in_array($from_host, $auth_hosts, true)) {
>     //log_bad_request();
>     header("HTTP/1.0 403 Forbidden");
>     exit();
> }
> # Attempt to defend against header injections:
> $bad_strings = array("Content-Type:", "MIME-Version:",
>     "Content-Transfer-Encoding:", "bcc:", "cc:");
> # Loop through each POST'ed value and test if it contains one of the
> # $bad_strings (case-insensitively, so "Bcc:" is caught too):
> foreach($_POST as $k => $v) {
>     if(!is_string($v)) { continue; }
>     foreach($bad_strings as $v2) {
>         if(stripos($v, $v2) !== false) {
>             //log_bad_request();
>             header("HTTP/1.0 403 Forbidden");
>             exit();
>         }
>     }
> }
> # Made it past spammer test, free up some memory and continue rest of
> # script:
> unset($k, $v, $v2, $bad_strings, $auth_hosts, $from_array, $from_host, $www_used);
> ?>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
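An added example, not code from the thread: the request-origin checks from Micky's snippet rewritten as standalone functions run over constructed sample requests, so the method and Referer logic can be tested without a web server. Assumes PHP 7.1 or later; the host names are the ones from the snippet.

```php
<?php
// Added example, not code from the thread. Request-origin checks for a contact
// script, written to avoid three problems in the snippet quoted above:
//  - `!$_SERVER['REQUEST_METHOD'] == "POST"` negates the string first, so the
//    comparison is always false and the method check never fires;
//  - the Referer header may be absent, so its host has to be looked up safely;
//  - strpos($host, "www.") matches "www." anywhere in the host, not only as
//    the leading label, so the stripping logic is looser than intended.
// The Referer is client-supplied and trivially forged: this filters naive bots
// only and is not authentication. Assumes PHP 7.1 or later.

function referer_host_allowed(?string $referer, array $auth_hosts): bool
{
    if ($referer === null || $referer === '') {
        return false;      // policy choice: no Referer is treated as not from our form
    }
    $host = parse_url(strtolower($referer), PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    // Exact match, or exactly one leading "www." label; any other subdomain fails.
    if (in_array($host, $auth_hosts, true)) {
        return true;
    }
    return substr($host, 0, 4) === 'www.' && in_array(substr($host, 4), $auth_hosts, true);
}

function is_browser_post(array $server): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'   // strict comparison, no precedence trap
        && trim($server['HTTP_USER_AGENT'] ?? '') !== '';
}

// Constructed stand-ins for $_SERVER: an accepted post, a look-alike host,
// and a GET probe.
$auth_hosts = ['site1.com', 'site2.com'];
$samples = [
    ['REQUEST_METHOD' => 'POST', 'HTTP_USER_AGENT' => 'Mozilla/5.0', 'HTTP_REFERER' => 'http://www.site1.com/contact.php'],
    ['REQUEST_METHOD' => 'POST', 'HTTP_USER_AGENT' => 'Mozilla/5.0', 'HTTP_REFERER' => 'http://site1.com.evil.example/'],
    ['REQUEST_METHOD' => 'GET',  'HTTP_USER_AGENT' => 'Mozilla/5.0', 'HTTP_REFERER' => 'http://site2.com/'],
];
foreach ($samples as $s) {
    $ok = is_browser_post($s) && referer_host_allowed($s['HTTP_REFERER'] ?? null, $auth_hosts);
    printf("%-4s %-35s => %s\n", $s['REQUEST_METHOD'], $s['HTTP_REFERER'], $ok ? 'accept' : 'reject with 403');
}
```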





Re: [PHP] Comment form spammer

2006-08-10 Thread Micky Hulse

Richard Lynch wrote:
> I rolled my own, because I thought it would be a useful learning
> experience.

Sounds like what I am thinking.  :)

> And, I kinda sorta documented it.
> Well, I put the source up on-line anyway. :-)
> So here's one crude hack way to do it, if you just want the basics of
> how it's done:
> http://voodookings.net/eyesonly_example.htm

Kick-butt! Thanks for sharing.  :D

> After you pass the CAPTCHA, it links to source.
>
> The connect.inc file is not available, as it has database password in
> it, but other than pg_connect() there is nothing interesting in there
> anyway.
> ...
> Note that if you are already using SESSIONs, then you could just toss
> the $token in $_SESSION -- I, however, was not, and did not want to
> start issuing cookies just for the CAPTCHA to work.

Hehe, sounds like what I am thinking... I really do not even want to
touch her site much as I am working on a re-design now and probably
going to use a CMS to manage content. But, I will still be using the
contact form, so all of your (and others') help is greatly appreciated.

> The web2 dictionary is Webster's older dictionary, now in the public
> domain, and is installed on my server by the webhost -- so presumably
> is readily available.

Nice, was not aware of that dictionary, googling now. :)

> I also intentionally added zero "noise" to my CAPTCHA -- though you
> obviously can make the PNG as complicated as you like.
> I figure if the spammers want to OCR the CAPTCHA, I'm just gonna take
> the damn guestbook down.

Lol, ya... that is kinda where I am coming from. If my client does not
solve her probs after I fix up the contact form script, then I will
suggest she just asks folks to use an email program and manually contact
her.

Did I mention "spammers suck" already? Well, at least they are good
motivators.

Thanks Richard, you rock!

Cheers,
Micky


Re: [PHP] Comment form spammer

2006-08-10 Thread Micky Hulse

Richard Lynch wrote:
> You can tie up their connection, wasting your connection...

If it were my own site, I might think about doing something like wasting
my connection...

> I suppose you could do:
> header("Location: http://127.0.0.1/");
> and then they'd be trying to surf to their own computer, if they are
> following re-directs in their hack attempt...
> Though odds are really good they are watching for that.

Oooh, good call. Interesting idea. I was thinking about doing something
with a header redirect, but I also did not want to do anything too crazy
- mostly because it is not my site.

> Bottom line:
> Nope, probably not much you can do.
> More's the pity.

Yep. I think I will just leave it at die();

Many thanks for the input.
Cheers! :D
Micky


Re: [PHP] Comment form spammer

2006-08-10 Thread Richard Lynch
On Wed, August 9, 2006 11:42 pm, Micky Hulse wrote:
> Micky Hulse wrote:
>> I just commented-out all of the PHP in the old script and added one
>> line: die("#%$#@ off!");
>
> Actually... is there anything more I can do at this point to fight
> back? Can I use something better than die()? Or, is it best just to
> let them figure it out and go away?

You can tie up their connection, wasting your connection...

I suppose you could do:

header("Location: http://127.0.0.1/");

and then they'd be trying to surf to their own computer, if they are
following re-directs in their hack attempt...

Though odds are really good they are watching for that.

Bottom line:

Nope, probably not much you can do.

More's the pity.

-- 
Like Music?
http://l-i-e.com/artists.htm


Re: [PHP] Comment form spammer

2006-08-10 Thread Richard Lynch
On Wed, August 9, 2006 11:33 pm, Micky Hulse wrote:
> Yeah, I would prefer to not set up a CAPTCHA too (although, I would
> like to learn how to script one)... hopefully implementing your (and
> everyone else's) great suggestions will really make my script hard to
> spam.

I rolled my own, because I thought it would be a useful learning
experience.

And, I kinda sorta documented it.

Well, I put the source up on-line anyway. :-)

So here's one crude hack way to do it, if you just want the basics of
how it's done:

http://voodookings.net/eyesonly_example.htm

After you pass the CAPTCHA, it links to source.

The connect.inc file is not available, as it has database password in
it, but other than pg_connect() there is nothing interesting in there
anyway.

You're on your own converting the oh-so-complicated (not!) SQL to
MySQL instead of PostgreSQL...

I'm pretty sure just changing mysql_query() and flipping $connection,
$query to $query, $connection will do it.

Note that if you are already using SESSIONs, then you could just toss
the $token in $_SESSION -- I, however, was not, and did not want to
start issuing cookies just for the CAPTCHA to work.

The web2 dictionary is Webster's older dictionary, now in the public
domain, and is installed on my server by the webhost -- so presumably
is readily available.

I also intentionally added zero "noise" to my CAPTCHA -- though you
obviously can make the PNG as complicated as you like.

I figure if the spammers want to OCR the CAPTCHA, I'm just gonna take
the damn guestbook down.

Though I later did that kinda thing for a client, and it ain't as
tricky as one might think...

-- 
Like Music?
http://l-i-e.com/artists.htm
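An added example, not Richard's code: his CAPTCHA keeps the token in a PostgreSQL table so that no session cookie is needed; this variant goes one step further and signs the challenge with an HMAC, so neither a cookie nor a table row is required. The secret key, the TTL and the random-character challenge (instead of a web2 dictionary word) are assumptions of this example, not features of his source.

```php
<?php
// Added example, not from the thread. A session-less CAPTCHA token: the
// server signs (challenge, expiry) with an HMAC and ships expiry + token as
// hidden form fields; on submit it recomputes the HMAC from the user's answer
// and compares. Nothing is stored server-side. Assumes PHP 7.0 or later.

const CAPTCHA_TTL = 600;  // assumed: seconds a challenge stays valid

function captcha_token(string $secret, string $word, int $expires): string
{
    // Lower-case the word so the comparison is case-insensitive for the user.
    return hash_hmac('sha256', strtolower($word) . '|' . $expires, $secret);
}

function captcha_new_challenge(string $secret, int $now): array
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789'; // no 0/O, 1/l look-alikes
    $word = '';
    for ($i = 0; $i < 6; $i++) {
        $word .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $expires = $now + CAPTCHA_TTL;
    return [
        'word'    => $word,     // rendered into the PNG only, never sent as text
        'expires' => $expires,  // hidden form field
        'token'   => captcha_token($secret, $word, $expires), // hidden form field
    ];
}

// Verify the user's answer against the hidden fields that came back with the form.
function captcha_verify(string $secret, string $answer, string $expires, string $token, int $now): bool
{
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false;                          // expired, or expiry field tampered with
    }
    $expected = captcha_token($secret, $answer, (int) $expires);
    return hash_equals($expected, $token);     // constant-time comparison
}

$secret = 'assumed-long-random-server-secret';  // constructed; load from config in practice
$c = captcha_new_challenge($secret, time());
// Round trips: the correct answer, a wrong answer, and the correct answer
// submitted after the challenge has expired.
var_dump(captcha_verify($secret, $c['word'], (string) $c['expires'], $c['token'], time()));
var_dump(captcha_verify($secret, 'nope', (string) $c['expires'], $c['token'], time()));
var_dump(captcha_verify($secret, $c['word'], (string) $c['expires'], $c['token'], time() + CAPTCHA_TTL + 1));
```

A signed token can be replayed with the same answer until it expires; where that matters, record used tokens, which a database-backed token like Richard's gives you for free.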


Re: [PHP] Comment form spammer

2006-08-09 Thread Micky Hulse

Micky Hulse wrote:
> I just commented-out all of the PHP in the old script and added one
> line: die("#%$#@ off!");

Actually... is there anything more I can do at this point to fight back?
Can I use something better than die()? Or, is it best just to let them
figure it out and go away?



Re: [PHP] Comment form spammer

2006-08-09 Thread Micky Hulse

Micky Hulse wrote:
> Recently, a client of mine was getting a ton of spam email from a site
> called hotbox.com. I updated her form to one with more spam security,
> but she is still receiving junk email.

Hi all, thanks for the great responses (on/off list). I just realized
that the spammer is not actually using the form to submit the spam, they
are using the script directly... duh!

When I updated the form, I did not change the name or remove the old
script... so she kept receiving tons of spam.

I just commented-out all of the PHP in the old script and added one
line: die("#%$#@ off!");

Now that that is fixed, time to implement all of your suggestions for
making my script better. Thanks all for pointing out the security holes
and coding mistakes.


:: pats all who helped on back ::

You guys/gals rock!

Cheers,
Micky


Re: [PHP] Comment form spammer

2006-08-09 Thread Micky Hulse

Quick note to Kevin Waterson:

Hehe, I think all this talk about spam sent my response to your reply 
into your spam filter... I got a bounce back. Thanks for help though... 
let me know if there is any way I can re-send the email without a 
bounce-back.


Richard Lynch wrote:
> If you are not already, PLEASE make sure that any headers you pass in
> to mail(), including the "to", "subject", and "headers" args (1, 2,
> and 4 args) do *NOT* have any newlines in the user-input data.

Sounds good to me. Thanks for pointing that out.

I just found this link:

*Form Post Hijacking*

Looks like the above article mentions the same thing and proposes this
as a fix:

$_POST['email'] = preg_replace("/\r/", "", $_POST['email']);
$_POST['email'] = preg_replace("/\n/", "", $_POST['email']);

This is another good one:

*Email Injection*

> Cuz if you ain't doing that, you're not just letting them spam your
> client, but also letting them inject spam to ALL OF US!
> Don't do that. :-)

Man, spammers suck! I just had someone take over my own domain a
couple weeks ago... thank god for SpamAssassin and cPanel!  :D

> I also just trash anybody trying to send HTML "enhanced" (cough,
> cough) email through the website form -- You KNOW only a spammer is
> going to sit there and type HTML into an email form on a website.
> if (strip_tags($body) != $body) { die("spammer"); }

Ahh, good point. So, with the above line, you are saying:

If the message body stripped of all html tags is not equal to the
message body, then kill the script? Ah, makes perfect sense... a great
way to test for html spam. Thanks for sharing!   :D

>> Do you all enable a CAPTCHA system?
>
> I did on one site that was just getting pounded -- Actually it was a
> guestbook with site-owner approval, so the junk never went public, but
> that didn't stop the automated spammers from trying anyway, and the
> client sure didn't want to scroll through hundreds of "posts" to find
> the one real one.  Sigh.

Man, that sucks. SMFing spammers. They really are annoying.

> I *hate* CAPTCHA for various reasons, but I was stuck for any other
> solution that would stop the junk...

Yeah, I would prefer to not set up a CAPTCHA too (although, I would like
to learn how to script one)... hopefully implementing your (and everyone
else's) great suggestions will really make my script hard to spam.

Thanks Richard, I really appreciate it... you are always very helpful and
your advice is top-notch.  :)


Cheers,
Micky


Re: [PHP] Comment form spammer

2006-08-09 Thread Richard Lynch
On Wed, August 9, 2006 3:17 pm, Micky Hulse wrote:
> Recently, a client of mine was getting a ton of spam email from a site
> called hotbox.com. I updated her form to one with more spam security,
> but she is still receiving junk email.

If you are not already, PLEASE make sure that any headers you pass in
to mail(), including the "to", "subject", and "headers" args (1, 2,
and 4 args) do *NOT* have any newlines in the user-input data.

Cuz if you ain't doing that, you're not just letting them spam your
client, but also letting them inject spam to ALL OF US!

Don't do that. :-)

> Anyone feel like sharing code snippets that will help beef-up spam
> protection for a contact script?

I also just trash anybody trying to send HTML "enhanced" (cough,
cough) email through the website form -- You KNOW only a spammer is
going to sit there and type HTML into an email form on a website.

if (strip_tags($body) != $body) { die("spammer"); }

> Do you all enable a CAPTCHA system?

I did on one site that was just getting pounded -- Actually it was a
guestbook with site-owner approval, so the junk never went public, but
that didn't stop the automated spammers from trying anyway, and the
client sure didn't want to scroll through hundreds of "posts" to find
the one real one.  Sigh.

I *hate* CAPTCHA for various reasons, but I was stuck for any other
solution that would stop the junk...

YMMV

-- 
Like Music?
http://l-i-e.com/artists.htm
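An added example, not Richard's or the article's code: one check function that applies Richard's rule that nothing passed to mail() as a header may contain a newline, his strip_tags test for HTML bodies, and the newline problem behind the preg_replace fix Micky quoted earlier in the thread (here the value is rejected rather than silently cleaned). The field names and sample submissions are constructed for this example.

```php
<?php
// Added example, not from the thread. Validate contact-form input before any of
// it reaches mail(). A value that ends up in a header (From, Reply-To, Subject)
// must not contain CR or LF: a newline lets the sender append headers such as
// Bcc: and turn the form into a relay. Rejecting beats stripping, because a
// legitimate name or address never contains a bare newline anyway.

function has_newline(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns a list of problems; an empty array means the submission is clean.
function check_contact_submission(array $post): array
{
    $problems = [];
    foreach (['name', 'email', 'subject'] as $field) {   // assumed form field names
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            $problems[] = "$field: not a string";
        } elseif (has_newline($value)) {
            $problems[] = "$field: contains a newline (header injection attempt)";
        }
    }
    $email = $post['email'] ?? '';
    if (is_string($email) && !has_newline($email) && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'email: not a valid address';
    }
    $body = $post['body'] ?? '';
    if (!is_string($body)) {
        $problems[] = 'body: not a string';
    } elseif (strip_tags($body) !== $body) {
        // Richard's test: a human typing into a plain contact form does not write HTML.
        $problems[] = 'body: contains HTML tags';
    }
    return $problems;
}

// Constructed submissions: one clean, one carrying an injected header line,
// one with an HTML body.
$samples = [
    ['name' => 'Ann', 'email' => 'ann@example.com', 'subject' => 'Hello', 'body' => 'Just saying hi.'],
    ['name' => 'x', 'email' => "x@example.com\r\nBcc: list@example.net", 'subject' => 's', 'body' => 'b'],
    ['name' => 'y', 'email' => 'y@example.com', 'subject' => 's', 'body' => '<a href="http://example.org">buy</a>'],
];
foreach ($samples as $i => $s) {
    $problems = check_contact_submission($s);
    echo "submission $i: ", $problems ? implode('; ', $problems) : 'ok', "\n";
}
```

Log the rejected submission (minus the body) rather than the 403 alone; a burst of newline-bearing values from one address is the signal that the form is being probed as a relay.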
