/lurking mode off

Hi folks

In my (recent) experience, this problem is not related to the form but directly to the database. The spammer seems to be using an automatic bot that is sending content to generic database fields (so my suggestion would be changing the table field names to strange ones instead of changing field names of the form).

Let me tell you what happened to me:
I have a small guestbook in ASP (not self-made, it is free code found online) used by me and 7 more friends for a private fanta-soccer-game website (so absolutely not a visited website).
I began to have those spam messages in it and I figured out the following:
I had since the beginning the possibility to enable-disable the form fields 'sender email' and 'sender website' and, being only 8 ppl, I disabled them immediately during the guestbook installation: checking the database after the spamming I found those fields in the database FULL WITH INFO even if there was no input field in the form.
That's why I can tell that this problem is not form-related.

Solutions (possibility that I had from this premade guestbook):
1) enable Session ID check (so the post must be submitted from the form and not from outside)
2) enable cookies (to prevent spamming the guestbook with multiple comments)
3) enable the loved/hated security images

Hope this helps

Cheers
Filippo

P.S.: another system that seems to be working (I'm testing it) is to put the guestbook pages on a different server from the main website (I'm including it in an <iframe>). It seems that this is confusing the bots.

/lurking mode on

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manuel Krummenacher
Sent: Tuesday, 15 August 2006 18:01
To: [email protected]
Subject: Re: [swinog] Formmailer-Scripts and Spam

Matthias Hertzog wrote:
> b) Web-user has to enter a unique number (generated image) in the form
> to prove, he's a human being. Works fine, but you think of the visually impaired.

There are captchas which provide the number also as sound. But I wouldn't use captchas on business websites, it's too annoying for the users to type in the number.

> c) Badword-Filtering in the formmail-script, some regular expressions
> a.s.o.

Often it helps if you give the fields "unsuspicious" names. "meinfeld4" instead of "recipient" and so on...

I use mod_security [1] with the rules from gotroot.com. mod_security blocks the spam before the form gets processed. Additionally, it protects the server from SQL-injection and other attacks.

Greets,
Manuel

[1] http://www.modsecurity.org/

_______________________________________________
swinog mailing list
[email protected]
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
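
An added example, not part of the thread and not the guestbook's own code: a server-side check, in Python rather than the guestbook's ASP, covering two points from Filippo's message, namely data arriving for fields the form does not show and the session check from his solution 1. The secret, the field names and the sample posts are constructed assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"      # assumption: per-site secret kept server-side
ENABLED_FIELDS = {"name", "message"}   # 'email' and 'website' are switched off
TOKEN_FIELD = "form_token"             # hypothetical hidden-field name
MAX_AGE = 3600                         # seconds a rendered form stays valid


def _mac(session_id, ts):
    return hmac.new(SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Token embedded in the form when it is rendered for this session."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(session_id, ts)}"


def check_post(session_id, post, now=None):
    """Return (accepted, reason, row); row holds only the enabled fields."""
    now = time.time() if now is None else now
    ts, _, mac = post.get(TOKEN_FIELD, "").partition(".")
    valid = hmac.compare_digest(mac.encode(), _mac(session_id, ts).encode())
    if not ts.isdigit() or not valid:
        return False, "token missing or not issued for this session", None
    if now - int(ts) > MAX_AGE:
        return False, "form token expired", None
    # Reject any populated parameter the form never offered, instead of storing it.
    extra = sorted(k for k, v in post.items()
                   if k not in ENABLED_FIELDS | {TOKEN_FIELD} and v.strip())
    if extra:
        return False, "unexpected fields: " + ", ".join(extra), None
    row = {k: post.get(k, "").strip() for k in ENABLED_FIELDS}
    if not all(row.values()):
        return False, "required field empty", None
    return True, "ok", row


# Constructed sample submissions.
SESSION = "sess-1234"
GOOD = {"name": "Anna", "message": "Nice match!",
        TOKEN_FIELD: issue_token(SESSION, now=1000)}
BOT = {"name": "x", "message": "buy pills", "email": "a@example.com",
       "website": "http://example.com"}

if __name__ == "__main__":
    for post in (GOOD, BOT, dict(BOT, **{TOKEN_FIELD: GOOD[TOKEN_FIELD]})):
        print(check_post(SESSION, post, now=1100))
```

The returned row is built from the enabled fields only, so a disabled column is never written even if the rejection step were relaxed to logging.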

