Randazzo Filippo <[EMAIL PROTECTED]> 2006-08-16:
> In my (recent) experience, this problem is not related with the form
> but directly with the database.. The spammer seems using an automatic
> bot that is sending content to generic database fields (so my
> suggestion would be changing the table field names to strange ones
> instead of changing field names of the form); Let me tell you what
> happened to me: I have a small guestbook in ASP (not self made, is a
> free code found online) used by me and 7 more friends for a private
> fanta-soccer-game website (so absolutely not a visited website). I
> begun to have those spam messages in it and I figured out the
> following: I had since the beginning the possibility to
> enable-disable the form fields 'sender email' and 'sender website'
> and, being only 8 ppl, I disabled them immediately during the
> guestbook installation: checking the database after the spamming I
> found those fields in the database FULL WITH INFO even if there was no
> input field in the form.

This script is simply broken security-wise; it should not accept sender email/website fields in the submitted form data when those fields have not been part of the form it sent to the browser. Changing field names is just security by obscurity, even if it might help in cases where spambots rely on known field names.

> That's why I can tell that this problem is not
> form-related. Solutions (possibility that I had from this premade
> guestbook):
> 1) enable Session ID check (so the post must be submitted from the
> form and not from outside)
> 2) enable cookies (to prevent spamming the guestbook with multiple
> comments)
> 3) enable the loved/hated security images
>
> P.S: another system that seems working (I'm testing it) is to put the
> guestbook pages on a different server from the main website (I'm
> including it in a <iframe>).. Seems that this is confusing the bots..
>
> /lurking mode on
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manuel
> Krummenacher
> Sent: Tuesday, 15 August 2006 18:01
> To: [email protected]
> Subject: Re: [swinog] Formmailer-Scripts and Spam
>
>
> Matthias Hertzog wrote:
> > b) Web-user has to enter a unique number (generated image) in the form
> > to prove, he's a human being.
> Works fine, but think of the visually impaired. There are captchas
> which provide the number also as sound. But I wouldn't use captchas on
> business websites, it's too annoying for the users to type in the number.
> > c) Badword-Filtering in the formmail-script, some regular expressions
> > a.s.o.
> Often it helps if you give the fields "unsuspicious" names. "meinfeld4"
> instead of "recipient" and so on...
>
> I use mod_security [1] with the rules from gotroot.com. mod_security
> blocks the spam before the form gets processed. Additionally, it
> protects the server from SQL-injection and other attacks.
>
> Greets,
> Manuel
>
> [1] http://www.modsecurity.org/
> _______________________________________________
> swinog mailing list
> [email protected]
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog

-- 
Daniel Roethlisberger <[EMAIL PROTECTED]>
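As an added example (not code from the thread or from the guestbook script discussed in it), here is a Python form handler doing what the replies above call for: the server accepts only the fields it actually rendered, so a disabled 'email'/'website' input can never reach the table, and a hidden token bound to the visitor's session enforces the "session ID check". The field names, session id and secret are constructed for the example.

```python
import hashlib
import hmac

# Constructed example: the guestbook renders only name + message (the
# 'email' and 'website' inputs were disabled at install time), plus a hidden
# form token bound to the visitor's session.
ENABLED_FIELDS = frozenset({"name", "message", "form_token"})
DISABLED_FIELDS = frozenset({"email", "website"})


def issue_form_token(session_id: str, secret: bytes) -> str:
    """Value of the hidden form field; derived from the session, so a post
    that did not go through this session's rendered form cannot supply it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def validate_submission(post: dict, session_id: str, secret: bytes):
    """Return (accepted, reason). Reject any field the form never rendered
    (no silent write of 'email'/'website' into the table), any missing
    field, and any token that was not issued to this session."""
    unexpected = set(post) - ENABLED_FIELDS
    if unexpected:
        return False, "unexpected fields: " + ", ".join(sorted(unexpected))
    missing = ENABLED_FIELDS - set(post)
    if missing:
        return False, "missing fields: " + ", ".join(sorted(missing))
    expected = issue_form_token(session_id, secret)
    if not hmac.compare_digest(post["form_token"], expected):
        return False, "form token does not match session"
    return True, "ok"


def build_record(post: dict) -> dict:
    """Row for the guestbook table: only rendered fields are copied; the
    disabled columns are written empty regardless of what was posted."""
    record = {f: post[f] for f in ENABLED_FIELDS - {"form_token"}}
    record.update({f: "" for f in DISABLED_FIELDS})
    return record


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    sid = "session-42"
    good = {"name": "Filippo", "message": "hi",
            "form_token": issue_form_token(sid, secret)}
    spam = dict(good, email="bot@example.invalid", website="http://example.invalid")
    print(validate_submission(good, sid, secret))  # (True, 'ok')
    print(validate_submission(spam, sid, secret))  # rejected: unexpected fields
    print(build_record(good))
```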

