Hi Michael.
Can you think of any good reason to accept a submission via a known open
proxy? You can grab a maintained open proxy list and use it for a while
Rolan-style... to tag potential spam as an experiment. Every market is
different, but in the tech world I see no valid reason to accept
connections from known open proxies (they are always spam). As a
competitive SEO, I know of no easier way to automate web connections
than via open proxies.
Bot nets are still a problem and all the big boys use them so maybe get
used to a little spam here and there as well.
-=john
Michael Southwell michael.southwell-at-nyphp.com |nyphp dev/internal group use| wrote:
I thought I was following best practices (
http://www.nyphp.org/phundamentals/spoofed_submission.php ) in
creating a comment form for a restaurant client (There is no security
issue here; the comments are emailed):
I stored a random token in the session:
session_start();
if ( ! isset( $_SESSION['secret'] ) ) {
    $_SESSION['secret'] = uniqid( rand(), TRUE );
}
I hid that token in the form:
<form action="comments.php" method="post" onSubmit="return checkForm(this)">
    <input type="hidden" name="secret" value="<?= $_SESSION['secret'] ?>" />
Upon submission, I checked for the token:
if ( $_POST['secret'] !== $_SESSION['secret'] ) {
    die( 'invalid form submission' );
}
But I still got obvious spoofed submissions, not very many of them,
and all vapid and often nonsensical (a sample: "I consider that beside
Your site there is future!"), but still maddening. So I added a
five-minute timeout:
if ( ! isset( $_SESSION['timeout'] ) ) {
    $timeout = time() + 5 * 60;
    $_SESSION['timeout'] = $timeout;
}
and checked for that as well:
$now = time();
if ( $_POST['secret'] !== $_SESSION['secret'] || $now > $_SESSION['timeout'] ) {
    die( 'invalid form submission' );
}
But this hasn't helped much; I still get a few of them, though I can't
figure out how they can be generated. Any advice?
Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
--
-------------------------------------------------------------
Your web server traffic log file is the most important source of web business
information available. Do you know where your logs are right now? Do you know
who else has access to your log files? When they were last archived? Where
those archives are? --John Andrews Competitive Webmaster and SEO Blogging at
http://www.johnon.com
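A session token only proves that the submitter fetched the form first, which a bot can do, so the check below is an added example (not code from Michael's post or from the phundamentals article) that at least makes each token tamper-evident, time-bound and single-use, and logs every rejection so spam patterns show up in the server logs John mentions. The five-minute window is from the post; the secret key and the token format are assumptions.

```php
<?php
// Added example: a form token bound to its issue time and to a server-side
// secret, verified in constant time and consumed on first use.
declare(strict_types=1);

const FORM_SECRET   = 'replace-with-a-long-random-value'; // assumption: loaded from config in practice
const TOKEN_MAX_AGE = 5 * 60;                             // the post's five-minute window

session_start();

// Issue a fresh token for every rendering of the form: nonce|issued|hmac.
function issueFormToken(): string {
    $nonce  = bin2hex(random_bytes(16));
    $issued = time();
    $mac    = hash_hmac('sha256', "$nonce|$issued", FORM_SECRET);
    $_SESSION['form_tokens'][$nonce] = $issued;   // remembered so it can be consumed exactly once
    return "$nonce|$issued|$mac";
}

// Verify a submitted token. Returns null on success, or the reason it was rejected.
function verifyFormToken(string $token, int $now): ?string {
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return 'malformed token';
    }
    [$nonce, $issued, $mac] = $parts;
    if (!ctype_digit($issued)) {
        return 'malformed token';
    }
    $expected = hash_hmac('sha256', "$nonce|$issued", FORM_SECRET);
    if (!hash_equals($expected, $mac)) {          // constant-time compare, unlike !==
        return 'bad signature';
    }
    if (!isset($_SESSION['form_tokens'][$nonce])) {
        return 'unknown or already used token';
    }
    unset($_SESSION['form_tokens'][$nonce]);      // one-time use: a replayed token fails here
    if ($now - (int) $issued > TOKEN_MAX_AGE) {
        return 'token expired';
    }
    return null;
}

// When rendering the form, put htmlspecialchars(issueFormToken()) in the hidden
// "secret" field. When handling the POST, reject and log anything that fails:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $err = verifyFormToken((string) ($_POST['secret'] ?? ''), time());
    if ($err !== null) {
        error_log('form rejected from ' . $_SERVER['REMOTE_ADDR'] . ": $err");
        http_response_code(400);
        exit('invalid form submission');
    }
}
```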