Randazzo Filippo f.randazzo@cybernet.ch 2006-08-16:
In my (recent) experience, this problem is not related to the form but directly to the database. The spammer seems to be using an automatic bot that is sending content to generic database fields (so my suggestion would be changing the table field names to strange ones instead of changing the field names of the form). Let me tell you what happened to me: I have a small guestbook in ASP (not self-made, it is free code found online) used by me and 7 more friends for a private fantasy-soccer-game website (so absolutely not a visited website). I began to get those spam messages in it and I figured out the following: I had from the beginning the possibility to enable/disable the form fields 'sender email' and 'sender website' and, being only 8 people, I disabled them immediately during the guestbook installation. Checking the database after the spamming, I found those fields in the database FULL WITH INFO even if there was no input field in the form.
This script is simply broken security-wise, it should not accept sender email/website fields in the submitted form data when those fields have not been part of the form it sent to the browser.
Changing field names is just security by obscurity, even if it might help in cases where spambots rely on known field names.
That's why I can tell that this problem is not form-related. Solutions (options I had with this premade guestbook):
1) enable Session ID check (so the post must be submitted from the form and not from outside)
2) enable cookies (to prevent spamming the guestbook with multiple comments)
3) enable the loved/hated security images
P.S.: another system that seems to work (I'm testing it) is to put the guestbook pages on a different server from the main website (I'm including it in an <iframe>). It seems that this is confusing the bots.
/lurking mode on
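The two points raised above (the script storing 'sender email' / 'sender website' although those inputs were never rendered, and the "Session ID check" option) come down to one server-side rule: accept exactly the field set the form was rendered with, and only from a client that fetched that form. The following is an added example, not the ASP guestbook from the post or any real product; the field names, the session handling and the secret are assumptions for illustration.

```python
"""Added example: a guestbook POST handler that accepts only the fields it
actually rendered, tied to a per-session form token.

Illustrative code, not the guestbook discussed on the list.  Assumptions:
the session id comes from a cookie the server issued, SECRET is loaded
from server-side config, and FORM_FIELDS mirrors the guestbook's
enable/disable switches for the optional inputs.
"""
import hashlib
import hmac

SECRET = b"assumed-server-side-secret-from-config"

# 'enabled' mirrors the installation switches: sender email/website off.
FORM_FIELDS = {
    "name": {"enabled": True},
    "message": {"enabled": True},
    "sender_email": {"enabled": False},
    "sender_website": {"enabled": False},
}


def enabled_fields():
    """The set of input names the HTML form actually contains."""
    return {f for f, cfg in FORM_FIELDS.items() if cfg["enabled"]}


def form_token(session_id):
    """Token bound to the session; a bot posting 'from outside' has none."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id):
    """What the server sends to the browser: field names plus the token."""
    return {"fields": sorted(enabled_fields()), "token": form_token(session_id)}


def handle_post(session_id, posted):
    """Return (True, record) or (False, reason).

    Rejects a submission when the token does not match the session or when
    the posted field set differs from the enabled set in either direction.
    """
    if not hmac.compare_digest(form_token(session_id), posted.get("token", "")):
        return (False, "bad or missing form token")

    submitted = set(posted) - {"token"}
    allowed = enabled_fields()
    extra = submitted - allowed
    if extra:
        # This is the case from the post: data for inputs that were never rendered.
        return (False, "unexpected field(s): " + ", ".join(sorted(extra)))
    missing = allowed - submitted
    if missing:
        return (False, "missing field(s): " + ", ".join(sorted(missing)))

    record = {f: posted[f] for f in allowed}
    # Disabled columns are written as empty strings, never from user input.
    for f in FORM_FIELDS:
        record.setdefault(f, "")
    return (True, record)
```

Caveat: the token only enforces "the post must come from the form"; a bot that fetches the form first obtains a valid token, so this check belongs alongside the cookie and captcha options, not instead of them. The strict field-set comparison is the part that would have kept the disabled columns empty.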
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On Behalf Of Manuel Krummenacher Sent: Tuesday, 15 August 2006 18:01 To: swinog@swinog.ch Subject: Re: [swinog] Formmailer-Scripts and Spam
Matthias Hertzog wrote:
b) Web-user has to enter a unique number (generated image) in the form to prove, he's a human being.
Works fine, but think of the visually impaired. There are captchas which provide the number also as sound. But I wouldn't use captchas on business websites; it's too annoying for the users to type in the number.
c) Badword-Filtering in the formmail-script, some regular expressions a.s.o.
Often it helps if you give the fields "unsuspicious" names. "meinfeld4" instead of "recipient" and so on...
I use mod_security [1] with the rules from gotroot.com. mod_security blocks the spam before the form gets processed. Additionally, it protects the server from SQL-injection and other attacks.
Greets, Manuel
[1] http://www.modsecurity.org/ _______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
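Points c) (badword filtering with regular expressions) and the "unsuspicious" field names from Manuel's message, as an added example in Python rather than the original formmail script or the gotroot mod_security rules. The field-name mapping, the recipient allowlist, the patterns and the sample submissions are all constructed for illustration; the recipient allowlist is the extra check a renamed `recipient` field still needs, since a bot that learns the new name can otherwise set any address.

```python
"""Added example: unsuspicious field names plus regex badword filtering
for a formmail handler, run over constructed sample submissions.

Illustrative code, not the formmail script or the mod_security rule set
from the thread.  FIELD_MAP, ALLOWED_RECIPIENTS and BADWORD_PATTERNS are
assumptions a real deployment would tune.
"""
import re

# Public (unsuspicious) input names -> internal meaning.  A bot posting to
# 'recipient' or 'email' by their usual names hits nothing here.
FIELD_MAP = {
    "meinfeld1": "name",
    "meinfeld2": "email",
    "meinfeld3": "message",
    "meinfeld4": "recipient",
}

# Renaming is obscurity only; the recipient is additionally allowlisted so
# the script cannot be used to mail arbitrary addresses.
ALLOWED_RECIPIENTS = {"info@example.invalid", "sales@example.invalid"}

# Constructed patterns standing in for a real badword list.
BADWORD_PATTERNS = [
    re.compile(r"\b(viagra|cialis|casino)\b", re.I),
    re.compile(r"\[url=|<a\s+href", re.I),  # BBCode / HTML links
]
MAX_LINKS = 2  # more URLs than this in one field is treated as spam


def decode_fields(posted):
    """Translate public names to internal ones; unknown names are dropped."""
    return {internal: posted[public]
            for public, internal in FIELD_MAP.items() if public in posted}


def content_hits(fields):
    """List (field, rule) pairs for every filter that fires."""
    hits = []
    for name, value in fields.items():
        for pat in BADWORD_PATTERNS:
            if pat.search(value):
                hits.append((name, pat.pattern))
        if len(re.findall(r"https?://", value, re.I)) > MAX_LINKS:
            hits.append((name, "too many links"))
    return hits


def process(posted):
    """Decide whether a submission may be mailed; never sends anything."""
    fields = decode_fields(posted)
    recipient = fields.get("recipient", "")
    if recipient not in ALLOWED_RECIPIENTS:
        return {"accepted": False, "reason": "recipient not allowed"}
    hits = content_hits(fields)
    if hits:
        return {"accepted": False, "reason": "content filter", "hits": hits}
    return {"accepted": True, "to": recipient, "fields": fields}


# Constructed sample submissions: one legitimate, one bot using the usual
# names, one bot that learned the renamed fields.
SAMPLES = {
    "legit": {"meinfeld1": "Max", "meinfeld2": "max@example.invalid",
              "meinfeld3": "Question about your offer",
              "meinfeld4": "info@example.invalid"},
    "bot_default_names": {"recipient": "victim@example.invalid",
                          "email": "bot@example.invalid",
                          "message": "buy cheap viagra http://a/ http://b/ http://c/"},
    "bot_renamed": {"meinfeld1": "bot", "meinfeld2": "bot@example.invalid",
                    "meinfeld3": "buy cheap VIAGRA http://a/ http://b/ http://c/",
                    "meinfeld4": "info@example.invalid"},
}


def run_samples():
    """Map each sample name to its decision, for the reader and the checks."""
    return {name: process(posted) for name, posted in SAMPLES.items()}
```

Filtering of this kind runs inside the script, after the request has been parsed; mod_security, as Manuel uses it, applies the same idea one layer earlier, before the form handler is invoked at all.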