Posted by J.O. Aho on 12/13/06 21:33
Kentor wrote:
> I don't understand how to use sessions to prevent spam. Bots have
> sessions too, no?
Many times spam-bots go directly to the script that processes the in-data
without filling in a form; bots may have static cookies stored, if cookies are
used to control whether the sender is a valid one or a bot.
Sessions can be used as a non-cookie, and if the session can only be used to
mail once, the spam-bot has to have more AI to fetch a new session and then
post a new spam. A funny thing to do is to alter cookie-session/url-session,
which would cause a bit more difficulty for the bot.
> I thought that a good way would be to simply prevent a
> user from sending too many emails in 30 seconds or something like that.
> But according to Rik spammers can play with this using ips and
> whatever.
Spammers usually use proxies that, for Microsoft for some strange reason, are
open for all to use by default; this way it's the person running the proxy
whose ip-address you will see in your logs, and the spammer can use quite many
proxies. Binding sessions to a specific ip-address can cause harm for the
spammer, if they switch proxy too often.
> I like the idea of queuing the messages, but how could I
> filter out spamming messages? I could check them myself, but then this
> will require me spending time... =/
If you queue, then you can compare how many similar posts there are or if one
and the same e-mail address is overused (as sender or receiver); then you can
just delete those entries. For the queue I would use a database, as it has the
ability to sort things in a good way. So you don't have to check the posts
yourself but let the database delete duplicate senders (you could limit to, say,
max two mails from the same e-mail), multiple posts to the same e-mail (it's
enough with one post to each e-mail; if more, I would delete them all); message
content that is heavily HTML based should be deleted automatically. At the
same time check for header injections; that is a sure sign of spamming. Of
course limit the message length to a short one; this makes it difficult for
spammers to send a "good" spam, and fewer spammers may be interested in your form.
I would suggest, if you have access to a spamassassin daemon, to send the
message (with full headers, as you intend to send it) to it and let it spam
check the mail; as soon as it thinks something is spam, then just discard it.
Of course all this together won't be a 100% protection, but you cause more
work for the spammers and they won't get everything out.
--
//Aho
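As an added illustration of the checks Aho describes (not code from the thread or from any of its participants), the Python below puts the pieces together on the server side: a one-time session token so a stored cookie or a replayed POST cannot reuse a form, a CR/LF check on the single-line header fields, a length limit, an "HTML-heavy" body test, and the queue pruning rules (at most two mails per sender, and drop every entry to a recipient that got more than one). The limits, field names and the sample queue are constructed assumptions for the example; the session is a plain dict standing in for whatever session store the site uses.

```python
import re
import secrets
from collections import Counter

# Constructed limits for the example (assumptions, not from the thread).
MAX_BODY_LEN = 500        # "limit the message length to a short one"
MAX_PER_SENDER = 2        # "max two mails from the same e-mail"
HTML_TAG_RE = re.compile(r"<[^>]+>")
# CR, LF or their URL-encoded forms never belong in a single-line header field.
INJECTION_RE = re.compile(r"(\r|\n|%0a|%0d)", re.IGNORECASE)


def issue_token(session):
    """Store a fresh one-time token in the session and return it for the form."""
    token = secrets.token_hex(16)
    session["form_token"] = token
    return token


def consume_token(session, submitted):
    """Accept a token only once: pop it from the session so a replay fails."""
    expected = session.pop("form_token", None)
    if expected is None or submitted is None:
        return False
    return secrets.compare_digest(expected, submitted)


def has_header_injection(value):
    """True if a header field (From, To, Subject) contains a line break."""
    return bool(INJECTION_RE.search(value))


def is_html_heavy(body, ratio=0.3):
    """True if more than `ratio` of the body's characters sit inside HTML tags."""
    if not body:
        return False
    tagged = sum(len(tag) for tag in HTML_TAG_RE.findall(body))
    return tagged / len(body) > ratio


def validate_submission(session, form):
    """Return the reasons to reject a form post; an empty list means 'queue it'."""
    reasons = []
    if not consume_token(session, form.get("token")):
        reasons.append("missing or reused form token")
    for field in ("sender", "recipient", "subject"):
        if has_header_injection(form.get(field, "")):
            reasons.append(f"header injection in {field}")
    body = form.get("body", "")
    if len(body) > MAX_BODY_LEN:
        reasons.append("message too long")
    if is_html_heavy(body):
        reasons.append("HTML-heavy body")
    return reasons


def prune_queue(queue):
    """Apply the queue rules from the thread and return the entries to keep.

    - A recipient that appears more than once loses all of its entries.
    - A sender keeps at most MAX_PER_SENDER entries (first come, first kept).
    """
    recipient_counts = Counter(m["recipient"] for m in queue)
    sender_counts = Counter()
    kept = []
    for m in queue:
        if recipient_counts[m["recipient"]] > 1:
            continue
        sender_counts[m["sender"]] += 1
        if sender_counts[m["sender"]] > MAX_PER_SENDER:
            continue
        kept.append(m)
    return kept


# Constructed sample queue: alice posts three times, r4 is hit twice.
SAMPLE_QUEUE = [
    {"sender": "alice@example.test", "recipient": "r1@example.test", "body": "hi"},
    {"sender": "alice@example.test", "recipient": "r2@example.test", "body": "hi"},
    {"sender": "alice@example.test", "recipient": "r3@example.test", "body": "hi"},
    {"sender": "bob@example.test", "recipient": "r4@example.test", "body": "hello"},
    {"sender": "carol@example.test", "recipient": "r4@example.test", "body": "hello"},
    {"sender": "dave@example.test", "recipient": "r5@example.test", "body": "hello"},
]


if __name__ == "__main__":
    session = {}
    form = {"token": issue_token(session), "sender": "alice@example.test",
            "recipient": "r1@example.test", "subject": "hi", "body": "hello"}
    print("first post:", validate_submission(session, form) or "accepted")
    print("replayed post:", validate_submission(session, form))
    print("kept after pruning:", [(m["sender"], m["recipient"]) for m in prune_queue(SAMPLE_QUEUE)])
```

The token is popped on the first use, so the second call with the same form is rejected without any IP bookkeeping; the pruning pass is what the thread suggests running over a database queue before anything is handed to the mailer or to spamassassin.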