Posted by Rik on 12/13/06 21:37
Kentor wrote:
> I don't understand how to use sessions to prevent spam. Bots have
> sessions too, no?
They have indeed.
> I thought that a good way would be to simply prevent a user from
> sending too many emails in 30 seconds or something like that.
> But according to Rik spammers can play with this using ips and
> whatever.
Without a problem. The main reason NOT to use IPs is that several people
could have the same IP. Consider company X. Someone there finds your site
and is all excited and tells all his colleagues about it. Those lazy
bastards will, instead of working like they should, all go to your site
through the company's internet access, which uses but a single IP. All
those people also enjoy your site to the fullest. (Let's face it, your site
rocks! Anyone not impressed could not be called human...). They try to tell
people, but everyone in the company already knows. Highly frustrated, they
HAVE to share the news of such an excellent piece of work on the web with
others. And lo, you've given them a possibility to tell their friends about
you, bypassing that evil firewall that blocks personal emails (someone
actually did a full day's work after they installed it, the horror!). They
try to tell their friends, all over the same IP again. Then it happens:
this site, this wonder on the internet, this wonderful thing that was
almost a god to them, says: "This shall not be, for it is my belief you are
a spammer." What does one do? Suddenly this little wonder isn't so
wonderful anymore. At first, they doubt themselves; they must have done
something to affront this wonderful being. But no, others too are
wandering the halls with glazed-over eyes. Their god rejected them... It's
like a terrible break-up. What's the first thing anyone does who has been
so utterly rejected? They start to badmouth it. It couldn't be them; it's
this thing, this vile trap placed especially to humiliate good people...
They'll have to warn others not to fall into its clutches. Normally they
aren't that altruistic, but everyone should be spared this trauma. After
some talking, groups are formed and the rest of the day is spent trying to
overcome this black, black day. They finally come home. Here there's no
email block; let's spread the word...
> I like the idea of queuing the messages but how could i
> filter out spamming messages? I could check them myself but then this
> will require me spending time... =/
Well, queueing and checking can be automated, given enough rights on the
server of course. Then again, if they call up the person they sent it
to (*sigh*, don't you just get mad when someone calls just to say "you've
got mail"), and it doesn't arrive for a long period of time, this also
doesn't look good.
But my major point was that it is impossible to exclude spammers 100%;
however, if:
- you use your own custom script for it (i.e. not a script thousands of
people already use),
- you build in some basic checking (header injection is impossible; maybe
indeed use a session to filter out the dumber bots; captchas),
then as a spammer I've got a choice to try to use your script for my evil
purposes. However, in the time that would take him, he can find 10 other
mail forms which are vulnerable to header injection, which saves a hell of a
lot of time. It's like parking and locking your old rusty car next to an
unlocked brand new BMW. Given a choice, they'll of course steal the BMW
and leave your car alone. Probably, although there are always greedy
bastards who'll still take both :-)
--
Rik Wasmus
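The two "basic checks" Rik names above, a header-injection guard and a per-session (rather than per-IP) send limit, as an added example that is not part of the original thread or anyone's posted code. The function names, the 3-per-30-seconds limit and the in-memory session store are assumptions chosen for illustration; a real form would keep the counters in its session backend.

```python
"""Added example (not from the thread): basic checks for a mail form.

Two defences the post mentions, written as plain functions so they can be
exercised offline:
  1. reject any header field that contains a line break (header injection),
  2. limit sends per *session* instead of per IP, so a whole office behind
     one NAT address is not locked out because one colleague was keen.
Limits, names and the dict-backed store are assumptions for illustration.
"""
import re
import time
from collections import deque
from typing import Deque, Dict, List, Optional

# A CR, LF or NUL inside a value that is placed in a mail header lets the
# sender terminate the header and append their own lines; refuse them all.
_HEADER_BREAK = re.compile(r"[\r\n\x00]")
# A single bare address with no display name; deliberately conservative.
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_safe_header_value(value: str) -> bool:
    """True if the value can be placed in a header without breaking it."""
    return not _HEADER_BREAK.search(value)


def validate_form(from_addr: str, subject: str) -> List[str]:
    """Return the problems found; an empty list means the fields may be used."""
    problems: List[str] = []
    if not (is_safe_header_value(from_addr) and is_safe_header_value(subject)):
        problems.append("line break in header field (possible header injection)")
    if not _ADDRESS.match(from_addr):
        problems.append("malformed sender address")
    return problems


class SessionRateLimiter:
    """Sliding-window limit: at most `limit` sends per `window` seconds.

    Keyed on the session id, so users sharing one public IP are counted
    separately. Bots do get sessions too, as Kentor notes; this only slows
    the dumber ones and must be combined with the other checks.
    """

    def __init__(self, limit: int = 3, window: float = 30.0) -> None:
        self.limit = limit
        self.window = window
        self._sends: Dict[str, Deque[float]] = {}

    def allow(self, session_id: str, now: Optional[float] = None) -> bool:
        """Record a send for this session and say whether it is permitted."""
        now = time.monotonic() if now is None else now
        q = self._sends.setdefault(session_id, deque())
        # Forget timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Constructed inputs: one clean submission and one with a smuggled line.
    print(validate_form("alice@example.com", "Hello"))
    print(validate_form("alice@example.com\r\nBcc: someone@example.com", "Hello"))
    limiter = SessionRateLimiter(limit=2, window=30.0)
    print([limiter.allow("sess-1", now=t) for t in (0.0, 1.0, 2.0, 31.0)])
```

The injection check is intentionally blunt: it does not try to sanitise the value, it refuses the submission, because anything that needed a line break in a From or Subject field was never a legitimate contact-form message. The limiter takes an explicit `now` so it can be tested deterministically.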