Posted by J.O. Aho on 03/01/06 23:13
M wrote:
> OK, I've been hit by the email spammers, and now validate every field,
> chop out all the nasty commands and die if anything is suspicious.
>
> I now want to implement a 'send this idea to someone' type page where a
> user can put in their own email id, a friend's email id and send a short
> message.
>
> Obviously I can trap all the usual nasties and die if I detect one, but
> there won't be anything to stop a script calling the page and specifying
> one email address at a time, and doing this hundreds of times.
>
> So, what options are available to detect a genuine person v script?
>
> 1. type what you see in the image - I really don't like these
> 2. limit number of calls per IP address in X minutes
> 3. is there any way to only present / allow the form on the result of a
> mouse click (i.e. cannot call the form directly), and can scripts
> simulate a mouse click
>
> Grateful if people could suggest potential options, would something like
> 3 above work at all?
You can use sessions that start when the page is loaded and are then checked at
the processing page. Set the session id into a temporary deny list; this way
you will make it more difficult for people even to use the form to mass post.

You could include a browser id check. This will not prevent people from
spoofing but will at least stop inexperienced script kiddies from taking
advantage of the form.

Limit the size of the message (if any) that the user can send, say max 100
characters. It won't really prevent spammers from using the form, but should
make them less interested if they notice that the message can't be
longer (it can be a good idea to write that on the form page).

Add 2 with one post per minute per IP, as scripts for mass posting do make
their posting as fast as possible. On MTAs it's getting more common to have a
delay from connection to the time when it's allowed to post, as many
spam scripts don't manage to wait and will be detected at once and kicked from
the MTA. As you won't be able to do the same with PHP, you will need to use a
delay for how often you can post.

To make 3 work, you would need to use a Java applet (no, not
JavaScript, that's something completely different).
//Aho
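The following is an added example, not code from either poster, showing how the measures suggested in this reply fit together as a server-side gate for a "send to a friend" form: a token issued when the form page is loaded and checked by the processing page, a temporary deny list for the session after a successful post, a browser-id (User-Agent) comparison between load and submit, a 100-character message cap, and a one-post-per-minute limit per IP. It assumes an in-memory store and an injected clock so it runs offline; in a real deployment the store would live in the session backend or a shared cache, and the User-Agent would come from the request headers. The class name, method names and sample values are constructed for this illustration.

```python
import hmac
import secrets
import time

# Limits taken from the reply above: 100-character message, one post per minute per IP.
MAX_MESSAGE_LEN = 100
POST_INTERVAL_SECONDS = 60


class SendToFriendGuard:
    """Server-side anti-abuse gate for a 'send this to a friend' form (constructed example)."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable clock so the logic can be exercised offline
        self._pending = {}             # session_id -> (form token, browser id seen at page load)
        self._session_denied_until = {}  # session_id -> timestamp until which posting is refused
        self._ip_last_post = {}        # client ip -> timestamp of the last accepted post

    def issue_form(self, session_id, browser_id):
        """Called when the form page is rendered: ties a fresh token to this session."""
        token = secrets.token_hex(16)
        self._pending[session_id] = (token, browser_id)
        return token

    def check_submission(self, session_id, token, ip, browser_id, message):
        """Called by the processing page. Returns (accepted, reason); state changes only on accept."""
        now = self._clock()

        # 1. The form must have been loaded in this session (blocks direct calls to the processor).
        pending = self._pending.get(session_id)
        if pending is None or not hmac.compare_digest(pending[0], token):
            return (False, "form not loaded in this session")

        # 2. Browser id must match what was seen at page load (cheap, spoofable, still filters naive scripts).
        if pending[1] != browser_id:
            return (False, "browser id changed between load and submit")

        # 3. A session that just posted is on the temporary deny list.
        if self._session_denied_until.get(session_id, 0) > now:
            return (False, "session temporarily denied")

        # 4. One post per minute per IP, mirroring the MTA-style delay the reply describes.
        last = self._ip_last_post.get(ip)
        if last is not None and now - last < POST_INTERVAL_SECONDS:
            return (False, "too many posts from this address")

        # 5. Short messages make the form uninteresting for bulk mail.
        if len(message) > MAX_MESSAGE_LEN:
            return (False, "message too long")

        # Accept: the token is single-use, the session is denied for the interval, the IP is stamped.
        del self._pending[session_id]
        self._session_denied_until[session_id] = now + POST_INTERVAL_SECONDS
        self._ip_last_post[ip] = now
        return (True, "accepted")


if __name__ == "__main__":
    guard = SendToFriendGuard()
    tok = guard.issue_form("session-1", "Mozilla/5.0 (constructed)")
    print(guard.check_submission("session-1", tok, "192.0.2.10", "Mozilla/5.0 (constructed)", "Have a look at this page!"))
    # A replay of the same token is refused because it was consumed by the accepted post.
    print(guard.check_submission("session-1", tok, "192.0.2.10", "Mozilla/5.0 (constructed)", "again"))
```

All checks run before any state is mutated, so a rejected submission never consumes the token or stamps the IP; that keeps a genuine user from being locked out by a single typo-length message, while a script hammering the processor without loading the form is refused at the first check.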