Posted by Kentor on 12/13/06 20:29
I don't understand how to use sessions to prevent spam. Bots have
sessions too, no? I thought that a good way would be to simply prevent a
user from sending too many emails in 30 seconds or something like that.
But according to Rik, spammers can play with this using IPs and
whatever. I like the idea of queuing the messages, but how could I
filter out spamming messages? I could check them myself, but then this
will require me spending time... =/

On Dec 13, 2:36 pm, "J.O. Aho" <u...@example.net> wrote:
> Rik wrote:
> > J.O. Aho wrote:
> >> Kentor wrote:
> >>> Hello, how could I limit the number of times a user uses my "tell a
> >>> friend" form each minute? Or if anybody has a nice looking
> >>> tell-a-friend script which prevents spam already coded, that would
> >>> save up a little time. Thanks
>
> >> Take a look at the "mail forms being abused" thread that's in this
> >> newsgroup, you should be able to find it with Google Groups.
>
> > A 'tell-a-friend' form is a different beast altogether.
> > ASIDE from the header-injection prevention, you're sending mail to an
> > unknown, user-defined address, not a semi-hardcoded email address (i.e. the
> > site owner). Nothing prevents me from writing a bot which will hit your
> > form hundreds of times using different IPs, cookies, etc. They might all
> > be valid visitors, or not. No real way to tell.
>
> No, of course you can write a bot and that's what is used, but even spammers
> like to send to as many users as possible at one try, which you should prevent.
>
> You can throw in a short-lived session; if the session isn't there, then don't
> mail. This would cause more work for the spammers to be able to spam.
>
> Another thing is to queue the mail and use a cron script that runs the mail
> through spamassassin before sending it; if caught as spam, don't mail.
>
> --
>
> //Aho
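
The measures discussed in this thread (a short-lived session, a per-session send limit, header-injection rejection, and a queue drained by a cron job through spamassassin) combined in one sketch. This is an added example, not code from any poster; the function names, limits and `SECRET` value are assumptions, and it assumes the `spamassassin` CLI is installed for the default filter.

```python
import hashlib, hmac, subprocess, time

SECRET = b"constructed-demo-key"  # assumption: per-site secret (placeholder value)
MAX_AGE = 600                     # assumption: form session is valid for 10 minutes
MAX_PER_SESSION = 3               # assumption: mails allowed per session

def _mac(session_id, ts):
    return hmac.new(SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()

def issue_token(session_id, now=None):
    """Called when the form page is rendered; marks the start of the session."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(session_id, ts)}"

def token_ok(session_id, token, now=None):
    """True only for an unexpired token that was issued to this session."""
    ts, _, mac = token.partition(".")
    if not ts.isdigit():
        return False
    age = (time.time() if now is None else now) - int(ts)
    same = hmac.compare_digest(mac.encode(), _mac(session_id, ts).encode())
    return same and 0 <= age <= MAX_AGE

def submit(queue, counts, session_id, token, to_addr, body, now=None):
    """Form handler: never mails directly, only queues. Returns a status string."""
    if not token_ok(session_id, token, now):
        return "no-session"            # form was never loaded, or session expired
    if "\r" in to_addr or "\n" in to_addr:
        return "header-injection"      # CR/LF would smuggle extra mail headers
    if counts.get(session_id, 0) >= MAX_PER_SESSION:
        return "limit"
    counts[session_id] = counts.get(session_id, 0) + 1
    queue.append((to_addr, body))
    return "queued"

def spamassassin_says_spam(raw_message):
    """With -e, spamassassin exits non-zero when the message is spam."""
    proc = subprocess.run(["spamassassin", "-e"], input=raw_message.encode(),
                          stdout=subprocess.DEVNULL)
    return proc.returncode != 0        # errors also count as spam (fail closed)

def drain(queue, send, is_spam=spamassassin_says_spam):
    """Cron job body: send only the queued mails that the filter passes."""
    sent = 0
    while queue:
        to_addr, body = queue.pop(0)
        raw = f"To: {to_addr}\nSubject: A friend recommends this site\n\n{body}"
        if not is_spam(raw):
            send(to_addr, raw)
            sent += 1
    return sent
```

As Rik's quoted point says, a bot can still fetch the form and obtain its own session, so the token and limit only raise the cost per message; the filtered queue is what stops mail that looks like spam from leaving the server.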