Posted by Kentor on 12/14/06 01:21
Good stuff guys, alright so how can I use sessions to prevent the
spammers? Can somebody give me a piece of code or an example so I can
see how this can be done.
Rik wrote:
> Kentor wrote:
> > I don't understand how to use sessions to prevent spam. Bots have
> > sessions too, no?
>
> They have indeed.
>
> > I thought that a good way would be to simply prevent a
> > user from sending too many emails in 30 seconds or something like
> > that. But according to Rik spammers can play with this using ips and
> > whatever.
>
> Without a problem. The main reason NOT to use IPs is that several people
> could have the same ip. Consider company x. Someone there finds your site
> and is all excited and tells all his colleagues about it. Those lazy
> bastards will, instead of working like they should, all go to your site
> through the company's internet access, which uses but a single IP. All
> those people also enjoy your site to the fullest. (Let's face it, your site
> rocks! Anyone not impressed could not be called human...). They try to tell
> people, but everyone in the company already knows. Highly frustrated they
> HAVE to share the news of such an excellent piece of work on the web with
> others. And lo, you've given them a possibility to tell their friends about
> you, bypassing that evil firewall that blocks personal emails (someone
> actually did a full days work after they installed it, the horror!). They
> try to tell their friends, all over the same IP again. Then it happens:
> This site, this wonder on the internet, this wonderful thing that was
> almost a god to them says: "This shall not be, for it is my belief you are
> a spammer." What does one do? Suddenly this little wonder isn't so
> wonderful anymore. At first, they doubt themselves, they must have done
> something to affront this wonderful being. But no, others too are
> wandering the halls with glazed over eyes. Their god rejected them... It's
> like a terrible break-up. What's the first thing anyone does who had been
> so utterly rejected? They start to badmouth it. It couldn't be them, it's
> this thing, this vile trap placed especially to humiliate good people...
> They'll have to warn others not to fall into its clutches, normally they
> aren't that altruistic, but everyone should be spared this trauma. After
> some talking groups are formed and the rest of the day is spent trying to
> overcome this black, black day, they finally come home. Here there's no
> email block, let's spread the word...
>
> > I like the idea of queuing the messages but how could i
> > filter out spamming messages? I could check them myself but then this
> > will require me spending time... =/
>
> Well, queueing and checking can be automated given enough rights on the
> server of course. Then again, if they call up the person who they sent it
> to (*sigh*, don't you just get mad when someone calls just to say "you've
> got mail"), and it doesn't arrive for a long period of time, this also
> doesn't look good.
>
> But my major point was that it is impossible to exclude spammers a 100%,
> however if:
> - you use your own custom script for it (i.e. not a script thousands of
> people already use).
> - you build in some basic checking (header-injection is impossible, maybe
> indeed use a session to filter out the dumber bots, captchas)
> then as a spammer, I've got a choice to try to use your script for my evil
> purposes. However, in the time that would take him, he can find 10 other
> mailforms who are vulnerable to header-injection, which saves a hell of a
> lot of time. It's like parking and locking your old rusty car next to an
> unlocked brand new BMW. Given a choice, they'll of course steal the BMW,
> and leave your car alone. Probably, although there are always greedy
> bastards who'll still take both :-)
> --
> Rik Wasmus
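
An added example, not part of the original thread or anyone's posted code: one way to combine the two basic checks Rik lists, a session token that filters out bots which never load the form (or submit it instantly) and a CR/LF check that blocks header injection. The function names, field names and thresholds are assumptions.

```php
<?php
// Added example; function and field names are hypothetical.
declare(strict_types=1);

const MIN_FILL_SECONDS = 3;    // assumed: a person needs a few seconds to type
const MAX_TOKEN_AGE    = 1800; // assumed: form tokens expire after 30 minutes

// Call while rendering the form; put the returned token in a hidden field.
function issue_form_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['mail_form'] = ['token' => $token, 'issued' => $now];
    return $token;
}

// A value that ends up in a mail header must not contain CR or LF.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Call on POST. Returns null when accepted, otherwise the rejection reason.
function check_submission(array &$session, array $post, int $now): ?string
{
    $state = $session['mail_form'] ?? null;
    unset($session['mail_form']);               // each token works once
    $sent = $post['token'] ?? null;
    if (!is_array($state)) return 'form was never loaded in this session';
    if (!is_string($sent) || !hash_equals($state['token'], $sent)) return 'token mismatch';
    $age = $now - $state['issued'];
    if ($age < MIN_FILL_SECONDS) return 'submitted faster than a person types';
    if ($age > MAX_TOKEN_AGE) return 'token expired';
    foreach (['from', 'subject'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || !is_header_safe($value)) return "CR/LF or non-string in $field";
    }
    return null;
}

// Constructed demo; in a real page pass $_SESSION (after session_start()), $_POST and time().
$session = [];
$token = issue_form_token($session, 1000);
$post = ['token' => $token, 'from' => 'a@example.com', 'subject' => "Hi\r\nBcc: x@example.net"];
var_dump(check_submission($session, $post, 1010));   // constructed header-injection input
$post = ['token' => issue_form_token($session, 2000), 'from' => 'a@example.com', 'subject' => 'Hi'];
var_dump(check_submission($session, $post, 2001));   // submitted one second after the form loaded
var_dump(check_submission($session, $post, 2010));   // same token replayed after it was consumed
```

A bot that keeps its session cookie and waits a few seconds still passes the token check, so this only raises the cost for the simpler bots; the CR/LF check is the part that closes header injection.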