Posted by Kentor on 12/14/06 01:23
Also, could someone point me to a font that would not be easily
decodable by a bot for captcha purposes?
Kentor wrote:
> Good stuff guys, alright so how can I use sessions to prevent the
> spammers? Can somebody give me a piece of code or an example so I can
> see how this can be done.
> Rik wrote:
> > Kentor wrote:
> > > I don't understand how to use sessions to prevent spam. Bots have
> > > sessions too, no?
> >
> > They have indeed.
> >
> > > I thought that a good way would be to simply prevent a
> > > user from sending too many emails in 30 seconds or something like
> > > that.
> > > But according to Rik spammers can play with this using IPs and
> > > whatever.
> >
> > Without a problem. The main reason NOT to use IPs is that several people
> > could have the same IP. Consider company x. Someone there finds your site
> > and is all excited and tells all his colleagues about it. Those lazy
> > bastards will, instead of working like they should, all go to your site
> > through the company's internet access, which uses but a single IP. All
> > those people also enjoy your site to the fullest. (Let's face it, your site
> > rocks! Anyone not impressed could not be called human...). They try to tell
> > people, but everyone in the company already knows. Highly frustrated they
> > HAVE to share the news of such an excellent piece of work on the web with
> > others. And lo, you've given them a possibility to tell their friends about
> > you, bypassing that evil firewall that blocks personal emails (someone
> > actually did a full day's work after they installed it, the horror!). They
> > try to tell their friends, all over the same IP again. Then it happens:
> > This site, this wonder on the internet, this wonderful thing that was
> > almost a god to them says: "This shall not be, for it is my belief you are
> > a spammer." What does one do? Suddenly this little wonder isn't so
> > wonderful anymore. At first, they doubt themselves, they must have done
> > something to affront this wonderful being. But no, others too are
> > wandering the halls with glazed over eyes. Their god rejected them... It's
> > like a terrible break-up. What's the first thing anyone does who had been
> > so utterly rejected? They start to badmouth it. It couldn't be them, it's
> > this thing, this vile trap placed especially to humiliate good people...
> > They'll have to warn others not to fall into its clutches, normally they
> > aren't that altruistic, but everyone should be spared this trauma. After
> > some talking groups are formed and the rest of the day is spent trying to
> > overcome this black, black day, they finally come home. Here there's no
> > email block, let's spread the word...
> >
> > > I like the idea of queuing the messages but how could i
> > > filter out spamming messages? I could check them myself but then this
> > > will require me spending time... =/
> >
> > Well, queueing and checking can be automated given enough rights on the
> > server of course. Then again, if they call up the person who they sent it
> > to (*sigh*, don't you just get mad when someone calls just to say "you've
> > got mail"), and it doesn't arrive for a long period of time, this also
> > doesn't look good.
> >
> > But my major point was that it is impossible to exclude spammers 100%,
> > however if:
> > - you use your own custom script for it (i.e. not a script thousands of
> > people already use).
> > - you build in some basic checking (header-injection is impossible, maybe
> > indeed use a session to filter out the dumber bots, captchas)
> > then as a spammer, I've got a choice to try to use your script for my evil
> > purposes. However, in the time that would take him, he can find 10 other
> > mailforms who are vulnerable to header-injection, which saves a hell of a
> > lot of time. It's like parking and locking your old rusty car next to an
> > unlocked brand new BMW. Given a choice, they'll of course steal the BMW,
> > and leave your car alone. Probably, although there are always greedy
> > bastards who'll still take both :-)
> > --
> > Rik Wasmus
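
A sketch of the session check and header-injection check described in the quoted reply, added here as an example and not code from anyone in the thread. It is written in Python; the `session` dict stands in for whatever server-side session store the site uses, and the function names, field names and thresholds are assumptions.

```python
import hmac
import secrets
import time

MIN_FILL_SECONDS = 3     # assumed: a person needs a few seconds to fill in the form
MIN_SEND_INTERVAL = 30   # the "too many emails in 30 seconds" idea, per session not per IP
HEADER_FIELDS = ("from", "to", "subject")  # values that end up in mail headers


def issue_form_token(session, now=None):
    """Call while rendering the form: bind a one-time token to this session."""
    now = time.time() if now is None else now
    session["form_token"] = secrets.token_hex(16)
    session["form_issued"] = now
    return session["form_token"]  # emit this in a hidden form field


def has_header_injection(value):
    """A CR or LF in a header value lets the sender append extra mail headers."""
    return "\r" in value or "\n" in value


def check_submission(session, form, now=None):
    """Return (accepted, reason) for one POST of the mail form."""
    now = time.time() if now is None else now
    # pop() makes the token single-use, so a captured POST cannot be replayed.
    expected = session.pop("form_token", None)
    issued = session.pop("form_issued", 0.0)
    supplied = str(form.get("token", ""))
    if expected is None or not hmac.compare_digest(
        expected.encode(), supplied.encode()
    ):
        return False, "no valid session token"  # client never loaded the form
    if now - issued < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if now - session.get("last_sent", float("-inf")) < MIN_SEND_INTERVAL:
        return False, "rate limited"
    for field in HEADER_FIELDS:
        if has_header_injection(str(form.get(field, ""))):
            return False, "header injection in " + field
    session["last_sent"] = now
    return True, "ok"
```
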