Reply to Re: Avoiding guestbook spam

Posted by Schraalhans Keukenmeester on 05/31/07 08:09

At Thu, 24 May 2007 15:53:56 +0000, Allodoxaphobia let h(is|er) monkeys
type:

> On Thu, 24 May 2007 12:58:42 +0200, Schraalhans Keukenmeester wrote:
>>
>> (So I'm still interested in alternatives)
>
> Don't even let them get that far. Using .htaccess in your messageboard's
> directory, block the bastards before they even get to fetch a page. I
> put my messageboard(s) one directory *lower* than their higher-level web
> pages -- just to reduce the overhead for that .htaccess DENY processing
> for all other 'normal' browsing.
>
> I also put a
> Disallow: /xxxxx/yyyyy/msgboard
> in robots.txt to keep the
> messageboard(s) directory out of the search engines. Believe me: That
> really helps. My first couple of messageboards were *not* implemented
> that-a-way, and I had Big Problems with them. After I learned this
> trick, subsequent messageboards I put up have had *NO* spammer postings.
> After all, why post spam on a messageboard that Google will never offer
> up? Too, I believe that the spammers use software _to find_ the
> messageboards _using_ the search engines.
>
> My message boards are all US-centric, so I can
> exert some heavy-handed blocking. Here's an extract from my .htaccess:
> -------------------------------------------------------------------------
[snip ip list for brevity]

That's quite an extensive list indeed. I am a bit apprehensive though of
limiting access based on geographic location. While the site in question
has 99% of its audience in the Netherlands and Belgium, occasionally
people come in from odd, unexpected locations. Maybe they're on a holiday
or business trip, or using Tor/privoxy for instance.

I will keep a copy though, might come in handy someday.

I have now added a session-transported variable to force the use of the
actual form page, and added a hidden field containing the current
timestamp. If less than a given number of seconds pass between form
display and submission it seems valid to assume it's a robo-submitted
form. The receiving script can no longer be called directly by external
hosts either.

Seems to be working ok. Still it doesn't limit the actual number of spam
posting attempts very much. I am not sure if redirecting rejected messages
to a 404 error would make them believe the game is over. No idea
whether these spamming systems check the result of their actions in any
way.

At least the visitors appear to be happy the captcha's gone. I am not the
only one who hates them, obviously.

Thanks for your contributions.

Sh.
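
The session token and form-timing check described in the post above, as an added example that is not part of the original post (Python; the function names, field names and both thresholds are assumptions). It signs the hidden timestamp, since a hidden field is client-controlled and a bot could otherwise backdate it.

```python
import hashlib
import hmac
import secrets
import time

MIN_FILL_SECONDS = 5    # assumed threshold; the post only says "a given number of seconds"
MAX_FORM_AGE = 3600     # assumed upper bound so an old form cannot be replayed forever
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the client


def _sign(token, ts):
    return hmac.new(SERVER_KEY, f"{token}:{ts}".encode(), hashlib.sha256).hexdigest()


def render_form(session, now=None):
    """Run when the form page is displayed; returns the hidden field values."""
    ts = str(int(time.time() if now is None else now))
    token = secrets.token_hex(16)
    session["form_token"] = token  # proves the form page was actually fetched
    return {"token": token, "ts": ts, "sig": _sign(token, ts)}


def check_submission(session, fields, now=None):
    """Run by the receiving script; returns "ok" or the reason for rejection."""
    now = int(time.time() if now is None else now)
    expected = session.pop("form_token", None)  # single use: one post per form view
    if expected is None:
        return "no-session"
    token, ts, sig = (str(fields.get(k, "")) for k in ("token", "ts", "sig"))
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return "bad-token"
    # The timestamp travels through the client, so verify it was not edited.
    if not hmac.compare_digest(_sign(token, ts).encode(), sig.encode()):
        return "tampered-timestamp"
    age = now - int(ts)
    if age < MIN_FILL_SECONDS:
        return "too-fast"
    if age > MAX_FORM_AGE:
        return "expired"
    return "ok"
```

Logging the returned reason for each rejected post shows which check is doing the work and whether the time threshold is catching real visitors.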
