|
|
Posted by adwatson on 01/25/08 16:25
I kind of like the new test you've been seeing here and there where it
says something like "2+2 = " and you enter the answer, seems like it
strikes more a balance between protection from bots and making the
form accessible to screen readers, etc.
---
www.NEXCESS.NET - Shared/Reseller Hosting
www.EliteRax.com - Dedicated Servers, Server Clusters
www.MaxVPS.com - Virtual Private Servers
- Great prices, Great service - check us out!
On Jan 24, 3:00 pm, Michael Vilain <vil...@NOspamcop.net> wrote:
> In article <fn9548$uq...@aioe.org>, Manuel Lemos <mle...@acm.org>
> wrote:
>
>
>
> > Hello,
>
> > on 01/24/2008 02:40 AM Shelly said the following:
> > >>> The email is only sent to the site owner, so the spammer has no way of
> > >>> knowing what the email should look like. That tells me that they have
> > >>> to be going through the form. Yet the proper email has an echo of
> > >>> generated security code. The spam email has that field empty. So,
> > >>> that says he can't be going through the form.
> > >>> It seems to me that they must:
> > >>> 1 - Somehow diverting a legitimate email so that copy is sent to
> > >>> them.
> > >>> 2 - Using that email copy to create a template and modify the output
> > >>> so that junk is sent.
> > >>> I really don't know how they are doing it.
> > >> If you are not using a good CAPTCHA, I am not sure what you mean by
> > >> security codes.
>
> > >> Anyway, I suspect that your code has a common vulnerability of contact
> > >> forms which is to not properly encode information that goes to message
> > >> headers. This means that if the abuser inserts a well throught character
> > >> sequences, he may make your script compose a message that uses your mail
> > >> server to send spam to anybody in the world.
>
> > >> It is hard to advise without seeing your script. Anyway, I recommend
> > >> using a component that knows how to properly encode or escape malicious
> > >> character sequences to avoid abuses like your suffering.
>
> > >> I use this MIME message composing and sending class that is well aware
> > >> of all the e-mail standards that are necessary to compose messages
> > >> properly. You may want to use it to avoid the abuses.
>
> > >>http://www.phpclasses.org/mimemessage
>
> > > I use the class htmlMimeMail fromhttp://www.phpguru.org/by Richard
>
> > I have not studied that class. I don't know if it properly encodes
> > message headers.
>
> > > Heyes. The security code is just a randomly generated string of 6
> > > characters. I am not using a CAPTCHA. I guess I will have to.
>
> > That may explain it. Even some CAPTCHAs can be bypassed with good OCR
> > scripts. But even a basic CAPTCHA can raise the bar hard enough to make
> > your abuser give up.
>
> I use a very simple trick. Put a HIDDEN field with an obvious name like
> "COUNTRY" or "POSTAL CODE" or whatever giving it an initially blank
> value. Check in the post processing for the form to see that it's
> blank, meaning the form was filled out by a browser with a human sitting
> in front of it. If a bot filled out the form, chances are it put in a
> value. Throw those submissions away and do nothing. Mail the others.
>
> --
> DeeDee, don't press that button! DeeDee! NO! Dee...
[Back to original message]
|