Trying to secure a contact.php page

Posted: Tue Apr 27, 2010 2:42 am
by wolfdogg
Hi all. I use a content management system that the spammer bots seem to like. They visit me almost hourly and geotracking always indicates locations in India. So.. since they always spend their time on my contact.php page and create lots of headaches in my CMS, I'm trying to secure this.

Here's the current form I use:

<div class="normal_p">
<div id="contact-form">
<strong><span class="required_star">NOTE: *</span> <span class="text">Required Fields</span></strong><br /><br />
<?php echo $form->getFormOpenHTML(); ?>
<fieldset class="hidden">
<ul>
<li><?php echo $form->getFieldLabel('name'); ?><?php echo $form->getFieldHTML('name'); ?></li>
<li><?php echo $form->getFieldLabel('email'); ?><?php echo $form->getFieldHTML('email'); ?></li>
<li><?php echo $form->getFieldLabel('confirm_email'); ?><?php echo $form->getFieldHTML('confirm_email'); ?></li>
<li><?php echo $form->getFieldLabel('comments'); ?><?php echo $form->getFieldHTML('comments'); ?></li>
<?php foreach($custom_fields as $field) { ?> 
<li><?php echo $form->getFieldLabel('custom_'.$field['id']); ?><?php echo $form->getFieldHTML('custom_'.$field['id']); ?></li>
<?php if($form->hasFieldNote('custom_'.$field['id'])) { ?>
<p class="note"><?php echo $form->getFieldNote('custom_'.$field['id']); ?></p>
<?php } ?>
<?php } ?>
<li><?php echo $form->getFieldLabel('security_code'); ?><?php echo $form->getFieldHTML('security_code'); ?></li> 
<li>What is the fourth letter of the word "five"? <input type="text" name="hii" /></li>
<li><label>&nbsp;</label><?php echo $form->getFieldHTML('submit'); ?></li>
</ul>
</fieldset>
<?php echo $form->getFormCloseHTML(); ?>
</div>
</div>
and.. my idea is to block specific words.. and email registrations such as gmail, yahoo, hotmail, etc.. So, I found a great php script that someone said they used on their contact form on another site. My contact form is coded completely differently, but I'm curious if anyone could help to make this below code work for my above form? I'd like to just stick the code below above the code above in the page (as it's currently used on this other site). Any help would be greatly appreciated. I'm getting slaughtered with spam!
Thanks.

<?php
// Comma-separated list of words that should block the submission.
$blockwords = "casino,badword";

if (!empty($blockwords) && !empty($_POST)) {
    $useBlocks = explode(",", $blockwords);
    foreach ($useBlocks as $blockWord) {
        foreach ($_POST as $Name => $Value) {
            // Skip non-string values (array fields) so trim() does not warn.
            if (!is_string($Value)) {
                continue;
            }
            $Value = strtolower(trim($Value));
            if (!empty($Value) && strpos($Value, $blockWord) !== false) {
                exit(); // Silently stop processing the submission.
            }
        }
    }
}
?>
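Added example (editor's code, not from the thread or the CMS): the snippet above adapted to the form earlier in the post. It assumes the e-mail field arrives as $_POST['email'] (the name used by getFieldHTML('email') above); since the CMS's mail-sending routine is not shown, a hit stops the request the same way the original snippet does. It also goes beyond the original by matching the e-mail domain exactly rather than as a substring, so "gmail.com" does not also catch "notgmail.com". Requires PHP 7 or later for the type hints.

```php
<?php
// Added example: drop-in filter for the top of contact.php.
// Assumption: the address is posted as $_POST['email'].

$blockwords   = ['casino', 'badword'];                     // substrings refused in any field
$blockdomains = ['gmail.com', 'yahoo.com', 'hotmail.com', 'mailinator.com'];

/**
 * True when any string field contains a blocked word (case-insensitive).
 */
function contains_blocked_word(array $post, array $blockwords): bool
{
    foreach ($post as $value) {
        if (!is_string($value)) {
            continue;                                       // custom fields may post arrays
        }
        $value = strtolower(trim($value));
        if ($value === '') {
            continue;
        }
        foreach ($blockwords as $word) {
            if ($word !== '' && strpos($value, strtolower($word)) !== false) {
                return true;
            }
        }
    }
    return false;
}

/**
 * True when the domain after the last '@' is on the list (exact match).
 */
function has_blocked_domain(string $email, array $blockdomains): bool
{
    $email = strtolower(trim($email));
    $at = strrpos($email, '@');
    if ($at === false) {
        return false;                                       // malformed; leave it to the CMS validation
    }
    $domain = substr($email, $at + 1);
    return in_array($domain, array_map('strtolower', $blockdomains), true);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $email = (isset($_POST['email']) && is_string($_POST['email'])) ? $_POST['email'] : '';
    if (contains_blocked_word($_POST, $blockwords) || has_blocked_domain($email, $blockdomains)) {
        error_log('contact.php: submission refused by spam filter');   // keep a trace for tuning the lists
        exit();
    }
}
?>
```

Place it before the form markup so it runs on every POST; the logged line is what lets you see whether the word list or the domain list is doing the work.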

Re: Trying to secure a contact.php page

Posted: Tue Apr 27, 2010 3:30 am
by social_experiment
From experience, spammers don't use specific words, your contact form just gets filled with garbage text. You should add a checkbox that has to be checked before the mail is sent or something like CAPTCHA.

Re: Trying to secure a contact.php page

Posted: Tue Apr 27, 2010 7:40 am
by wolfdogg
social_experiment wrote:From experience, spammers don't use specific words, your contact form just gets filled with garbage text. You should add a checkbox that has to be checked before the mail is sent or something like CAPTCHA.
I use captcha now but it's worthless. Once a bot figures out how to beat that, they can reproduce it every time... and they have figured this one out. Even Google's captcha was hacked and fed to bots a couple years ago (http://securitylabs.websense.com/conten ... /2919.aspx). And checkmarks? That would accomplish nothing. Human Intelligence Identification is a much better method and known to beat bots every time. But.. since I don't know PHP, that's a tougher job than this.

Blocking "specific words" would also work well for what I need. This would allow me to keep adding email domain names (gmail,yahoo,hotmail,mailinator,etc...) and force registration by business emails only. Modifying the small "blockedwords" code above seems like it would be the easiest solution for my needs.

Re: Trying to secure a contact.php page

Posted: Tue Apr 27, 2010 8:10 am
by Apollo
Unless a bot is exclusively programmed to beat *your* specific website, you may save yourself quite some spam by including a hidden field in your form, in which you put a random checksum in javascript (e.g. onload or onsubmit). When processing a submitted form, check if the required checksum is there, otherwise refuse the form - that is, show confirmation as usual but just don't actually send the email.
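Added example (editor's code, not Apollo's or the CMS's): one way to implement the hidden-field idea. The server keeps a random token in the session and only hands it to a script that runs on submit, so a client that never executes JavaScript posts an empty field. On a mismatch the page shows the usual thank-you but skips the mail, as the post suggests. The mail routine send_contact_mail() is a placeholder for whatever the CMS provides. Requires PHP 7 for random_bytes().

```php
<?php
// Added example: JavaScript-filled hidden field checked server-side.
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $expected = isset($_SESSION['form_token']) ? $_SESSION['form_token'] : '';
    $given    = (isset($_POST['js_token']) && is_string($_POST['js_token'])) ? $_POST['js_token'] : '';
    unset($_SESSION['form_token']);                        // one use per token

    // hash_equals() avoids leaking which characters matched through timing.
    $looks_human = ($expected !== '' && hash_equals($expected, $given));
    if ($looks_human) {
        // send_contact_mail($_POST);                      // assumed: the CMS's own mail routine
    }
    echo "<p>Thanks, your message has been received.</p>"; // same reply either way
    exit;
}

// GET: issue a fresh token; it lives in the session and in the script block only,
// never in the form's own markup.
$_SESSION['form_token'] = bin2hex(random_bytes(16));
$token_js = json_encode($_SESSION['form_token']);
?>
<form id="contact" method="post" action="">
  <input type="hidden" name="js_token" id="js_token" value="" />
  <!-- the form's other fields go here -->
  <input type="submit" value="Send" />
</form>
<script>
  // Only a client that runs JavaScript fills the field before submitting.
  document.getElementById('contact').onsubmit = function () {
    document.getElementById('js_token').value = <?php echo $token_js; ?>;
  };
</script>
```

The caveat matches Apollo's first sentence: the token is still readable in the page source, so this filters generic bots that post without rendering the page, not one written against this form specifically.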

Re: Trying to secure a contact.php page

Posted: Tue Apr 27, 2010 8:41 am
by social_experiment
wolfdogg wrote:And checkmarks? That would accomplish nothing. Human Intelligence Identification is a much better method and known to beat bots everytime. But.. since I don't know PHP, that's a tougher job than this.
Human Intelligence Identification sounds rather fancy, and that's actually what the checkbox does. If the checkbox is ticked (and the $_POST value from it can be validated) then the mail is sent, if not: Sorry mail not sent. How would you go about bypassing a checkbox, I'm curious. In fact, it's a variation of what you are using at the moment, and if checkboxes can be beat, surely your method is just as vulnerable seeing as they both $_POST.
wolfdogg wrote:Blocking "specific words" would also work well for what I need. This would allow me to keep adding email domain names (gmail,yahoo,hotmail,mailinator,etc...) and force registration by business emails only. Modifying the small "blockedwords" code above seems like it would be the easiest solution for my needs.
Do you really think that it is a viable option? The only thing you will accomplish is a long list of domains (existent && non-existent) in your database.

Re: Trying to secure a contact.php page

Posted: Tue Apr 27, 2010 10:25 am
by wolfdogg
social_experiment wrote:Human Intelligence Identification sounds rather fancy, and that's actually what the checkbox does. If the checkbox is ticked (and the $_POST value from it can be validated) then the mail is sent, if not: Sorry mail not sent. How would you go about bypassing a checkbox, I'm curious. In fact, it's a variation of what you are using at the moment, and if checkboxes can be beat, surely your method is just as vulnerable seeing as they both $_POST.
A fair question.. and the answer is that you could easily write a simple script to check for the existence of a checkbox and if you see it, check it. I do know enough about bots to understand that they try multiple formulas when they're trying to hijack a form. Checking for the existence of a checkbox would have to be about the simplest workaround they could come up with. HII on the other hand, requires a human response.. so a multitude of formulas wouldn't crack it. From softswot.com: "One of the strengths of Human Intelligence Identification is that the Question can be freely set by the form developer. This makes it very difficult for bot developers to identify a question pattern and related answer that can be programmed into the bot." Captcha, as they pointed out, can be (and has been proven to over and over) hacked by ocr software.
social_experiment wrote:Do you really think that it is a viable option? The only thing you will accomplish is a long list of domains (existent && non-existent) in your database.
It's absolutely a viable option. If my site is getting spammed by bots.. not humans logging in every hour throughout the day. And.. my logs show that they're all coming from the same location.. so probably one guy with one nice little bot program he wrote himself. How many spam email domains will he register with? 10,20.. 30? After you ban all the one word domains (gmail,yahoo,hotmail,etc) that most spammers use to register email with, there comes a point where you've effectively eliminated the bot from being able to use your post form. I seriously doubt that some hacker in a 3rd world country is going to sit through his list of thousands of sites, find out who's beating his system and individually go try to get around that. They're interested in numbers. If they're still posting successfully to thousands of other sites, they're done with my site.

As much as I enjoy our spam discussion, I am hoping someone here might be able to help me out with some php code... as I am not a coder. Anyone know if the small snippet of code above can be modified to work with the form I have?
Thanks.

Re: Trying to secure a contact.php page

Posted: Tue Apr 27, 2010 5:01 pm
by social_experiment
Again, I would like to actually SEE code to workaround a checkbox, but let's leave it at that.
wolfdogg wrote:"One of the strengths of Human Intelligence Identification is that the Question can be freely set by the form developer. This makes it very difficult for bot developers to identify a question pattern and related answer that can be programmed into the bot."
So the developer creates the questions. Here are a few points to consider :
1. Will there be a totally new question for each visitor?
2. If not, how long will it be before the bot has figured out the pattern and you have the same problem.

If they are all coming from the same location (I'm assuming you are inferring IP address) why not ban the IP? Write a script for that instead. I also doubt a person will go through all the trouble. But then again, they 'cracked' CAPTCHA didn't they? It's like the saying goes "If you make it idiot-proof, they will build a better idiot". Good luck with the script and let me know if it works.
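Added example (editor's code, not from either poster): a server-side check for the "which letter of this word" question that answers point 1 above by generating a fresh question per visitor. The form earlier in the thread prints a fixed question and names the field "hii" but shows no check on the answer; this keeps the expected answer in the session, compares it on POST, and then issues a new question. The word pool is constructed for the example; the fragment at the end replaces the fixed question's <li> in the form. Requires PHP 7 for random_int().

```php
<?php
// Added example: per-visitor "human" question validated on the server.
session_start();

// Constructed word pool; answers are derived here, never printed to the page.
$words = ['five', 'cereal', 'orange', 'window'];

function make_question(array $words): array
{
    $word = $words[random_int(0, count($words) - 1)];
    $pos  = random_int(1, strlen($word));                  // 1-based letter position
    $ordinals = [1 => 'first', 'second', 'third', 'fourth', 'fifth', 'sixth'];
    return [
        'text'   => sprintf('What is the %s letter of the word "%s"?', $ordinals[$pos], $word),
        'answer' => $word[$pos - 1],
    ];
}

function check_answer(string $given, string $expected): bool
{
    return strtolower(trim($given)) === $expected;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $expected = isset($_SESSION['hii_answer']) ? $_SESSION['hii_answer'] : null;
    unset($_SESSION['hii_answer']);                        // one attempt per question
    $given = (isset($_POST['hii']) && is_string($_POST['hii'])) ? $_POST['hii'] : '';
    if ($expected === null || !check_answer($given, $expected)) {
        exit();                                            // refuse, like the block-word snippet
    }
    // Hand off to the CMS's own mail sending here (assumed, not shown in the thread).
}

// GET, or a POST that passed: prepare the next question.
$q = make_question($words);
$_SESSION['hii_answer'] = $q['answer'];
?>
<li><?php echo htmlspecialchars($q['text']); ?> <input type="text" name="hii" /></li>
```

Because the answer never appears in the markup, a bot has to actually parse and solve the sentence rather than copy a value from the page; rotating the word and the position is what keeps point 2 (pattern learning) from reducing to a single fixed answer.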

Re: Trying to secure a contact.php page

Posted: Tue Apr 27, 2010 5:54 pm
by wolfdogg
First off.. if a check mark was enough to do the trick, why was captcha ever invented? ;)
social_experiment wrote:So the developer creates the questions. Here are a few points to consider :
1. Will there be a totally new question for each visitor?
2. If not, how long will it be before the bot has figured out the pattern and you have the same problem.

If they are all coming from the same location (I'm assuming you are inferring IP address) why not ban the IP? Write a script for that instead. I also doubt a person will go through all the trouble. But then again, they 'cracked' CAPTCHA didn't they? It's like the saying goes "If you make it idiot-proof, they will build a better idiot". Good luck with the script and let me know if it works.
1) Negative. No need. I honestly don't understand why you're having so much trouble understanding how this all works. I'll break it down for you. There are bots that scan thousands of sites a day, looking to exploit specific php functions. It finds a contact.php form and you get added to the list. Now... you're on bot2's list and this bot runs different code.. all day long to make use of the exploit on those computers known to have the vulnerability. It runs code to break all the typical spam protection. It sees captcha, it runs ocr code to try and break it. If it's smart enough.. it cracks it and uses your form for fun. Now.. with HII, you can ask a question such as 'what's the 2nd letter of the word cereal?'. Is a bot going to be smart enough to figure out random questions you're asking and supply the right answer? No. It won't. Hence, the name. The programmers wouldn't even attempt it because they know there's an infinite amount of questions they can't program in. Captcha code just looks at the main captcha programs on the internet and figures those out.

So now.. bot 2 runs its code on your page that you now have HII on. It fails to 'post' a url. I'm the guy in India running bot 2 and my logs show that this week, I successfully posted to 3400 websites with the known exploit. I see 384 that it didn't work on. Meanwhile.. bot 1 finds another 15 sites today that get added to the list. Now do you really think India guy is going to say "let's go see why this failed on these 384 sites and fix it?" A week later.. you change your question.. "let's go look at these new 50 sites it failed on". Not gonna happen! Again.. these guys are interested in numbers. Bot runners don't go back to your site. They never went there in the first place. Therefore...

2) It ain't gonna' happen. Or maybe it will down the road? For now though, bot can't crack HII and guarding my site in the here and now is what I'm trying to do.

I also meant they're coming from the same location.. as in India. GeoTracking shows me that. Sometimes they're identical but they change every few days. I actually have a 'Ban IP' script working.. but it does little good in this case.

I am 100% sure this works. Back about 10 years ago, I was running the now archaic FrontPage forum and the bots started hitting that.. spamming the hell out of it almost hourly. I created the same page name and put authentication on it.. giving the username and password to enter right on the page. I never received another piece of spam for the next couple years.

And as for this.. I just found a php script that will allow me to do this same. I now have a piece of php code at the top and bottom of my current page. I have put the password right on the page and only by entering that can you access it. I would bet you a hundred dollar bill that I'll not see any more spam from those bots. Maybe the occasional human? Sure.. but no more bots. Even if India guy comes to visit my page, and see what I'm doing.. unless what I'm doing becomes immensely popular, they'll shrug and move on. Numbers.. it's all numbers to them.

If you want to understand more of how this works, I just found an excellent article at the same place I found the script. He reinforces everything I've said here... so since you seem to have a problem believing me, you can read it for yourself.

Re: Trying to secure a contact.php page

Posted: Thu Apr 29, 2010 12:38 pm
by social_experiment
Sweet. I went and checked out the articles you recommended and now I actually understand it better. It made sense once I read (and tested) the HII script.

Re: Trying to secure a contact.php page

Posted: Mon May 03, 2010 11:25 am
by wolfdogg
social_experiment wrote:Sweet. I went and checked out the articles you recommended and now I actually understand it better. It made sense once I read (and tested) the HII script.
Yeah.. google xrumer as well. That's the main spamming tool used. It's incredibly powerful. youtube even has a video showing it in action.. just spamming thousands of sites in minutes. It's amazing. But.. that script you mentioned has solved my problem. 0 spam now! Hooray!

Have a great week.