Major Spam Problem

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

leon_nerd
Forum Commoner
Posts: 25
Joined: Tue Aug 21, 2007 1:20 pm

Major Spam Problem

Post by leon_nerd »

I have a PHP based application running.

I have a messageboard in it. Earlier there was no security feature and I was getting a lot of spam. Then I implemented image verification to submit new threads and replies. But the spam still kept coming. Then I changed the password of my database. But I still face the same problem. :(

Now, I have a few questions:

1.) How come, even after implementing the image text verification, spam is still able to get posted? :banghead:

2.) Why does the problem still exist when I have changed the password of my database? :banghead:

3.) Is this SQL injection? Should I use sprintf while writing and executing queries? :roll:

Please advise. Any urgent help will be highly appreciated.

Thanks,
Anurag
VirtuosiMedia
Forum Contributor
Posts: 133
Joined: Thu Jun 12, 2008 6:16 pm

Re: Major Spam Problem

Post by VirtuosiMedia »

What kind of spam are you talking about? Image verification only works if you're having trouble with bots, but humans can still easily get through. You'll probably have to at least moderate your message board no matter what you do. To prevent SQL injection, if you're using MySQL, try using mysql_escape_string() around all of your input in addition to validating it in other ways. There is also the Akismet API and similar services you could use.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Major Spam Problem

Post by Mordred »

What kind of "image text verification" (aka CAPTCHA) have you implemented? There are tens, if not hundreds, of broken CAPTCHA methods (i.e. bots happily and easily solve them). Most homebrew solutions fall in this category.
leon_nerd
Forum Commoner
Posts: 25
Joined: Tue Aug 21, 2007 1:20 pm

Re: Major Spam Problem

Post by leon_nerd »

I have a simple image verification. And I think that it surely can be broken by bots. Actually, I was not aware that image verifications can be broken too. Seems like the bots are smarter than we think.

Anyways, I will try to implement more security and see if that might help. Also, using sprintf or mysql_real_escape_string() might be useful to stop spam.
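On the SQL injection question raised above (question 3, and the sprintf / mysql_real_escape_string() idea in this reply), here is an added example that is not code from the thread: the hand-built query beside a prepared statement. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table layout (messages: author, body) is an assumption.

```php
<?php
// Added example (not code from the thread): storing a message-board post with
// a prepared statement instead of building the SQL string by hand. PDO with an
// in-memory SQLite database is used so it runs without a MySQL server; the
// table layout (messages: author, body) is an assumption.

function openBoard(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    return $db;
}

// Unsafe: the user's text is spliced into the SQL grammar. A body with a single
// quote breaks the statement, and a crafted body can change what it does.
function insertUnsafe(PDO $db, string $author, string $body): void {
    $db->exec("INSERT INTO messages (author, body) VALUES ('$author', '$body')");
}

// Safe: bound parameters travel as data, so the text is never parsed as SQL.
// This is what escaping with mysql_real_escape_string() only approximates.
function insertSafe(PDO $db, string $author, string $body): void {
    $stmt = $db->prepare('INSERT INTO messages (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Constructed sample post containing an apostrophe, the kind of input that
// trips hand-built queries even when nobody is attacking.
$author = 'Anurag';
$body   = "Don't feed the spammers";

$db = openBoard();
try {
    insertUnsafe($db, $author, $body);
} catch (PDOException $e) {
    echo 'Unsafe insert failed: ' . $e->getMessage() . PHP_EOL;
}
insertSafe($db, $author, $body);

foreach ($db->query('SELECT author, body FROM messages') as $row) {
    echo "Stored verbatim: {$row['author']}: {$row['body']}" . PHP_EOL;
}
```

Note that parameterisation stops a post from altering the query, but it does nothing against spam that arrives as ordinary form submissions, which is the problem the rest of the thread is about.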
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Major Spam Problem

Post by Apollo »

I have some positive experience with Securimage, which is also very easy to install and use.
(Note that the site currently seems to be under construction, but it normally contains quite a bit of helpful information.)

In combination with an "are you human?"-like question in your registration form or something, this should stop quite a few bots. Of course nothing is 100% safe, but you'll get rid of the majority.
Greenconure
Forum Commoner
Posts: 30
Joined: Mon Jun 16, 2008 8:19 am

Re: Major Spam Problem

Post by Greenconure »

I have had good luck with reCAPTCHA. I've made my own before, but I like reCAPTCHA because if you have a blind or visually impaired user trying to register, they have the option of an audio file instead of an image. True, you could piece together an audio file, but.. that's not on my skill level :|
mpetrovich
Forum Commoner
Posts: 55
Joined: Fri Oct 19, 2007 2:02 am
Location: Vancouver, WA, USA

Re: Major Spam Problem

Post by mpetrovich »

I was having a similar problem with my contact pages on different sites being hit as well. I am interested to know if you solve this problem.

Here is what I have done.
1) Of course I check for the referrer, although that is almost worthless.
2) I added a hidden form variable created using "md5(uniqid(rand(), true))" and store that in a session variable. That stopped multiple hits, since the bots are not regenerating the form, but I would still get single hits.
3) So far, what seems to have stopped this is that in my submit button I use:

    onclick="this.value='Processing . . .';"

(This changes the submit value from, say, "Send Message" to "Processing . . .")

Then I check to see if

    $_POST['submit'] == 'Processing . . .'

before I send the message. That will work as long as the bots are not smart enough to understand or execute the JavaScript. That should give me a few weeks. :D
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Major Spam Problem

Post by Mordred »

Not very friendly to people without JavaScript.
Try a simple "poor man's captcha": "How much is six plus nine" (check for 15)
Only a bot custom made for your site will succeed, and until you're THAT popular, you have nothing to worry about.
mpetrovich
Forum Commoner
Posts: 55
Joined: Fri Oct 19, 2007 2:02 am
Location: Vancouver, WA, USA

Re: Major Spam Problem

Post by mpetrovich »

Mordred wrote:Not very friendly to people without javascript.
Try a simple "poor man's captcha": "How much is six plus nine" (check for 15)

Mordred, I had to laugh. It is pretty sad when you can count on people having JavaScript more than you can count on them to be able to add two numbers.

I'll be monitoring the sites and see how things work.
Twayne
Forum Newbie
Posts: 14
Joined: Fri Jun 20, 2008 11:47 am

Re: Major Spam Problem

Post by Twayne »

Mordred wrote:Not very friendly to people without javascript.
Try a simple "poor man's captcha": "How much is six plus nine" (check for 15)
Only a bot custom made for your site will succeed, and until you're THAT popular, you have nothing to worry about.
Well, better to make them mt_rand(), IMO, but anyone determined enough WILL get in, so the real restrictions, IMO, need to be internal to the actual coding. Once a malcontent refreshes & sees they aren't random, he's got full access and a very simple customization to make.

I'm using the "poor man's approach" and it actually worked out very well (so far), but I'm having trouble with my "fancier, more robust" version design<g>. First I used the captcha my server recommended, but a malcontent figured out how to get by it in a hurry. I've since learned there are captcha cracker apps & advice all over the 'net now. A human goes in, but then a bot takes over the spam run, and most captchas allow the Back Button to be used, defeating the captcha image protection for subsequent runs, at least in that session.
So, I'm going the poor man's route to see what happens. The only exposure I see left is that multiline text boxes can't be length-protected without using JavaScript or something else similar, which no determined malcontent is going to be using. Apparently there's no way around the problem with straight PHP. So as soon as I get my latest & greatest working, I want to see if I can make VB6 (which I already know) serve up my PHP scripts and limit them that way. But I need the basics of PHP under my belt before I do that.

Twayne
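Pulling together mpetrovich's one-time hidden token (step 2 of his list), Mordred's "poor man's captcha" and Twayne's point that the numbers should come from mt_rand(), here is an added example that is not code from any poster. The $session array stands in for $_SESSION so the script runs from the command line; the field names form_token and captcha_answer are assumptions, and random_bytes() is used as the token source in place of the thread's md5(uniqid(rand(), true)).

```php
<?php
// Added example, not code from the thread: a one-time hidden form token plus a
// random arithmetic question, both checked server-side. $session stands in for
// $_SESSION; field names form_token / captcha_answer are assumptions.

// Called when the form is rendered: records the expected values server-side
// and returns what the HTML needs (hidden token value and question text).
function prepareForm(array &$session): array {
    $a = mt_rand(1, 20);
    $b = mt_rand(1, 20);
    $token = bin2hex(random_bytes(16));        // unguessable, single use
    $session['form_token']     = $token;
    $session['captcha_answer'] = (string)($a + $b);
    return ['token' => $token, 'question' => "How much is $a plus $b?"];
}

// Called on POST: both checks must pass. The stored values are discarded
// before checking, so a replayed copy of the same form (a bot re-posting
// without re-fetching the page) fails even if its answer was right.
function verifySubmission(array &$session, array $post): bool {
    $expectedToken  = $session['form_token'] ?? null;
    $expectedAnswer = $session['captcha_answer'] ?? null;
    unset($session['form_token'], $session['captcha_answer']);
    if ($expectedToken === null || $expectedAnswer === null) {
        return false;                          // form was never rendered
    }
    $token  = (string)($post['form_token'] ?? '');
    $answer = trim((string)($post['captcha_answer'] ?? ''));
    // hash_equals() compares in constant time, so timing does not leak the token
    return hash_equals($expectedToken, $token) && $answer === $expectedAnswer;
}

// Constructed walk-through: a genuine visitor submits once with the right
// answer, then the identical POST body is replayed.
$session = [];
$form = prepareForm($session);
echo $form['question'] . PHP_EOL;
$post = [
    'form_token'     => $form['token'],
    'captcha_answer' => $session['captcha_answer'],   // stands in for the human's reply
];
var_dump(verifySubmission($session, $post));   // genuine first submission
var_dump(verifySubmission($session, $post));   // replay of the same form
```

Because the question is generated per render and the token is consumed on first use, refreshing the page to learn a fixed answer (the weakness Twayne describes) no longer helps, and the check still works for visitors without JavaScript.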