Major Spam Problem
Posted: Wed Jun 18, 2008 6:47 pm
by leon_nerd
I have a PHP based application running.
I have a messageboard in it. Earlier there was no security feature and I was getting a lot of spam. Then I implemented the image verification to submit new threads and replies. But the spam still kept coming in. Then I changed the password of my database. But I still face the same problem.
Now, I have few questions:
1.) How come, even after implementing the image text verification, spam is still able to post itself?
2.) Why does the problem still exist when I have changed the password of my database?
3.) Is this SQL injection? Should I use sprintf while writing and executing queries?
Please advise me. Any urgent help will be highly appreciated.
Thanks,
Anurag
Re: Major Spam Problem
Posted: Wed Jun 18, 2008 7:10 pm
by VirtuosiMedia
What kind of spam are you talking about? Image verification only works if you're having trouble with bots, but humans can still easily get through. You'll probably have to at least moderate your message board no matter what you do. To prevent SQL injection, if you're using MySQL, try using mysql_escape_string() around all of your input in addition to validating it in other ways. There is also the Akismet API and similar services you could use.
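As an added example (not VirtuosiMedia's code and not from leon_nerd's board), here is the difference between building a message-board query by string concatenation and using a prepared statement, which is what the SQL injection part of the advice above amounts to with the database extensions PHP ships today. The value is bound separately from the SQL text, so it can never change the statement's structure. The table, rows and input are constructed for the example, and an in-memory SQLite database via PDO is used so it runs offline.

```php
<?php
// Added example: string-built query vs. prepared statement.
// The `replies` table and its rows are constructed for this demonstration.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE replies (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    $db->exec("INSERT INTO replies (author, body) VALUES ('anurag', 'first post')");
    return $db;
}

// Vulnerable: untrusted $author is pasted straight into the SQL. A single quote in
// the input ends the string literal, and whatever follows is parsed as SQL.
function repliesByAuthorUnsafe(PDO $db, string $author): array {
    $sql = "SELECT id, body FROM replies WHERE author = '" . $author . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed; the value travels as a bound parameter.
function repliesByAuthorSafe(PDO $db, string $author): array {
    $stmt = $db->prepare('SELECT id, body FROM replies WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();

// Constructed input: a perfectly legitimate name that happens to contain an apostrophe.
$input = "O'Brien";

try {
    repliesByAuthorUnsafe($db, $input);
    echo "unsafe query ran\n";
} catch (PDOException $e) {
    // The apostrophe broke the statement; a hostile input exploits the same mechanism.
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

// The prepared statement simply finds no rows for "O'Brien" and reports no error.
var_dump(repliesByAuthorSafe($db, $input));
```

The point of the apostrophe test is that a query which breaks on ordinary input is the same query that can be bent by crafted input; with the bound parameter there is nothing to bend. The same `prepare()`/`execute()` pattern exists in `mysqli`, so the choice of database driver does not change the approach.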
Re: Major Spam Problem
Posted: Thu Jun 19, 2008 12:48 am
by Mordred
What kind of "image text verification" (aka CAPTCHA) have you implemented? There are tens, if not hundreds, of broken CAPTCHA methods (i.e. bots happily and easily solve them). Most homebrew solutions fall into this category.
Re: Major Spam Problem
Posted: Thu Jun 19, 2008 9:19 am
by leon_nerd
I have a simple image verification. And I think that it surely can be broken by bots. Actually I was not aware that image verifications can be broken too. Seems like the bots are smarter than we think.
Anyways, I will try to implement more security and see if that might help. Also, using sprintf or mysql_real_escape_string() might be useful to stop spams.
Re: Major Spam Problem
Posted: Thu Jun 19, 2008 9:41 am
by Apollo
I have some positive experience with Securimage, which is also very easy to install and use.
(Note that the site currently seems to be under construction, but it normally contains quite some helpful information.)
In combination with an "are you human?"-like question in your registration form or something, this should stop quite a few bots. Of course nothing is 100% safe, but you'll get rid of the majority.
Re: Major Spam Problem
Posted: Thu Jun 19, 2008 2:14 pm
by Greenconure
I have had good luck with reCAPTCHA. I've made my own before, but I like reCAPTCHA because if you have a blind user or visually impaired user trying to register, they have the option of an audio file instead of an image. True, you could piece together an audio file, but... that's not on my skill level.

Re: Major Spam Problem
Posted: Tue Jun 24, 2008 7:34 pm
by mpetrovich
I was having a similar problem with my contact pages on different sites being hit as well. I am interested to know if you solve this problem.
Here is what I have done.
1) Of course I check for referrer, although that is almost worthless.
2) I added a hidden form variable created using "md5(uniqid(rand(), true))" and store that in a session variable. That stopped multiple hits, since the bots are not regenerating the form, but I would still get single hits.
3) So far, what has seemed to have stopped this is in my submit button I use:
onclick="this.value='Processing . . .';"
(This changes the submit value, from say, "Send Message" to "Processing . . .")
Then I check to see if
$_POST['submit'] == 'Processing . . .'
before I send the message. That will work as long as the bots are not smart enough to understand or execute the JavaScript. That should give me a few weeks.
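Step 2 of mpetrovich's list, the hidden per-form value remembered in the session, is the one part of the recipe a server can verify without relying on JavaScript. As an added example (not mpetrovich's code), here is that token issued and checked as a one-shot value with an expiry. The storage is passed in as an array so the functions run from the command line; in the web application you would pass `$_SESSION`. The requests at the bottom are constructed.

```php
<?php
// Added example: one-shot form token stored server side (not the original poster's code).
// $session stands in for $_SESSION so the functions can be exercised from the CLI.

// Issue a fresh token each time the form is rendered, and remember it server side.
function issueFormToken(array &$session): string {
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, not md5(uniqid())
    $session['form_token']  = $token;
    $session['form_issued'] = time();
    return $token;                         // goes into <input type="hidden" name="token">
}

// Accept a submission only if it carries the token issued for this session,
// the token is no older than $maxAge seconds, and it has not been used before.
function verifyFormToken(array &$session, array $post, int $maxAge = 3600): bool {
    $expected = $session['form_token']  ?? null;
    $issued   = $session['form_issued'] ?? 0;
    $given    = $post['token'] ?? '';
    if ($expected === null || !is_string($given)) {
        return false;
    }
    // hash_equals() compares in constant time, so timing does not leak the token.
    $ok = hash_equals($expected, $given) && (time() - $issued) <= $maxAge;
    // One-shot: clear the token whether or not it matched, so a replayed POST fails.
    unset($session['form_token'], $session['form_issued']);
    return $ok;
}

// Demonstration with constructed requests.
$session = [];
$token = issueFormToken($session);

// 1. The browser submits the form it was actually served: accepted.
var_dump(verifyFormToken($session, ['token' => $token, 'message' => 'hello']));   // bool(true)

// 2. The same POST replayed (the "multiple hits" case): the token was consumed.
var_dump(verifyFormToken($session, ['token' => $token, 'message' => 'hello']));   // bool(false)

// 3. A POST that never fetched the form and carries no token at all: rejected.
issueFormToken($session);
var_dump(verifyFormToken($session, ['message' => 'buy now']));                    // bool(false)
```

Clearing the token on every verification attempt is what turns "stopped multiple hits" into a guarantee rather than an observation: a submission must be preceded by a fresh GET of the form, and each token buys exactly one POST.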

Re: Major Spam Problem
Posted: Wed Jun 25, 2008 1:43 am
by Mordred
Not very friendly to people without javascript.
Try a simple "poor man's captcha": "How much is six plus nine" (check for 15)
Only a bot custom made for your site will succeed, and until you're THAT popular, you have nothing to worry about.
Re: Major Spam Problem
Posted: Wed Jun 25, 2008 5:50 am
by mpetrovich
Not very friendly to people without javascript.
Try a simple "poor man's captcha": "How much is six plus nine" (check for 15)
Mordred, I had to laugh. It is pretty sad when you can count on people having JavaScript more than you can count on them being able to add two numbers.
I'll be monitoring the sites and see how things work.
Re: Major Spam Problem
Posted: Wed Jun 25, 2008 11:17 am
by Twayne
Mordred wrote: Not very friendly to people without javascript.
Try a simple "poor man's captcha": "How much is six plus nine" (check for 15)
Only a bot custom made for your site will succeed, and until you're THAT popular, you have nothing to worry about.
Well, better to make them mt_rand(), IMO, but anyone determined enough WILL get in, so the real restrictions, IMO, need to be internal to the actual coding. Once a malcontent refreshes & sees they aren't random, he's got full access and a very simple customization to make.
I'm using the "poor man's approach" and it actually worked out very well (so far), but I'm having trouble with my "fancier, more robust" version design<g>. First I used the captcha my server recommended, but a malcontent figured out how to get by it in a hurry. I've since learned there are captcha cracker apps & advice all over the 'net now. A human goes in, but then a bot takes over the spam run, and most captchas allow the Back button to be used, defeating the captcha image protection for subsequent runs, at least in that session.
So, I'm going the poor man's route to see what happens. The only exposure I see left is that multiline text boxes can't be length protected without using JavaScript or something else similar, which no determined malcontent is going to be using. Apparently there's no way around the problem with straight PHP. So as soon as I get my latest & greatest working, I want to see if I can make VB6 (which I already know) serve up my PHP scripts and limit them that way. But I need the basics of PHP under my belt before I do that.
Twayne
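Mordred's "poor man's captcha" and Twayne's refinement of drawing the operands at random, so a refresh does not reveal a fixed answer to copy into a bot, fit together in one small piece of server-side code. The following is an added example, not code from either poster: the question is generated per form render, the expected answer is kept only on the server, and the challenge is consumed on every check so a wrong guess cannot be retried against the same question. Storage is passed in as an array; in the web application you would pass `$_SESSION`. The submissions at the bottom are constructed.

```php
<?php
// Added example: randomized arithmetic challenge with the answer held server side.
// $session stands in for $_SESSION so the functions run from the command line.

// Build a question such as "How much is six plus nine?" and remember its answer.
function issueArithmeticChallenge(array &$session): string {
    $words = ['zero', 'one', 'two', 'three', 'four', 'five', 'six', 'seven', 'eight', 'nine'];
    // random_int() is CSPRNG-backed, so the operands cannot be predicted from earlier forms.
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $session['challenge_answer'] = $a + $b;
    return sprintf('How much is %s plus %s?', $words[$a], $words[$b]);
}

// Check the submitted answer. Only a plain decimal number is accepted, and the stored
// challenge is cleared whether or not the answer was right.
function verifyArithmeticChallenge(array &$session, array $post): bool {
    $expected = $session['challenge_answer'] ?? null;
    unset($session['challenge_answer']);
    if ($expected === null) {
        return false;                       // the form was never rendered in this session
    }
    $answer = trim((string)($post['answer'] ?? ''));
    return preg_match('/^\d{1,3}$/', $answer) === 1 && (int)$answer === $expected;
}

// Demonstration with constructed submissions.
$session = [];
echo issueArithmeticChallenge($session), "\n";
$right = (string)$session['challenge_answer'];   // what a human reading the form would type

// 1. Correct answer to the question that was actually served: accepted.
var_dump(verifyArithmeticChallenge($session, ['answer' => $right]));               // bool(true)

// 2. The same answer sent again without reloading the form: challenge already consumed.
var_dump(verifyArithmeticChallenge($session, ['answer' => $right]));               // bool(false)

// 3. A new form, answered with the value from the previous one (the fixed-answer bot).
issueArithmeticChallenge($session);
$stale = (string)((int)$right + 1);   // guaranteed wrong for this demonstration
var_dump(verifyArithmeticChallenge($session, ['answer' => $stale]));               // bool(false)
```

Spelling the operands out as words rather than digits is what keeps the question from being solved by a regular expression, which is the whole value of the approach over a fixed "six plus nine"; the per-session answer is what makes Twayne's "refresh and see they aren't random" observation moot.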