robots hacking and posting form data resulting in spam

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


deeppak
Forum Commoner
Posts: 27
Joined: Thu Apr 06, 2006 6:31 am

robots hacking and posting form data resulting in spam

Post by deeppak »

Hi all, I came across a very unusual problem which is really disturbing me day and night. Some mischief-maker is using some robots, or I don't know what, and is posting spam on my forms. I tried to detect it through some server environment variables, but I could not detect his IP through code so that I can block his ID at the server.

Can anybody help me in coming out of this odd situation? I need the solution urgently, as my database is storing all the junk posted by him on a regular basis.

Thanks in advance
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Have a look at $_SERVER['REMOTE_ADDR'].
deeppak
Forum Commoner
Posts: 27
Joined: Thu Apr 06, 2006 6:31 am

this is not a piece of cake

Post by deeppak »

Is this a piece of cake? I have already mentioned that I have used all the options of PHP code but could not detect any. I am using all the below-stated attributes available for $_SERVER:

['HTTP_REFERER'], ['SERVER_NAME'], ['SERVER_PROTOCOL'], ['HTTP_HOST'], ['REMOTE_ADDR'], ['REMOTE_HOST'], ['REMOTE_ADDR1'], ['REMOTE_PORT'], ['HTTP_USER_AGENT']
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

What is $_SERVER['REMOTE_ADDR'] giving you? In your list, you list ['REMOTE_ADDR1'] - which doesn't exist.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

What's the frequency of the posting? e.g. how many per second when the bot strikes? A time delay between allowed posting might work to limit the count of such submissions. The rest may need a filter assuming the usage is the same - similar text and other details.
wyred
Forum Commoner
Posts: 86
Joined: Mon Dec 20, 2004 1:59 am
Location: Singapore

Post by wyred »

I have a custom blog and I got attacked a few times. I store the IPs of visitors when they access my blog and I also store them again when they make a comment at an entry.

At first I changed my form names, but that didn't work as the attacks came back a few days later. It seems that this person is so dedicated to spam my blog that he came back to find out the new form names. Checking my logs, I notice that the spamming is done directly to my comments form. The time delay the spammer specified was every 60 minutes.

Anyways, since I had his IP, I wrote up a few lines of code to block that IP from accessing any part of my blog.
deeppak
Forum Commoner
Posts: 27
Joined: Thu Apr 06, 2006 6:31 am

the problem is still pertaining

Post by deeppak »

The problem is still there. I cannot detect his IP, since $_SERVER[] is not returning anything. If I check the logs also, how will I come to know from which IP he is spamming? I will try the change of form names, since I have not tried this; let's see what the result is. Is there not a single solution to stop him, since I could not catch him because his IP is not detectable? Is there any application code in PHP which can help me in this respect?

Please answer; this is really nail-biting.
deeppak
Forum Commoner
Posts: 27
Joined: Thu Apr 06, 2006 6:31 am

one more thing

Post by deeppak »

One more thing I forgot to mention: the words which are used in the spamming are also not the same; they are changed on each submission.
wyred
Forum Commoner
Posts: 86
Joined: Mon Dec 20, 2004 1:59 am
Location: Singapore

Post by wyred »

Perhaps post your code that tries to get the IP address? I don't think it's possible that $_SERVER returns nothing.
deeppak
Forum Commoner
Posts: 27
Joined: Thu Apr 06, 2006 6:31 am

believe me trust me

Post by deeppak »

Hi sir, believe me, I could not detect his IP by $_SERVER[].

The code is as follows:

<?php
// Request metadata collected for the submission report.
$HTTP_REFERER = $_SERVER['HTTP_REFERER'] ?? '';        // absent when the client sends no Referer header
$SERVER_NAME = $_SERVER['SERVER_NAME'];
$SERVER_PROTOCOL = $_SERVER['SERVER_PROTOCOL'];
$HTTP_HOST = $_SERVER['HTTP_HOST'];
$REMOTE_ADDR = gethostbyaddr($_SERVER['REMOTE_ADDR']); // reverse DNS name; returns the IP unchanged when lookup fails
$REMOTE_HOST = $_SERVER['REMOTE_HOST'] ?? '';          // only set when the web server does hostname lookups
$REMOTE_ADDR1 = $_SERVER['REMOTE_ADDR'];               // the client IP address as seen by the web server
$REMOTE_PORT = $_SERVER['REMOTE_PORT'];
$HTTP_USER_AGENT = $_SERVER['HTTP_USER_AGENT'] ?? '';  // absent when the client sends no User-Agent header

If you want, you can check it on my site; I have generated the report to check who is submitting the information on my site.

If you want, I will further provide you with the exact URL to get you confirmed.

Thanks
AKA Panama Jack
Forum Regular
Posts: 878
Joined: Mon Nov 14, 2005 4:21 pm

Post by AKA Panama Jack »

If it is a forum your best bet is to turn off ALL Guest posting privs. Bots and spammers look for forums and blogs that allow anonymous or guest posting.

You can hunt for their server or IP all day long but it will not work. Most of the spammers use multiple DNS names, multiple IPs, spoofing and proxy servers. Once you block one they will try another and another and another.

They will be able to swap how they are spamming faster than you can ever keep up with the blocking.

The only real way to halfway block them is to require logging in with an account. And make sure your forum has a graphic authentication of some sort for new accounts. The forum builds a graphic image with letters and numbers mixed together. Then the person registering has to type in those letters and numbers to confirm. That foils most bots.

Most of the spam bots have built in routines for the major forum and blog software that will automatically create a new account so it can post but the graphic authentication usually stops them.

The days of allowing people to anonymously post on forums and blogs are basically gone because these bots are looking for places to flood with links so the sites they represent get higher search engine hits.
deeppak
Forum Commoner
Posts: 27
Joined: Thu Apr 06, 2006 6:31 am

KittenAuth, CAPTCHA are not the solution for me

Post by deeppak »

KittenAuth and CAPTCHA are not the solution for me, because I want to stop him through some PHP code; I don't want to use some third-party tool. If I could not succeed in this, I will definitely look out for this. I got the above-stated solution of putting the images and input match on the forms, but that too is not impressive in my case, since my site is not famous and I want more and more people to visit my site. That is why I have kept the form short; adding one more field checking input will confuse the user, and he will leave the form. I want him to fill in minimal information so that I get more and more queries, but this spamming is really confusing me.

Reply soon, this is urgent. Please be more explanatory, since I am a newbie.

Thanks
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

Is $_SERVER populated at all?
What's that URL?

The simplest solution if IP detection doesn't work (and it might not, because the spammer bot could come from many different IPs) would be to do a challenge/response. Just throw a human-readable question in the form as a required form (questions everyone knows, like "What is the first weekday of the week?"). If you make that a random question, that should cut down on the spam. Captcha works too, for now, but I've heard its effectiveness is starting to lessen.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
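As an added example (not code from the thread) of the random-question challenge pickle describes, in PHP: the question bank, the session keys and the form field names are my own construction, and the expected answer never leaves the server.

```php
<?php
// Added example, not code from the thread: a random human-readable question
// kept server-side in the session and checked on POST. The question bank is constructed.
session_start();

const QUESTIONS = [
    'What is the first weekday of the week?' => ['monday'],
    'What colour is the sky on a clear day?' => ['blue'],
    'How many days are in a week?'           => ['7', 'seven'],
];

// Pick a question and remember it in the session, never in a hidden form field.
function challenge_issue(): string {
    $keys = array_keys(QUESTIONS);
    $question = $keys[random_int(0, count($keys) - 1)];
    $_SESSION['challenge_q'] = $question;
    return $question;
}

// Check the answer; the question is consumed on every attempt,
// so a bot cannot keep guessing against the same one.
function challenge_verify(?string $answer): bool {
    $question = $_SESSION['challenge_q'] ?? null;
    unset($_SESSION['challenge_q']);
    if ($question === null || $answer === null) {
        return false;
    }
    $normalized = strtolower(trim($answer));
    return in_array($normalized, QUESTIONS[$question], true);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!challenge_verify($_POST['challenge'] ?? null)) {
        http_response_code(400);
        exit('Please answer the question to send the form.');
    }
    // ... store $_POST['message'] here ...
    exit('Thanks, your message was received.');
}
$question = challenge_issue();
?>
<form method="post">
  <textarea name="message"></textarea>
  <label><?= htmlspecialchars($question) ?>
    <input type="text" name="challenge" autocomplete="off"></label>
  <button type="submit">Send</button>
</form>
```

A failed attempt draws a fresh question on the next page load, so repeated guessing against one known answer does not work.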
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I've found that an IP blacklist is sufficient *for me*.

I don't display comments until they're approved. And when I tag one as spam, the author's IP ends up in the blacklist (yes, there's a good chance innocent people are 'victims' of this blacklist; in that case they should consider a better ISP that doesn't provide services to spammers).
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Maybe filter the comments through a blacklist engine like Blogg.de?

Generally, from filtering spam on my own blog without resorting to desperate measures like CAPTCHAs (unless the post is a certain age), a few filters watching URL counts (how many URLs per comment), author and body terms, etc. work well. So too does having some form of mechanism for forcing a delay between individual comments; spambots generally try posting dozens of comments per second, if not more. It can also help to set up form tokens; depending on whether the spambot uses your forms or uses some inbuilt request, this can screen out a fair few weeds...

Relying on IPs is not going to be very reliable; a spammer can switch proxies as often as you ban IPs. Many will never even post from the same IP to the same site if they can help it.
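As an added example (not code from the thread) that combines timvw's blacklist-plus-moderation approach with the filters Maugrim_The_Reaper lists (a delay between comments, a per-session form token, and a URL count): the blacklist entry, the thresholds, the session keys and the field names are my own assumptions.

```php
<?php
// Added example, not code from the thread: an IP blacklist, a single-use form
// token, a minimum delay between comments, and a URL-count filter, layered.
session_start();
const BLACKLIST = ['203.0.113.7'];           // constructed sample entry
const MIN_SECONDS_BETWEEN_POSTS = 30;        // assumed threshold
const MAX_URLS_PER_COMMENT = 2;              // assumed threshold

// Issue a single-use token bound to this session and note when the form was shown.
function form_token_issue(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_shown'] = time();
    return $token;
}

// Returns null when the submission is acceptable, otherwise the reason to reject it.
function comment_reject_reason(array $post, string $ip, int $now): ?string {
    if (in_array($ip, BLACKLIST, true)) return 'blacklisted ip';
    $token = $_SESSION['form_token'] ?? '';
    unset($_SESSION['form_token']);           // single use: a replayed token fails
    if ($token === '' || !hash_equals($token, (string)($post['token'] ?? ''))) {
        return 'missing or invalid form token';
    }
    // Bots submit instantly after fetching the form, or never fetch it at all.
    if ($now - ($_SESSION['form_shown'] ?? 0) < 3) return 'submitted too fast';
    if ($now - ($_SESSION['last_post'] ?? 0) < MIN_SECONDS_BETWEEN_POSTS) return 'rate limited';
    if (preg_match_all('~https?://|www\.~i', $post['body'] ?? '') > MAX_URLS_PER_COMMENT) {
        return 'too many urls';
    }
    $_SESSION['last_post'] = $now;
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = comment_reject_reason($_POST, $_SERVER['REMOTE_ADDR'], time());
    if ($reason !== null) {
        error_log("comment rejected ({$reason}) from {$_SERVER['REMOTE_ADDR']}");
        http_response_code(403);
        exit('Comment not accepted.');
    }
    // Accepted comments are stored unapproved; a moderator decides what is shown.
    exit('Thanks, your comment is awaiting approval.');
}
$token = form_token_issue();
?>
<form method="post">
  <textarea name="body"></textarea>
  <input type="hidden" name="token" value="<?= htmlspecialchars($token) ?>">
  <button type="submit">Post</button>
</form>
```

The rejection reason goes to the server log rather than the response, so the log shows which filter fires while the bot learns nothing about the ordering of the checks.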