Guestbook spam protection

Hello everyone,

I have created a simple guestbook for my bandsite (http://www.thefirm-
online.be). As you might expect, some spambots have jumped on it as
soon as it went online. At the moment, I've put the following measures
in place:
- Protection against XSS attacks, SQL injections, etc...
- Check the IP address - if the origin is abroad, the post is inactive
and needs approval by a moderator (me).

Currently I have to delete 25 spam posts /day which is getting a
little ridiculous. I'm looking for a much better solution.

Already found solutions (which I won't use)
- CAPTCHA - I don't want to punish every visitor for having those
spambots. it's not that safe either. I prefer not using this kind of
solution.
- Make a dynamic image (php-file outputting the image) store a
variable in the session. Problem is that images are cached by the
browser, making it usable only the first time the user visits the
website.
- Have a javascript function alter some hidden value in the form.
Haven't tried this yet...
- Found several "commercial" solutions where the form is being
encrypted. Haven't tried this yes either...

Thanks for your help
Mathew

Message-ID:
<4bbf3fa7-a8bd-4884-bc7e-f080dafcdc8c@t54g2000hsg.googlegroups.comfrom
Mathieu Maes contained the following:

Quote:

>Currently I have to delete 25 spam posts /day which is getting a
>little ridiculous. I'm looking for a much better solution.

I don't allow links or URLs. I have a banned word list and so far I
haven't has to add more than three words 'http://' ' www.' and '<'. Any
one who legitimately needs to post a link can always write
www[dot]example[dot]com, but that's no advantage to spammers who simply
want to get links published.

I've also been experimenting with an enquiry form that used to get
spammed. I've added a secret field, hidden by CSS.

<label for='secret_field' style='display:none'>Please leave blank <input
name='secret_field'id='secret_field'></label>

Bots will usually either leave it out or fill it with garbage and so I
check for this like so:-

if(!isset($_POST[$secret_field])||$_POST[$secret_field]!=""){
//at the moment I'm prepending the resultant email's subject
// with [SPAM] but eventually may just silently drop it.
}

--
Regards,

Geoff Berrow

On Thu, 03 Jul 2008 10:19:43 +0100
Geoff Berrow <blthecat@ckdog.co.ukwrote:

Quote:

I've also been experimenting with an enquiry form that used to get
spammed. I've added a secret field, hidden by CSS.
>
<label for='secret_field' style='display:none'>Please leave blank <input
name='secret_field'id='secret_field'></label>
>
Bots will usually either leave it out or fill it with garbage and so I
check for this like so:-
>
if(!isset($_POST[$secret_field])||$_POST[$secret_field]!=""){
//at the moment I'm prepending the resultant email's subject
// with [SPAM] but eventually may just silently drop it.
}

In our organization, we have a number of different "contact us" forms.
Our ASP.NET developer tends to use the hidden field method you
described with success. On my PHP pages, I sometimes use the same
method, but in some cases I've added a little arithmetic captcha
something like the following. Get two random integers less than 10,
and ask the user to sum them.

<?php
// Create the session variables for the math problem
session_start();
$_SESSION['n1'] = rand(1,9);
$_SESSION['n2'] = rand(1,9);
?>
<label for='math'>
What is <?php echo $_SESSION['n1'] . " + " .$_SESSION['n2']; ?>
</label<input id='math' type='text' name='math' />

I know CAPTCHAs were to be avoided in the original post, but this one
is so trivial. (Though it might keep out first graders). I've never
had spam on one of these forms except for the occasional manually
entered list of links once or twice a year.
--
Michael Berkowski <berk0081@NOSPAM.umn.edu>

On 3 jul, 15:01, Michael Berkowski <berk0...@NOSPAMumn.eduwrote:

Quote:

On Thu, 03 Jul 2008 10:19:43 +0100
>
Geoff Berrow <blthe...@ckdog.co.ukwrote:

Quote:

I've also been experimenting with an enquiry form that used to get
spammed. *I've added a secret field, hidden by CSS.

>

Quote:

<label for='secret_field' style='display:none'>Please leave blank <input
name='secret_field'id='secret_field'></label>

>

Quote:

Bots will usually either leave it out or fill it with garbage and so I
check for this like so:-

>

Quote:

if(!isset($_POST[$secret_field])||$_POST[$secret_field]!=""){
//at the moment I'm prepending the resultant email's subject
// with [SPAM] *but eventually may just silently drop it.
}

>
In our organization, we have a number of different "contact us" forms.
Our ASP.NET developer tends to use the hidden field method you
described with success. *On my PHP pages, I sometimes use the same
method, but in some cases I've added a little arithmetic captcha
something like the following. *Get two random integers less than 10,
and ask the user to sum them.
>
<?php
// Create the session variables for the math problem
session_start();
$_SESSION['n1'] = rand(1,9);
$_SESSION['n2'] = rand(1,9);
?>
<label for='math'>
* * * * What is *<?php echo $_SESSION['n1'] . " + " .$_SESSION['n2']; ?>
</label<input id='math' type='text' name='math' />
>
I know CAPTCHAs were to be avoided in the original post, but this one
is so trivial. (Though it might keep out first graders). *I've never
had spam on one of these forms except for the occasional manually
entered list of links once or twice a year.
--
Michael Berkowski <berk0...@NOSPAM.umn.edu>

Thanks for all replies so far! I like the banned words list and hidden
input fields, I'll give that a try for sure!

The main goal for me personally is to avoid spam, but I don't want to
annoy the "normal" visitors with security features. I know my visitors
are very simple people, to say the least. If I show the guestbook to
my mom, she will just mock me because she needs to answer a simple sum
to sign a guestbook :-)

On that topic, I've seen more creative captcha's using images. I could
show 9 pictures from our band and ask the user to click 3 pictures
from the drummer for example. (Idea came from KittenAuth -
http://www.thepcspy.com/contact)

Requiring users to confirm their post by email would scare some people
because they don't want to give their email.

On 3 jul, 15:01, Michael Berkowski <berk0...@NOSPAMumn.eduwrote:

Quote:

>On Thu, 03 Jul 2008 10:19:43 +0100
>>
>Geoff Berrow <blthe...@ckdog.co.ukwrote:

Quote:

>>I've also been experimenting with an enquiry form that used to get
>>spammed. I've added a secret field, hidden by CSS.

>>

Quote:

>><label for='secret_field' style='display:none'>Please leave blank
>><input name='secret_field'id='secret_field'></label>

>>

Quote:

>>Bots will usually either leave it out or fill it with garbage and
>>so I check for this like so:-

>>

Quote:

>>if(!isset($_POST[$secret_field])||$_POST[$secret_field]!=""){
>>//at the moment I'm prepending the resultant email's subject
>>// with [SPAM] but eventually may just silently drop it.
>>}

>>
>In our organization, we have a number of different "contact us"
>forms. Our ASP.NET developer tends to use the hidden field method you
>described with success. On my PHP pages, I sometimes use the same
>method, but in some cases I've added a little arithmetic captcha
>something like the following. Get two random integers less than 10,
>and ask the user to sum them.
>>
><?php
>// Create the session variables for the math problem
>session_start();
>$_SESSION['n1'] = rand(1,9);
>$_SESSION['n2'] = rand(1,9);

Quote:

>>>

><label for='math'>
>What is <?php echo $_SESSION['n1'] . " + " .$_SESSION['n2']; ?>
></label<input id='math' type='text' name='math' />
>>
>I know CAPTCHAs were to be avoided in the original post, but this one
>is so trivial. (Though it might keep out first graders). I've never
>had spam on one of these forms except for the occasional manually
>entered list of links once or twice a year.
>--
>Michael Berkowski <berk0...@NOSPAM.umn.edu>

>
>
Thanks for all replies so far! I like the banned words list and hidden
input fields, I'll give that a try for sure!
>
The main goal for me personally is to avoid spam, but I don't want to
annoy the "normal" visitors with security features. I know my visitors
are very simple people, to say the least. If I show the guestbook to
my mom, she will just mock me because she needs to answer a simple sum
to sign a guestbook :-)
>
On that topic, I've seen more creative captcha's using images. I could
show 9 pictures from our band and ask the user to click 3 pictures
from the drummer for example. (Idea came from KittenAuth -
http://www.thepcspy.com/contact)
>
Requiring users to confirm their post by email would scare some people
because they don't want to give their email.

IME the captcha scares people off too, especially neophytes or those in
a hurry if they have to squint etc. to figure out the
distorted/over-lined/hidden in colors etc. characters, especially the
visually challenged and color blind. For things like guest books you
want to make it as easy as you can bit still keep some security too.
IMO a simple expansion on your original idea might be a better
solution, only use a random-length, random number and allow the digits
to go negative (e.g. mt_rand(-99, 00)). Print them in the clear and use
those plus a related question; maybe the number of digits in the code or
something, to add a further layer to it. Or just ask for the middle 3
numbers, etc. of the code instead of the whole thing; lots of things one
could do.

HTH, just my thoughts for the moment.

illona wrote:

Quote:

On Fri, 04 Jul 2008 15:02:37 GMT, "Twayne" <nobody@devnull.spamcop.netwrote:
>
>
There is a professional solution if captchas are bad (I agree with that too by
the way)
>
Take a look at www.streamforensics.com
Their solution isnt cheap but I can attest that once you have it you'll want to
use it everywhere (and you only buy it once to use everywhere)
Its a bit hard to get your head round at first but when the penny drops its
easy. You can protect existing or new forms in seconds. (really)
We have it on every form and forum post now. We dont have a guest book
but it should work just fine as those are just forms anyway.
>
>

There is no need for your expensive package. There are much better ways
to handle CAPTCHA than an image.

For instance, I often use simple arithmetic in words, i.e. "How much is
five minus four?" or "What is the sum of three and six"? These are easy
for a person to solve, can be used with a screen reader by the visually
impaired, yet harder to parse by 'bots, especially if you vary the
wording (I typically have multiple sentences).

And BTW - CAPTCHA is not the image. CAPTCHA is a process. A CAPTCHA
image is one way to handle the process.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

illona wrote:

Quote:

>On Fri, 04 Jul 2008 15:02:37 GMT, "Twayne"
><nobody@devnull.spamcop.netwrote: There is a professional solution
>if captchas are bad (I agree with
>that too by the way)
>>
>Take a look at www.streamforensics.com
>Their solution isnt cheap but I can attest that once you have it
>you'll want to use it everywhere (and you only buy it once to use
>everywhere) Its a bit hard to get your head round at first but when
>the penny
>drops its easy. You can protect existing or new forms in seconds.
>(really) We have it on every form and forum post now. We dont have a
>guest
>book but it should work just fine as those are just forms anyway.
>>
>>

>
There is no need for your expensive package. There are much better
ways to handle CAPTCHA than an image.
>
For instance, I often use simple arithmetic in words, i.e. "How much
is five minus four?" or "What is the sum of three and six"? These
are easy for a person to solve, can be used with a screen reader by
the visually impaired, yet harder to parse by 'bots, especially if
you vary the wording (I typically have multiple sentences).

Ah, I'm not the only one doing that; great. I even still generate a
random number to type in but it's fully readable and not in an image.
I've also spread the bot-test Qs into two forms, the second very easy
but hopefully unexpected by the bots and not even noticed. Counting
page views and errors seems like it'd help too, and of course force only
one email address, etc. etc..
If what I read about India's captcha business is anywhere near
accurate it just proves what I've always though about those stupid hard
to read captcha images anyway. You just have to enforce the right house
rules and get as close as you can to making it too hard to bother to use
your stuff; there's always someone easier right down the pipe if you're
lucky. I suspect making the questions random too helps a lot if someone
does sit down and manually figure out the processes; but you need a
database so it's not going to repeat too quickly. Random seems to be
the magic touch for now. And natch, keep it all working fast so there
arean't any noticeable delays over the norm or where they wouldn't be
expected.

Cheers,

Twayne

Quote:

>
And BTW - CAPTCHA is not the image. CAPTCHA is a process. A CAPTCHA
image is one way to handle the process.

Guestbook spam protection

re: Guestbook spam protection

re: Guestbook spam protection

re: Guestbook spam protection

re: Guestbook spam protection

re: Guestbook spam protection

re: Guestbook spam protection

Similar PHP bytes

/bytes/development

/bytes/it

/bytes/about