UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.
#1
Posted to uk.d-i-y
OT - Chinese spammers & web response forms
HI All

Sort of DIY - as in I'm diy-ing some websites.... <g>

Deleting the latest crop of Chinese newsgroup spam 'genuine lewis vetton handbags very cheap' - reminded me of an ongoing problem with website response forms..

Bought a copy of NetObjects Fusion last year - mainly for the built-in styles / templates - which make it easy for an artistically-challenged person (like me!) to get a neat look & feel to a website.

One of the 'built-in' features is a forms handler (script). Gave it a try - and it behaved well (after some discussion with tech support).

Then started getting Chinese spammers abusing the form - hoping to get listings in the online directory - which was only meant for local traders at the Farmers' Market.

More discussions with Tech Support - added some 'validation' to the form fields - but the spam kept coming. Eventually became clear that the spamming ratbags were calling the script directly - rather than being good chaps and going in via the webpage, where their spamming would have been defeated by the validation.... barstewards!

So - ended up taking the form off the website and deleting the script - spam stopped ! (Well - it would, wouldn't it ?)

Now need to do another website - and the client wants an online form with sexy clickboxes & all. Any ideas how to defeat the dreaded spammers ??

It would seem that, once you've looked at the source code for an html page that calls a forms handler, you can then set up your own spambot to call that handler, and bypass any html-level validation.... there must be a way of preventing this.... isn't there ??

And no - the answer isn't
a - angle grinder
b - car body filler
or c - combi boiler !

But good guesses <g>

Thanks
Adrian
#2
Posted to uk.d-i-y
Adrian says...
> It would seem that, once you've looked at the source code for an html page that calls a forms handler, you can then set up your own spambot to call that handler, and bypass any html-level validation.... there must be a way of preventing this.... isn't there ??

Can't you incorporate one of those boxes where people have to type in the obscured letters/digits?

Or behind the scenes can you have a hidden field that needs to contain certain text put there by your form or the data is discarded during reading / download?

I use a similar principle with my newsgroup email address which is in plain view and fully available to spammers - but I don't receive any spam due to the filter. (See below)

--
David in Normandy.
To e-mail you must include the password FROG on the subject line, or it will be automatically deleted by a filter and not reach my inbox.
#3
Posted to uk.d-i-y
In uk.d-i-y, Adrian wrote:
> It would seem that, once you've looked at the source code for an html page that calls a forms handler, you can then set up your own spambot to call that handler, and bypass any html-level validation.... there must be a way of preventing this.... isn't there ??

Yes.

http://en.wikipedia.org/wiki/Captcha

--
Mike Barnes
#4
Posted to uk.d-i-y
On 31 Mar, 11:16, Adrian wrote:
> Now need to do another website - and the client wants an online form with sexy clickboxes & all. Any ideas how to defeat the dreaded spammers ??
>
> It would seem that, once you've looked at the source code for an html page that calls a forms handler, you can then set up your own spambot to call that handler, and bypass any html-level validation.... there must be a way of preventing this.... isn't there ??

Are you suggesting that the spammers are looking at the html, recognising the form submit code and using that to submit their email directly?

If so then how about not including the form submit code but inserting it onto the page after it has been loaded using Javascript? I doubt if the spammers are going to be actually loading the page and executing scripts before looking for the submit.

Andrew
#5
Posted to uk.d-i-y
HI David

On Mon, 31 Mar 2008 12:29:17 +0200, David in Normandy wrote:
> Adrian says...
> > It would seem that, once you've looked at the source code for an html page that calls a forms handler, you can then set up your own spambot to call that handler, and bypass any html-level validation.... there must be a way of preventing this.... isn't there ??
>
> Can't you incorporate one of those boxes where people have to type in the obscured letters/digits?

I could - but (personally) I find them to be ever-so-annoying ! You know the scenario - you're trying to buy something, or even enquire about buying something - and then the darn box pops up with the mangled figures - now is that a 1 or an l, is that a 0 or a O - after getting it wrong a couple of times I generally give up <g>

> Or behind the scenes can you have a hidden field that needs to contain certain text put there by your form or the data is discarded during reading / download?
>
> I use a similar principle with my newsgroup email address which is in plain view and fully available to spammers - but I don't receive any spam due to the filter. (See below)

Maybe... Trouble with the NetObjectsFusion thing is that it makes heavy use of witchcraft (apparently !) - and doesn't actually create html until long after you've designed the pages - so you're somewhat 'hands-off' as far as embedding things in the code is concerned.

Maybe a glimmer of light though - looks as if NetObjectsFusion (silly name !) actually understands captcha - and can embed it in its forms - so maybe we'll give it a try on a test site & see what we see...

Bl**dy spammers !

Thanks
Adrian
#6
Posted to uk.d-i-y
HI Mike

On Mon, 31 Mar 2008 12:32:29 +0100, Mike Barnes wrote:
> In uk.d-i-y, Adrian wrote:
> > It would seem that, once you've looked at the source code for an html page that calls a forms handler, you can then set up your own spambot to call that handler, and bypass any html-level validation.... there must be a way of preventing this.... isn't there ??
>
> Yes.
>
> http://en.wikipedia.org/wiki/Captcha

Thanks. After a bit of searching, it would appear that NetObjectsFusion actually has captcha 'bits' built-in as an option on its forms.... so we'll have a play with that & see if it works <g>

Thanks
Adrian
#7
Posted to uk.d-i-y
Hi Andrew

On Mon, 31 Mar 2008 07:35:26 -0700 (PDT), Andrew wrote:
> On 31 Mar, 11:16, Adrian wrote:
> > Now need to do another website - and the client wants an online form with sexy clickboxes & all. Any ideas how to defeat the dreaded spammers ??
> >
> > It would seem that, once you've looked at the source code for an html page that calls a forms handler, you can then set up your own spambot to call that handler, and bypass any html-level validation.... there must be a way of preventing this.... isn't there ??
>
> Are you suggesting that the spammers are looking at the html, recognising the form submit code and using that to submit their email directly?

Don't know just how they're doing it - but I do know that they seemed to be able to spam using the form script even after we'd added various validation checks into the html forms page itself - which sort of suggests that they were bypassing the webpage & calling the script directly...

> If so then how about not including the form submit code but inserting it onto the page after it has been loaded using Javascript? I doubt if the spammers are going to be actually loading the page and executing scripts before looking for the submit.

As I said to David - NOF adds a couple of layers of mystery between your page design and the actual code that's produced - so it's not easy to delve into the guts of the pages. However, it does appear to have a 'captcha' facility built in - so maybe we'll activate that and see what happens.....

What a lot of faffing.... grrr ! Spammers !

Thanks
Adrian

> Andrew
#8
Posted to uk.d-i-y
Following up to Adrian
> Deleting the latest crop of Chinese newsgroup spam 'genuine lewis vetton handbags very cheap'

I have switched to 40tude for usenet, it allows blocking of the popular source for the chinese rubbish and allows blocking of googlegroups with named exceptions for known posters, no garbage now.

--
Mike
remove clothing to email
#9
Posted to uk.d-i-y
Adrian wrote:
> HI All
>
> Sort of DIY - as in I'm diy-ing some websites.... <g>
>
> Deleting the latest crop of Chinese newsgroup spam 'genuine lewis vetton handbags very cheap' - reminded me of an ongoing problem with website response forms..
>
> Bought a copy of NetObjects Fusion last year - mainly for the built-in styles / templates - which make it easy for an artistically-challenged person (like me!) to get a neat look & feel to a website.
>
> One of the 'built-in' features is a forms handler (script). Gave it a try - and it behaved well (after some discussion with tech support).
>
> Then started getting Chinese spammers abusing the form - hoping to get listings in the online directory - which was only meant for local traders at the Farmers' Market.
>
> More discussions with Tech Support - added some 'validation' to the form fields - but the spam kept coming. Eventually became clear that the spamming ratbags were calling the script directly - rather than being good chaps and going in via the webpage, where their spamming would have been defeated by the validation.... barstewards!
>
> So - ended up taking the form off the website and deleting the script - spam stopped ! (Well - it would, wouldn't it ?)
>
> Now need to do another website - and the client wants an online form with sexy clickboxes & all. Any ideas how to defeat the dreaded spammers ??

Do your validation server side. php is your friend.

> It would seem that, once you've looked at the source code for an html page that calls a forms handler, you can then set up your own spambot to call that handler, and bypass any html-level validation.... there must be a way of preventing this.... isn't there ??

See above.
#10
Posted to uk.d-i-y
Adrian wrote:
> More discussions with Tech Support - added some 'validation' to the form fields - but the spam kept coming. Eventually became clear that the spamming ratbags were calling the script directly - rather than being good chaps and going in via the webpage, where their spamming would have been defeated by the validation.... barstewards!

Um. Why would you use client-side validation for what is, essentially, a security requirement?

In any case, even without deliberately subverting it, most simple ways for "robotting" a form would ignore your Javascript. Writing a robot that *does* run Javascript is the tricky part.

Captcha is the only (currently) totally effective way of bot-proofing a form, though if you want to avoid it you could gain a temporary respite by doing various odd things with Javascript that a non-specially-written robot probably wouldn't handle correctly.

Pete
#11
Posted to uk.d-i-y
Pete Verdon wrote:
> <snip>
> Captcha is the only (currently) totally effective way of bot-proofing a form, though if you want to avoid it you could gain a temporary respite by doing various odd things with Javascript that a non-specially-written robot probably wouldn't handle correctly.

Captcha is the best we have, but it isn't totally effective. As AI gets better, it is better able to analyse the captcha images - you are after all running a basic Turing test.

http://www.websense.com/securitylabs...php?BlogID=174

If you want to be unique - how about sticking up a bunch of pictures, and saying "Click on the Red Setter" or somesuch? Any technique that others aren't using will probably work because you are a small target.

Andy
#12
Posted to uk.d-i-y
HI Mike

On Mon, 31 Mar 2008 18:18:16 +0100, "Mike....." wrote:
> Following up to Adrian
> > Deleting the latest crop of Chinese newsgroup spam 'genuine lewis vetton handbags very cheap'
>
> I have switched to 40tude for usenet, it allows blocking of the popular source for the chinese rubbish and allows blocking of googlegroups with named exceptions for known posters, no garbage now.

I'm using Agent - but haven't yet discovered how to eliminate the Chinese spam..... if indeed Agent's capable of doing it. Seems to come from a different email address each time....

Adrian
#13
Posted to uk.d-i-y
HI

On Mon, 31 Mar 2008 18:41:26 +0100, The Natural Philosopher wrote:
> Adrian wrote:
> > HI All
> >
> > Sort of DIY - as in I'm diy-ing some websites.... <g>
> >
> > Deleting the latest crop of Chinese newsgroup spam 'genuine lewis vetton handbags very cheap' - reminded me of an ongoing problem with website response forms..
> >
> > Bought a copy of NetObjects Fusion last year - mainly for the built-in styles / templates - which make it easy for an artistically-challenged person (like me!) to get a neat look & feel to a website.
> >
> > One of the 'built-in' features is a forms handler (script). Gave it a try - and it behaved well (after some discussion with tech support).
> >
> > Then started getting Chinese spammers abusing the form - hoping to get listings in the online directory - which was only meant for local traders at the Farmers' Market.
> >
> > More discussions with Tech Support - added some 'validation' to the form fields - but the spam kept coming. Eventually became clear that the spamming ratbags were calling the script directly - rather than being good chaps and going in via the webpage, where their spamming would have been defeated by the validation.... barstewards!
> >
> > So - ended up taking the form off the website and deleting the script - spam stopped ! (Well - it would, wouldn't it ?)
> >
> > Now need to do another website - and the client wants an online form with sexy clickboxes & all. Any ideas how to defeat the dreaded spammers ??
>
> Do your validation server side. php is your friend.

I was looking for an easy solution <g>

Would I be right in assuming that the captcha thingy should prevent the spambots from having their wicked way with my form handler script ?

Thanks
Adrian
#14
Posted to uk.d-i-y
> > http://en.wikipedia.org/wiki/Captcha
>
> After a bit of searching, it would appear that NetObjectsFusion actually has captcha 'bits' built-in as an option on its forms.... so we'll have a play with that & see if it works <g>

Won't be long before you get spam again - they employ people in Russia on a pittance of a wage to decipher Captcha images (mentioned on theregister.co.uk in the last couple of weeks)
#15
Posted to uk.d-i-y
Hi Pete

On Mon, 31 Mar 2008 19:39:39 +0100, Pete Verdon wrote:
> Adrian wrote:
> > More discussions with Tech Support - added some 'validation' to the form fields - but the spam kept coming. Eventually became clear that the spamming ratbags were calling the script directly - rather than being good chaps and going in via the webpage, where their spamming would have been defeated by the validation.... barstewards!
>
> Um. Why would you use client-side validation for what is, essentially, a security requirement?

Good point...... I did wonder at the time.....

> In any case, even without deliberately subverting it, most simple ways for "robotting" a form would ignore your Javascript. Writing a robot that *does* run Javascript is the tricky part.
>
> Captcha is the only (currently) totally effective way of bot-proofing a form, though if you want to avoid it you could gain a temporary respite by doing various odd things with Javascript that a non-specially-written robot probably wouldn't handle correctly.

So captcha is the way to go ?

The spam to the Farmers' Market sites wasn't really a major thing - but the other people I have in mind are tender souls, and won't take kindly to spam advertising some of the things the Chinese were selling <g>

Thanks
Adrian
#16
Posted to uk.d-i-y
Hi Andy

On Mon, 31 Mar 2008 20:36:56 +0100, Andy Champ wrote:
> Pete Verdon wrote:
> > <snip>
> > Captcha is the only (currently) totally effective way of bot-proofing a form, though if you want to avoid it you could gain a temporary respite by doing various odd things with Javascript that a non-specially-written robot probably wouldn't handle correctly.
>
> Captcha is the best we have, but it isn't totally effective. As AI gets better, it is better able to analyse the captcha images - you are after all running a basic Turing test.

As I said before - _I_ have trouble deciphering some of the captcha images - so not sure what that proved in Turing terms <g>

> http://www.websense.com/securitylabs...php?BlogID=174
>
> If you want to be unique - how about sticking up a bunch of pictures, and saying "Click on the Red Setter" or somesuch? Any technique that others aren't using will probably work because you are a small target.

Could do.....

.... but my experience of javascript & suchlike is very rusty - I think I'll try the inbuilt captcha support & see how we get on with that....

Thanks
Adrian
#17
Posted to uk.d-i-y
HI Colin

On Mon, 31 Mar 2008 21:20:37 +0100, Colin Wilson wrote:
> > > http://en.wikipedia.org/wiki/Captcha
> >
> > After a bit of searching, it would appear that NetObjectsFusion actually has captcha 'bits' built-in as an option on its forms.... so we'll have a play with that & see if it works <g>
>
> Won't be long before you get spam again - they employ people in Russia on a pittance of a wage to decipher Captcha images (mentioned on theregister.co.uk in the last couple of weeks)

Ah - that's cheerful - thanks ! <g>

Adrian
#18
Posted to uk.d-i-y
> Ah - that's cheerful - thanks ! <g>

Ho hum :-}

Someone else was working on a system based on images - you had to enter which image was of a particular type, i.e. 3 cats, 1 dog, which one was the dog. Again, simple for humans, crap for computers (high level of AI / processing time reqd).

As daft as it might sound, the commonality of these systems is probably the greatest weakness - crack one, and all you need to do is automate a search to blitz all the others using the same hack.

If you could find your own way of adding verification that branched away from existing code you might be more successful in keeping the little b'stards at bay :-}

For instance, a random string of digits could be displayed, and the user asked to enter a couple of them - or even add a couple of them up - sure, it won't be any better than Captcha, but it'd be different every time, and require manual overhead to beat. Unless everyone uses it, you won't be a target.

I suppose all that depends on how they're applying the hack - they might be using SQL injection, which can be as simple as sending a URL request to a server I'm led to believe (a recent link on StumbleUpon took me to a site on the subject)
#19
Posted to uk.d-i-y
On Mon, 31 Mar 2008 12:29:17 +0200, David in Normandy wrote:
> Or behind the scenes can you have a hidden field that needs to contain certain text put there by your form or the data is discarded during reading / download?

They might be hidden from a user with a browser but they are in the code and visible to the bots...

One could possibly generate the content of a hidden field on the fly and check for that in a form submission. A bit like the graphics box with mangled letters, which I don't particularly like but don't detest as much as the separate Visa/MC thing you sometimes have to go through.

--
Cheers
Dave.
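
One way to build the on-the-fly hidden field suggested in this post and check it in the form handler, as an added example that is not part of any post in the thread; the secret handling, token layout, time limits and in-memory replay set are assumptions for illustration. It refuses posts sent straight to the handler without a freshly issued token, although a bot that fetches the page first can still obtain one.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a secret known only to the server (generated per run for this demo).
SERVER_SECRET = secrets.token_bytes(32)
MIN_FILL_SECONDS = 3        # a person needs a few seconds to fill in the form
MAX_AGE_SECONDS = 30 * 60   # tokens from stale page loads are refused


def _sign(payload):
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(form_id, now=None):
    """Hidden-field value, generated each time the form page is served.
    form_id is a hypothetical short name for the form and must not contain ':'."""
    issued = int(time.time() if now is None else now)
    payload = f"{form_id}:{issued}:{secrets.token_hex(8)}"
    return f"{payload}:{_sign(payload)}"


def check_token(token, form_id, seen_nonces, now=None):
    """Run first in the form handler. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    parts = (token or "").split(":")
    if len(parts) != 4:
        return False, "missing or malformed token"
    tok_form, issued_s, nonce, mac = parts
    expected = _sign(f"{tok_form}:{issued_s}:{nonce}")
    # Constant-time comparison on bytes, so non-ASCII input is compared
    # instead of raising TypeError.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad signature"
    if tok_form != form_id:
        return False, "token issued for another form"
    age = now - int(issued_s)   # safe: the signature proves the server wrote it
    if age < MIN_FILL_SECONDS:
        return False, "submitted too quickly"
    if age > MAX_AGE_SECONDS:
        return False, "token expired"
    if nonce in seen_nonces:
        return False, "token already used"
    seen_nonces.add(nonce)      # assumption: a shared store with expiry in production
    return True, "ok"


if __name__ == "__main__":
    used = set()
    t0 = 1_207_000_000                      # constructed timestamp
    token = issue_token("contact", now=t0)
    print(check_token(token, "contact", used, now=t0 + 20))   # normal visitor
    print(check_token(token, "contact", used, now=t0 + 25))   # same token replayed
    print(check_token("", "contact", used, now=t0 + 25))      # direct post, no token
```
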
#20
Posted to uk.d-i-y
Adrian wrote:
> On Mon, 31 Mar 2008 19:39:39 +0100, Pete Verdon wrote:
> > Captcha is the only (currently) totally effective way of bot-proofing a form, though if you want to avoid it you could gain a temporary respite by doing various odd things with Javascript that a non-specially-written robot probably wouldn't handle correctly.
>
> So captcha is the way to go ?

Well, personally I don't like them that much, but I don't really have a better suggestion.

Pete
#21
Posted to uk.d-i-y
Colin Wilson wrote:
> I suppose all that depends on how they're applying the hack - they might be using SQL injection, which can be as simple as sending a URL request to a server I'm led to believe (a recent link on StumbleUpon took me to a site on the subject)

SQL injection is a way of producing a controlled mis-operation on the server. Get it right, and you have introduced your application on the server, and you have full control of it. Get the server right - and I'm no expert on how - and it can't be done.

Andy
#22
Posted to uk.d-i-y
In message , Adrian writes
> Hi Andrew
>
> On Mon, 31 Mar 2008 07:35:26 -0700 (PDT), Andrew wrote:
> > On 31 Mar, 11:16, Adrian wrote:
> > > Now need to do another website - and the client wants an online form with sexy clickboxes & all. Any ideas how to defeat the dreaded spammers ??
> > >
> > > It would seem that, once you've looked at the source code for an html page that calls a forms handler, you can then set up your own spambot to call that handler, and bypass any html-level validation.... there must be a way of preventing this.... isn't there ??
> >
> > Are you suggesting that the spammers are looking at the html, recognising the form submit code and using that to submit their email directly?
>
> Don't know just how they're doing it - but I do know that they seemed to be able to spam using the form script even after we'd added various validation checks into the html forms page itself - which sort of suggests that they were bypassing the webpage & calling the script directly...

[snip]

By writing valid email header and content into the contact form fields.

To: " From: Bcc: Dear Sir, buy my Viagra"

Probably gives you the idea...

If you asked in an appropriate group there would be 100 people with an exact solution.

My site has validation code in the form submit proc (asp) which rejects any form where "bcc:" "To:" "Content-Type:" etc etc are in any of the form fields.

Personally, I find OT stuff like this to be almost as bad as spam, but hope the above helps anyway or at least points you in the right direction.

Someone
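
The server-side check described in this post, sketched in Python rather than ASP as an added example that is not the poster's code; the field names, addresses and header list are assumptions. It rejects line breaks in single-line fields and header-like lines in any field, and keeps the recipient fixed so that form input never chooses where the mail goes.

```python
import re
from email.message import EmailMessage

# Assumptions: field names, addresses and the header list are illustrative.
SITE_INBOX = "owner@example.org"
SITE_SENDER = "webform@example.org"
SINGLE_LINE_FIELDS = ("name", "email", "subject")
HEADER_LINE = re.compile(
    r"\s*(to|cc|bcc|from|reply-to|subject|content-type|mime-version)\s*:",
    re.IGNORECASE,
)
PLAUSIBLE_ADDRESS = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def validate_submission(fields):
    """Return a list of reasons to reject; an empty list means accept."""
    problems = []
    for key in SINGLE_LINE_FIELDS:
        value = fields.get(key, "")
        if "\r" in value or "\n" in value:
            problems.append(f"{key}: line break in single-line field")
    for key, value in fields.items():
        # splitlines() also splits on a bare CR, so "x\rBcc: ..." is caught too.
        if any(HEADER_LINE.match(line) for line in value.splitlines()):
            problems.append(f"{key}: line looks like a mail header")
    if not PLAUSIBLE_ADDRESS.fullmatch(fields.get("email", "")):
        problems.append("email: not a plausible address")
    return problems


def build_message(fields):
    """Build the notification mail only from fields that passed validation."""
    problems = validate_submission(fields)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["From"] = SITE_SENDER            # fixed by the site, never taken from the form
    msg["To"] = SITE_INBOX               # fixed by the site, never taken from the form
    msg["Reply-To"] = fields["email"]
    msg["Subject"] = "Web form: " + fields["subject"]
    # Free text goes into the body, where extra lines cannot become headers.
    msg.set_content(f"Name: {fields['name']}\n\n{fields.get('message', '')}")
    return msg


if __name__ == "__main__":
    # Constructed sample submissions.
    genuine = {"name": "Alice", "email": "alice@example.org",
               "subject": "Stall booking", "message": "Hello,\nCan I book a stall?"}
    injected = {"name": "x", "email": "a@example.org\r\nBcc: list@example.net",
                "subject": "hi", "message": "To: b@example.net\n\nDear Sir"}
    print(validate_submission(genuine))
    print(validate_submission(injected))
```
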
#23
Posted to uk.d-i-y
Following up to Adrian
> I'm using Agent - but haven't yet discovered how to eliminate the Chinese spam..... if indeed Agent's capable of doing it. Seems to come from a different email address each time....

You can't do it with Agent, 40tude allows blocking by Xref

XRef 124.15.*.*

You can also block Googlegroups just allowing known posters from there.

--
Mike
remove clothing to email
#24
Posted to uk.d-i-y
HI Mike

On Tue, 1 Apr 2008 08:27:34 +0100, "Mike....." wrote:
> Following up to Adrian
> > I'm using Agent - but haven't yet discovered how to eliminate the Chinese spam..... if indeed Agent's capable of doing it. Seems to come from a different email address each time....
>
> You can't do it with Agent, 40tude allows blocking by Xref
>
> XRef 124.15.*.*
>
> You can also block Googlegroups just allowing known posters from there.

Ah - I see......

Thanks
Adrian
#25
Posted to uk.d-i-y
Following up to Adrian
> > You can't do it with Agent, 40tude allows blocking by Xref
> >
> > XRef 124.15.*.*
> >
> > You can also block Googlegroups just allowing known posters from there.
>
> Ah - I see......

#this is a comment line
[uk.waffle.misc]
+100 From "good Guy"
-100 From "
[uk.wreckityourself]
-100 From "
[*] #all groups
-100 From "Steve Bonkers"
+200 From "niceBabe" #a google groups poster
+200 From "
-100 Message-ID googlegroups #kills google
-100 XRef 124.15.*.* # kills more Chinese posts
-100 Xpost %3 # kills 4+ cross posts
!delete score %0 #the coup de grâce, or use mark unread or move to a
#special folder to dredge out the innocents who use google later?
#while testing comment out the delete line and see the "scores" you are
#giving, in case of errors

--
Mike
remove clothing to email
#26
Posted to uk.d-i-y
On 31 Mar, 17:55, Adrian wrote:
> As I said to David - NOF adds a couple of layers of mystery between your page design and the actual code that's produced - so it's not easy to delve into the guts of the pages.

Ahhh. that's the bit I missed. All my pages are hand coded so I have full control over what they do and how.

Andrew
#27
Posted to uk.d-i-y
HI Andrew

On Tue, 1 Apr 2008 03:39:50 -0700 (PDT), Andrew wrote:
> On 31 Mar, 17:55, Adrian wrote:
> > As I said to David - NOF adds a couple of layers of mystery between your page design and the actual code that's produced - so it's not easy to delve into the guts of the pages.
>
> Ahhh. that's the bit I missed. All my pages are hand coded so I have full control over what they do and how.

Yes - that's how I started (fourteen years ago - doesn't time fly !) - but I'm only doing a little web design nowadays, and, even though it means relinquishing a certain amount of 'control', I'm leaning towards packages like NOF on the grounds that they do give you a presentable website fairly quickly.....

Trade-offs - as always.....

Adrian
#28
Posted to uk.d-i-y
On Mar 31, 11:16 am, Adrian wrote:
> HI All
>
> Sort of DIY - as in I'm diy-ing some websites.... <g>
>
> Deleting the latest crop of Chinese newsgroup spam 'genuine lewis vetton handbags very cheap' - reminded me of an ongoing problem with website response forms..

[snip]

> And no - the answer isn't
> a - angle grinder
> b - car body filler
> or c - combi boiler !
>
> But good guesses <g>

I disagree. The answer is /clearly/ "a" - angle grinder (to be applied to portions of the spammer's anatomy).

.... although I can see a potential argument for "b" - car body filler (applied liberally and rectally). You'd probably want the fast setting sort for that application.
#29
Posted to uk.d-i-y
On Apr 1, 8:27 am, "Mike....." wrote:
> You can also block Googlegroups

And why would one want to do that?

MBQ
#30
Posted to uk.d-i-y
HI Martin

On Tue, 1 Apr 2008 06:24:10 -0700 (PDT), Martin Bonner wrote:
> On Mar 31, 11:16 am, Adrian wrote:
> > HI All
> >
> > Sort of DIY - as in I'm diy-ing some websites.... <g>
> >
> > Deleting the latest crop of Chinese newsgroup spam 'genuine lewis vetton handbags very cheap' - reminded me of an ongoing problem with website response forms..
>
> [snip]
>
> > And no - the answer isn't
> > a - angle grinder
> > b - car body filler
> > or c - combi boiler !
> >
> > But good guesses <g>
>
> I disagree. The answer is /clearly/ "a" - angle grinder (to be applied to portions of the spammer's anatomy).

<g>

> ... although I can see a potential argument for "b" - car body filler (applied liberally and rectally). You'd probably want the fast setting sort for that application.

Surely expanding foam would be more effective..... <g>

At least your post brings it back on topic ! (Some folks seem to worry themselves about such things)

Adrian