HI All
Sort of DIY - as in I'm diy-ing some websites.... g

Deleting the latest crop of Chinese newsgroup spam 'genuine lewis
vetton handbags very cheap' - reminded me of an ongoing problem with
website response forms..

Bought a copy of NetObjects Fusion last year - mainly for the built-in
styles / templates - which make it easy for an artistically-challenged
person (like me!) to get a neat look & feel to a website.

One of the 'built-in' features is a forms handler (script).
Gave it a try - and it behaved well (after some discussion with tech
support). Then started getting Chinese spammers abusing the form -
hping to get listings in the online directory - which was only meant
for local traders at the Farmers' Market.

More discussions with Tech Support - added some 'validation' to the
form fields - but the spam kept coming.
Eventually became clear that the spamming ratbags were calling the
script directly - rather than being good chaps and going in vai the
webpage, where their spamming would have been defeated by the
validation.... barstewards!

So - ended up taking the form off the website and deleting the script
- spam stopped ! (Well - it would, wouldn't it ?)

Now need to do another website - and the client wants an online form
with sexy clickboxes & all. Any ideas how to defeat the dreaded
spammers ??

It would seem that, once yuu've looked at the source code for an html
page that calls a forms handler, you can then set up your own spambot
to call that handler, and bypass any html-level validation.... there
must be a way of preventing this.... isn't there ??

And no - the answer isn't

a - angle grinder
b - car body filler
or
c - combi boiler !

But good guesses g

Thanks
Adrian

Adrian says...
It would seem that, once yuu've looked at the source code for an html
page that calls a forms handler, you can then set up your own spambot
to call that handler, and bypass any html-level validation.... there
must be a way of preventing this.... isn't there ??


Can't you incorporate one of those boxes where people have
to type in the obscured letters/digits?

Or behind the scenes can you have a hidden field that needs
to contain certain text put there by your form or the data
is discarded during reading / download? I use a similar
principle with my newsgroup email address which is in plain
view and fully available to spammers - but I don't receive
any spam due to the filter. (See below)
--
David in Normandy.
To e-mail you must include the password FROG on the
subject line, or it will be automatically deleted
by a filter and not reach my inbox.

In uk.d-i-y, Adrian wrote:
It would seem that, once yuu've looked at the source code for an html
page that calls a forms handler, you can then set up your own spambot
to call that handler, and bypass any html-level validation.... there
must be a way of preventing this.... isn't there ??

Yes.

http://en.wikipedia.org/wiki/Captcha

--
Mike Barnes

On 31 Mar, 11:16, Adrian wrote:

Now need to do another website - and the client wants an online form
with sexy clickboxes & all. Any ideas how to defeat the dreaded
spammers ??

It would seem that, once yuu've looked at the source code for an html
page that calls a forms handler, you can then set up your own spambot
to call that handler, and bypass any html-level validation.... there
must be a way of preventing this.... isn't there ??


Are you suggesting that the spammers are looking at the html,
recognising the form submit code and using that to submit their email
directly? If so then how about not including the form submit code but
inserting it onto the page after it has been loaded using Javascript?
I doubt if the spammers are going to be actually loading the page an
executing scripts before looking for the submit.

Andrew

HI David

On Mon, 31 Mar 2008 12:29:17 +0200, David in Normandy
wrote:

Adrian says...
It would seem that, once yuu've looked at the source code for an html
page that calls a forms handler, you can then set up your own spambot
to call that handler, and bypass any html-level validation.... there
must be a way of preventing this.... isn't there ??


Can't you incorporate one of those boxes where people have
to type in the obscured letters/digits?

I could - but (personally) I find them to be ever-so-annoying !
You know the scenario - you're trying to buy something, or even
enquire about buying something - and then the darn box pops up with
the mangled figures - now is that a 1 or an l, is that a 0 or a O -
after getting it wrong a couple of times I generally give up g


Or behind the scenes can you have a hidden field that needs
to contain certain text put there by your form or the data
is discarded during reading / download? I use a similar
principle with my newsgroup email address which is in plain
view and fully available to spammers - but I don't receive
any spam due to the filter. (See below)

Maybe...
Trouble with the NetObjectsFusion thing is that it makes heavy use of
witchcraft (apparently !) - and doean't actually create html until
long after you've designed the pages - so you're somewhat 'hands-off'
as far as embedding things in the code is concerned.

Maybe a glimmer of light though - looks as if NetObjectsFusion (silly
name !) actually understands captcha - and can embed it in its forms -
so maybe we'll give it a try on a test site & see what we see...

Bl**dy spammers !

Thanks
Adrian

HI Mike

On Mon, 31 Mar 2008 12:32:29 +0100, Mike Barnes
wrote:

In uk.d-i-y, Adrian wrote:
It would seem that, once yuu've looked at the source code for an html
page that calls a forms handler, you can then set up your own spambot
to call that handler, and bypass any html-level validation.... there
must be a way of preventing this.... isn't there ??

Yes.

http://en.wikipedia.org/wiki/Captcha

Thanks.
After a bit of searching, it would appear that NetObjectsFusion
actually has captcha 'bits' built-in as an option on its forms....
so we'll have a play with that & see if it works g

Thanks
Adrian

Hi Andrew

On Mon, 31 Mar 2008 07:35:26 -0700 (PDT), Andrew
wrote:

On 31 Mar, 11:16, Adrian wrote:

Now need to do another website - and the client wants an online form
with sexy clickboxes & all. Any ideas how to defeat the dreaded
spammers ??

It would seem that, once yuu've looked at the source code for an html
page that calls a forms handler, you can then set up your own spambot
to call that handler, and bypass any html-level validation.... there
must be a way of preventing this.... isn't there ??


Are you suggesting that the spammers are looking at the html,
recognising the form submit code and using that to submit their email
directly?

Don;t know just how they're doing it - but I do know that they seemed
to be able to spam using the form script even after we'd added various
validation checks into the html forms page itself - which sort of
suggests that they were bypassing the webpage & calling the script
directly...

If so then how about not including the form submit code but
inserting it onto the page after it has been loaded using Javascript?
I doubt if the spammers are going to be actually loading the page an
executing scripts before looking for the submit.

As I said to David - NOF adds a couple of layers of mystery between
your page design and the actual code that's produced - so it's not
easy to delve into the guts of the pages.

However, it does appear to have a 'captcha' facility built in - so
maybe we'll activate that and see what happens.....

What a lot of faffing.... grrr ! Spammers !

Thanks
Adrian

Andrew

Following up to Adrian

Deleting the latest crop of Chinese newsgroup spam 'genuine lewis
vetton handbags very cheap'

I have switched to 40tude for usenet, it allows blocking of the popular
source for the chinese rubbish and allows blocking of googlegroups with
named exceptions for known posters, no garbage now.
--
Mike
remove clothing to email

Adrian wrote:
HI All
Sort of DIY - as in I'm diy-ing some websites.... g

Deleting the latest crop of Chinese newsgroup spam 'genuine lewis
vetton handbags very cheap' - reminded me of an ongoing problem with
website response forms..

Bought a copy of NetObjects Fusion last year - mainly for the built-in
styles / templates - which make it easy for an artistically-challenged
person (like me!) to get a neat look & feel to a website.

One of the 'built-in' features is a forms handler (script).
Gave it a try - and it behaved well (after some discussion with tech
support). Then started getting Chinese spammers abusing the form -
hping to get listings in the online directory - which was only meant
for local traders at the Farmers' Market.

More discussions with Tech Support - added some 'validation' to the
form fields - but the spam kept coming.
Eventually became clear that the spamming ratbags were calling the
script directly - rather than being good chaps and going in vai the
webpage, where their spamming would have been defeated by the
validation.... barstewards!

So - ended up taking the form off the website and deleting the script
- spam stopped ! (Well - it would, wouldn't it ?)

Now need to do another website - and the client wants an online form
with sexy clickboxes & all. Any ideas how to defeat the dreaded
spammers ??

Do your validation server side.

php is your friend.


It would seem that, once yuu've looked at the source code for an html
page that calls a forms handler, you can then set up your own spambot
to call that handler, and bypass any html-level validation.... there
must be a way of preventing this.... isn't there ??


See above.

Adrian wrote:

More discussions with Tech Support - added some 'validation' to the
form fields - but the spam kept coming.
Eventually became clear that the spamming ratbags were calling the
script directly - rather than being good chaps and going in vai the
webpage, where their spamming would have been defeated by the
validation.... barstewards!

Um. Why would you use client-side validation for what is, essentially, a
security requirement? In any case, even without deliberately subverting
it, most simple ways for "robotting" a form would ignore your
Javascript. Writing a robot that *does* run Javascript is the tricky part.

Captcha is the only (currently) totally effective way of bot-proofing a
form, though if you want to avoid it you could gain a temporary respite
by doing various odd things with Javascript that a non-specially-written
robot probably wouldn't handle correctly.

Pete

Pete Verdon wrote:

snip
Captcha is the only (currently) totally effective way of bot-proofing a
form, though if you want to avoid it you could gain a temporary respite
by doing various odd things with Javascript that a non-specially-written
robot probably wouldn't handle correctly.


Captcha is the best we have, but it isn't totally effective. As AI gets
better, it is better able to analyse the captcha images - you are after
all running a basic Turing test.

http://www.websense.com/securitylabs...php?BlogID=174

If you want to be unique - how about sticking up a bunch of pictures,
and saying "Click on the Red Setter" or somesuch? Any technique that
others aren't using will probably work because you are a small target.

Andy

HI Mike

On Mon, 31 Mar 2008 18:18:16 +0100, "Mike....."
wrote:

Following up to Adrian

Deleting the latest crop of Chinese newsgroup spam 'genuine lewis
vetton handbags very cheap'

I have switched to 40tude for usenet, it allows blocking of the popular
source for the chinese rubbish and allows blocking of googlegroups with
named exceptions for known posters, no garbage now.

I'm using Agent - but haven't yet discovered how to eliminate the
Chinese spam..... if indeed Agent's capable of doing it.

Seems to come from a different email address each time....

Adrian

HI

On Mon, 31 Mar 2008 18:41:26 +0100, The Natural Philosopher
wrote:

Adrian wrote:
HI All
Sort of DIY - as in I'm diy-ing some websites.... g

Deleting the latest crop of Chinese newsgroup spam 'genuine lewis
vetton handbags very cheap' - reminded me of an ongoing problem with
website response forms..

Bought a copy of NetObjects Fusion last year - mainly for the built-in
styles / templates - which make it easy for an artistically-challenged
person (like me!) to get a neat look & feel to a website.

One of the 'built-in' features is a forms handler (script).
Gave it a try - and it behaved well (after some discussion with tech
support). Then started getting Chinese spammers abusing the form -
hping to get listings in the online directory - which was only meant
for local traders at the Farmers' Market.

More discussions with Tech Support - added some 'validation' to the
form fields - but the spam kept coming.
Eventually became clear that the spamming ratbags were calling the
script directly - rather than being good chaps and going in vai the
webpage, where their spamming would have been defeated by the
validation.... barstewards!

So - ended up taking the form off the website and deleting the script
- spam stopped ! (Well - it would, wouldn't it ?)

Now need to do another website - and the client wants an online form
with sexy clickboxes & all. Any ideas how to defeat the dreaded
spammers ??

Do your validation server side.

php is your friend.

I was looking for an easy solution g
Would I be right in assuming that the captcha thingy
should prevent the spambots from having their wicked way with my form
handler script ?


Thanks
Adrian

http://en.wikipedia.org/wiki/Captcha
After a bit of searching, it would appear that NetObjectsFusion
actually has captcha 'bits' built-in as an option on its forms....
so we'll have a play with that & see if it works g

Won't be long before you get spam again - they employ people in Russia
on a pittance of a wage to decipher Captcha images (mentioned on
theregister.co.uk in the last couple of weeks)

Hi Pete

On Mon, 31 Mar 2008 19:39:39 +0100, Pete Verdon
d wrote:

Adrian wrote:

More discussions with Tech Support - added some 'validation' to the
form fields - but the spam kept coming.
Eventually became clear that the spamming ratbags were calling the
script directly - rather than being good chaps and going in vai the
webpage, where their spamming would have been defeated by the
validation.... barstewards!

Um. Why would you use client-side validation for what is, essentially, a
security requirement?

Good point...... I did wonder at the time.....

In any case, even without deliberately subverting
it, most simple ways for "robotting" a form would ignore your
Javascript. Writing a robot that *does* run Javascript is the tricky part.

Captcha is the only (currently) totally effective way of bot-proofing a
form, though if you want to avoid it you could gain a temporary respite
by doing various odd things with Javascript that a non-specially-written
robot probably wouldn't handle correctly.

So captcha is the way to go ?

The spam to the Farmers' Market sites wasn't really a major thing -
but the other people I have in mind are tender souls, and won't take
kindly to spam advertising some of the things the Chinese were selling
g

Thanks
Adrian

Hi Andy

On Mon, 31 Mar 2008 20:36:56 +0100, Andy Champ
wrote:

Pete Verdon wrote:

snip
Captcha is the only (currently) totally effective way of bot-proofing a
form, though if you want to avoid it you could gain a temporary respite
by doing various odd things with Javascript that a non-specially-written
robot probably wouldn't handle correctly.


Captcha is the best we have, but it isn't totally effective. As AI gets
better, it is better able to analyse the captcha images - you are after
all running a basic Turing test.

As I said before - _I_ have trouble deciphering some of the captcha
images - so not sure what that proved in Turing terms g


http://www.websense.com/securitylabs...php?BlogID=174

If you want to be unique - how about sticking up a bunch of pictures,
and saying "Click on the Red Setter" or somesuch? Any technique that
others aren't using will probably work because you are a small target.

Could do.....
.... but my experience of javascript & suchlike is very rusty -
I think I'll try the inbuilt captcha support & see how we get on with
that....

Thanks
Adrian

HI Colin

On Mon, 31 Mar 2008 21:20:37 +0100, Colin Wilson
o.uk wrote:

http://en.wikipedia.org/wiki/Captcha
After a bit of searching, it would appear that NetObjectsFusion
actually has captcha 'bits' built-in as an option on its forms....
so we'll have a play with that & see if it works g

Won't be long before you get spam again - they employ people in Russia
on a pittance of a wage to decipher Captcha images (mentioned on
theregister.co.uk in the last couple of weeks)

Ah - that's cheerful - thanks ! g

Adrian

Ah - that's cheerful - thanks ! g

Ho hum :-}

Someone else was working on a system based on images - you had to
enter which image was of a particular type, i.e. 3 cats, 1 dog, which
one was the dog.

Again, simple for humans, crap for computers (high level of AI /
processing time reqd).

As daft as it might sound, the commonality of these systems is
probably the greatest weakness - crack one, and all you need to do is
automate a search to blitz all the others using the same hack.

If you could find your own way of adding verification that branched
away from existing code you might be more successful in keeping the
little b'stards at bay :-}

For instance, a random string of digits could be displayed, and the
user asked to enter a couple of them - or even add a couple of them up
- sure, it won't be any better than Captcha, but it'd be different
every time, and require manual overhead to beat. Unless everyone uses
it, you won't be a target.

I suppose all that depends on how they're applying the hack - they
might be using SQL injection, which can be as simple as sending a URL
request to a server i'm lead to believe (a recent link on StumbleUpon
took me to a site on the subject)

On Mon, 31 Mar 2008 12:29:17 +0200, David in Normandy wrote:

Or behind the scenes can you have a hidden field that needs to contain
certain text put there by your form or the data is discarded during
reading / download?

They might be hidden from a user with a browser but they are in the code
and visible to the bots...

One could possibly generate the content of a hidden field on the fly and
check for that in a form submission. A bit like the graphics box with
mangled letters, which I don't particulary like but don't detest as much
as the seperate Visa/MC thing you sometimes have to go through.

--
Cheers
Dave.

Adrian wrote:
On Mon, 31 Mar 2008 19:39:39 +0100, Pete Verdon wrote:

Captcha is the only (currently) totally effective way of bot-proofing a
form, though if you want to avoid it you could gain a temporary respite
by doing various odd things with Javascript that a non-specially-written
robot probably wouldn't handle correctly.

So captcha is the way to go ?

Well, personally I don't like them that much, but I don't really have a
better suggestion.

Pete

Colin Wilson wrote:
I suppose all that depends on how they're applying the hack - they
might be using SQL injection, which can be as simple as sending a URL
request to a server i'm lead to believe (a recent link on StumbleUpon
took me to a site on the subject)

SQL injection is a way of producing a controlled mis-operation on the
server. Get it right, and you have introduced your application on the
server, and you have full control of it.

Get the server right - and I'm no expert on how - and it can't be done.

Andy

In message , Adrian
writes
Hi Andrew

On Mon, 31 Mar 2008 07:35:26 -0700 (PDT), Andrew
wrote:

On 31 Mar, 11:16, Adrian wrote:

Now need to do another website - and the client wants an online form
with sexy clickboxes & all. Any ideas how to defeat the dreaded
spammers ??

It would seem that, once yuu've looked at the source code for an html
page that calls a forms handler, you can then set up your own spambot
to call that handler, and bypass any html-level validation.... there
must be a way of preventing this.... isn't there ??


Are you suggesting that the spammers are looking at the html,
recognising the form submit code and using that to submit their email
directly?

Don;t know just how they're doing it - but I do know that they seemed
to be able to spam using the form script even after we'd added various
validation checks into the html forms page itself - which sort of
suggests that they were bypassing the webpage & calling the script
directly...

[snip]

By writing valid email header and content into the contact form fields.

To: "
From: Bcc: Dear Sir, buy my Viagra"

Probably gives you the idea...

If you asked in an appropriate group there would be 100 people with an
exact solution.

My site has validation code in the form submit proc (asp) which rejects
any form where "bcc:" "To:" "Content-Type:" etc etc are in any of the
form fields.

Personally, I find OT stuff like this to be almost as bad as spam, but
hope the above helps anyway or atleast points you in the right
direction.
Someone

Following up to Adrian

I'm using Agent - but haven't yet discovered how to eliminate the
Chinese spam..... if indeed Agent's capable of doing it.

Seems to come from a different email address each time....

You cant do it with Agent, 40tude allows blocking by Xref
XRef 124.15.*.*
You can also block Googlegroups just allowing known posters from there.
--
Mike
remove clothing to email

HI Mike

On Tue, 1 Apr 2008 08:27:34 +0100, "Mike....."
wrote:

Following up to Adrian

I'm using Agent - but haven't yet discovered how to eliminate the
Chinese spam..... if indeed Agent's capable of doing it.

Seems to come from a different email address each time....

You cant do it with Agent, 40tude allows blocking by Xref
XRef 124.15.*.*
You can also block Googlegroups just allowing known posters from there.

Ah - I see......

Thanks
Adrian

Following up to Adrian

You cant do it with Agent, 40tude allows blocking by Xref
XRef 124.15.*.*
You can also block Googlegroups just allowing known posters from there.

Ah - I see......

#this is a comment line

[uk.waffle.misc]
+100 From "good Guy"
-100 From "

[uk.wreckityourself]
-100 From "
[*] #all groups
-100 From "Steve Bonkers"

+200 From "niceBabe" #a google groups poster
+200 From "

-100 Message-ID googlegroups #kills google
-100 XRef 124.15.*.* # kills more Chinese posts
-100 Xpost %3 # kills 4+ cross posts
!delete score %0 #the coup de gras, or use mark unread or move to a
#special folder to dredge out the innocents who use google later?
#while testing comment out the delete line and see the "scores" you are
#giving, in case of errors


--
Mike
remove clothing to email

On 31 Mar, 17:55, Adrian wrote:

As I said to David - NOF adds a couple of layers of mystery between
your page design and the actual code that's produced - so it's not
easy to delve into the guts of the pages.


Ahhh. that's the bit I missed. All my pages are hand coded so I have
full control over what they do and how.

Andrew

HI Andrew

On Tue, 1 Apr 2008 03:39:50 -0700 (PDT), Andrew
wrote:

On 31 Mar, 17:55, Adrian wrote:

As I said to David - NOF adds a couple of layers of mystery between
your page design and the actual code that's produced - so it's not
easy to delve into the guts of the pages.


Ahhh. that's the bit I missed. All my pages are hand coded so I have
full control over what they do and how.


Yes - that's how I started (fourteen years ago - doesn't time fly !) -
but I'm only doing a little web design nowadays, and, even though it
means relinquishing a certain amount of 'control', I'm leaning towards
packages like NOF on the grounds that they do give you a presentable
website fairly quickly.....

Trade-offs - as always.....

Adrian

On Mar 31, 11:16 am, Adrian wrote:
HI All
Sort of DIY - as in I'm diy-ing some websites.... g

Deleting the latest crop of Chinese newsgroup spam 'genuine lewis
vetton handbags very cheap' - reminded me of an ongoing problem with
website response forms..

[snip]
And no - the answer isn't

a - angle grinder
b - car body filler
or
c - combi boiler !

But good guesses g


I disagree. The answer is /clearly/ "a" - angle grinder (to be
applied to portions of the spammer's anatomy).

.... although I can see a potential argument for "b" - car body filler
(applied liberally and rectally). You'd probably want the fast
setting sort for that application.

On Apr 1, 8:27*am, "Mike....."
wrote:
You can also block Googlegroups

And why would one want to do that?

MBQ

HI Martin

On Tue, 1 Apr 2008 06:24:10 -0700 (PDT), Martin Bonner
wrote:

On Mar 31, 11:16 am, Adrian wrote:
HI All
Sort of DIY - as in I'm diy-ing some websites.... g

Deleting the latest crop of Chinese newsgroup spam 'genuine lewis
vetton handbags very cheap' - reminded me of an ongoing problem with
website response forms..

[snip]
And no - the answer isn't

a - angle grinder
b - car body filler
or
c - combi boiler !

But good guesses g


I disagree. The answer is /clearly/ "a" - angle grinder (to be
applied to portions of the spammer's anatomy).

g


... although I can see a potential argument for "b" - car body filler
(applied liberally and rectally). You'd probably want the fast
setting sort for that application.

Surely expanding foam would be more effective..... g

At least your post brings it back on topic ! (Some folks seem to
worry themselves about such things)

Adrian