I have an informational database site. I have a "Submit Corrections" form on my website, because more info or corrections are always better. And, of course, spammers take this route to try and spam me. I cut a LOT of it out when I added a Captcha... but recently one or two a day started sneaking through. I have tried the "hidden field, and if it is filled out, drop it" thing, too.
So I decided to look further into a way to stop this.
Like most DB sites, each entry has a unique ID field. I also happen to track the number of hits to an individual page. So I decided to make a hidden field that is a combination of the ID and the Hits; obviously, it is slightly more than just adding them... but a simple, reproducible mathematical function. As my pages are dynamically created, this function is performed live when someone submits the form... Basically, I did a "set $check = 2($ID) + 3($Hits)" in the template, which sets a variable without showing how it is set to a "View Source".
The mathematics are "hidden" in my template, and all that shows to a view source is the final product... returned to the script with a <input name="check" type="hidden" value="$check" />. The numbers used to create this check number are also NOT passed in the form (that is important)... but all the variables are available to the page for figuring it out.
Then my cgi script first checks that "$check" exists; if not, I ban the IP. Then it pulls the relevant fields from the database (NOT from the form!), and performs the function. If it does NOT exactly match "$check", ban the IP.
I like this because the "$check" number changes every time it is run. Probably not perfect, but so far (24 hours!), 4 bans and none got through!
If you have a way to make this even better, let me know. If you can use this idea, I hope you will. Spammers suck!
Dave
When the original (not reporting) page is called, FIRST it increments the "Hits" field, and checks against an IP/ID/Date hash; you can only increment the Hits counter once every 7 days. I guess there is an outside chance someone else could look at the page, too, and increment it... maybe I should work out a +/- 2 to it?
Mainly, I just wanted to spark people to think about passing a unique number made from page components as a check... if not "Hits", it could be ID and date or something else... Maybe have a site-wide constant that is changed daily at midnight...
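The flow Dave describes across the two posts above (a hidden check computed from ID and Hits, recomputed from the database row on submit, the hit counted at most once per IP/ID per 7 days, and the optional +/- tolerance), as an added Python example that is not code from the thread. The in-memory tables, the 2-day "polite" ban length, the demo date and the entry ID arriving via the request path rather than the form are assumptions.

```python
from datetime import date, timedelta

# Constructed stand-ins for the site's database and ban list (assumptions, not
# the poster's real schema): entry rows, per-IP/ID hit dates, polite-ban expiry.
ENTRIES = {42: {"hits": 17}}
HIT_LOG = {}             # (ip, entry_id) -> date the hit was last counted
BANNED = {}              # ip -> date the polite ban expires
HIT_WINDOW = timedelta(days=7)
BAN_LENGTH = timedelta(days=2)   # assumed "day or two" polite ban
DEMO_DAY = date(2024, 1, 1)      # constructed date used by the demo below

def compute_check(entry_id, hits):
    """The post's reproducible function: 2*ID + 3*Hits. Only its result reaches the HTML."""
    return 2 * entry_id + 3 * hits

def render_page(ip, entry_id, today):
    """Entry page: count the hit at most once per IP/ID per 7 days, then emit the
    hidden check field. The ID and Hits values themselves never go into the form."""
    last = HIT_LOG.get((ip, entry_id))
    if last is None or today - last >= HIT_WINDOW:
        ENTRIES[entry_id]["hits"] += 1
        HIT_LOG[(ip, entry_id)] = today
    check = compute_check(entry_id, ENTRIES[entry_id]["hits"])
    return f'<input name="check" type="hidden" value="{check}" />'

def handle_submission(ip, entry_id, form, today, tolerance=0):
    """CGI side. entry_id is assumed to come from the request path, not the form.
    A missing or mismatched check gets a polite ban; the expected value is
    recomputed from the DATABASE row, never from form fields. tolerance is the
    poster's optional +/- slack on Hits for a concurrent viewer."""
    if BANNED.get(ip, date.min) > today:
        return "banned"
    raw = form.get("check")
    if raw is None or not raw.isdigit():
        BANNED[ip] = today + BAN_LENGTH
        return "banned"
    hits = ENTRIES[entry_id]["hits"]
    valid = {compute_check(entry_id, h) for h in range(hits - tolerance, hits + tolerance + 1)}
    if int(raw) not in valid:
        BANNED[ip] = today + BAN_LENGTH
        return "banned"
    return "accepted"

if __name__ == "__main__":
    print(render_page("198.51.100.7", 42, DEMO_DAY))
    print(handle_submission("198.51.100.7", 42, {"check": "138"}, DEMO_DAY))
```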
Your idea is good, but it's one of those things that might work well due to its uniqueness. If spammers have to figure out a different system for every website they try to spam it will seriously slow them down. So don't be too specific about the way you're doing this, even if you think it will help others. It's enough that you prompt other webmasters to think of this kind of thing, and ideally people will put a range of techniques into practice.
When I ban IPs, it is usually only a day or two; it is a "polite" ban. You can't access anything on the site, but there is a contact e-mail to e-mail if a "real" person gets to it. I use it for a variety of things. Like you said, just best off not mentioning exactly what my security is. I have that all tuned pretty good. I think it has been 2-3 YEARS since I have had a human e-mail me about an improper ban.
I have a more serious ban, using ipfw; you get on that, and it is forever! But that one I have to actively add someone to... so no automation in that. This other, more polite ban is only for a few days.