
Re: Spam resistant guestbook ?



On Mon, Sep 25, 2006 at 08:37:55PM -0400, Chris Wagner wrote:
> At 09:54 AM 9/26/2006 +1000, Craig Sanders wrote:
> >3. randomise the name of the main input field, and have it change
> >every day (or every few hours). e.g. instead of hard-coding the field
> >name, have the CGI script fetch the current name of the field from
> >a text file. the script can then generate the form with the random
> >field name AND know which field name to get the user-submitted post
> >from.
>
> I've been thinking about a rotating field name strategy.  It's still
> subject to the in-the-end-it's-impossible dictum but it would make it
> a great deal harder for the spammer.  Because in the end, that's all
> we can do is make it harder.

true.

> The way I would do it would be to have random field names
> autogenerated on a per connection basis.  So the guestbook script
> would generate a set of field names, and associate that with the
> requesting IP address or a cookie.

that's a really good idea, and avoids the race condition i mentioned.
maybe use the md5sum of the client IP address as the field name (with a
letter or word prefixed just to make sure it starts with a letter which,
IIRC, is a requirement of HTML form field names)


> The field names could then only be used once in a say 1 hour time
> span.

maybe the field name could be based on an md5sum of the client IP
address and the current YYYYMMDDHH (although using the time and/or date
reintroduces the race condition. actually, even the IP address could be
problematic with some transparent proxying setups where the connection
is proxied to one of several load-balanced proxy servers...and the
LB isn't configured to do persistent connections. very rare, but not
unknown).

> It can also be made more complex with cookie exchanges.  This would
> stop the bots that autoscan the net for forms to submit to and there's
> no race condition to worry about.  But anybody who knows how to use
> WWW::Mechanize would eventually come up with a way through this as
> well.

yep, it's easy to do cookie stuff with scripts. i've written several
LWP scripts which fetch stuff for me from sites that require cookies
(e.g. from a trading post site with good data but a really crappy web
interface - my script fetches all entries matching my search string and
presents it as one big page rather than making me click next on dozens
of pages)


craig

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
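The per-client rotating field name discussed above (md5sum of the client IP plus the current YYYYMMDDHH, with a letter prefixed so the name is a valid HTML field name), worked through as an added example; this is not code from the thread or from any guestbook script mentioned in it. It departs from the proposal in one way, stated here as an assumption: the name is derived with HMAC-MD5 keyed by a server-side secret rather than a bare md5sum, so a visitor who knows the scheme cannot precompute the field name for another IP. It also accepts the previous hour's name on submission, which covers the hour-boundary race Craig points out. The IP addresses, secret and form data are constructed for the example.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Server-side secret (constructed placeholder). A real deployment would read it
# from a file outside the web root, much like the thread's "current field name
# in a text file" idea, and rotate it occasionally.
SECRET = b"constructed-example-secret-replace-me"


def hour_bucket(when):
    """YYYYMMDDHH string, the one-hour window the thread proposes."""
    return when.strftime("%Y%m%d%H")


def field_name(client_ip, when, secret=SECRET):
    """Derive the comment field name for this client and hour.

    The thread suggests md5sum(IP); here the digest is HMAC-MD5 keyed with a
    server secret (an assumption of this example) so the name cannot be
    precomputed without the key. The leading "f" guarantees the name starts
    with a letter, the HTML form-name requirement noted in the thread.
    """
    msg = "{}|{}".format(client_ip, hour_bucket(when)).encode()
    digest = hmac.new(secret, msg, hashlib.md5).hexdigest()
    return "f" + digest


def render_form(client_ip, when):
    """Emit the guestbook form with the per-client, per-hour field name."""
    name = field_name(client_ip, when)
    return (
        '<form method="post" action="/guestbook.cgi">\n'
        '<textarea name="{}"></textarea>\n'
        '<input type="submit" value="Post">\n'
        "</form>"
    ).format(name)


def extract_post(form_data, client_ip, when, grace=timedelta(hours=1)):
    """Fetch the submitted comment by its rotating field name.

    Tries the current hour's name first, then the previous hour's, so a form
    rendered at 09:59 and submitted at 10:01 is still accepted (the race
    condition the thread mentions). Returns None when neither name is present,
    which is what a bot posting to a hard-coded field name, or replaying a
    name from hours ago, produces.
    """
    for candidate in (when, when - grace):
        name = field_name(client_ip, candidate)
        if name in form_data:
            return form_data[name]
    return None


if __name__ == "__main__":
    now = datetime(2006, 9, 26, 9, 54, tzinfo=timezone.utc)  # constructed time
    print(render_form("203.0.113.7", now))
```

The fallback to the previous bucket is what makes the hour window usable in practice; without it, every submission straddling the rollover is silently dropped, and the thread's "only usable once in a say 1 hour time span" has to be enforced by checking the submitted name against the set of names handed out, not just by recomputing it.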
