email spam prevention using ip number of server

steamPunk

I'm having probs with spam mail from a php contact form - I've included the code for removing line returns and other such hacking techniques

but I'm not sure what to do about preventing a bot from sending POST varaibles from a different server - I read up in the manual about HTTP_REFERER :

'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

so this doesn't seem like a usable method

is there a way of checking that the form has been received from the ip number of the server hosting the site ?

thanks

etully

is there a way of checking that the form has been received from the ip number of the server hosting the site ?

That's not how the Internet works. Let's say that Bob is an AOL customer. He visits your form page. A copy of the HTML of the form is transferred from your web server to his local computer. He fills in the form and clicks Continue. His computer (with his personal IP address) sends a copy of the contents of the form to your web server. In other words, when Bob visits your web site, he's not really visiting your web site by driving across the country to the building where your web site is hosted and sitting down at your web server, and filling in the form on your web server.

The spammer is doing the same thing. He views your web site, a copy of the HTML of the form is sent from your web server to his personal computer. Instead of filling in the form immediately, the spammer waits an hour. And instead of filling in the form manually, he writes a little computer program to send the supposed "content" of the form (it's really spam), to your web server. So for all intents and purposes, it's mostly impossible to determine the difference between a spammer and a real customer using your web form.

The HTTP_REFERER is a good start and it will stop an amateur but a good spammer probably knows how to spoof the referrer address so it's probably not going to help you.

The solutions my clients use are:

Captcha fields (Type in these letters) to prove you're a real person.
Enter your CC # and we'll bill you for contacting us. That will stop a spammer.
Sign up for an account to contact us. We'll send you an email to your machine and you have to respond before you can use our web form to contact us. You can only contact us 10 times a day.
Check the IP address of the remote server. If it's coming from Nigeria, don't accept the connection. If it's coming from an IP address that has sent more than 3 emails in the last hour, don't accept the connection.
One of my clients serves a local university. Students use the web form to contact the company. In order to use the web form, the student must have an email address that ends in ".edu" and they must sign up for an account first. This has completely stopped abuse of their web form.

steamPunk

aha!

PLENTY to think about there

thanks

MarkR

You can't use referrer for anything useful. Ignore it.

Some of these techniques work. The main one is to moderate submissions.

You could of course check $_POST for superfluous fields not present in your form, or missing ones, and refuse to send anything then - but that will only stop broken spam bots, not working ones.

rate limiting is good.

Captchas are bad because they will piss off your legitimate users - use them as a last resort only (e.g. if you are Google or Yahoo).

IP addresses of known offenders are generally useless, as blacklists
- Aren't complete
- Do contain false positives
- Contain entries added/omitted based on political motivation of their owners

Most spam comes from botnets which use compromised home machines - Nigerian spammers almost certainly won't post from Nigeria, they'll just buy some compromised botnets.

Mark

etully

You can't use referrer for anything useful.

Well, let's not throw them out just yet. They are good for some very useful things. But you're right, security is not one of them.

Nigerian spammers almost certainly won't post from Nigeria, they'll just buy some compromised botnets.

That's completely true. I really should have mentioned that.

My client who asked me to set up that filter still gets 10-20 fraudulent posts a day from Nigerian IP's. 100% of the posts from Nigeria are fraudulent... but less than 1% of all fraudulent posts are from Nigeria so as a spam blocker, this method won't help much. But it does make me feel better for some reason.

steamPunk

as i understand it, the smart spammer will look at the html of my mail form and write a thing that sends the correct $_POST vars to the handling file

which means that (apart from the first time), the spammer won't be visiting the mail form page at all

so ... if i generate a random 16-digit code on the form page and put it into a SESSION and also into a hidden field in the form

then i can compare the incoming $_POST code with the SESSION code to see if they match

that would mean that the spammer would have to visit the form every time or it wouldn't work

or is there something i haven't thought of ??

NogDog

steamPunk wrote:
as i understand it, the smart spammer will look at the html of my mail form and write a thing that sends the correct $_POST vars to the handling file

which means that (apart from the first time), the spammer won't be visiting the mail form page at all

so ... if i generate a random 16-digit code on the form page and put it into a SESSION and also into a hidden field in the form

then i can compare the incoming $_POST code with the SESSION code to see if they match

that would mean that the spammer would have to visit the form every time or it wouldn't work

or is there something i haven't thought of ??

Theoretically, a spammer could use cURL or such in a script to call your form page, grab the session cookie, and send it back with each request. Now whether or not any spammer would want to go to the trouble of doing all that is another question.

Personally, I gave up on trying to figure out a slick programmatic solution and settled on using reCAPTCHA, as I think users are generally used to CAPTHCA's at this point, and at least reCAPTCHA has a worthwhile secondary purpose. It also has a built-in audio option for vision-impaired users.

steamPunk

ok - I'll have a look at reCAPTCHA

thanks again to all

MarkR

Using a CAPTCHA should be a *LAST* resort. You should probably not do it. They're terrible for usability. Users will hate them.

If you're trying to get feedback from your users, a CAPTCHA is an almost guaranteed way to ensure that they don't bother leaving any. People will only complete a captcha if it's absolutely required to achieve something they really want.

Moreover, most spambots aren't very clever.

Make a form with whatever features you feel are still usable, but will defeat most spambots (use a hidden field with a magic cookie or something if you like)
Have an efficient way of dealing with spam if it occurs (e.g. a method which enables the admin to efficiently bulk delete comments / accounts)
Have a rate-limiter which limits how many times the spammer (or anyone) can post it.
Ensure that the spammers can gain nothing - don't post unmoderated comments.

Mark

schwim

Hi there MarkR,

Could you expound on "magic cookie"? I understand the hidden field, but don't understand what you mean by that term.

Thanks,
json

MarkR

Essentially, a hidden field containing an arbitrary value which changes quite often, and the form posting is not accepted without the right value in this field.

This technique is normally used to prevent / mitigate CSRF attacks rather than discourage bots, but can help that too.

Sadly, due to ASP.NET, which uses such a value on every form, bots are now largely capable of passing this.

If you don't mind requiring Javascript, you could put some simple client-side Javascript to populate a hidden field - bots don't normally run this.

It is VERY unlikely that a spammer is going to create a robot specifically for your site. Spammers don't actually create tools at all - they can't code. They just run other peoples' tools which are NOT created specifically for your site.

If you think a spammer is going to code a bot for your site, you are probably being somewhat big-headed about the importance of your site. Unless of course, you're the next Google or Yahoo, Flickr etc (yeah, right!).

Mark

schwim

Hi there Mark, and thanks very much for your reply.

I am of the same mindset as you, that if I can do a few general checks, then I'm going to be in pretty good shape, as spammers will hit hundreds of sites and sites that don't get spammed, if they are even noticed are dropped in search of the next batch.

I'm not going to spend my time making it bulletproof. I'm going to make it secure enough that I'm less appealing than the others 😃

Thanks very much for your explanations. I've been reading up on it and have actually begun implementing some of the features.

thanks,
json

dagon

just to add to the knowledge pot.

most spammers post lots of urls where most user don't i find checking for more than 3 url's in any post quite effective.

If your running spam assassin locally you can pass every post through it.

I find a hidden filed called zip works great, most of the bots fill it in.

schwim

zip is good, I was just going to try another name for URL, like website or something like that.

thanks,
json

dagon

ph, phone, state, country...

anything that could be on a ligit form but you don't use