Help!! PHP security issues

Anon

Okay I have a huge problem... I need some help.

I have a free lotto site (www.iwinweekly.com). I could go on to explain how
the site works but the best way to see is just to go there and play a ticket
or two (just enter any email address)

Here is my problem. Some person from China has wrote a program to play our
tickets automatically. His program creates free email address from yahoo and
other free email sites. the the program uses these email addresses to play
our game. The each email goes on and play all the tickets and starts over.
The program does multiple threads at once. We have tried everything to stop
him.... he is using open relays from all over the world so we can't ban his
IP.... We can't even trace his IP. We have tried all kinds of PHP security
steps but every time we put one in place he finds away around it.

He is entering over 10,000 tickets per day and is screwing up stats. Does
anyone have any suggestions from a mysql standpoint or any on how to stop
him?

Thanks
Chris

inspire

Yea,

Dont allow Hotbot or Yahoo email addresses.

Put in a filter to verify that the email address is neither of those 2, I am sure there are more free emails out there.. find the ones he is using in particular and shut them all down.

Really stinks but hey, most people have "real" email addresses, and I assume those are the people you would like to target in the first place.

My 1/2 cent

John

matto

just some ideas:

on first page load, you could set a cookie and check for it when the form is submitted.
that will force him to simulate a web client (eg using snoopy) with his bot. things get more complicated for him.

in addition to that, you could randomly change variable/parm names; choose from a variety of senseless form element names that appear only once.

furthermore, if you're using a cookie in order to verify that the page was entered once before submitting (as above), you could change this cookie name and content, too.

if you see that someone's passing an already used random value, ban the ip instantly; so his camouflage 😉 tricks are less efficient.

it still isn't 100% proof ... but perhaps worth trying out.

amcgrath

Yea, what i would do if it were me, and this is temporary at best, but use logic to name the input field a random name each time that either follows logic you define, or can be retireved (a la in a table). Also, you might wanna watch how you format the page (if you follow my advice above, then if it were me and I lived in China and I wanted to win, I would look for
To Play - Click Here!</a></font><br>
and grab the very next input field, so putting non printing characters,etc might be a little helpful.

My suggestion isn't foolproof. Sooner or later he'll figure it out. Good Luck.

amcgrath

One other thing too, in the receiving script check for the referrer.... umm, what else would I do? (And again, most of these are not foolproof, but you might discourage him by making it difficult...) you could have a verification page, or send an email back to whoever posted requiring them to confirm....

All just a couplea little things, but it might be enough

Anon

that's a good one (china, you say? how so?). a) seemingly random var names would really help a lot - at least much more than numbering the boxes from 0 to 63. b) banning people with freemail accounts would certainly not help your business the least. c) i got the referrer idea, too, but if IPs change often, and are not good for nailing the source, what's the point knowing them (hmm)? d) i guess you cannot stop the person form doing the roundtrips since you're encouraging people to do exactly that. to make things harder for scripts that just simulate the trips, i think the cookie idea might help, but what if i don't let you set them on my machine and consequently you couldn't verify they? would i be a 'suspect'? maybe this could help: let the scripts (not just php) require at least some kind of GUI client. some event capturing on mouse clicks could do. perhaps better: on the client you could, for instance, check the presence of frames or sth else relevant to your pages. good luck, too ...

Anon

HTTP clients can easily be imitated, so cookies, forms and so on would probably not help you much, maybe a day or two. If you add some of the tips, like random values at the signup page, the guy can just make a client that fetches the page and get all the variables he needs to send. Thats simple.

To completely be secure from this kind of attack, you must make a feature that simply cannot be duplicated easily in a bot. Altavista solved this by displaying graphical letters which the user needs to input before they can submit a page. A simple bot cannot detect that.

Combined with sessions that track the time difference the client uses between pages, you can easily detect bots. A normal client uses several seconds normally, especially to fill out a form. Check for the time the client use, and you'll get rid of the problem.

just my 2 cents,
morty

phpwebhosting

I would use gd to create a image of a random number. Have the user type in the number they see and then check there submission to see if it matched.

Not perfect (nothing is 100%) but I've seen other sites do things similiar to this and it should stop all but the most determined.

Greg

phpwebhosting.com

Anon

Thank you all for your posts.... we have stopped them temporarily by suspending all the free email domains he was using. In the meantime we are going to create something simular to altavista and yahoo verification check. Basically an image with different letters and they have to put the correct letters in. They only have to do this once and then the account is activated and can submit tickets.

If any one know where I can get info on creating this process or one simular with PHP that would be great.

Thanks you all for your responses.

Chris
http://www.iwinweekly.com