  1. #1
    Senior Coder Spudhead's Avatar
    Join Date
    Jun 2002
    Location
    London, UK
    Posts
    1,856
    Thanks
    8
    Thanked 110 Times in 109 Posts

    Stopping the spammers?

    We run a couple of competition entry pages for various clients - recently we've had issues with some **** spamming the entry pages.

    At the moment it's nothing more than an annoyance - the competitions will usually get no more than 1000 or so entries, so when the spammers turn up and automatically drop 10,000 entries in the database, it's pretty noticeable. In addition, there are fairly obvious patterns to the entries:

    * They come from about 1500 IP addresses, but all of those are in the same range (someone is running a botnet based on an ISP's subscribers?)*
    * They use email addresses at about 15 or so different domains - and it follows a pattern of letters and numbers that would be pretty easy to spot with a regex.


    However, I'm stumped as to how I can stop this... nice person... spamming us in future.

    * I really don't want to put a captcha on there - it would discourage too many genuine entrants
    * I can't rely on genuine information in the referer, or the user agent.
    * I could put a timer on there and only let entries from particular IP ranges through every 3 minutes or so. That seems about the best bet at the moment, but it's gonna involve a processing overhead.
    * I can ban whole IP ranges - it's a bit overzealous but it'd put a spanner in the works.
    * I can - and am - blocking the email domains they're using, but there's nothing stopping them coming back with the same mechanism and a whole bunch of different email addresses.


    *Botnets - I don't know much about how these operate and would like to. Anyone? I'm seeing about 1500 distinct IP addresses associated with these spam entries, and they all come from a range controlled by the ISP Deutsche Telecom AG. How is someone doing that? Should I alert Deutsche Telecom? Are they likely to care? Is this just a botnet of compromised machines that share the same ISP?

    Any and all advice / knowledge would be gratefully received.

  • #2
    Regular Coder BabyJack's Avatar
    Join Date
    Apr 2008
    Location
    Somewhere.
    Posts
    602
    Thanks
    43
    Thanked 6 Times in 6 Posts
    Lemme guess... PHPBB2?
    Enlightenment in Coding
    Validate before Posting | Google is your friend for PC Problems | Make sure you have a doctype

  • #3
    Yay
    Regular Coder Yay's Avatar
    Join Date
    Oct 2008
    Location
    54° North, 1° West
    Posts
    102
    Thanks
    9
    Thanked 1 Time in 1 Post
    Yea, there is a mod to prevent the spammers on PHPBB 2.
    I'll find it.

  • #4
    Senior Coder Spudhead's Avatar
    Join Date
    Jun 2002
    Location
    London, UK
    Posts
    1,856
    Thanks
    8
    Thanked 110 Times in 109 Posts
    Umm... no, it's not PHPBB2. The competition submission pages I mentioned are custom-written in ASP, but I didn't really see this as a question specific to any technology: any of the possible "solutions" I posted could be implemented in a variety of ways. I was after some more general ideas as to what might work: captchas seem to be increasingly breakable, and blocking IP addresses or particular input patterns are tied to particular attacks - they only stop attacks from those IP ranges or with those inputs. A spammer could simply change their input, not their mechanism, and resume spamming.

  • #5
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,067
    Thanks
    2
    Thanked 319 Times in 311 Posts
    Should I alert Deutsche Telecom?
    Yes. Provide them with each specific IP address/datetime information and the type of abuse.

    Stopping spam involves two things - preventing/restricting the form submission and preventing the content that is providing them with some benefit.

    It sounds like you have an email opt-in registration system, where they must have access to a valid working email account? That would be your first step.

    Does each competition only accept one submission per account/email address? If so, simply discard any submissions after the first one for any account.

    You need to do everything possible to ensure that your form is submitting to your form processing code. The most effective way (that will eliminate the simple bot scripts) is to start a session on your form page, set a specific session variable to a random/unique id (you can also place this unique id into a hidden form field for some additional checks.) Then on your form processing page, check if this session variable exists. If it does not, then the visitor/bot did not visit your form page to establish the session and/or they don't support passing the session id. If the session variable does exist, then check that the hidden form field contains the correct unique id value. If it does not, then either the bot script does not submit all the field values (the hidden field will be empty) or it blindly places its own content into fields (overwriting your unique id.) Unset the session variable in the form processing code to prevent one visit to your form page from resulting in multiple submissions to your form processing code.

    Lastly, you need to remove the benefit someone is receiving. Is the submitted data being emailed and email header injection is allowing spam to be sent through your mail server? Is it being inserted into a database and someone is probing your script or attempting SQL injection in an effort to break in to your script as an administrator? Is it being displayed on a site and it contains links or XSS attempts?

    Are you validating ALL external data received? If a normal submission only consists of alphabetic characters, numbers, white-space, and some punctuation marks, only allow that content.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • The Following 2 Users Say Thank You to CFMaBiSmAd For This Useful Post:

    bazz (10-14-2008), Spudhead (10-14-2008)
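The session-bound form token CFMaBiSmAd describes, written up as an added example (not code from the thread; the OP's pages are ASP). It assumes an in-memory dict standing in for the server session store, a hidden field named form_token, and that the token is consumed on first use so one form visit yields at most one stored entry.

```python
import hmac
import secrets

# Constructed stand-in for the server-side session store (ASP Session / PHP $_SESSION):
# session_id -> dict of session variables.
SESSIONS = {}
TOKEN_KEY = "entry_form_token"   # assumed session variable name


def new_session():
    """Start a session when the visitor first hits the site; returns the session id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def render_form(session_id):
    """Form page: mint a random one-time id, store it in the session and
    return it so the page can embed it in the hidden form_token field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id][TOKEN_KEY] = token
    return token


def process_entry(session_id, form):
    """Form handler: accept only if the session holds a token AND the hidden
    field carries that exact value. The token is removed before comparing, so
    a second post with the same session is rejected whatever it contains."""
    session = SESSIONS.get(session_id)
    if session is None or TOKEN_KEY not in session:
        # Bot never loaded the form page, or does not carry the session id.
        return "rejected: no session token"
    expected = session.pop(TOKEN_KEY)          # one visit -> one submission
    submitted = form.get("form_token", "")
    # Constant-time comparison; encode so non-ASCII junk cannot raise TypeError.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        # Hidden field empty (bot skips it) or overwritten with the bot's own content.
        return "rejected: hidden field missing or overwritten"
    return "accepted"
```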

  • #6
    Rockstar Coder
    Join Date
    Jun 2002
    Location
    USA
    Posts
    9,074
    Thanks
    1
    Thanked 328 Times in 324 Posts
    If the submitted content is being emailed make sure you are protecting against email injection.

    While more complicated to implement, I like the time limit by IP idea, however that only works if they seem to submit large chunks from a single IP. You could also consider limiting the number of submissions total even with the time limit.
    OracleGuy
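The per-IP time limit OracleGuy and the OP discuss, combined with an overall entry cap, as an added example (not from the thread). It assumes entries are grouped by /24 (IPv4) or /64 (IPv6) network rather than by single address, a 3-minute window, and a constructed "timestamp ip" log to replay; the cap value is illustrative.

```python
import ipaddress

WINDOW_SECONDS = 180     # "every 3 minutes or so"
MAX_TOTAL = 2000         # assumed overall cap per competition


class EntryLimiter:
    """Admit at most one entry per network per window, and at most MAX_TOTAL overall."""

    def __init__(self, window=WINDOW_SECONDS, cap=MAX_TOTAL):
        self.window = window
        self.cap = cap
        self.last_accepted = {}   # network -> time of last accepted entry
        self.total = 0

    @staticmethod
    def bucket(ip):
        # Group by subnet so a botnet rotating hosts inside one range shares a timer.
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    def allow(self, ip, now):
        """Return True if an entry from `ip` at time `now` (seconds) should be stored."""
        if self.total >= self.cap:
            return False
        net = self.bucket(ip)
        last = self.last_accepted.get(net)
        if last is not None and now - last < self.window:
            return False
        self.last_accepted[net] = now
        self.total += 1
        return True


def replay(log_lines, **kwargs):
    """Feed constructed 'epoch_seconds ip' lines through a limiter; return (accepted, dropped)."""
    limiter = EntryLimiter(**kwargs)
    accepted, dropped = [], []
    for line in log_lines:
        ts, ip = line.split()
        (accepted if limiter.allow(ip, int(ts)) else dropped).append(ip)
    return accepted, dropped
```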

  • #7
    Yay
    Regular Coder Yay's Avatar
    Join Date
    Oct 2008
    Location
    54° North, 1° West
    Posts
    102
    Thanks
    9
    Thanked 1 Time in 1 Post
    Use a Captcha then. And limit the number of entries to 1 per IP. Which you could do, somehow.

  • #8
    Senior Coder Spudhead's Avatar
    Join Date
    Jun 2002
    Location
    London, UK
    Posts
    1,856
    Thanks
    8
    Thanked 110 Times in 109 Posts
    Quote Originally Posted by CFMaBiSmAd View Post
    It sounds like you have an email opt-in registration system, where they must have access to a valid working email account? That would be your first step.
    Not sure if I've misunderstood you, but I want to keep the competition entry as easy as possible for genuine entrants - I don't want to put captchas on it, and I don't want to insist on user registration. Otherwise, yes I'd definitely stick registration on there.

    Quote Originally Posted by CFMaBiSmAd View Post
    You need to do everything possible to ensure that your form is submitting to your form processing code. The most effective way (that will eliminate the simple bot scripts) is to start a session on your form page, set a specific session variable to a random/unique id (you can also place this unique id into a hidden form field for some additional checks.) Then on your form processing page, check if this session variable exists. If it does not, then the visitor/bot did not visit your form page to establish the session and/or they don't support passing the session id. If the session variable does exist, then check that the hidden form field contains the correct unique id value. If it does not, then either the bot script does not submit all the field values (the hidden field will be empty) or it blindly places its own content into fields (overwriting your unique id.) Unset the session variable in the form processing code to prevent one visit to your form page from resulting in multiple submissions to your form processing code.
    An extremely useful suggestion (and glaringly obvious, now I think about it). Thank you!

    Quote Originally Posted by CFMaBiSmAd View Post
    Lastly, you need to remove the benefit someone is receiving. Is the submitted data being emailed and email header injection is allowing spam to be sent through your mail server? Is it being inserted into a database and someone is probing your script or attempting SQL injection in an effort to break in to your script as an administrator? Is it being displayed on a site and it contains links or XSS attempts?
    The entries are dropped into a database. There's plenty of validation against SQL injection, but nothing I've seen in the data suggests that they're trying any exploit - they're simply making thousands of entries.

