Keith Devens .com


Friday, March 10, 2006

Protect against automated form postings

What's a good way to protect against automated form postings? I figure I'll change my Formation library (public version terribly out of date) to automatically (if the form is a POST) add a timestamp field, an IP address field, and a hash of the two with a secret seed to the form, and then automatically reject the submission if it isn't from the same IP address or if the IP+timestamp hash in the form isn't correct. And because the code to do this is in the library, clients of the library don't have to know anything about it.

This scheme would require a spammer to write software to spider my form pages each time before posting a comment, unlike the situation now where they can just spit 'name', 'e-mail', and 'text' at an entry page. That's still possible, of course, but it's unlikely anyone would go through the trouble. An even more protective system would use Javascript to do something fancy, but that's not a route I want to go down.

Anything better I'm missing? What does WordPress do? Matt, what was your idea again?
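The timestamp/IP/hash scheme described in the post, as an added example in Python (not the Formation library's PHP, which the page does not show). The field names, the secret, the one-hour window and the use of HMAC-SHA256 in place of a plain seeded hash are assumptions; the IP check is the one that tripped the proxied reader mentioned later in the thread.

```python
import hmac
import hashlib
import time
from typing import Optional

# Assumed server-side secret; in practice load it from configuration, never from source.
SECRET = b"example-secret-change-me"
MAX_AGE = 3600  # assumed: seconds a rendered form stays valid

def _sign(ip: str, ts: int) -> str:
    # HMAC over "ip|timestamp" instead of hash(seed + fields): the token cannot be
    # forged or extended without the secret, and comparison below is constant-time.
    return hmac.new(SECRET, f"{ip}|{ts}".encode(), hashlib.sha256).hexdigest()

def hidden_fields(client_ip: str, now: Optional[int] = None) -> dict:
    """Fields the library would add to every POST form when rendering it."""
    ts = int(time.time() if now is None else now)
    return {"_ts": str(ts), "_ip": client_ip, "_sig": _sign(client_ip, ts)}

def check_submission(form: dict, client_ip: str, now: Optional[int] = None) -> tuple:
    """Return (accepted, reason); runs before the form's real fields are looked at."""
    try:
        ts = int(form["_ts"])
        ip = form["_ip"]
        sig = form["_sig"]
    except (KeyError, ValueError):
        # A bot that just posts name/e-mail/text never sends these fields at all.
        return False, "missing or malformed anti-automation fields"
    if not hmac.compare_digest(sig, _sign(ip, ts)):
        return False, "signature mismatch"
    if ip != client_ip:
        # A proxy farm that changes the apparent client IP between the GET that
        # served the form and the POST looks exactly like a forgery here.
        return False, "submitted from a different IP than the form was served to"
    age = int(time.time() if now is None else now) - ts
    if age < 0 or age > MAX_AGE:
        return False, "form too old (or timestamp from the future)"
    return True, "ok"
```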


Comments

Joseph Scott (http://joseph.randomnetworks.com/) wrote:

"... it's unlikely anyone would go through the trouble."

They already have gone through the trouble.

∴ Joseph Scott | 10-Mar-2006 3:38pm est | http://joseph.randomnetworks.com/ | #9271

Dennis Pallett (http://www.phpit.net) wrote:

This is quite a difficult problem, and although your solution counters it somewhat, it's far from foolproof. I can't think of any other good way though.

∴ Dennis Pallett | 10-Mar-2006 3:43pm est | http://www.phpit.net | #9272

Keith (http://keithdevens.com/) wrote:

"They already have gone through the trouble."

Well, I figured someone probably has... I just meant that someone would be less likely to go through the trouble for my site (whereas if I was trying to implement something to, say, protect all WordPress blogs, all bets might be off).

Hmm... what about "randomized" field names? Where each field name is a hash of the real field name + the timestamp or something. Would that do anything at all? It's more trouble than it's worth (though actually not that hard with my library); I'm just trying to think outside the box.

Keith | 10-Mar-2006 3:51pm est | http://keithdevens.com/ | #9273

mike macgirvin (http://baddcafe.com/mike) wrote:

I thought long and hard about this problem recently, and my own conclusion was to just require moderation on all comments. That's the best thing in the arsenal for small sites.

I was going to generate a GUID on the form which would only allow one post per form view. But then I'd have to store the GUID and deal with time-to-live issues. Not too hard, but moderation seemed to accomplish the result on my small site without any extra code. Your idea seems to be a cut above the GUID solution by adding the IP check, but along the same principles.

But it's relying a bit on obscurity, which I don't like to rely on. Once somebody knows the method, they can work around it. Hit the site a thousand times quickly to grab a collection of hidden variables and then post them back again just as quick. This would also get around your randomized field names. You can rate limit, but then spammer adds a sleep() call. It's an escalating war...

∴ mike macgirvin | 10-Mar-2006 7:23pm est | http://baddcafe.com/mike | #9274

Keith (http://keithdevens.com/) wrote:

I won't do full moderation because it's giving up too much, particularly for the tiny amount of comment spam I actually get. I'd much rather have comment spam show up for a little while than make people wait to comment and kill any chance for spontaneous conversation.

It'd also be weird if, say, four people responded saying the same thing, but didn't know that they said the same thing because all the comments were moderated. Then when I unmoderated them, the latter 3 would look strange.

"Once somebody knows the method, they can work around it."

Yeah, but it takes them work and that's the point. The harder you make it, the more people you'll weed out. You'll never weed out the most dedicated, or people who comment-spam by hand, but by raising the bar you'll lead people to go elsewhere. No one's going to waste time writing a form processor just for my site, for instance... their time is better spent hitting all the WordPress installs with default templates :)

Keith | 10-Mar-2006 8:19pm est | http://keithdevens.com/ | #9275

mike macgirvin (http://baddcafe.com/mike) wrote:

I understand your parameters... and given that environment, the hash should work fine. I was also recently contemplating a two-stage submit. I know several sites that have email verification for submissions (i.e. craigslist - which also uses captcha), but if you don't need that level of protection a two-click submit might do the trick. Hand back a hash when you get the form input, but wait until you get the hash back in a second POST to process it. This one has a much shorter lifespan than one where you have to wait for typing. Give them a minute or two to verify or toss it.

Just another outside-the-box approach.

∴ mike macgirvin | 10-Mar-2006 8:49pm est | http://baddcafe.com/mike | #9276
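Mike's two-click submit, as an added example that is not part of the original thread: the first POST is stashed under a one-time token, and only a second POST carrying that token within the window publishes it. The in-memory store, the two-minute TTL and the class name are assumptions; making the token single-use is what keeps a harvested token from being replayed.

```python
import secrets
import time
from typing import Optional

CONFIRM_TTL = 120  # assumed: seconds allowed for the confirming click ("a minute or two")

class TwoStageSubmit:
    """Holds submissions between the first POST and the confirming POST."""

    def __init__(self) -> None:
        # token -> (submitted form, expiry time); a real site would use shared storage
        self._pending: dict = {}

    def first_post(self, form: dict, now: Optional[float] = None) -> str:
        # Stash the input under an unguessable token and hand that back in the
        # confirmation page; nothing is published yet.
        now = time.time() if now is None else now
        self._purge(now)
        token = secrets.token_urlsafe(32)
        self._pending[token] = (form, now + CONFIRM_TTL)
        return token

    def second_post(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        # pop() makes the token single-use: a second replay of the same token fails.
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)
        if entry is None:
            return None  # unknown, already used, or purged
        form, expires = entry
        if now > expires:
            return None  # too slow: tossed, as the comment suggests
        return form

    def _purge(self, now: float) -> None:
        # Drop expired entries so abandoned first-stage posts do not pile up.
        self._pending = {t: e for t, e in self._pending.items() if e[1] >= now}
```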

mike macgirvin (http://baddcafe.com/mike) wrote:

Here's the word from WordPress

http://codex.wordpress.org/Combat_Comment_Spam
http://codex.wordpress.org/Plugins/Spam_Tools

I found particularly interesting the 'hashcash' tool - which creates a randomized form element and then uses client-side javascript to compute the md5 of that element and send it back. That's pretty darn effective and relatively hassle-free, unlike captcha and email verify.

∴ mike macgirvin | 10-Mar-2006 10:45pm est | http://baddcafe.com/mike | #9279

Keith (http://keithdevens.com/) wrote:

This has been implemented. It only took a few lines of code, and it's now (automatically) on every form on my site :) View source if you'd like.

Keith | 14-Mar-2006 9:26pm est | http://keithdevens.com/ | #9302

Keith (http://keithdevens.com/) wrote:

Just figured I'd update this... this technique has blocked hundreds of comment spams. Success! :)

Oh, but it also blocked one guy whose ISP uses NetCache NetApp... software that breaks the web.

Keith | 25-Mar-2006 2:02pm est | http://keithdevens.com/ | #9352
