Blogging and spam comments

classic Classic list List threaded Threaded
18 messages Options
Reply | Threaded
Open this post in threaded view
|

Blogging and spam comments

Jussi Hirvi
I need spam-fighting tips... All my blogs have in recent days been bombarded
with spam comments that are hard to recognize. Like this:

    IP (changes all the time)
    Email: [hidden email]
    Www: ldmo.dmfodmk.com
    Title: dsdfmk dfmkll  dfmdkl
    Content: mdflmk  dfmkl m df mkmk mkmklkper mp mo

LassoBlogger has currently no way to recognize these as spam. As a temp
measure I have directed all comments to moderation queue.

I haven't tried the "invisible field" method (a "required" field with
display:none). Though that would probably not stop the current attacks.

Would Akismet help? I remember that Jason made a Lasso API for that.

Any ideas?

- Jussi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C, 00250 Helsinki * Puh. ja fax (09) 493 981
Tekstiviestit 040 771 2098 * Kotipuhelin (09) 4286 1785
[hidden email] * http://www.greenspot.fi



--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

stevepiercy
http://www.nabble.com/Anti-form-spam-techniques-summary-and-examples-tp10315788p10315788.html

http://www.nabble.com/Event-Schedule-Problem-to4903902.html#a7323728

The latter can be modified to search for any specific string.

Search Nabble for "form spam" for more ideas.

--steve


On Tuesday, July 29, 2008, [hidden email] (Jussi Hirvi) pronounced:

>I need spam-fighting tips... All my blogs have in recent days been bombarded
>with spam comments that are hard to recognize. Like this:
>
>    IP (changes all the time)
>    Email: [hidden email]
>    Www: ldmo.dmfodmk.com
>    Title: dsdfmk dfmkll  dfmdkl
>    Content: mdflmk  dfmkl m df mkmk mkmklkper mp mo
>
>LassoBlogger has currently no way to recognize these as spam. As a temp
>measure I have directed all comments to moderation queue.
>
>I haven't tried the "invisible field" method (a "required" field with
>display:none). Though that would probably not stop the current attacks.
>
>Would Akismet help? I remember that Jason made a Lasso API for that.
>
>Any ideas?
>
>- Jussi
>
>--
>Jussi Hirvi * Green Spot
>Topeliuksenkatu 15 C, 00250 Helsinki * Puh. ja fax (09) 493 981
>Tekstiviestit 040 771 2098 * Kotipuhelin (09) 4286 1785
>[hidden email] * http://www.greenspot.fi
>
>
>

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Fabrizio Carioni
I had, and still have continuous attacks of that kind on forums that
I want to keep totally public.

What I did was to keep a log of the origin (ip and country) of the
incoming spam. After a short while I found that 90% of the spam was
coming from a small group of countries. Countries that almost surely
had no interest in the forum and that never sent in the past any real
messages.

Cutting those countries out solved almost completely the problem.
Never received one single email from someone from one of those
countries that was trying to send a message to the forum.

I don't feel comfortable with this and I do hate the idea that some
good guy could be banned out of a public system just because he
happens to live in the wrong country, but...

Looking at the logs, I also notice some machines with the same ip
continuously try to post messages. Month after month. Easy to cut out.

One thing I do is to never give a message when i filter out. Even if
it's bots, let them think thei message passed through.

My2Cents

Ciao






>http://www.nabble.com/Anti-form-spam-techniques-summary-and-examples-tp10315788p10315788.html
>
>http://www.nabble.com/Event-Schedule-Problem-to4903902.html#a7323728
>
>The latter can be modified to search for any specific string.
>
>Search Nabble for "form spam" for more ideas.
>
>--steve
>
>
>On Tuesday, July 29, 2008, [hidden email] (Jussi Hirvi) pronounced:
>
>>I need spam-fighting tips... All my blogs have in recent days been bombarded
>>with spam comments that are hard to recognize. Like this:
>>
>>     IP (changes all the time)
>>     Email: [hidden email]
>>     Www: ldmo.dmfodmk.com
>>     Title: dsdfmk dfmkll  dfmdkl
>>     Content: mdflmk  dfmkl m df mkmk mkmklkper mp mo
>>
>>LassoBlogger has currently no way to recognize these as spam. As a temp
>>measure I have directed all comments to moderation queue.
>>
>>I haven't tried the "invisible field" method (a "required" field with
>>display:none). Though that would probably not stop the current attacks.
>>
>>Would Akismet help? I remember that Jason made a Lasso API for that.
>>
>>Any ideas?
>>
>>- Jussi
>>
>>--
>>Jussi Hirvi * Green Spot
>>Topeliuksenkatu 15 C, 00250 Helsinki * Puh. ja fax (09) 493 981
>>Tekstiviestit 040 771 2098 * Kotipuhelin (09) 4286 1785
>>[hidden email] * http://www.greenspot.fi
>>
>>
>>
>
>-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
>Steve Piercy               Web Site Builder               Soquel, CA
><[hidden email]>                  <http://www.StevePiercy.com/>
>
>--
>This list is a free service of LassoSoft: http://www.LassoSoft.com/
>Search the list archives: http://www.ListSearch.com/Lasso/Browse/
>Manage your subscription: http://www.ListSearch.com/Lasso/


--
======================================================================
Fabrizio Carioni - Golem100
S.r.l.                                                                                
Gran Sasso (via), 50 - 20090 - Segrate (Mi) - Italy
Voice +39-02-2133402  -  Fax +39-02-93650749  - Mobile 3356463448
Email [hidden email] - URL http://www.golem100.com/
======================================================================

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

stevepiercy
On Tuesday, July 29, 2008, [hidden email] (Fabrizio Carioni) pronounced:

>One thing I do is to never give a message when i filter out. Even if
>it's bots, let them think thei message passed through.

I disagree with this tactic because spammers share links to forms that they perceive to be vulnerable.  If you check your weblogs for referring URLs, you might find that one specific hacker forum is sending a lot of traffic your way.  I think it is better to display a simple http header response "Access denied for spamming attempt".  In that case, if you do get a false positive, the user might figure out that they should contact you about the error.

--steve

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Jussi Hirvi
In reply to this post by stevepiercy
Steve Piercy - Web Site Builder ([hidden email]) kirjoitteli (29.7.2008
12:06):
> http://www.nabble.com/Anti-form-spam-techniques-summary-and-examples-tp1031578
> 8p10315788.html
>
> http://www.nabble.com/Event-Schedule-Problem-to4903902.html#a7323728
>
> The latter can be modified to search for any specific string.

Thanks Steve. The latter one was about multipart/alternative - I have never
yet seen that type of spam in my solutions. The first one pointed to a
useful article with several ideas that I could test.

Fabrizio Carioni ([hidden email]) kirjoitteli (29.7.2008 12:38):
> One thing I do is to never give a message when i filter out. Even if
> it's bots, let them think thei message passed through.

I partly disagree with this - depending on the anti-spam technique in
question. In your case - form input is rejected because of country - I would
give the user frank feedback about what has happened. If it's a good guy, he
then has the option to contact you. If it's a bad guy, your anti-spam system
should be so foolproof that it cannot be tricked anyway.

For some techniques, of course, the user should *not* be told - for example
hidden form fields that the spammer is tricked to fill in.

- Jussi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
[hidden email] * http://www.greenspot.fi


--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Fabrizio Carioni
In reply to this post by stevepiercy
>On Tuesday, July 29, 2008, [hidden email] (Fabrizio Carioni)
>pronounced:
>
>>One thing I do is to never give a message when i filter out. Even if
>>it's bots, let them think thei message passed through.
>
>I disagree with this tactic because spammers share links to forms
>that they perceive to be vulnerable.  If you check your weblogs for
>referring URLs, you might find that one specific hacker forum is
>sending a lot of traffic your way.  I think it is better to display
>a simple http header response "Access denied for spamming attempt".
>In that case, if you do get a false positive, the user might figure
>out that they should contact you about the error.
>
>--steve

Thx for the point!

Ciao
--
======================================================================
Fabrizio Carioni - Golem100
S.r.l.                                                                                
Gran Sasso (via), 50 - 20090 - Segrate (Mi) - Italy
Voice +39-02-2133402  -  Fax +39-02-93650749  - Mobile 3356463448
Email [hidden email] - URL http://www.golem100.com/
======================================================================

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Jim VH-2
In reply to this post by stevepiercy
I have implemented several of these anti-spam techniques and they have  
worked great until recently. Lately, I'm just getting junk submissions  
with no appearance of them really wanting to redirect you anywhere else.

This is what I have in place now that no longer seems to do the trick:

// ---------------------------------
// Spam Trap
// ---------------------------------
       
Var:'Spam'='N';
               
If:(Action_Param:'subject');
        // hidden field input
        Var:'Spam'='Y';
Else:(String:(Action_Params)) >> 'Content-';
        // Content input
        Var:'Spam'='Y';
Else:(String:(Action_Params)) >> '</a>';
        // URL input
        Var:'Spam'='Y';
Else:(String:(Action_Params)) >> '/url';
        // URL input
        Var:'Spam'='Y';
        // Multipart input
Else:(string:(action_params)) >> 'Content-Type: multipart/alternative';
        Var:'Spam'='Y';
/If;

Any ideas? I'm getting to the point that captcha  is starting to look  
good again.

---
Jim Van Heule
Heunox Corporation



On Jul 29, 2008, at 5:06 AM, Steve Piercy - Web Site Builder wrote:

> http://www.nabble.com/Anti-form-spam-techniques-summary-and-examples-tp10315788p10315788.html
>
> http://www.nabble.com/Event-Schedule-Problem-to4903902.html#a7323728
>
> The latter can be modified to search for any specific string.
>
> Search Nabble for "form spam" for more ideas.
>
> --steve
>
>
> On Tuesday, July 29, 2008, [hidden email] (Jussi Hirvi)  
> pronounced:
>
>> I need spam-fighting tips... All my blogs have in recent days been  
>> bombarded
>> with spam comments that are hard to recognize. Like this:
>>
>>   IP (changes all the time)
>>   Email: [hidden email]
>>   Www: ldmo.dmfodmk.com
>>   Title: dsdfmk dfmkll  dfmdkl
>>   Content: mdflmk  dfmkl m df mkmk mkmklkper mp mo
>>
>> LassoBlogger has currently no way to recognize these as spam. As a  
>> temp
>> measure I have directed all comments to moderation queue.
>>
>> I haven't tried the "invisible field" method (a "required" field with
>> display:none). Though that would probably not stop the current  
>> attacks.
>>
>> Would Akismet help? I remember that Jason made a Lasso API for that.
>>
>> Any ideas?
>>
>> - Jussi
>>
>> --
>> Jussi Hirvi * Green Spot
>> Topeliuksenkatu 15 C, 00250 Helsinki * Puh. ja fax (09) 493 981
>> Tekstiviestit 040 771 2098 * Kotipuhelin (09) 4286 1785
>> [hidden email] * http://www.greenspot.fi
>>
>>
>>
>
> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
> Steve Piercy               Web Site Builder               Soquel, CA
> <[hidden email]>                  <http://www.StevePiercy.com/>
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>


--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Clive Bruton

On 29 Jul 2008, at 14:24, Jim VH wrote:

> Any ideas? I'm getting to the point that captcha  is starting to  
> look good again.

It depends what you're doing and what your audience expects - I don't  
think this technique would work for general blog responses, but it  
might work for feedback forms.

I used to get a lot of spam on my feedback/contact forms, the way I  
stopped it was to put a filter on the form that threw an error (that  
the user saw, and could adapt to) so that the content of a field had  
to be between 20 and 200 characters. Initially this stopped 90% of  
the form spam, and now it seems to have dropped to zero.

I suppose there must also be ways of parsing the content through a  
spam filter (via a shell command) to weed out the suspicious inputs,  
and you could then give feedback to the user that it looks like spam.


-- Clive

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Jim VH-2
This isn't for a blog, but for a very simple 3-input submission form.

Most of my issues is with a very simple form that returns just the  
name, phone and email address. These are the type of responses I get:

Name: firebird copy protection
Phone: jQzvxLjqqFJZnQZ
Email: [hidden email]

I could put in more requirements for the phone field to fit within a  
specific phone format, but think that they will adapt to that fairly  
easily like they already have done for the email and name fields.

---
Jim Van Heule
Heunox Corporation



On Jul 29, 2008, at 9:56 AM, Clive Bruton wrote:

>
> On 29 Jul 2008, at 14:24, Jim VH wrote:
>
>> Any ideas? I'm getting to the point that captcha  is starting to  
>> look good again.
>
> It depends what you're doing and what your audience expects - I  
> don't think this technique would work for general blog responses,  
> but it might work for feedback forms.
>
> I used to get a lot of spam on my feedback/contact forms, the way I  
> stopped it was to put a filter on the form that threw an error (that  
> the user saw, and could adapt to) so that the content of a field had  
> to be between 20 and 200 characters. Initially this stopped 90% of  
> the form spam, and now it seems to have dropped to zero.
>
> I suppose there must also be ways of parsing the content through a  
> spam filter (via a shell command) to weed out the suspicious inputs,  
> and you could then give feedback to the user that it looks like spam.
>
>
> -- Clive
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>


--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Fletcher Sandbeck-3
On 7/29/08 at 10:26 AM, [hidden email] (Jim VH) wrote:

>This isn't for a blog, but for a very simple 3-input submission form.
>
>Most of my issues is with a very simple form that returns just
>the name, phone and email address. These are the type of
>responses I get:
>
>Name: firebird copy protection
>Phone: jQzvxLjqqFJZnQZ
>Email: [hidden email]
>
>I could put in more requirements for the phone field to fit
>within a specific phone format, but think that they will adapt
>to that fairly easily like they already have done for the email
>and name fields.

I think the spammers usually learn the names of the inputs on
the form and then submit a post directly to the response
address.  If you modify the names of the inputs then you might
foul up their submissions.  But, the form will work fine for
normal users who visit the form directly.

Another thing you can do is use a cookie or session.  Set a
value on the form page and then retrieve it on the response
page.  If the value hasn't been set then you know the user has
bypassed the form page.  This would help catch users who submit
directly and users who don't have cookies turned on.

[fletcher]


--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Clive Bruton

On 29 Jul 2008, at 15:40, Fletcher Sandbeck wrote:

> I think the spammers usually learn the names of the inputs on the  
> form and then submit a post directly to the response address.  If  
> you modify the names of the inputs then you might foul up their  
> submissions.  But, the form will work fine for normal users who  
> visit the form directly.

A twist on that is to encode the form input names (blowfish or  
something similar), and change the key on a regular basis - that, or  
putting in an encoded hidden value in the form will pretty much stop  
any inputs that don't use the form.

If you have the key combining the current date, then you're going to  
get a change of key every day at midnight.

I've done this a couple of times, to ensure that the input was from  
the form, seems to work pretty well and didn't get any complaints.


-- Clive

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Trevor Jacques
In reply to this post by Fabrizio Carioni
>>Jussi Hirvi) wrote:
>>>I need spam-fighting tips...

While it's not Lasso based, and for Mac OS X, I've found IPNSX to be
very effective, if set up properly. It tends to take care of the
blacklisting of almost all crack attempts down to about 1 in 1M to 2M
connexions.

Then, for blogs (I host of couple of WP blogs), I use Spamhaus and
YAWASP (<http://www.svenkubiak.de/yawasp-en/>). The latter being very
easy to implement in Lasso, and it seems to be a very effective
technique to prevent form spam, without having to maintain lists of
IPs.

HTH.

T.

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Bil Corry-3
In reply to this post by Clive Bruton
Clive Bruton wrote on 7/29/2008 10:01 AM:
> If you have the key combining the current date, then you're going to get
> a change of key every day at midnight.

Or just blowfish encrypt the date and time, then on the response page, compare it to the current date and time.  If the delta is less than 15 seconds or greater than four hours, reject the submission.


- Bil


--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Clive Bruton

On 29 Jul 2008, at 16:26, Bil Corry wrote:

> Or just blowfish encrypt the date and time, then on the response  
> page, compare it to the current date and time.  If the delta is  
> less than 15 seconds or greater than four hours, reject the  
> submission.

Yes, that would work just as well, probably easier to implement,  
adjust the times to suit.


-- Clive

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

stevepiercy
In reply to this post by Jim VH-2
This is redundant:
Else:(string:(action_params)) >> 'Content-Type: multipart/alternative';

to this:
Else:(String:(Action_Params)) >> 'Content-';

So remove the former.

In addition to the techniques suggested by others, the CSS-styled hidden input technique works pretty well, too.  I would be averse to cookies, but that might just be due to my recent (and current) troubles with users of IE6/7.

In case you use the form-response, two-page style of form processing, I recommend converting it into a single file or a single file that pulls in relevant content when the logic calls it, so that spammers do not bypass the logic for the form submission.

--steve


On Tuesday, July 29, 2008, [hidden email] (Jim VH) pronounced:

>I have implemented several of these anti-spam techniques and they have  
>worked great until recently. Lately, I'm just getting junk submissions  
>with no appearance of them really wanting to redirect you anywhere else.
>
>This is what I have in place now that no longer seems to do the trick:
>
>// ---------------------------------
>// Spam Trap
>// ---------------------------------
>  
>Var:'Spam'='N';
>      
>If:(Action_Param:'subject');
>   // hidden field input
>   Var:'Spam'='Y';
>Else:(String:(Action_Params)) >> 'Content-';
>   // Content input
>   Var:'Spam'='Y';
>Else:(String:(Action_Params)) >> '</a>';
>   // URL input
>   Var:'Spam'='Y';
>Else:(String:(Action_Params)) >> '/url';
>   // URL input
>   Var:'Spam'='Y';
>   // Multipart input
>Else:(string:(action_params)) >> 'Content-Type: multipart/alternative';
>   Var:'Spam'='Y';
>/If;
>
>Any ideas? I'm getting to the point that captcha  is starting to look  
>good again.
>
>---
>Jim Van Heule
>Heunox Corporation
>
>
>
>On Jul 29, 2008, at 5:06 AM, Steve Piercy - Web Site Builder wrote:
>
>>
>http://www.nabble.com/Anti-form-spam-techniques-summary-and-examples-
>tp10315788p10315788.html
>>
>> http://www.nabble.com/Event-Schedule-Problem-to4903902.html#a7323728
>>
>> The latter can be modified to search for any specific string.
>>
>> Search Nabble for "form spam" for more ideas.
>>
>> --steve
>>
>>
>> On Tuesday, July 29, 2008, [hidden email] (Jussi Hirvi)  
>> pronounced:
>>
>>> I need spam-fighting tips... All my blogs have in recent days been  
>>> bombarded
>>> with spam comments that are hard to recognize. Like this:
>>>
>>>   IP (changes all the time)
>>>   Email: [hidden email]
>>>   Www: ldmo.dmfodmk.com
>>>   Title: dsdfmk dfmkll  dfmdkl
>>>   Content: mdflmk  dfmkl m df mkmk mkmklkper mp mo
>>>
>>> LassoBlogger has currently no way to recognize these as spam. As a  
>>> temp
>>> measure I have directed all comments to moderation queue.
>>>
>>> I haven't tried the "invisible field" method (a "required" field with
>>> display:none). Though that would probably not stop the current  
>>> attacks.
>>>
>>> Would Akismet help? I remember that Jason made a Lasso API for that.
>>>
>>> Any ideas?
>>>
>>> - Jussi
>>>
>>> --
>>> Jussi Hirvi * Green Spot
>>> Topeliuksenkatu 15 C, 00250 Helsinki * Puh. ja fax (09) 493 981
>>> Tekstiviestit 040 771 2098 * Kotipuhelin (09) 4286 1785
>>> [hidden email] * http://www.greenspot.fi
>>>
>>>
>>>
>>
>> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
>> Steve Piercy               Web Site Builder               Soquel, CA
>> <[hidden email]>                  <http://www.StevePiercy.com/>
>>
>> --
>> This list is a free service of LassoSoft: http://www.LassoSoft.com/
>> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
>> Manage your subscription: http://www.ListSearch.com/Lasso/
>>
>
>

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Bil Corry-3
In reply to this post by Jim VH-2
Jim VH wrote on 7/29/2008 9:26 AM:
> Email: [hidden email]

If you do a MX lookup, the domain pecvsaxi.com isn't setup for email:

        (dns_lookup: 'pecvsaxi.com',-type='MX');

Could be a quick way to throw out very fake email addresses.

In fact, in Jussi's example, the spammer had "ldmo.dmfodmk.com" as their website.  You could do a MX lookup on that and "dmfodmk.com" to see if they have MX records.  If they don't (they actually don't), you could reject it based on that too.


- Bil


--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

jasonhuck
Rejecting on the basis of doing a reverse lookup and checking for MX
records is very common, I have recently discovered, as I am setting up
a new server. I was just dealing with this very issue today!

- jason



On Tue, Jul 29, 2008 at 1:36 PM, Bil Corry <[hidden email]> wrote:

> Jim VH wrote on 7/29/2008 9:26 AM:
>>
>> Email: [hidden email]
>
> If you do a MX lookup, the domain pecvsaxi.com isn't setup for email:
>
>        (dns_lookup: 'pecvsaxi.com',-type='MX');
>
> Could be a quick way to throw out very fake email addresses.
>
> In fact, in Jussi's example, the spammer had "ldmo.dmfodmk.com" as their
> website.  You could do a MX lookup on that and "dmfodmk.com" to see if they
> have MX records.  If they don't (they actually don't), you could reject it
> based on that too.
>
>
> - Bil
>
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>
>



--
tagSwap.net :: Open Source Lasso Code
<http://tagSwap.net/>

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/

Reply | Threaded
Open this post in threaded view
|

Re: Blogging and spam comments

Jim VH-2
In reply to this post by Fletcher Sandbeck-3
This is one smart bot hitting our forms. Here is what I've found.

The Client_IP is never the same. Smart.

The Referrer_URL is always the form page so it is not bypassing the  
form page.

I have sessions already in place and there is a session since it shows  
up in the referrer_url. That was my key. I have sessions setup as -
Auto so it passes the session via the url only when cookies are not  
enabled. My logs show that 99.7% of my visitors use cookies, so I can  
probably safely block a form that shows a session in the referrer_url.

Before I do that however, I changed a few other things:

1. I changed my email input field name to something odd.

2. I changed my hidden input field name to Email and increased the  
field size from 2 to 20.

Once I see how that works, I'll probably still include another  
condition into my spam trap that looks for -session= in the  
referrer_url.

---
Jim Van Heule
Heunox Corporation



On Jul 29, 2008, at 10:40 AM, Fletcher Sandbeck wrote:

> On 7/29/08 at 10:26 AM, [hidden email] (Jim VH) wrote:
>
>> This isn't for a blog, but for a very simple 3-input submission form.
>>
>> Most of my issues is with a very simple form that returns just the  
>> name, phone and email address. These are the type of responses I get:
>>
>> Name: firebird copy protection
>> Phone: jQzvxLjqqFJZnQZ
>> Email: [hidden email]
>>
>> I could put in more requirements for the phone field to fit within  
>> a specific phone format, but think that they will adapt to that  
>> fairly easily like they already have done for the email and name  
>> fields.
>
> I think the spammers usually learn the names of the inputs on the  
> form and then submit a post directly to the response address.  If  
> you modify the names of the inputs then you might foul up their  
> submissions.  But, the form will work fine for normal users who  
> visit the form directly.
>
> Another thing you can do is use a cookie or session.  Set a value on  
> the form page and then retrieve it on the response page.  If the  
> value hasn't been set then you know the user has bypassed the form  
> page.  This would help catch users who submit directly and users who  
> don't have cookies turned on.
>
> [fletcher]
>
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>


--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/