Contact Us filtering

Contact Us filtering

Greg Hemphill
Hi everyone,

We have a strange issue at one of our client's websites, and I thought
I'd see what the Lasso community thought of this.

We have a Lasso driven Contact Us form on a web page, which writes to a
database and sends an email based on values placed into the form page.  
A political group has created a feature in which you can visit their
website, fill out a form, and their CGI submits their information (plus
a canned subject and message) to our webserver (and several other
websites at the same time) as if the person actually went to our
website and filled out our form...

As a result our client has gotten bombarded with email from this
political group.  To prevent this we created a little if test that
doesn't send an email from our site if it contains the canned subject
line.  However I'm thinking there ought to be a slick way to prevent
this sort of thing in the future.

The best idea I've had so far, is to have a hidden field with a string
of seemingly random characters.  The field would have date and time
encrypted in it, and I would give an error if the value of the
date/time was too far in the past.

Any other ideas?  I'm looking for something that is easy on consumers,
but effective against this type of attack.

Thanks!
Greg
---------------------------------
    Greg Hemphill
    VP of Development
    Webstop.com, Inc.
---------------------------------
    Company: http://www.Webstop.com
    Personal: http://www.MrGHemp.com
    Email: [hidden email]
    AIM: MrGHemp
    Office: 727.942.2797
    Fax: 727.938.2347
    Mobile: 727.692.6886
---------------------------------


--
------------------------------
Lasso Support: http://support.omnipilot.com/
Search the list archives: http://www.listsearch.com/lassotalk.lasso
Manage your list subscription:  
http://www.listsearch.com/lassotalk.lasso?manage

Re: Contact Us filtering

Bil Corry
> The best idea I've had so far, is to have a hidden field with a string
> of seemingly random characters.

They could have their site grab your hidden field upon demand, similar to
include_url in Lasso.  The best solution is to validate that the person is human
using CAPTCHA:

http://www.captcha.net


A lasso implementation:

http://www.lassoforge.com/projects.lasso?PR=44


Just make sure you allow a way to accommodate those using voice-reader browsers
(sight-impaired).


- Bil

------

Bil Corry
[hidden email]

Enterprise internet application development and security consulting
  http://www.fivegeeks.com/

Tools for Rapid Lasso Development
  http://www.lassoware.com/
 

Re: Contact Us filtering

m i l e s
Greg,

Do what GoDaddy does on this very same topic.

To prevent a potential intrusion into the WHOIS database, they place a
random graphic on the page where the enduser has to type the characters
contained in the graphic into a text field; failure to do so, and nothing
is authorized, and you don't get to see the whois data.  In your case this
should be easy enough to do with the ImageMagick tags and a random
6-character password to send the msg.

M i l e s.


Re: Contact Us filtering

Doug Gentry
Greg -

I would use the hidden input approach but go one step better... Use
LassoWare's autoValidate (www.lassoware.com), which is a good, cheap
investment in any case.  When you set up your form use autoValidate
there is a setting to -encrypthidden  so that in the source code the
hidden input value is encrypted. Then on your response page, again
using autoValidate, you will see the unencrypted version of the hidden
field and can test for its presence before actually sending the email
to your client.

If you have more questions about using autoValidate I'm happy to help,
though Bil and Greg have been super with support.

...Doug Gentry

On May 24, 2005, at 11:53 AM, Greg Hemphill wrote:

>
>
> The best idea I've had so far, is to have a hidden field with a string
> of seemingly random characters.  The field would have date and time
> encrypted in it, and I would give an error if the value of the
> date/time was too far in the past.
>
> Any other ideas?  I'm looking for something that is easy on consumers,
> but effective against this type of attack.
>
> Thanks!
> Greg

---
Doug Gentry
Dynapolis & Southern Oregon University
p:  541-261-8501 / Toll Free: 888-490-0644
[hidden email]



Re: Contact Us filtering

Mark Palmer
Hi Greg,

You could just block the IP of their server. Isn't what they are doing
illegal on your side of the pond?

Regards


Mark Palmer, Pageworks

T: 01902 620500            F: 01902 620440
E: [hidden email]    W: www.pageworks.co.uk




Re: Contact Us filtering

stevepiercy
I'm not clear.  Does the CGI submit data through the form, or does it bypass the form and call the URL referred in the <form action>?  If the latter, can you put some check, like referrer_url, in the form processor?

<http://ldml.omnipilot.com/LDMLReference.0.LassoApp?tag=204>

--steve


-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                   <http://www.StevePiercy.com>


Re: Contact Us filtering

Bil Corry
> can you put some check, like referrer_url, in the form processor?

referrer_url is unreliable as some browsers allow you to not send it for
security reasons.  


- Bil

------

Bil Corry
[hidden email]

Enterprise internet application development and security consulting
  http://www.fivegeeks.com/

Tools for Rapid Lasso Development
  http://www.lassoware.com/
 

Re: Contact Us filtering

Viaduct Productions
Check the referrer url.  Proceed only if this is valid from the site, or
page that contains this form.

Cheers


Re: Contact Us filtering

stevepiercy
On Tuesday, May 24, 2005, [hidden email] (Bil Corry) pronounced:

>> can you put some check, like referrer_url, in the form processor?
>
>referrer_url is unreliable as some browsers allow you to not send it for
>security reasons.  

That's disheartening.  :/

How about starting a session on the form page, then checking for the existence of a session variable in the form processor?  It wouldn't take care of whether the submitter is human or machine, but would this not stop sending data to the <form action>?

Although CAPTCHA has some advantages, it does cause some problems, including accessibility.  It has also been cracked with up to a 93% success rate:
<http://www.cs.berkeley.edu/~mori/gimpy/gimpy.html>

Also, a human attacker could simply solve a single CAPTCHA, create a knockoff of your form using the same key and known CAPTCHA text, and submit that form repeatedly. To avoid this, modify your random key selection so that the same key is never used twice and so that used keys are recorded and subsequent attempts to register with the same key are rejected.

I think the suggestion of banning the IP address in the firewall is a good idea, too.  I would go after the group's ISP and inform them that they might be violating their Terms of Service.

--steve
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                   <http://www.StevePiercy.com>
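Greg's timestamped hidden field combined with Steve's rule that a key is never accepted twice, as an added Python example that is not code from the thread or from any Lasso product mentioned in it. It signs the field with an HMAC rather than encrypting it, since the value only needs to be unforgeable, not secret; the secret, the field name `form_token` and the one-hour lifetime are assumptions.

```python
"""Signed, single-use hidden form token: timestamp + nonce + HMAC-SHA256."""
import hashlib
import hmac
import os
import time

# Assumed server-side secret (constructed for this example). In a real
# deployment it is loaded from server configuration and never sent to the client.
SECRET = b"constructed-demo-secret-do-not-reuse"


class FormTokenGuard:
    """Issues a hidden-field value when the form page is rendered and checks
    it in the form processor.

    The value is "timestamp.nonce.mac", where mac = HMAC-SHA256(secret,
    "timestamp.nonce"). Because only the server holds the secret, a client
    cannot mint a token or move its timestamp forward; because every nonce
    is accepted once, a token copied out of one page load cannot be reused.
    """

    def __init__(self, secret, max_age=3600, clock=time.time):
        self.secret = secret
        self.max_age = max_age        # seconds a rendered form stays valid
        self.clock = clock            # injectable so tests can fake time
        self.used_nonces = set()      # the "used keys" record; a DB table in real use

    def _mac(self, ts_str, nonce):
        msg = f"{ts_str}.{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self):
        """Value for <input type="hidden" name="form_token"> on the form page."""
        ts_str = str(int(self.clock()))
        nonce = os.urandom(8).hex()
        return f"{ts_str}.{nonce}.{self._mac(ts_str, nonce)}"

    def verify(self, token):
        """Check a submitted token. Returns (accepted, reason).

        Checks run in this order: shape, signature, age, replay. The
        signature is verified before the timestamp is parsed, so only a
        server-issued canonical timestamp ever reaches int().
        """
        parts = token.split(".") if token else []
        if len(parts) != 3:
            return False, "malformed"
        ts_str, nonce, mac = parts
        expected = self._mac(ts_str, nonce)
        # Constant-time comparison; bytes so any client-supplied string is safe
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False, "bad signature"
        age = self.clock() - int(ts_str)
        if age < 0:
            return False, "timestamp in future"
        if age > self.max_age:
            return False, "expired"
        if nonce in self.used_nonces:
            return False, "replayed"
        self.used_nonces.add(nonce)   # consume the key so it is never accepted twice
        return True, "ok"


def demo():
    """Walk through issue/verify with a fake clock; returns the reasons seen."""
    now = [1_700_000_000]
    guard = FormTokenGuard(SECRET, max_age=3600, clock=lambda: now[0])
    fresh = guard.issue()
    seen = [guard.verify(fresh)[1]]                   # "ok"
    seen.append(guard.verify(fresh)[1])               # "replayed": same token again
    ts_str, nonce, mac = fresh.split(".")
    seen.append(guard.verify(f"{ts_str}.{nonce}x.{mac}")[1])  # "bad signature"
    stale = guard.issue()
    now[0] += 3601                                    # form left open past max_age
    seen.append(guard.verify(stale)[1])               # "expired"
    return seen


if __name__ == "__main__":
    print(demo())
```

As Bil points out, this raises the cost but does not stop a relay that loads a fresh copy of the form for every submission it forwards; the nonce record then mainly limits how far one fetched token goes.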


Re: Contact Us filtering

Viaduct Productions
Sorry, I missed this.  It's what I recommended.

You mean to say that some web stats might not be valid because browsers
don't pass this on?

You might want to go to a bounce page to add some more information in between
the form and the REAL response page.  But then again, that could be forged
as well...hmmm...


Bil Corry:

> referrer_url is unreliable as some browsers allow you to not send it for
> security reasons.  




Re: Contact Us filtering

Bil Corry
> You mean to say that some web stats might not be valid because browsers
> don't pass this on?

If the web stats rely on it, then yes.  Not to mention it can be forged as well.

- Bil

------

Bil Corry
[hidden email]

Enterprise internet application development and security consulting
  http://www.fivegeeks.com/

Tools for Rapid Lasso Development
  http://www.lassoware.com/
 

Re: Contact Us filtering

Clive Bruton

On 24 May, 2005, at 21:03, Steve Piercy - Web Site Builder wrote:

> How about starting a session on the form page, then checking for the
> existence of a session variable in the form processor?  It wouldn't
> take care of whether the submitter is human or machine, but would this
> not stop sending data to the <form action>?

I think this is a reasonably good solution, if the process sending is
not picking up the cookies - I haven't noticed any spiders doing this,
and I have some setups like this just to keep the spiders out (i.e. they
just get an error page which says "turn your cookies on").

But you'd have to allow for a certain "loss" where real users just
won't take cookies from strangers.

I also like Greg's original idea of encrypting a date/time in a
required field, and filtering input based on a test of that date.


-- Clive



Re: Contact Us filtering

Greg Hemphill
I've thought about using captcha, but I feel like it's kinda much for a
customer to have to do for a simple Contact Us page.


---------------------------------
    Greg Hemphill
    VP of Development
    Webstop.com, Inc.
---------------------------------
    Company: http://www.Webstop.com
    Personal: http://www.MrGHemp.com
    Email: [hidden email]
    AIM: MrGHemp
    Office: 727.942.2797
    Fax: 727.938.2347
    Mobile: 727.692.6886
---------------------------------



Re: Contact Us filtering

Greg Hemphill
I have blocked it based on the value they input as the subject field in
my form, but I was wondering about something that would prevent this type
of thing from anyone.

I don't think it's illegal, it's kinda the opposite of spam, lots of
from address to one email address... but they are hijacking my web form
to do it.

I think if I put a form of security in there, and they found a way
around it might be a DMCA thing.  In this case it is being done by VERY
big non-profit group (the kind everyone has heard of), so it's not one
of those situations where they can hide.

---------------------------------
    Greg Hemphill
    VP of Development
    Webstop.com, Inc.
---------------------------------
    Company: http://www.Webstop.com
    Personal: http://www.MrGHemp.com
    Email: [hidden email]
    AIM: MrGHemp
    Office: 727.942.2797
    Fax: 727.938.2347
    Mobile: 727.692.6886
---------------------------------



Re: Contact Us filtering

Bil Corry
> How about starting a session on the form page, then checking for the
> existence of a session variable in the form processor?

You can build a bot that can pass along the needed session ID.  This wouldn't
stop me.


> It has also been cracked with up to a 93% success rate

You can use human mules to solve them too:

http://www.boingboing.net/2004/01/27/solving_and_creating.html


Another choice might be figlets instead of gimpy:

http://www.figlet.org/


It is true though, even if you force them to validate as a human, there's
nothing stopping them from presenting the test on their page and have the user
submit it along with the email.  Don't offer a publicly accessible feedback page
unless you want public feedback :)

- Bil

------

Bil Corry
[hidden email]

Enterprise internet application development and security consulting
  http://www.fivegeeks.com/

Tools for Rapid Lasso Development
  http://www.lassoware.com/
 
-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of
Steve Piercy - Web Site Builder
Sent: Tuesday, May 24, 2005 1:04 PM
To: [hidden email]
Subject: Re: Contact Us filtering

On Tuesday, May 24, 2005, [hidden email] (Bil Corry) pronounced:

>> can you put some check, like referrer_url, in the form processor?
>
>referrer_url is unreliable as some browsers allow you to not send it for
>security reasons.  

That's disheartening.  :/

How about starting a session on the form page, then checking for the existence
of a session variable in the form processor?  It wouldn't take care of whether
the submitter is human or machine, but would this not stop sending data to the
<form action>?

Although CAPTCHA has some advantages, it does cause some problems, including
accessibilty.  It has also been cracked with up to a 93% success rate:
<http://www.cs.berkeley.edu/~mori/gimpy/gimpy.html>

Also, a human attacker could simply solve a single CAPTCHA, create a knockoff of
your form using the same key and known CAPTCHA text, and submit that form
repeatedly. To avoid this, modify your random key selection so that the same key
is never used twice and so that used keys are recorded and subsequent attempts
to register with the same key are rejected.

I think the suggestion of banning the IP address in the firewall is a good idea,
too.  I would go after the group's ISP and inform them that they might be
violating their Terms of Service.

--steve
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                   <http://www.StevePiercy.com>

--
------------------------------
Lasso Support: http://support.omnipilot.com/
Search the list archives: http://www.listsearch.com/lassotalk.lasso
Manage your list subscription:  
http://www.listsearch.com/lassotalk.lasso?manage
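One way to implement the ideas Steve and Greg describe in the messages above (a value the form page must have issued, a key that is never accepted twice, and a timestamp that rejects stale submissions) is a signed, single-use hidden-field token checked in the form processor. This is an added Python example, not Lasso code and not from anyone in the thread; the secret, the 15-minute lifetime and the in-memory replay set are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret for this example; a real deployment loads it from
# server-side configuration and never embeds it in the page.
SECRET = b"example-only-secret-change-me"
MAX_AGE = 15 * 60       # seconds a rendered form page stays submittable (assumed)
USED_TOKENS = set()     # replay ledger; in production keep it in the session store or DB


def issue_token(now=None):
    """Mint the hidden-field value when the form page is rendered."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    body = f"{ts}.{nonce}"
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def check_token(token, now=None):
    """Validate the token posted with the form; returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        ts_s, nonce, sig = token.split(".")
        ts = int(ts_s)
    except (AttributeError, ValueError):
        # Direct POST to the <form action> with no token, or garbage in it
        return False, "malformed"
    body = f"{ts_s}.{nonce}"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad-signature"   # token was not minted by our form page
    if not 0 <= now - ts <= MAX_AGE:
        return False, "expired"         # the "too far in the past" check
    if token in USED_TOKENS:
        return False, "replayed"        # the same key is never accepted twice
    USED_TOKENS.add(token)
    return True, "ok"


if __name__ == "__main__":
    t = issue_token()
    print(check_token(t))   # first submission passes
    print(check_token(t))   # replay of the same token is rejected
    print(check_token(f"{int(time.time())}.forged.00"))  # fails the signature check
```

This stops blind posts to the form action and replays of one captured form, but, as Bil points out, not a bot that fetches the form page first and passes the fresh value along.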




Re: Contact Us filtering

Bil Corry
In reply to this post by Greg Hemphill
> In this case it is being done by a VERY
> big non-profit group (the kind everyone has heard of), so it's not one
> of those situations where they can hide.

Well, if they are sending you feedback via the method you provide via your
website, you can hardly complain.  At least they are not using the email address
in your domain name registration, which is what I use when I can't find an email
address or contact form on a website :)


- Bil

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of
Greg Hemphill
Sent: Tuesday, May 24, 2005 3:56 PM
To: [hidden email]
Subject: Re: Contact Us filtering

I have blocked it based on the value they input as the subject field in
my form, but I was wondering about something that would prevent this type of
thing from anyone.

I don't think it's illegal; it's kinda the opposite of spam, lots of
from addresses to one email address... but they are hijacking my web form
to do it.

I think if I put a form of security in there, and they found a way
around it, it might be a DMCA thing.  In this case it is being done by a VERY
big non-profit group (the kind everyone has heard of), so it's not one
of those situations where they can hide.

On May 24, 2005, at 3:07 PM, Mark Palmer wrote:

> Hi Greg,
>
> You could just block the IP of their server. Isn't what they are doing
> illegal on your side of the pond?
>
>
>
> Regards
>
>
> Mark Palmer, Pageworks
>
> T: 01902 620500            F: 01902 620440
> E: [hidden email]    W: www.pageworks.co.uk
---------------------------------
    Greg Hemphill
    VP of Development
    Webstop.com, Inc.
---------------------------------
    Company: http://www.Webstop.com
    Personal: http://www.MrGHemp.com
    Email: [hidden email]
    AIM: MrGHemp
    Office: 727.942.2797
    Fax: 727.938.2347
    Mobile: 727.692.6886
---------------------------------



Re: Contact Us filtering

Greg Hemphill
In reply to this post by Greg Hemphill
I believe it is bypassing the form and calling the URL listed in the
<form action>... which I find sneaky and underhanded.

They claim to submit a message to several other sites when the form is
filled out, on our end we get the actual email address of the person
filling out the form.

I'm very tempted to write a script that sends a message to all the
email addresses of the people who submitted this message each time we
get a new one... maybe with a message like "someone else agrees with
you"... they might think twice about filling these things out if they
got 2000 or so of those messages in their email box... but alas, it's
not MY website.


On May 24, 2005, at 3:09 PM, Steve Piercy - Web Site Builder wrote:

> I'm not clear.  Does the CGI submit data through the form, or does it
> bypass the form and call the URL referred in the <form action>?  If
> the latter, can you put some check, like referrer_url, in the form
> processor?
>
> <http://ldml.omnipilot.com/LDMLReference.0.LassoApp?tag=204>
>
> --steve

Re: Contact Us filtering

stevepiercy
In reply to this post by Greg Hemphill
On Tuesday, May 24, 2005, [hidden email] (Clive Bruton) pronounced:

>
>On 24 May, 2005, at 21:03, Steve Piercy - Web Site Builder wrote:
>
>> How about starting a session on the form page, then checking for the
>> existence of a session variable in the form processor?  It wouldn't
>> take care of whether the submitter is human or machine, but would this
>> not stop sending data to the <form action>?
>
>I think this is a reasonably good solution, if the process sending is
>not picking up the cookies - I haven't noticed any spiders doing this,
>and I have some setups like this just to keep the spiders out (i.e. they
>just get an error page which says "turn your cookies on").
>
>But you'd have to allow for a certain "loss" where real users just
>won't take cookies from strangers.

FYI, in LP8, sessions are now "automagic": if the user does not accept cookies, the uselink method is used instead.  The same method can be used for earlier versions as well.  Try to set a cookie, then check for its existence.  If it exists, create the session using cookies, else use uselink.

--steve

Re: Contact Us filtering

Mark Palmer
In reply to this post by Greg Hemphill
on 25/5/05 00:02, Greg Hemphill at [hidden email] wrote:

> I believe it is bypassing the form and calling the URL listed in the
> <form action>... which I find sneaky and underhanded.

This was why I imagined you could block their IP. If they have a script
passing params to your page that is run as their own form is completed on
their page, then wouldn't everything be coming from one address, the address
of their server? Or do I misunderstand?


Regards


Mark Palmer, Pageworks

T: 01902 620500            F: 01902 620440
E: [hidden email]    W: www.pageworks.co.uk




Re: Contact Us filtering

Greg Hemphill
In reply to this post by Greg Hemphill
I've considered the IP thing, but what I'm trying to dream up is
something that will still work if someone else does it, or they use a
different server, etc.
