There is some spammer on the bugs page who updates all bugs and adds a new
comment to every bug with a URL to a porn page. What can we do? My mailbox
gets fuller and fuller...
Uwe Schindler
thetaphi@php.net - http://www.php.net
NSAPI SAPI developer
Erlangen, Germany
Hello,
Perhaps we should implement one of the "read this obscure image and
type the number into this text box" schemes into all the bug post and
update forms?
--
Best regards,
Jason mailto:jason@ionzoft.com
Tuesday, July 20, 2004, 11:57:25 AM, you wrote:
US> There is some spammer on the bugs page who updates all bugs and adds a new
US> comment to every bug with a URL to a porn page. What can we do? My mailbox
US> gets fuller and fuller...
US> -----
US> Uwe Schindler
US> thetaphi@php.net - http://www.php.net
US> NSAPI SAPI developer
US> Erlangen, Germany
> Perhaps we should implement one of the "read this obscure image and
> type the number into this text box" schemes into all the bug post and
> update forms?
I'm in the middle of making a quick and dirty CAPTCHA routine for the bug
form on pear.php.net. I'll post the diff when it's ready.
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
>> Perhaps we should implement one of the "read this obscure image and
>> type the number into this text box" schemes into all the bug post and
>> update forms?
> I'm in the middle of making a quick and dirty CAPTCHA routine for the bug
> form on pear.php.net. I'll post the diff when it's ready.
We'll also need something like that for cvs accounts/pear/pecl account
requests I guess?
regards,
Derick
>> I'm in the middle of making a quick and dirty CAPTCHA routine for the bug
>> form on pear.php.net. I'll post the diff when it's ready.
> We'll also need something like that for cvs accounts/pear/pecl account
> requests I guess?
I put them in place for the PEAR bug and account request forms.
It's pretty crude. All it does is set a session var with a segment of the
microtime then asks the user to confirm that number. So, if a bot tries
to submit directly via POST, the value won't be set, so they get rejected.
Here are the file overviews:
http://cvs.php.net/pearweb/public_html/bugs/bug.php
http://cvs.php.net/pearweb/public_html/account-request.php
and the particular diffs:
http://cvs.php.net/diff.php/pearweb/public_html/bugs/bug.php?r1=1.56&r2=1.57&ty=u
http://cvs.php.net/diff.php/pearweb/public_html/account-request.php?r1=1.39&r2=1.40&ty=u
Feel free to port them to the PECL and PHP sites.
--Dan
I know this is just a quick measure, but isn't the whole idea to not
emit the code in plain text on the form? It's really very easy to
scrape it out.
--Wez.
On Tue, 20 Jul 2004 14:32:44 -0400, Daniel Convissor
danielc@analysisandsolutions.com wrote:
> It's pretty crude. All it does is set a session var with a segment of the
> microtime then asks the user to confirm that number. So, if a bot tries
> to submit directly via POST, the value won't be set, so they get rejected.
Hi Wez:
> I know this is just a quick measure, but isn't the whole idea to not
> emit the code in plain text on the form? It's really very easy to
> scrape it out.
Yes, it is simple to scrape. But, I suspect that the problem is coming
from bots making direct POSTs rather than doing a page view and then
submitting therefrom. Of course, I could be wrong. Even if I'm right
now, nothing is preventing someone from making a smarter bot.
Hmm... guess it would be a good idea to delete the CAPTCHA value from the
session data after the form is submitted to avoid multiple submissions
using the same value.
Thanks,
--Dan
> Hmm... guess it would be a good idea to delete the CAPTCHA value from the
> session data after the form is submitted to avoid multiple submissions
> using the same value.
Done. Here are the complete diffs...
http://cvs.php.net/diff.php/pearweb/public_html/bugs/bug.php?r1=1.56&r2=1.58&ty=u
http://cvs.php.net/diff.php/pearweb/public_html/account-request.php?r1=1.39&r2=1.41&ty=u
--Dan
> Hi Wez:
>> I know this is just a quick measure, but isn't the whole idea to not
>> emit the code in plain text on the form? It's really very easy to
>> scrape it out.
> Yes, it is simple to scrape. But, I suspect that the problem is coming
> from bots making direct POSTs rather than doing a page view and then
> submitting therefrom. Of course, I could be wrong. Even if I'm right
> now, nothing is preventing someone from making a smarter bot.
You're wrong, for each comment there were four requests done with
curl...
I doubt that this is going to work at all.
regards,
Derick
> You're wrong, for each comment there were four requests done with
> curl...
Crap. Thanks for the heads up. Back to the drawing board...
--Dan
Hi Daniel,
Take a look over @ Colin Viebrock's Blog and see how his turing test
works (http://www.viebrock.ca/code/11/email-protection) and I posted
to you earlier how to do sound turing links.
Hope this inspires you.
Regards
--jm
On Tue, 20 Jul 2004 16:28:06 -0400, Daniel Convissor
danielc@analysisandsolutions.com wrote:
>> You're wrong, for each comment there were four requests done with
>> curl...
> Crap. Thanks for the heads up. Back to the drawing board...
> --Dan
--
Jacques Marneweck
http://www.powertrip.co.za/blog/
> Hi Daniel,
> Take a look over @ Colin Viebrock's Blog and see how his turing test
> works (http://www.viebrock.ca/code/11/email-protection) and I posted
> to you earlier how to do sound turing links.
I was gonna hack a quick image generation script together, but the URL you
gave seems to work fine already. The links directly to the relevant code are:
http://www.viebrock.ca/downloads/turing-image.phps
http://www.viebrock.ca/downloads/turing.phps
The description can be found here:
http://www.viebrock.ca/code/10/turing-protection
And the example demo can be found here:
http://www.viebrock.ca/downloads/turing-test.php
-Jeremy
Jeremy Johnstone wrote:
> I was gonna hack a quick image generation script together, but the URL you
> gave seems to work fine already. The links directly to the relevant code are:
And if you follow the link at the end of the page, you should read some
reasons why Turing protection is not a good thing.
Perhaps limiting the number of bug reports by IP per day and/or limiting
the number of bugs with the same words should be implemented.
My 2 CAD cents,
Olivier
GB/E/IT d+ s+:+ a-- C++$ UL++++$ P++++ L+++$ E- W++$ N- ?o ?K w--(---)
!O M+$ V- PS+ PE- Y PGP t++ 5-- X+@ R- tv++ b++(+++) DI++++ D+ G++ e+>++
h(*) r y+(?)
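
An added example, not code from this thread or from pearweb, of the two server-side limits suggested in the last message: a per-IP daily cap on comments and a cap on how many different bugs may receive the same URL in one day. The class name, the thresholds and the in-memory arrays are assumptions; it needs PHP 8.

```php
<?php
// Added example, not pearweb code: SpamThrottle, its thresholds and the
// in-memory arrays are hypothetical; real code would persist the counters.
final class SpamThrottle
{
    private array $perIpDay = [];  // "ip|day"  => accepted comments
    private array $urlBugs  = [];  // "url|day" => [bugId => true]

    public function __construct(
        private int $maxPerIpPerDay = 5,
        private int $maxBugsPerUrl = 3
    ) {}

    /** Returns null if the comment is accepted, otherwise the reason. */
    public function check(string $ip, int $bugId, string $comment, int $now): ?string
    {
        $day = gmdate('Y-m-d', $now);
        $ipKey = "$ip|$day";
        if (($this->perIpDay[$ipKey] ?? 0) >= $this->maxPerIpPerDay) {
            return 'ip-daily-limit';
        }
        // Collect the URLs in the comment; the same URL spread over many
        // different bugs is the pattern described at the top of the thread.
        preg_match_all('~https?://[^\s<>"\']+~i', $comment, $m);
        $urls = array_unique(array_map('strtolower', $m[0]));
        foreach ($urls as $url) {
            $bugs = $this->urlBugs["$url|$day"] ?? [];
            if (!isset($bugs[$bugId]) && count($bugs) >= $this->maxBugsPerUrl) {
                return 'repeated-url';
            }
        }
        // Count only accepted comments, so a rejection changes no state.
        $this->perIpDay[$ipKey] = ($this->perIpDay[$ipKey] ?? 0) + 1;
        foreach ($urls as $url) {
            $this->urlBugs["$url|$day"][$bugId] = true;
        }
        return null;
    }
}

// Constructed sample: one client posts the same link to four bugs in a row.
$throttle = new SpamThrottle();
$now = gmmktime(12, 0, 0, 7, 20, 2004);
foreach ([101, 102, 103, 104] as $bug) {
    $why = $throttle->check('192.0.2.10', $bug, 'See http://spam.example/x', $now);
    echo "bug $bug: ", $why ?? 'accepted', "\n";
}
$why = $throttle->check('192.0.2.10', 101, 'Still broken in CVS HEAD.', $now);
echo 'bug 101 follow-up: ', $why ?? 'accepted', "\n";
```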