I am using a custom captcha PHP script along with newsletter scripts to let users subscribe using an email id. The registration method is based on the jQuery.post command.
My question is: am I really safe if I remove the captcha validation from my subscription script? The subscription is simple. For example:
mydomain/subscribe.php?email=myemail@somedomain.com
subscribe.php is called with the email as a parameter using the jQuery.post command. I am new to web programming and don't have much idea about spammers in the above scenario. Any advice would be greatly appreciated.
Thanks
Spambots fill out every form they can get their hands on.
I receive subscriptions from bots everyday and I'm slowly adding captchas to all forms.
A bot does not know if the form it is filling out is for a subscription, a contact form or a mass mailing opportunity.
If you don't protect yourself by either using captchas or moving some of the logic into JavaScript functions, you will send emails to all these addresses.
This increases your traffic, decreases your control over your subscribers, makes a mess out of your stats and sometimes you might send an email to users that didn't want to subscribe because a bot has subscribed through a trick (e.g. realuser+buy-viagra-now@gmail.com also reaches the user realuser@gmail.com).
So my advice: stay with the captcha
Or: modify your form to make more use of JavaScript (e.g. load the form via Ajax), because bots are not normal users with a browser, they only simulate them
From the answers that I have read, only the one from favo is really true. A spambot is a computer program that most likely goes one by one through Google results and searches your page for any input box and submit button.
I have experience with spam and my subscriptions, but adding a captcha can get you fewer subscriptions. Take it off for now and, if you can, moderate the emails before adding them to the mailing list. If you see you are getting too much spam then go ahead and put up the captcha. But really, one or two spam emails a week is normal.
So, I recommend moderation until it gets ridiculous.
Depends. You'd probably be safe against general malicious subscription attempts, but not against those that are specifically targeting your signup. I personally wouldn't chance it. Did a majority of subscribers complain about a difficult signup process?
What's the motivation behind your thinking of removing the captcha?
I've never heard of spamming subscription lists.
Spammers are known for sending their own spam, not subscribing to someone else's %)
By removing the captcha, you would basically allow bots to subscribe.
Why they would want to depends on your content. If the newsletter contains no links, or only links to other non-interactive (or captcha protected) resources, you're good.
If your newsletter contains links to resources where a bot can go and spam other people, chances are that they will.
Something simple I have done in the past is to add a few hidden fields. Most bots will fill these in; a normal user couldn't, so you simply put in some logic that says if the hidden fields contain data, do nothing.
It is not fail-safe, but it certainly has stopped large amounts of bot sign-ups on sites where I have implemented it.
I am using code like this (the two calls were missing their closing parentheses; otherwise unchanged):

    // Step 1: ask the server to check the captcha; step 2 runs only if that request succeeded.
    jQuery.post("php/varify_captcha.php", jQuery("#contact_form").serialize(), function(result, status) {
        if (status == "success") {
            // Step 2: a separate request that actually sends the mail.
            jQuery.post("php/send_mail.php", jQuery("#contact_form").serialize(), function(result, status) {
                alert(status);
            });
        }
    });

First, the captcha is validated, then the mail is sent. My question is: should I move the captcha validation inside "send_mail.php"? I have no idea about spammers and their ability to read and execute the code. If they can, then they can directly call "send_mail.php". Let me know if the above method is safe or whether I should move the captcha validation inside "send_mail.php" to make the code a bit safer.
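As an added example (not the poster's code), here is a send_mail.php that performs the captcha check itself, in the same request that sends the mail, which is the arrangement the follow-up asks about: whatever the browser-side script does, a bot that calls send_mail.php directly still has to present the correct answer. The session key `captcha_answer`, the form field names and the two mail addresses are assumptions.

```php
<?php
// Added example, not the poster's code: send_mail.php validates the captcha itself.
// Assumed: the captcha generator stored the expected answer in $_SESSION['captcha_answer'],
// the form posts the user's answer as 'captcha', and both mail addresses are placeholders.
declare(strict_types=1);
session_start();

function captcha_ok(array $post, array &$session): bool
{
    // The expected answer only ever lives server-side; the browser sees the image, never the value.
    if (!isset($session['captcha_answer'], $post['captcha'])) {
        return false;
    }
    $expected = (string) $session['captcha_answer'];
    $given    = trim((string) $post['captcha']);
    unset($session['captcha_answer']);          // one attempt per challenge: no replay, no guessing loop
    return hash_equals($expected, $given);      // constant-time comparison
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    http_response_code(405);
    exit('POST only');
}
if (!captcha_ok($_POST, $_SESSION)) {
    http_response_code(403);
    exit('captcha failed');                     // nothing is sent; a separate "verify" request is not needed
}

$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($email === false) {
    http_response_code(400);
    exit('invalid email');
}

// User input goes into the body only. Putting it into a header (From:, Subject:) would let a
// submitted value containing "\r\n" inject extra headers, e.g. a Bcc: list of spam targets.
$body    = "Subscription request from: {$email}\r\n";
$headers = "From: newsletter@example.com\r\n";
echo mail('owner@example.com', 'New subscription', $body, $headers) ? 'success' : 'error';
```

With this in place the separate varify_captcha.php request becomes optional UI sugar: the decision that matters is made where the side effect (the mail) happens, and the answer is discarded after one comparison so a captured correct value cannot be replayed.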
I noticed that this email address graceamsalu10@yahoo.com compromised my site and sent a message (not an email; it used the site's message app) to every member on the site. It registered and activated its membership through email. I ran a Google search on the email and all the results on the first page were showing other websites where the same email address sent exactly the same message that it sent to members on my site.
Has anyone encountered this attack before?
And what are the ways I could use to prevent further similar attacks on my sites? Thank you.
My website was developed with PHP and MySQL.
Use Google captcha. Even humans sometimes are not able to understand it ;)
http://www.google.com/recaptcha
Also it is good practice nowadays to confirm registration by SMS. Some services provide this for free! (They add little ads to the text.) Works perfectly.
After this step you can implement a ban system... and it will be much harder to create fake accounts to do bad things on your website.
You can try some things ...
a. check the referrer on form posts, and deny posts from other URLs (whether the form was posted from your website or from a remote script)
b. use captcha images (I really don't like them)
c. limit user posts per account per day or per minute
hope this helps you
Captcha is one thing among many others, but one that, added to captcha, will mostly keep them away: store in the database the Unix time of each message sent by that user, set a value $timeBetweenMessages to, for example, 60 (seconds), and each time someone wants to send a message, if $timeBetweenMessages has not passed then they need to wait. Usually all "hackers" look for a way to do things fast and leave; no sane "hacker" will stay on your web site to send messages at $timeBetweenMessages intervals.
If you want to spare your regular users the CAPTCHA hassle, you can use a service like Mollom or Akismet to check the messages and postings for spammy content before they are sent. Both services offer PHP libraries.
An automated bot is registering dummy users on my website. Today, I implemented a Captcha with the addition of two numbers and stored the result in a SESSION variable. Only a human can understand it and proceed with the registration process. But I'm really confused that the same bot is parsing the SESSION variable, entering the correct value of the addition of the two numbers and getting registered on the website as a dummy user.
Is there any other feasible method to stop this bot to register dummy users?
I'm using Zen cart.
Try using reCaptcha. It is most likely a more advanced solution to your CAPTCHA issue.
Use reCaptcha or other anti-bot solutions searchable by google
I once added some simple JavaScript code to add an additional parameter to the form which is only executed when the client has JavaScript enabled. Bots often don't have JS support.
Another solution would be to add the number of seconds a user was on the page before sending the form. Bots will send it immediately after the first request without delay.
Another thing I did once was to check the client's IP address, and if it was from another country than my own the user had to solve the captcha.
Also changing the names of the parameter is helpful.
And sending an individual hash to each form GET request and checking it when the POST arrives.
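The last three suggestions above (a time-on-page check, an individual hash per form GET and a hidden field that only browsers leave empty, as in an earlier answer on this page) can be combined into one server-side check. The following is an added example, not code from any of the answers: the hash is an HMAC over the form id and the time the form was rendered, so the server needs no storage to verify it and a bot cannot backdate it. The secret, the field names `ft` and `website`, and the thresholds are assumptions.

```php
<?php
// Added example, not the answer's code: a signed form token that records when the form was
// rendered, plus a honeypot field. The secret, the field names ('ft', 'website') and the
// time thresholds are assumptions; in practice the secret comes from configuration, not source.
declare(strict_types=1);

const FORM_SECRET      = 'replace-with-a-long-random-secret-from-config';
const MIN_FILL_SECONDS = 3;      // a human cannot read and fill the form faster than this
const MAX_FILL_SECONDS = 3600;   // a token older than this is being replayed; refuse it

// On GET: put the return value into a hidden input named 'ft' (HTML-escaped) when rendering the form.
function issue_form_token(string $formId, int $issuedAt): string
{
    $payload = $formId . '|' . $issuedAt;
    return $payload . '|' . hash_hmac('sha256', $payload, FORM_SECRET);
}

// On POST: null means the submission passes; otherwise the reason it was refused.
function reject_reason(array $post, string $formId, int $now): ?string
{
    // Honeypot: the 'website' input is hidden with CSS, so browsers submit it empty;
    // bots that fill every field they find do not.
    if (($post['website'] ?? '') !== '') {
        return 'honeypot filled';
    }
    $parts = explode('|', (string) ($post['ft'] ?? ''));
    if (count($parts) !== 3) {
        return 'token missing';
    }
    [$id, $issuedAt, $mac] = $parts;
    if ($id !== $formId || !ctype_digit($issuedAt)) {
        return 'token malformed';
    }
    if (!hash_equals(hash_hmac('sha256', $id . '|' . $issuedAt, FORM_SECRET), $mac)) {
        return 'token forged';            // timestamp or form id was edited, or the token was invented
    }
    $age = $now - (int) $issuedAt;
    if ($age < MIN_FILL_SECONDS) {
        return 'submitted too fast';      // fetched the form and posted it in the same breath
    }
    if ($age > MAX_FILL_SECONDS) {
        return 'token expired';
    }
    return null;
}

// Constructed walk-through: one token, four submissions.
$t0    = 1700000000;
$token = issue_form_token('subscribe', $t0);
$cases = [
    'instant post'    => [['ft' => $token], $t0 + 1],
    'human speed'     => [['ft' => $token], $t0 + 20],
    'honeypot filled' => [['ft' => $token, 'website' => 'http://spam.example'], $t0 + 20],
    'edited token'    => [['ft' => "subscribe|{$t0}|0000"], $t0 + 20],
];
foreach ($cases as $label => [$post, $now]) {
    printf("%-16s %s\n", $label, reject_reason($post, 'subscribe', $now) ?? 'accepted');
}
```

Of the four constructed cases only the second is accepted; the first trips the minimum age, the third the honeypot, and the fourth fails the HMAC. The caveat a practitioner should keep in mind: a bot that fetches the form, sleeps for a few seconds and then posts still passes, so this raises the cost of scripted submissions rather than eliminating them, which is why it is paired with the per-IP limits and email confirmation discussed elsewhere on this page.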
The Project
We have a competition coded in PHP, with CodeIgniter. The form has validation on email addresses and mobile numbers. The page itself is hosted inside an iframe on a different domain (it's an agency-client relationship).
The Problem
We get users with 1000s of entries. We know they are fake because:
They use the same mobile number; presumably they figure out a mobile number that passes the validation and then use that every time.
The email addresses are all on weird domains, with some of the domains repeated multiple times.
However, the IP addresses are unique, the entries are spread over a few days, the domains themselves have MX records, the user-agents look normal.
The client doesn't want to do anything which could result in fewer entries.
The Question
What are the pros and cons of methods like Captcha? What UI and code patterns have you used that worked?
One method I read is to allow entries that are suspicious, so that spammers' entries are accepted, but their data has a 'suspicious' flag against it, which is then checked manually. What data can I check to see whether it is suspicious?
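A concrete version of the "accept but flag" idea, as an added example that is not part of the question: the two signals the question itself identifies (a mobile number already used by earlier entries, and an unfamiliar email domain that keeps recurring) are counted against the entries already stored, and the reasons are attached to the row for a human to review. The entry shape, the thresholds and the short list of common mail providers are assumptions.

```php
<?php
// Added example, not from the question: flag suspicious competition entries for manual review
// instead of rejecting them. The entry shape and both thresholds are assumptions.
declare(strict_types=1);

function normalize_mobile(string $mobile): string
{
    return preg_replace('/\D+/', '', $mobile) ?? '';   // compare digits only: "0770 090 0123" == "07700900123"
}

function email_domain(string $email): string
{
    $at = strrpos($email, '@');
    return $at === false ? '' : strtolower(substr($email, $at + 1));
}

/**
 * @param array{email:string, mobile:string, ip:string}             $entry    the new submission
 * @param array<int, array{email:string, mobile:string, ip:string}> $existing entries already stored
 * @return string[] reasons the entry looks suspicious; empty when it does not
 */
function suspicion_reasons(array $entry, array $existing): array
{
    $mobile = normalize_mobile($entry['mobile']);
    $domain = email_domain($entry['email']);

    $sameMobile = 0;
    $sameDomain = 0;
    foreach ($existing as $e) {
        if (normalize_mobile($e['mobile']) === $mobile) {
            $sameMobile++;
        }
        if (email_domain($e['email']) === $domain) {
            $sameDomain++;
        }
    }

    $reasons = [];
    if ($sameMobile > 0) {
        $reasons[] = "mobile number already used by {$sameMobile} earlier entr" . ($sameMobile === 1 ? 'y' : 'ies');
    }
    // Popular mail providers legitimately repeat; an unknown domain showing up many times does not.
    $common = ['gmail.com', 'hotmail.com', 'yahoo.com', 'outlook.com'];
    if ($sameDomain >= 5 && !in_array($domain, $common, true)) {
        $reasons[] = "domain {$domain} already used by {$sameDomain} earlier entries";
    }
    return $reasons;
}

// Constructed sample data: six stored entries (five of them from one fake-looking domain
// sharing one mobile number) and two new submissions.
$stored = [
    ['email' => 'a@gmail.com',      'mobile' => '07700 900 001', 'ip' => '198.51.100.1'],
    ['email' => 'b@qwzrt-mail.biz', 'mobile' => '07700 900 123', 'ip' => '198.51.100.2'],
    ['email' => 'c@qwzrt-mail.biz', 'mobile' => '07700900123',   'ip' => '198.51.100.3'],
    ['email' => 'd@qwzrt-mail.biz', 'mobile' => '07700900123',   'ip' => '198.51.100.4'],
    ['email' => 'e@qwzrt-mail.biz', 'mobile' => '07700900123',   'ip' => '198.51.100.5'],
    ['email' => 'f@qwzrt-mail.biz', 'mobile' => '07700900123',   'ip' => '198.51.100.6'],
];
$incoming = [
    ['email' => 'g@qwzrt-mail.biz', 'mobile' => '07700900123',   'ip' => '198.51.100.7'],
    ['email' => 'h@gmail.com',      'mobile' => '07700 900 555', 'ip' => '198.51.100.8'],
];
foreach ($incoming as $entry) {
    $reasons = suspicion_reasons($entry, $stored);
    // The entry is stored either way; the review queue is the rows whose 'suspicious' column is non-empty.
    printf("%-20s %s\n", $entry['email'], $reasons ? 'SUSPICIOUS: ' . implode('; ', $reasons) : 'ok');
}
```

The first incoming entry is flagged on both counts, the second on neither. Because the question reports unique IPs and normal user agents, the example deliberately does not score those; adding a signal that the attacker already varies would only add noise to the review queue.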
Some methods you could use:
Captcha: Stops bots submitting the form
Email Validation: Send them an email with a unique link to activate their competition entry. Stops invalid email addresses.
Mobile Number Validation: Send them a text message with an activation code. Stops invalid phone numbers.
In my opinion your approach should not be to prevent submission of entries but to require a level of validation on the details entered.
CONS of CAPTCHA:
Users hate it, and it can be frustrating when implemented poorly (failed captcha resets other form fields for instance).
Can be difficult for legit users to complete when the letters are hard to read.
Doesn't always work. Someone just scammed Ticketmaster by beating ReCAPTCHA a few months ago for instance*.
Ugly, more code to implement, and it passes the burden of responsibility from you to the users. PROVE YOU ARE HUMAN is not what I want to see when sending a form; very insulting.
@Nick's got the right idea: use text/email validation. IP checking can be OK sometimes, but as you said, you're getting unique IPs with the same mobile number, so it's not reliable.
There are lots of great posts here regarding CAPTCHA alternatives, definitely worth a read if you plan on employing it. You'll probably have to find a balance between making it easy for the user (encouraging submissions) and front end security techniques.
Why though, can't you simply disregard duplicate mobile numbers or phone number + IP combinations? Just because they can submit multiple times doesn't mean you have to accept it. If it is a human, let them think they are sending in multiple votes :)
*Ticketmaster used various means to try to thwart Wiseguy’s operation, at one point switching to a service called reCaptcha, which is also used by Facebook. It’s a third-party Captcha that feeds a Captcha challenge to a site’s visitors. When a customer tries to purchase tickets, Ticketmaster’s network sends a unique code to reCaptcha, which then transmits a Captcha challenge to the customer.

But the defendants allegedly were able to thwart this, as well. They wrote a script that impersonated users trying to access Facebook, and downloaded hundreds of thousands of possible Captcha challenges from reCaptcha, prosecutors maintained. They identified the file ID of each Captcha challenge and created a database of Captcha “answers” to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, authorities said.
Captcha is perfect for spam protection, while confusing people very often.
But there is a workaround - you can use JavaScript to hide the captcha for real users (using browsers with JavaScript turned on) while it will always be "visible" to spam bots (that do not have JS). It's quite simple - just use JS to set the div where the captcha is held to display:none, and create a hidden input whose value contains the one from the captcha image...
The strongest approach may be email validation - but that sometimes means rewriting the application. If a user submits his reply, you register it as not active and send him a validation email to the email address provided. If it is valid, after clicking on the link he will validate his email answer and you can turn his reply to status active...
Also a good workaround for users to prevent the re-submitting of forms on refresh is to redirect users to that same page after the form is submitted and processed... Yes, it takes a second or two longer to view the result, but it's much safer...
So I have a form that can create an account, and right now the process to create the account is by calling a JavaScript REST API. I was thinking that it might be really easy to hack that programmatically, since all they would need to do is look at the JavaScript to find out the URL to spam, and that it might be safer to do the processing in a PHP script. Then I thought, well, they could just look at the form to find the URL just as easily if I don't do it through JavaScript. The form is going to be processing only POST data, but I'm not sure if that is enough and if it matters whether I process it through JavaScript or PHP.
What is the best way to prevent someone from spamming a form programmatically (i.e. prevent them from writing server-side code, like PHP, or client-side code, like JavaScript, that spams the processing script)?
One way is to use a Captcha such as reCaptcha to filter the bots out, but it's not 100% protection.
Using Captcha is probably the first method:
Google's Version
Secondly I would do data checking on the server side and possibly email verification, if the E-Mail is not verified I would have a cron to clean out the rows in your table which don't have e-mail verification.
With these two methods you should avoid a good majority of it.
Go for reCAPTCHA. It's pretty easy.
You can obtain a key pair there by registering your website URL. Use that key to generate the reCAPTCHA image/textbox in your form. Your form's data will be posted and added to the database only if the entry matches the text displayed in the image, otherwise not (that's a server-side check that you have to keep). You'll find plenty of related code on Google :)
Another technique, as most of the websites now a days follow, is to send an account activation link to the user via email. An account will get created only when that activation link is clicked upon. You can also set an expiration time (say, 24 hours) for this purpose.
Hope this helps.
I have a classifieds website, where users must fill in a form to post a classified (of course).
I wonder, do you think I need some form of captcha on the form?
Also, I am working on a "register" page where users may get their own username/pass and login to post classifieds more easily.
Also, I have a mail-server setup...
So now, users may click on a classified and at the bottom fill in just three fields in a form (name, email, message) and send an email to the poster of the classified. No captcha there. Is this safe?
My firewall is setup so that it is preventing any outside access to the mail-server except from the websites IP.
Can I set up the firewall to some settings so that I don't need captcha?
I have my own Virtual Private Server btw, and it is running Ubuntu.
A follow-up Q is: if a spam-bot or whatever gets hold of my forms and fills a lot of them out, or uses my mail-server to send emails, what would happen then?
Would my site and mail-server get blacklisted? Is this reversible, or do I have to create a new mail-server then?
Thanks
I go by the design principle of "least barrier to entry". You want people to use your site, so you want to make it as easy as possible for them. Anything at all -- including a captcha -- might turn them away. So my standard line would be to definitely not include a captcha anywhere until you've actually seen a problem with spam. And even then, see if the problem can be solved without a captcha first.
Regarding your question of "well what if a spam bot starts spamming". Simple solution to this is to pre-implement a rate limit. Make it so that someone at a given IP address cannot initiate the sending of an email more frequently than say once every minute. This will not actually cause a problem for real people, but will stop a spam bot in its tracks. You can even try to detect situations where you see a high rate and temporarily block that IP address for 24 hours. That will prevent even the once-a-minute spam.
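The rate limit described in this answer (one mail per address per minute, and a 24-hour block when an address keeps hammering), which also covers the per-user $timeBetweenMessages idea in an earlier answer on this page, as an added example that is not the answerer's code. The store here is an in-process array, so the walk-through below works from the command line; in a real deployment the same logic would sit on APCu, Redis or a database table so that it survives across requests. All thresholds are assumptions.

```php
<?php
// Added example, not the answer's code: per-IP rate limiting for a mail-sending endpoint.
// Thresholds are assumptions; the in-memory array stands in for shared storage (APCu, Redis, a table).
declare(strict_types=1);

final class IpRateLimiter
{
    private const MIN_INTERVAL       = 60;     // seconds between two accepted sends from one address
    private const STRIKES_BEFORE_BAN = 5;      // refused attempts inside STRIKE_WINDOW that trigger a ban
    private const STRIKE_WINDOW      = 600;    // seconds
    private const BAN_SECONDS        = 86400;  // 24 hours

    /** @var array<string, array{last:int, strikes:int[], banned_until:int}> */
    private array $state = [];

    // Returns true if the send may proceed; records the attempt either way.
    public function allow(string $ip, int $now): bool
    {
        $s = $this->state[$ip] ?? ['last' => 0, 'strikes' => [], 'banned_until' => 0];

        if ($s['banned_until'] > $now) {
            $this->state[$ip] = $s;
            return false;                       // still banned; do not even count the attempt
        }

        if ($now - $s['last'] < self::MIN_INTERVAL) {
            // Too soon after the last accepted send: count a strike, drop strikes that have aged out,
            // and ban the address for a day once it has collected enough of them.
            $s['strikes'] = array_values(array_filter(
                $s['strikes'],
                fn (int $t): bool => $now - $t < self::STRIKE_WINDOW
            ));
            $s['strikes'][] = $now;
            if (count($s['strikes']) >= self::STRIKES_BEFORE_BAN) {
                $s['banned_until'] = $now + self::BAN_SECONDS;
                $s['strikes']      = [];
            }
            $this->state[$ip] = $s;
            return false;
        }

        $s['last'] = $now;
        $this->state[$ip] = $s;
        return true;
    }
}

// Constructed walk-through: a bot posting once a second for ten seconds.
$limiter = new IpRateLimiter();
$results = [];
for ($i = 0; $i < 10; $i++) {
    $results[] = $limiter->allow('198.51.100.9', 1700000000 + $i) ? 'ok' : 'refused';
}
echo implode(' ', $results), PHP_EOL;

// How the mail endpoint would use it. REMOTE_ADDR is only trustworthy when nothing sits between
// the client and PHP; behind a reverse proxy, take the address from the header that proxy sets
// and ignore client-supplied X-Forwarded-For values, which a bot can set to anything.
$ip = $_SERVER['REMOTE_ADDR'] ?? '203.0.113.7';   // constructed fallback for the CLI run
if (!$limiter->allow($ip, time())) {
    http_response_code(429);
    exit('Too many requests; try again later.');
}
```

In the walk-through only the first attempt is accepted: the next four are refused as strikes, the fifth strike converts into a 24-hour ban, and the remaining attempts are refused without being counted. A real person sending one message a minute never notices the limiter.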
I can see two situations where you might be thinking of using Captchas.
Registration
Interaction/Contact Form
However, captcha does tend to upset and drive away users if overused.
So, in these instances:
Registration
The easiest way to stop, or at least inconvenience, anyone trying to create bulk accounts would be to use an email confirmation. So, the user fills out the form, including their email address. The form then sends them an email, which contains a link they must click to activate the account and allow them to login.
Interaction/Contact Form
There will be two kinds of people who will interact through this form. There will be registered, and logged-in users and there will be casual visitors. As Captcha is a method to test for whether a person is a person or not, any registered/logged-in users have already proven themselves, there is no need to use Captcha for them.
However, for a casual, non-logged-in user, you can use the Captcha.
So, the short version, as you can tell, I hate Captcha, and only use it when absolutely necessary.
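Email confirmation comes up in several answers on this page (an activation link that must be clicked before the account or entry counts, with a cron job clearing out rows that never verify). As an added example that is not any answerer's code, the following shows the part that is easy to get wrong: the token is 256 random bits, only its hash is stored, it expires after 24 hours, and it is good for one click. The array stands in for a database table; the column names, the URL and the TTL are assumptions.

```php
<?php
// Added example, not from the answers: account activation by e-mail link. The $users array stands
// in for a database table; column names, the activation URL and the 24-hour TTL are assumptions.
declare(strict_types=1);

const ACTIVATION_TTL = 86400;   // 24 hours

function register(array &$users, int $id, string $email, int $now): string
{
    $token = bin2hex(random_bytes(32));             // 256 bits from the CSPRNG: not guessable
    $users[$id] = [
        'email'      => $email,
        'active'     => false,
        'token_hash' => hash('sha256', $token),     // a leaked table yields no usable links
        'expires'    => $now + ACTIVATION_TTL,
    ];
    // The link that would be mailed to $email (sending is omitted here). Nothing is shown to the
    // browser that submitted the form, so only whoever reads the mailbox can activate.
    return 'https://example.com/activate.php?uid=' . $id . '&t=' . $token;
}

function activate(array &$users, int $id, string $token, int $now): bool
{
    if (!isset($users[$id]) || $users[$id]['active']) {
        return false;                               // unknown id, or already activated (no replay)
    }
    $u = $users[$id];
    if ($now > $u['expires']) {
        return false;                               // expired; purge_expired() will remove the row
    }
    if (!hash_equals($u['token_hash'], hash('sha256', $token))) {
        return false;                               // wrong token; constant-time compare
    }
    $users[$id]['active']     = true;
    $users[$id]['token_hash'] = '';                 // single use
    return true;
}

// The cron job mentioned in the answers: drop rows that never verified and are past their expiry.
function purge_expired(array &$users, int $now): int
{
    $before = count($users);
    $users  = array_filter($users, fn (array $u): bool => $u['active'] || $now <= $u['expires']);
    return $before - count($users);
}

// Constructed walk-through (no mail is actually sent).
$users = [];
$now   = 1700000000;
$link  = register($users, 42, 'user@example.com', $now);
register($users, 43, 'never-clicks@example.com', $now);

parse_str((string) parse_url($link, PHP_URL_QUERY), $q);   // what activate.php reads from $_GET
$first  = activate($users, (int) $q['uid'], $q['t'], $now + 3600);             // valid click
$replay = activate($users, (int) $q['uid'], $q['t'], $now + 3600);             // same link again
$wrong  = activate($users, 43, bin2hex(random_bytes(32)), $now + 3600);        // guessed token
$purged = purge_expired($users, $now + ACTIVATION_TTL + 1);                    // a day later
var_dump($first, $replay, $wrong, $purged);
```

The first click activates user 42, the replay and the guessed token are refused, and the purge a day later removes only user 43, who never clicked. Hashing the stored token matters because an activation table is often readable by the same SQL injection or backup leak that exposes the rest of the database.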
Captcha is mainly used for security purposes, to stop automation. For example, if you have a signup column, a geek can easily make 1000 users within minutes if he automates it... and you lose so much space... At the same time, if you use captcha, it's much safer and you can be sure that all the users are human and none are computer-generated usernames.
So if you take your website seriously, I would suggest going for captcha. But keep it simple, like they have at Megaupload. I don't know which service that is, but still, it's simple.
Definitely YES.
Take a look at reCAPTCHA
You have a PHP plugin here
Can I set up the firewall to some settings so that I don't need captcha?
No. Captcha and firewall are totally different things and cannot be used as alternatives to each other.
A follow-up Q is: if a spam-bot or whatever gets hold of my forms and fills a lot of them out, or uses my mail-server to send emails, what would happen then?
One can write a script which will automate the registration process on your website. It can create many accounts on your server and/or post content which is not good for your website, or use your website for some other person's ads.
Better try Sblam; it's transparent for the visitors, there is no need for user input, and it works well for me on numerous sites.