protect perl script from spammers
mehere

2006-01-09, 8:59 pm

Hi guys

I have a basic perl script for form processing for various purposes, e.g.
adding results to a text file. What I want to know is how best to protect
the perl script from hijackers spamming the form and thus having my
results.txt file filled with crap.

I could obviously get a different form etc but I'd like to know still how to
protect a form without needing to password protect it. Form is open to
general access like a guestbook. I have been looking at Captcha but I am
not sure if that is the best or easiest way to stop hijackers hijacking my
forms.

Anyway if anyone can provide me with some pointers or betters ways to
protect my forms from being hijacked please let me know and point me to some
code for me to have a look at, or if CAPTCHA is the best way does anyone
have some simple code etc I can use to add to my existing forms.

Cheers

Greg


Gunnar Hjalmarsson

2006-01-09, 8:59 pm

mehere wrote:
> I have a basic perl script for form processing for various purposes, e.g.
> adding results to a text file. What I want to know is how best to protect
> the perl script from hijackers spamming the form and thus having my
> results.txt file filled with crap.
>
> I could obviously get a different form etc but I'd like to know still how to
> protect a form without needing to password protect it. Form is open to
> general access like a guestbook. I have been looking at Captcha but I am
> not sure if that is the best or easiest way to stop hijackers hijacking my
> forms.


Neither am I. IMO this is about a trade-off between the (in-)convenience
for the users and your own convenience.

Even if the referer header can be faked, a referer check makes it more
difficult to accomplish automated bogus submissions.

But please note that your question is off topic here. I'd recommend that
you seek advice in comp.infosystems.www.authoring.cgi instead. If you
haven't posted there before, read
http://www.thinkspot.net/ciwac/howtopost.html first.

> ... does anyone have some simple code etc ...


http://search.cpan.org/search?query=captcha

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

Daniel Kaplan

2006-01-09, 8:59 pm

"Gunnar Hjalmarsson" <noreply@gunnar.cc> wrote in message
news:412f07F1cec8uU1@individual.net...
> mehere wrote:



> Even if the referer header can be faked, a referer check makes it more
> difficult to accomplish automated bogus submissions.
>
> But please note that your question is off topic here. I'd recommend that
> you seek advice in comp.infosystems.www.authoring.cgi instead. If you
> haven't posted there before, read
> http://www.thinkspot.net/ciwac/howtopost.html first.
>


I don't want to prolong the thread here since as above you should put it in
the other forum/newsgroup. But what is wrong with Captcha? I am too green
to say that it is definitely the right or wrong way to go, but if all the
biggie sites use it, how wrong can they all be? If there were a better way,
wouldn't at least "some" of them be using this other method?

Just seems they "all" use Captcha...

Daniel


Jürgen Exner

2006-01-09, 8:59 pm

mehere wrote:
> I have a basic perl script for form processing for various purposes,
> e.g. adding results to a text file. What I want to know is how best
> to protect the perl script from hijackers spamming the form and thus
> having my results.txt file filled with crap.


Trivial. Two steps:
- Grant execute permissions only to those whom you trust
- enforce authentication and log all activities such that any spammer will
leave a trail. Then HR can take care of them

> I could obviously get a different form etc but I'd like to know still
> how to protect a form without needing to password protect it. Form
> is open to general access like a guestbook.


Oh, you are talking about a web service? Why didn't you say so in the
beginning.
comp.web.authoring.cgi or whatever that NG is called is on the other side of
the hallway

jue


Gunnar Hjalmarsson

2006-01-09, 8:59 pm

Daniel Kaplan wrote:
> Gunnar Hjalmarsson wrote:
>
> I don't want to prolong the thread ... But what is wrong with Captcha?


After having stripped the sentence where I explained why I don't
consider captcha to be _the_ solution in all cases, you make it sound as
if I had claimed that captcha is "wrong". By doing so, you indeed
prolonged the thread unnecessarily. ;-)

For the record, I said: "IMO this is about a trade-off between the
(in-)convenience for the users and your own convenience."

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl

Daniel Kaplan

2006-01-09, 8:59 pm

"Gunnar Hjalmarsson" <noreply@gunnar.cc> wrote in message
news:412h9gF1d264lU1@individual.net...

> After having stripped the sentence where I explained why I don't consider
> captcha to be _the_ solution in all cases, you make it sound as if I had
> claimed that captcha is "wrong". By doing so, you indeed prolonged the
> thread unnecessarily. ;-)
>
> For the record, I said: "IMO this is about a trade-off between the
> (in-)convenience for the users and your own convenience."


Yeah, I saw that, must have mis-cut...my intention was to address the
original poster
>
> --
> Gunnar Hjalmarsson
> Email: http://www.gunnar.cc/cgi-bin/contact.pl



Matt Garrish

2006-01-09, 8:59 pm


"Daniel Kaplan" <NoSPam@NoSpam.com> wrote in message
news:1135348774.798765@nntp.acecape.com...
> "Gunnar Hjalmarsson" <noreply@gunnar.cc> wrote in message
> news:412f07F1cec8uU1@individual.net...
>
>
>
> I don't want to prolong the thread here since as above you should put it
> in the other forum/newsgroup. But what is wrong with Captcha? I am too
> green to say that it is definitely the right or wrong way to go, but if
> all the biggie sites use it, how wrong can they all be? If there were a
> better way, wouldn't at least "some" of them be using this other method?
>


Herd mentality does not make things right. I read what was being discussed
not as good/bad, but as inconvenience to the user, which is what any captcha
is.

They also only make it more difficult to abuse a site, not impossible. With
a bit of brain power and a little time (or a really good OCR program) you
could write a program to take the graphic and determine the code. It
probably won't always work (hence the design premise of captchas), but even
1/100 are good odds for spammers.

Matt


Daniel Kaplan

2006-01-09, 9:00 pm

"Matt Garrish" <matthew.garrish@sympatico.ca> wrote in message
news:ZEUqf.2674$1Y4.304857@news20.bellglobal.com...

> Herd mentality does not make things right. I read what was being discussed
> not as good/bad, but as inconvenience to the user, which is what any
> captcha is.
>
> They also only make it more difficult to abuse a site, not impossible.
> With a bit of brain power and a little time (or a really good OCR program)
> you could write a program to take the graphic and determine the code. It
> probably won't always work (hence the design premise of captchas), but
> even 1/100 are good odds for spammers.



Totally agree, and while the original poster has not replied again (nor
posted in the proper forum), just wanted to leave a last bit of advice as in
the path I chose, if it helps:

I used the module GD::SecurityImage::AC which was very flexible in terms of
using different fonts, colors, lines, shapes, etc.
Used a bunch of random variables so each image would be as different as
possible in terms of which fonts, size, colors, line shapes, number of lines,
line colors, and font angles were generated in each instance.

And of course I set it so that if the verification failed just once, a new
Captcha would be generated (to avoid the brute-force method).

Granted a real knowledgeable abuser will eventually get by all that in the
end, but I guess getting rid of the 95% of remaining punks out there is a
time-saver in itself.

As for it being an inconvenience to the end-user, hey, what can you do?!? I
mean Norton Anti-Virus has become a XXXXX in itself to keep happy and
running smooth...but what choice do I have? It's just the way the world is
right now.
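An added example, not code posted by anyone in this thread, that puts Gunnar's referer check and Daniel's design (randomised image, new CAPTCHA after any failed verification) into working Perl. It uses GD::SecurityImage directly rather than the ::AC wrapper; `%CHALLENGES` and `$FORM_URL` are assumed stand-ins for a persistent server-side store keyed by token and for the real form address.

```perl
# Added example: CAPTCHA round trip with GD::SecurityImage plus a referer
# check. %CHALLENGES and $FORM_URL are assumed stand-ins for a persistent
# store (file/DB keyed by token) and the real form address.
use strict;
use warnings;
use GD::SecurityImage;
use Digest::SHA qw(sha256_hex);

my $FORM_URL = 'http://www.example.com/guestbook.html';   # assumed
my %CHALLENGES;   # token => { answer => ..., expires => epoch seconds }

# Randomise style and colours so no two images share the same look.
sub random_style {
    my @styles = qw(default rect box circle ellipse ec);
    my $fg   = [ map { int(rand 128) } 1 .. 3 ];         # dark text
    my $line = [ map { 128 + int(rand 128) } 1 .. 3 ];   # lighter lines
    return ( $styles[ rand @styles ], $fg, $line );
}

# Build one challenge: returns (token, png_bytes). Only the token goes to
# the browser (hidden field); the answer never leaves the server.
sub make_captcha {
    my ( $style, $fg, $line ) = random_style();
    my $img = GD::SecurityImage->new(
        width   => 150 + int(rand 50),
        height  => 40 + int(rand 20),
        lines   => 5 + int(rand 10),   # random number of noise lines
        rndmax  => 6,                  # 6-character code
        gd_font => 'giant',            # built-in GD font, no TTF needed
    );
    $img->random;                                  # random code string
    $img->create( normal => $style, $fg, $line );
    $img->particle( 50 + int(rand 100) );          # random dot density
    my ( $png, $mime, $answer ) = $img->out( force => 'png' );
    my $token = sha256_hex( rand() . time . $$ );
    $CHALLENGES{$token} = { answer => $answer, expires => time + 600 };
    return ( $token, $png );
}

# Verify one submission. The token is consumed on every attempt, pass or
# fail, so a wrong guess can only be followed by a fresh image.
sub verify_captcha {
    my ( $token, $guess ) = @_;
    my $ch = delete $CHALLENGES{$token} or return 0;
    return 0 if time > $ch->{expires};
    return ( lc( $guess // '' ) eq lc( $ch->{answer} ) ) ? 1 : 0;
}

# Referer check: a cheap hurdle only, since the header is client-supplied.
sub referer_ok {
    my ($referer) = @_;
    return ( defined $referer && index( $referer, $FORM_URL ) == 0 ) ? 1 : 0;
}
```

In the CGI handler, serve `make_captcha()` output as `image/png` on the image request, and on the POST accept the guestbook entry only when both `referer_ok($ENV{HTTP_REFERER})` and `verify_captcha($token, $guess)` return true.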


mehere

2006-01-27, 9:57 pm


"Daniel Kaplan" <NoSPam@NoSpam.com> wrote in message
news:1135446420.618892@nntp.acecape.com...
> "Matt Garrish" <matthew.garrish@sympatico.ca> wrote in message
> news:ZEUqf.2674$1Y4.304857@news20.bellglobal.com...
>
>
>
> Totally agree, and while the original poster has not replied again (nor
> posted in the proper forum,), just wanted to leave last bit of advice as
> in the path I chose, if it helps:
>

.... snip


Yes OP - being me - did not reply as have not been here for a little while;
also as per the first reply I was politely told wrong forum and had not yet
got around to reposting in 'correct' forum.

Thanks

Greg



Copyright 2008 codecomments.com