Guestbook Spammers Bypassing My Entry Forms?

He has: 688 posts

Joined: Feb 2001

Aaaahhhh!

[The following is a follow up to this previous thread (only since the June 8th follow up). I decided to move the discussion here because recent developments have now made this a technical issue.]

This now seems like a security risk. And since it looks like these ***holes will force me to soon shut down that entire section of my personal site, [link removed].

Before you look around, first click "Sign Guestbook". You'll see I wrote "disabled due to spammers" in the URL form. What I did was change the input name so that it couldn't add the URL to the correct field name in the database. I left the field in the form even though it doesn't work because I wanted to 'catch' the spammers signing my guestbook but not allow them to get their spam-urls on my guestbook.

Now go back to the guestbook and you'll see the last entry is from me. I entered a URL in that spot and it did not work. (On my guestbook the URL icon is a little gray circle with a "42" in it.) Great! I proved that my form won't register URLs anymore.

But now look at the entry right before mine, from "frank". He spammed me from the same crappy w w w s k e e z y site that spams me every day, AFTER I purposely broke my form. So how did he get his entry into my guestbook if that field in the form doesn't function? Can they be bypassing the form completely? Do you think the 'bot just recognizes the system used and then goes right for the database?

timjpriebe's picture

He has: 2,667 posts

Joined: Dec 2004

Quote: But now look at the entry right before mine, from "frank". He spammed me from the same crappy w w w s k e e z y site that spams me every day, AFTER I purposely broke my form. So how did he get his entry into my guestbook if that field in the form doesn't function? Can they be bypassing the form completely? Do you think the 'bot just recognizes the system used and then goes right for the database?

Absolutely! I once had a popular submit-your-own-links script in place on a website I ran, and I ran into the same exact thing. The way that they spam so many guestbooks is by having a program that bypasses the actual form and page completely. They just fill out the fields in a program or in another web page, and it goes through and submits that form directly to URLs that have been found to use that popular script.

That's why, whenever I use one now that allows anonymous submitting of links or guestbook signatures, or anything similar, I just write it myself, using unusual form element names.

He has: 688 posts

Joined: Feb 2001

Hmmm. I suppose I will need to get into my phpMyAdmin and either
A) delete the url field from the database
B) change the url field in my database and web form to an unusual name and allow real people to post again.

But if I do "B", will the 'bots just learn the new field name and continue spamming again?

timjpriebe's picture

He has: 2,667 posts

Joined: Dec 2004

In my personal experience, no. I believe (and this is conjecture) that they only know exactly how popular scripts work, i.e. they know the form fields that it accepts as input.

Is the script you're currently using one that you downloaded and implemented without modification to the part that actually takes the form's input and puts it in the database?

He has: 688 posts

Joined: Feb 2001

Yes. I used a visual theme but the guts of the operation were as is from a script I downloaded off the net. So I never changed, nor even chose, the name of the form input field or the corresponding database field.

timjpriebe's picture

He has: 2,667 posts

Joined: Dec 2004

That would fit with my theory of how the spammers work, then. It's still theory, as I have no desire to download whatever program(s) they use and actually check it out, but it does fit the facts.

Try your option B you listed above, and let me know how it works.

Greg K's picture

He has: 2,145 posts

Joined: Nov 2003

One thing you can do is change your script that processes the submission: have it check to make sure that the referring page is your own site. Two things come from this.

1. People who have the referer blocked (either by their browser, or by using a virus program that does it without them knowing) won't be able to use it. On your error page, let them know this is why, as, like I said, there are some people that don't even know AV programs may block this by default.

2. Since the information comes from the browser, I'm sure there would be SOME way of faking referring page info. But it may be worth a try to see if something that simple won't fix it.

Another possibility I just thought of (and again, if the user has it blocked it still won't work): have the form page set a temp cookie that the submission page looks for.

Now these may prevent some people from using the form, but it is a lot fewer people that are prevented compared to just shutting it down.

And remember, make sure your "error" page nicely and in the simplest terms lets the users know why it was rejected (either because the referer was missing, or the cookie was refused). Add a note explaining you are forced to do this due to the spammers.

-Greg

Greg K's picture

He has: 2,145 posts

Joined: Nov 2003

Also, I just checked the source code for your page; you may wish to remove all indications you are using Xeobook.

The spammers probably do a search for sites that have known code in them for that guestbook, and make a list of sites to nail from that.

I know this is what I would do anyhow. (I have a great criminal mind; luckily I only use it for preventing others from doing the same to me.)

AyntRyte's picture

He has: 145 posts

Joined: Jun 2004

One idea I formulated from a Viper GB I ran: These "attacks" come in two waves. The first being the "Great Site!" posts that you mentioned in the previous thread. These posts appear to be "probes" or data collection. The second wave is the hack attack. In my case, every post in the GB was erased. Viper had a fix posted for this, but I figured out an easier method to prevent the frustration and hair-pulling: Delete the GB. If anyone has something worthwhile to say, they can post it on the message board, which I prefer to be a less known (under the radar) script, such as punbb. And now life is good (or better anyway.)

\\// Robert

The grass is always greener on the other side -- but that's because they use more manure.

He has: 688 posts

Joined: Feb 2001

Thanks y'all. Here's an update on what I did, how it worked, and what's happening now.

I changed the field name on the form AND the database and did a mass find/replace on all other instances of where that old field name showed up in the application. My form does still work.

Today it seems like I got this change just in the nick of time. What had started as a few posts each day has turned into several posts every hour now. And the good news is that although you can list a homepage if you actually use my web form, all these recent spammers' auto-entries are void of any URLs!

However, I didn't anticipate the exponential growth in guestbook entries per day (or per hour now) and I think they're still going to ruin my guestbook with their masses of generic "great job" messages. So it looks like I'll need to go back in and change the code for all of the other fields that show up in the display as well (name, email, message).

------------------------------

I've always hated spam emails. Who doesn't? But it really irks me bad when spammers place porn links on a personal family website, and me having to work this hard to change what I was doing just for fun.
SPAMMERS SUCK!

Greg K's picture

He has: 2,145 posts

Joined: Nov 2003

Have you notified your provider? Does it seem to be all coming from the same IP (or IP range)? Notify them; maybe they can put a block on it.

Did you try the requiring the referrer to match your site?

-Greg

He has: 688 posts

Joined: Feb 2001

8 more since I wrote this morning. That's a lot since my guestbook only had about 50 in the past several years. They're starting to repeat similar phrases and names.

Greg K wrote: Have you notified your provider? Does it seem to be all coming from the same IP (or IP range)? Notify them; maybe they can put a block on it.

Do you mean my host? No, I haven't told them yet. My gb program records a bunch of other information. Every single one of my recent spammers lists the following info: 69.31.86.244 neg229.named1.com

I have cPanel, which has a bunch of features I've never used. One says "IP Deny Manager". It looks like it should do the trick but will it work if they aren't actually using the website to access my database? (note: my logs do show Mozilla 4.0 as a user agent). I'll enter that IP in there and see what happens over the next 24 hours or so.

Greg K wrote: Did you try the requiring the referrer to match your site?

I wouldn't have a clue how to do that. Me is simple man.

Abhishek Reddy's picture

He has: 3,348 posts

Joined: Jul 2001

Since recently, I get poker spam in comments on my blog. I'd been expecting it for about a year, since my site was launched. I was starting to worry that I had none while everyone else was getting it; I saw it as a measure of success, or the extent of publication, I guess.

Anyway, I was prepared for it when it came a few weeks back. I spent a couple of weeks manually handling the spam to wait and see if it was the real thing. When I was satisfied that it was, I simply installed Drupal's Spam.module. Works like a charm.

CptAwesome's picture

He has: 370 posts

Joined: Dec 2004

You can try installing this:
http://www.plebian.com/news.php?artc=138&

It will stop bots cold.

He has: 688 posts

Joined: Feb 2001

Thanks everybody for the help. "IP Deny Manager" may or may not have worked. I woke up this morning to a new flood of guestbook spam and thought the Deny Manager didn't work because it wasn't using my webform anyway. But after checking my database I can see that all the new spam is now from 63.246.133.54 unknown.sagonet.net. So the bottom line is that it's pointless to try to ban them. Crap! I'm about to notify my host provider and also try those links y'all mentioned. Thanks again.

One follow-up question: If they aren't using my webform to submit info to my MySQL database, then how can they add information without knowing my username and password?

They have: 33 posts

Joined: Aug 2005

Hi everyone... I'm new on here, and this is my first post. I've been searching the web regarding a question I have about guestbooks and spammers, and that brought me here. I'm glad to be on board.

After reading fifeclub's posts (and dropping in on his site) I feel guilty posting my question 'cause I'm not getting spammed, yet. Here it is, though....

I have a hobby site that's been up just short of two months. Shortly after it opened, I installed a guestbook (phpBook 1.50). Within days I got spammed, but only two messages. Both had some BS text that had nothing to do with the gambling site they were promoting, and the log showed the hits coming from Slovenia and Israel. The spam links were within the message text. I deleted the two entries, and I haven't been spammed since. But....

I am seeing some odd behaviour in my site tracker. After the spam entries, I would receive hits from Israel every few days, from 80.74.111.114. The hits always came in pairs, a few minutes apart, and went straight to the guestbook. Nothing was entered in the book, however. After seeing this for a couple weeks, I decided to use phpBook's IP blocker and shut them out. Five days later, the Israel/guestbook hits started again, this time from IP 212.29.214.240. Still no spam.

My apologies again to fifeclub for complaining about something so insignificant compared to his problem. This is a startup site, and traffic is low, and it just annoys me that almost 7% of the hits listed in my site tracker are from this Israel/guestbook IP. I've considered blocking this new IP, but I figure the problem will just migrate to a new one.

I can tolerate the situation, but what I would like to know is (1) Is this a security issue I should be concerned about? and (2) Is it possible to put a stop to this, or will I just be chasing IPs?

Thanks!
R/L

Greg K's picture

He has: 2,145 posts

Joined: Nov 2003

You have to realize how this works.

Normally you have a form on your site that, when submitted, sends the information to a script on your site that processes all of the information. (Sometimes it is the same file, usually not.)

Here is what is most likely happening. They call your script file, just as your form would. They have it programmed to send the same information your form sends in (which is why changing the names of the form fields can make a difference). Your script does not realize that the information it is being sent is NOT coming from your form.

If i remember right, your script is in PHP. If so, go in there where it saves the data to your database. Make a field in your database, and send to it the value of $_SERVER['HTTP_REFERER']. This is the page that the person was at when they clicked to get to your script. Normally, this should be the URL of your form.

Remember though, some people have this information blocked (either manually, or their antivirus software does it without them knowing).

After a day, check these values; you will most likely notice all the spam ones are coming from "-" (or just an empty string), which indicates that it was directly called. Well, you know your script should always be called from your form, so if the referer isn't your form, block the saving of information.

Like I said, you may lose those whose referer is blocked, but that is a lot less than how many you lose by shutting off the guestbook. Again, remember to leave a "polite" error message explaining why the information was not submitted. "We're sorry, but we were unable to determine which page sent you here. Either you have your 'referer' information disabled, or your antivirus software may have blocked this information."

BTW, ever wonder why all these sites anymore have those weird text pictures and ask you to enter the text?? This is exactly why. Bots automatically making new accounts.

-Greg
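The referer check and the "temp cookie" idea from Greg K's two posts above, written out as an added example for a PHP guestbook's submit script (this is not code from the thread or from any guestbook package; the function names, the `gb_token` field and the host name are assumptions). It logs the referer first, as the post suggests, then rejects submissions whose referer is not your site or whose hidden token does not match the session.

```php
<?php
// Added example: referer check plus a per-session form token for a
// guestbook submit handler. Assumed names: guestbook_form_token(),
// guestbook_check_request(), POST field "gb_token", session key "gb_token".
session_start();

// Call on the page that renders the form. Sets a random token in the
// session (the "temp cookie") and returns it for a hidden <input>.
function guestbook_form_token(): string
{
    if (empty($_SESSION['gb_token'])) {
        $_SESSION['gb_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['gb_token'];
}

// Call in the script that saves the entry. Returns null when the request
// looks like it came from the real form, otherwise the text for the
// polite error page.
function guestbook_check_request(string $yourHost): ?string
{
    // Step 1 from the post: look at HTTP_REFERER ("" when absent) and
    // record it with the entry so you can see which submissions arrive
    // without one before you start blocking.
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    error_log('guestbook referer=' . ($referer === '' ? '-' : $referer));

    $refHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost) || strcasecmp($refHost, $yourHost) !== 0) {
        return "We're sorry, but we were unable to determine which page "
             . "sent you here. Either your 'referer' information is "
             . 'disabled, or your antivirus software blocked it.';
    }

    // Step 2: the hidden token must equal the one issued to this session.
    // The referer header is easy to fake; this check is the stronger one.
    $sent = $_POST['gb_token'] ?? '';
    if (!is_string($sent) || empty($_SESSION['gb_token'])
        || !hash_equals($_SESSION['gb_token'], $sent)) {
        return 'Your browser refused the cookie this form needs, '
             . 'so the entry was not saved.';
    }
    return null;
}

// Usage in the submit script (host name is an assumption):
//   $problem = guestbook_check_request('www.example.com');
//   if ($problem !== null) { /* show the polite error page */ exit; }
//   /* otherwise save the entry as before */
```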

He has: 688 posts

Joined: Feb 2001

I took the time to change all the fields of my MySQL database. It worked for over a month but they're starting to sneak back in again, even though I customized all the database fields to non-standard names.

I can't figure out if these new entries are automated or entered manually (automation should be much more difficult now) but the latest entry has an odd message that I wanted to ask about. The website field is empty but the message field is full of spam links. Then it ends off with "If see this message email THIS url to [email protected]"

Is this a trick? I assume that if I send an email to this address (from Russia once again) that I'll just be put on 10,000 more spamming lists.

Greg K's picture

He has: 2,145 posts

Joined: Nov 2003

fifeclub wrote: Then it ends off with "If see this message email THIS url to [email protected]"

I've seen enough spam to say I think this is just a poorly translated "click here to remove" message.

And did you try the suggestion in my last message I had posted about this topic?

RangerLord wrote: I can tolerate the situation, but what I would like to know is (1) Is this a security issue I should be concerned about? and (2) Is it possible to put a stop to this, or will I just be chasing IP's?

First, welcome to the forums! Now as to your questions. The security issue, well, that would depend on the script you are using, if it has any security issues. Mainly it is just going to be an annoyance filling up your guestbook (why do you think there are so many "Type the characters in the box below (that you need some good drugs to make look like letters)" things in effect anymore).

As to putting a stop to it, again the filtering would be based on your script and/or your own coding ability to do so. If you can, don't filter by individual IP addresses; do the whole group of them that the one IP address belongs to. This really comes down to how much time you want to spend on it.

The whole thing in general is just something you have to put up with when you offer a free place for people to post whatever they want.

-Greg

chrishirst's picture

He has: 379 posts

Joined: Apr 2005

It's not the database fields, it's the form input names that are the issue. What these bots do is rescrape the page source and retrieve the names.

With a bit of programming you can generate random names for the inputs each time the page is opened, store the names & fields in a cookie/session variable and retrieve these on submission. This makes it absolutely impossible for auto-submitters to recover the names for future use because they will never be the same on two occasions.
For instance, you can use the session id and split that into, say, 8-char chunks for the names; this will be unique for each visit.

definitely don't reply

Chris

Indifference will be the downfall of mankind, but who cares?
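Per-render input names, as chrishirst describes above, written out as an added example (not code from the thread or any guestbook script; the function names and session key are assumptions). It goes one step further than slicing the session id, which stays the same for a whole session: each render draws fresh random names, the mapping lives only in the session, and it is discarded after one use so replayed names are rejected.

```php
<?php
// Added example: rotate form input names on every page load and map them
// back on submission. Database column names never change; only the HTML
// names do. Assumed names: guestbook_field_names(), guestbook_read_fields(),
// session key "gb_field_map".
session_start();

const GUESTBOOK_FIELDS = ['name', 'email', 'url', 'message'];

// On the form page: pick a random name per field, remember the mapping in
// the session, and return it for building the <input> tags.
function guestbook_field_names(): array
{
    $map = [];
    foreach (GUESTBOOK_FIELDS as $field) {
        // Leading letter keeps the name valid; 8 random hex characters
        // (the "8 char chunks" size from the post) differ on every render.
        $map[$field] = 'f' . bin2hex(random_bytes(4));
    }
    $_SESSION['gb_field_map'] = $map;
    return $map;
}

// In the submit script: translate the random names back to the logical
// ones. Returns null when the session has no mapping (direct call or
// expired session) or when the POST does not carry every issued name,
// which is what a bot replaying names scraped earlier will hit.
function guestbook_read_fields(array $post, ?array $map): ?array
{
    if ($map === null) {
        return null;
    }
    $entry = [];
    foreach ($map as $field => $randomName) {
        if (!isset($post[$randomName]) || !is_string($post[$randomName])) {
            return null;
        }
        $entry[$field] = $post[$randomName];
    }
    // One-time use: the same names are not accepted a second time.
    unset($_SESSION['gb_field_map']);
    return $entry;
}

// Form page:
//   $n = guestbook_field_names();
//   echo '<input type="text" name="' . $n['url'] . '">';
// Submit script:
//   $entry = guestbook_read_fields($_POST, $_SESSION['gb_field_map'] ?? null);
//   if ($entry === null) { /* show the polite error page */ exit; }
//   /* save $entry['name'], $entry['url'], ... as before */
```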