  1.
    • DavePEI on Thu 25 Jun 2009
    • 07:51:01 PM UTC

    Website Security

    Does anyone have any new and innovative ways to prevent illegal robot incursion to a web site?

    Also possible other items for discussion.

    1) What is the best way to hide emails from harvesting (unicode, graphics, etc), and has anyone found a program which can do this on the fly as users enter them into a form?

    2) Does anyone know of a secure guestbook software which will use both?

Comments:

  1.
    • MysteryFCM on Thu 25 Jun 2009
    • 08:25:38 PM UTC

    ...

    #1 Embed the address in a graphic (and use "noise" (such as those used by captcha) to prevent spambots scraping it via OCR)

    #2 My sGB service has antispam filters in place if it helps? (http://guestbook.it-mate.co.uk)

    Your site seems to be in HTML, otherwise I would've suggested using my SBST to filter the bots;

    http://support.it-mate.co.uk/?mode=Products&p=spam...

    It currently only has provisions for PHP and ASP (HTML isn't a dynamic language, so can't load files or functions or perform filtering dynamically)

    Regards
    Steven Burn
    Ur I.T. Mate Group / hpHosts
    it-mate.co.uk / hosts-file.net

      • DavePEI on Thu 25 Jun 2009
      • 10:26:42 PM UTC

      Hi Steven

      I do have, of course, the usual bot traps (hidden images linked to a notification script) which also adds them to the .htaccess list of banned IPs. However, by the time they are found, they have already broken security, but it does prevent them from getting back in. Of course, also a correct robots.txt file is in place, but sometimes, I think that just shows illegal bots where Not to bother looking, and where is the best place to look.

      But to do what I want to do, I think I will need a PHP program which will generate images as a user makes entries to the Queries page, one of the most popular parts of my site. Meanwhile, I am modifying my script to present emails as soandso (AT) whatever.com - it isn't an elegant solution, but will help somewhat.

      Just an attempt to close all doors where a robot might get into the page.

      Sadly, there appears to be no Guestbook script with both CAPTCHA and emails represented as images.

      I just want to eliminate any way that an email gathering robot could possibly get into that page and read addresses.

      Will keep looking!

      Dave

        • g7w on Fri 26 Jun 2009
        • 01:19:41 AM UTC

        honeypot

        Not exactly what you're looking for, but with a high traffic site...
        http://www.projecthoneypot.org/
        -------
        Against Intuition - gives us safety through Web of Trust.
        WOT Community - gives us security through unity.
        Thank you all
        G7W {G.O.M}
        http://g7w.net/

  2.
    • phantazm on Fri 26 Jun 2009
    • 12:22:30 AM UTC

    Captcha..?

    Too bad that captcha is no longer 100% secure.
    I read about it last year, so it ain't even news. :-(

  3.
    • cconniejean on Fri 26 Jun 2009
    • 12:50:37 AM UTC

    SunBelt

    SunBelt Blogs wrote an article concerning this, made a point to put a "star" on it for future reference.

    http://sunbeltblog.blogspot.com/2009/06/hiding-fro...

      • DavePEI on Fri 26 Jun 2009
      • 01:35:26 AM UTC

      Basically what I am doing is obfuscating the address by using the " (AT) " in the address. What I am hoping to find, though, is software which will develop images on the fly, eliminating the need to go into the page and manually obfuscate the address. I spend actually more time working on the page than I do at my "paying job" at the Post Office, so anything that can make life easier while tightening security is a plus.

      Surely there must be someone who has done a PHP guestbook script with this type of security. I wish I were better doing PHP, but am a beginner at it. I can modify scripts somewhat, but wouldn't trust myself with a project of that size. I would also like to see CAPTCHA confirmation in the script. If CAPTCHA is well designed, it works, especially with warped lettering and noise in the background as someone mentioned. I had a problem with automated robots leaving spam in my books, and eliminated it by using a Captcha image that had to be visually decoded before posting. So, one eliminates the spamming robot, and the other makes it much harder to harvest email addresses using robots.

      As phantazm inferred above, Captcha is no good any more if it is easy to OCR, but can still be an effective deterrent to automated message posting.

      D.

        • g7w on Fri 26 Jun 2009
        • 01:34:01 AM UTC

        re: software which will develop images on the fly

        You're looking for a CGI script (Perl, PHP, etc) that can call either GD Lib or ImageMagick libraries (must be pre-installed on the server) that would generate user input to graphical (PNG or JPG) output, this normally requires a database and a handler, not something you're going to do with HTML.

        convert email to image
        -------
        Against Intuition - gives us safety through Web of Trust.
        WOT Community - gives us security through unity.
        Thank you all
        G7W {G.O.M}
        http://g7w.net/

          • DavePEI on Fri 26 Jun 2009
          • 01:41:34 AM UTC

          Images

          That is why I am thinking PHP might be the way to go, as it is installed on the server... So is, of course, PERL. No problem getting libraries installed on the server - my son is the server administrator, as well as the ISP's Network Administrator. I have also asked him to keep on the lookout for a solution.

          D.

            • g7w on Fri 26 Jun 2009
            • 01:41:10 AM UTC

            security

            Perl is (always has been) much more secure than PHP (long story) but PHP has become the preferred language due to its lower learning curve. Generally if it's an Apache server, Perl is installed.

            -------
            Against Intuition - gives us safety through Web of Trust.
            WOT Community - gives us security through unity.
            Thank you all
            G7W {G.O.M}
            http://g7w.net/

              • DavePEI on Fri 26 Jun 2009
              • 01:55:53 AM UTC

              Perl vs. PHP

              Yes, it is an Apache server, but both Perl and PHP are installed, as I use some PHP functions on the site. My way of thinking using either Perl or PHP, kept in a database, and producing a page on the fly on a template producing HTML on demand, it is more secure than straight HTML against a robot incursion. Am I correct? Time I should fire up the old test server and try some things...

                • g7w on Fri 26 Jun 2009
                • 02:28:15 AM UTC

                PHP example

                http://www.daftlogic.com/projects-text-to-image.ht...

                based on PHP function: imagettftext — Write text to the image using TrueType fonts
                -------
                Against Intuition - gives us safety through Web of Trust.
                WOT Community - gives us security through unity.
                Thank you all
                G7W {G.O.M}
                http://g7w.net/
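
An added example, not part of the thread and not the linked daftlogic script: a PHP/GD handler that serves a stored address as a PNG with background noise, looked up by entry id so the address never appears in the page's HTML. The file name `address.php`, the `id` parameter, the function name and the `$entries` array (constructed data standing in for the database) are assumptions; it draws with GD's built-in bitmap font via `imagestring` rather than `imagettftext`, so no TrueType font file is needed.

```php
<?php
// Added example (requires the GD extension). Hypothetical usage in a page:
//   <img src="address.php?id=17">
// Only the entry id is present in the HTML, never the address itself.

// Render text as a PNG with background noise and return the raw bytes.
function render_address_png(string $address): string
{
    $font = 5;                          // largest built-in GD bitmap font
    $pad  = 8;
    $w = imagefontwidth($font) * strlen($address) + 2 * $pad;
    $h = imagefontheight($font) + 2 * $pad;

    $img = imagecreatetruecolor($w, $h);
    imagefilledrectangle($img, 0, 0, $w - 1, $h - 1, imagecolorallocate($img, 255, 255, 255));

    // Noise: a few light random lines, then scattered dots.
    for ($i = 0; $i < 6; $i++) {
        $c = imagecolorallocate($img, random_int(150, 220), random_int(150, 220), random_int(150, 220));
        imageline($img, random_int(0, $w - 1), random_int(0, $h - 1),
                  random_int(0, $w - 1), random_int(0, $h - 1), $c);
    }
    $dot = imagecolorallocate($img, 120, 120, 120);
    for ($i = 0; $i < intdiv($w * $h, 25); $i++) {
        imagesetpixel($img, random_int(0, $w - 1), random_int(0, $h - 1), $dot);
    }

    imagestring($img, $font, $pad, $pad, $address, imagecolorallocate($img, 30, 30, 30));

    ob_start();                         // imagepng() writes to output; capture it
    imagepng($img);
    return ob_get_clean();
}

// Constructed sample data standing in for the guestbook database.
$entries = [17 => 'someone@example.com'];

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($id) || !isset($entries[$id])) {
    http_response_code(404);            // unknown or malformed id: reveal nothing
    exit;
}

header('Content-Type: image/png');
header('Cache-Control: no-store');
echo render_address_png($entries[$id]);
```

The `<img>` tag's `alt` text must not repeat the address, or the obfuscation is lost.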

                  • DavePEI on Fri 26 Jun 2009
                  • 02:31:03 AM UTC

                  Example

                  Thanks!

                    • DavePEI on Fri 26 Jun 2009
                    • 11:03:45 AM UTC

                    Guestbooks

                    I am now looking into several PHP guestbooks as a replacement for the Queries page using Postgres or MySQL databases to store emails. Both are installed on the server, so I have a few to choose from. They don't have the addresses stored as images, but only offer links to a routine which reads the address from a database and offers a form for replying, still without displaying the address. Most offer IP banning, CAPTCHA, and various other methods of banning robots.

                    Jeff and I are going to play with some this weekend setting them up on my test server. I am hoping one of them will be suitable. As soon as I find one I feel comfortable with, I will post a link to it.

                    Though I have no reason to suspect that a robot harvested addresses, I want to tighten up security to make it even more unlikely one could, and that is why this thread.

                    Will let you all know what I find out, as it will offer a much more secure means of providing one of the most popular features of my page. Hopefully, it will help others to address similar issues.

                    D.

                      • g7w on Sat 27 Jun 2009
                      • 01:34:29 AM UTC

                      proxy2.de

                      http://www.proxy2.de/guestbook/
                      -------
                      Against Intuition - gives us safety through Web of Trust.
                      WOT Community - gives us security through unity.
                      Thank you all
                      G7W {G.O.M}
                      http://g7w.net/

                        • DavePEI on Mon 29 Jun 2009
                        • 03:47:48 PM UTC

                        Advanced Guestbook

                        Unfortunately, after looking at this program, we found several things that made it unsuitable for a queries page.

                        Therefore, I enlisted my son to rewrite the posting routine in our current book to obfuscate addresses when posted automatically. Thanks to all. I am still looking for more secure software, but for now, this should help any problem there might be.

                        All future postings will be automatically obfuscated. Still, the existing robot trap and banning mechanism, robots text and banned IPs in the .htaccess file will remain in place as well as meta tags to deny robots, but this adds an extra level of security it didn't have before.

                        Thanks again!

                        D.

  4.
    • DavePEI on Fri 26 Jun 2009
    • 10:52:13 AM UTC

    Speaking of...

    A little bit of background. When my son, Jeffery was seven, I built him his first machine, an XT. He then began amazing me with the speed he picked up not only operating the machine, but then programming. The next year, I gave him an old 286 or 386.

    By the time he was nine, he had set up the first apache server in our house which he called Radon, as well as home networking. Funny story, when he was nine he wanted the machine in a more impressive case. He asked me to do it, and I agreed to but was busy at the time, and he went ahead without my knowledge. After a while we heard him crying. I killed Radon! He had broken the insulators on the motherboard, and simply set the motherboard on the painted cabinet to try it. He got away with it for a while, but it finally broke through the paint and shorted it out.

    So, I figured it was time for him to learn computer design and repair. From a friend at work, I was able to get a large quantity of components drives, cases, old motherboards, memory, and showed him how to assemble a machine (of course emphasizing insulating the motherboards from the cases :-) Within days he was assembling machines like a pro.

    He never looked back from that point. In school, he was the kid teachers came to when they had computer problems. His senior high school teacher didn't hold him back, and let him go way ahead of the class.

    To make a long story short, after school he started working for a community access site, and then did side work setting up servers for a startup ISP with offices in the same building. Soon, he was hired away from his original employer by that company, and has worked for them ever since. He is the network administrator for the company, and has built the reputation of being one of the best administrators on the Island. He is earning as much as I am after my long career. That ISP is now one of the largest on the Island. Any time his boss can't figure out something (his boss is the money man, Jeff is his technical whiz), Jeff always comes to the rescue - I must say also, any time his Dad can't figure out something, he comes to my rescue. He also administrates the server the Island Register is on.

    He is now 24 years old. Wouldn't be proud of my son, would I? Sorry, it is off-topic, but I had to say it.

    D.

      • Meep on Sun 28 Jun 2009
      • 07:30:55 PM UTC

      Hi Dave, you sound beaming proud of your son and rightly so. I am glad to read of a younger person advance so well early in his career, all the best to him and you.
      Spamming info forum - inboxrevenge.com

        • DavePEI on Mon 29 Jun 2009
        • 04:14:38 AM UTC

        Hi Meep:

        I guess I was. If I did one thing right, it was the way I introduced computers to him. I think if I had forced them on him, he would have rebelled - just the way he is.

        What brought that on was he had just offered in his professional capacity of network controller to test out various guest book programs until we are able to find exactly what we need for the page. The queries page requires email addresses to be linked, but eventually not viewable, or at the very least obfuscated, as people need to reply to the submitters. But, I don't want these to be readable by robots, just the human beings who use the page. To stop guest book spamming, it needs to have good CAPTCHA in place, flood control, not be too "Pretty" and preferably be in PHP with MySql database. Preferably, the email address will only be pulled from the database when requested by the viewer. So, I have a lot of things I am looking for for the "Perfect" secure guestbook and it is going to be quite a chore running test books through their paces to see if they meet my needs.

        For now, I have manually obfuscated or munged the old queries page, which will have to do till I find something really suitable. So, his helping me will really make a difference. He knows how much the security of the page has always concerned me.

        So far, I am finding it is going to be a long, hard search for exactly what I want. I have found a large number of scripts giving many of the features I need, but none with all of them.

        But we will keep looking!

        D.