1

Topic: Important thing to avoid Spam

Hi all,

I have observed that some anti-spam mods don't work when Javascript is not active in the browser.

I have checked this with the mod of moaiamorfo: http://punbb.org/forums/viewtopic.php?id=14069
When you disable Javascript, registration goes through without needing to enter anything in the anti-spam inputs.
I fear it can happen with other mods using Javascript.

To avoid that, just include the following line in header.php (around line 64):

before <title>

<noscript><meta HTTP-EQUIV=Refresh CONTENT="0; URL=/forum/nojs.html"></noscript>

where /forum/nojs.html is the absolute path to a new html page to warn the user about the need to activate Javascript.


Check for yourself,


greetings,

Re: Important thing to avoid Spam

The issue with using a META tag to redirect is that the main targets of anti-spam tools are bots, and bots don't have to -- and probably won't -- obey the META tag.

Requiring Javascript for registration is an accessibility issue anyway, so the best solution is simply to restrict yourself to anti-spam tools that don't use it.

Looking for a certain modification for your forum? Please take a look here before posting.

3 (edited by svo 2007-04-03 18:08)

Re: Important thing to avoid Spam

Yes, although the use of Javascript is not a bad idea at all. In this example with this mod, one just must be careful that the bot doesn't parse the META.

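For example:

<?php session_start(); /* start the session before any output is sent */ ?>
<META HTTP-EQUIV=Refresh CONTENT="1; URL=checkjs.php">
<noscript><meta HTTP-EQUIV=Refresh CONTENT="0; URL=/forum/nojs.html"></noscript>
<?php if (isset($_SESSION['js']) && $_SESSION['js'] == 1) { /* ok */ } else { die("spam"); } ?>

and in checkjs.php:
<?php
  session_start();          // open the session so the flag persists between pages
  $_SESSION['js'] = 1;      // mark this visitor as having passed through checkjs.php
  header("Location: register.php");
  exit;                     // stop after sending the redirect
?>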

This is one simple idea which can be improved much more, of course. It forces the visitor to use Javascript to complete the registration.
If the bot comes from a form design of page register.php (which is very possible), then the execution will die.

I will implement this idea in my forum with the mod of moaiamorfo, which is enough for me.


best regards,

Re: Important thing to avoid Spam

you're better off changing the name of the page that does the registration to something other than what the standard punbb gives you, since bots will be looking for it

you might even require a referrer from your domain but that isn't guaranteed to work and it might affect regular users who use tools to stay anonymous

Re: Important thing to avoid Spam

svo wrote:

It forces the visitor to use javascript to complete the registration.

Which is one reason not to depend upon Javascript.

Also, your above example assumes that a bot will care about the NOSCRIPT tag. It certainly isn't obligated to.

Your code will probably work (for the time being) due to its obscurity, but spambot authors are always adapting their work.

You must remember that the client isn't at all obligated to do what HTML and Javascript instruct it to do. If that client is a spambot, it probably won't.


6

Re: Important thing to avoid Spam

Hi,

Yes, you are right. A good anti-spam system cannot depend only on Javascript.
It is only a way so these mods can work. 

Probably, a better system to validate the use of Javascript should include a session variable passed to the same javascript code.

regards,
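
The session-variable idea from the last post, sketched as an added example (not code from the thread, the mod, or PunBB): the server issues a per-session token that only the page's script copies into the form, and the POST handler refuses any submission without it. The field name js_token, the session key and the single-file layout are assumptions for illustration; PHP 7 or later is assumed.

```php
<?php
// Added example; the field name, session key and one-file layout are hypothetical.
session_start();                          // must run before any output

const TOKEN_KEY = 'js_token';             // hypothetical session key

/** Issue a fresh random token and remember it on the server side. */
function issue_token(): string
{
    $_SESSION[TOKEN_KEY] = bin2hex(random_bytes(16));
    return $_SESSION[TOKEN_KEY];
}

/** True only if the submitted value matches the stored token; the token is consumed. */
function token_is_valid($submitted): bool
{
    $expected = $_SESSION[TOKEN_KEY] ?? '';
    unset($_SESSION[TOKEN_KEY]);          // one-time use: a replayed form fails
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The decision is made here, on the server, whatever the client did or skipped.
    if (!token_is_valid($_POST['js_token'] ?? null)) {
        http_response_code(403);
        exit('Registration refused: anti-spam check failed.');
    }
    exit('Anti-spam check passed; continue with the normal registration.');
}

$token = issue_token();
?>
<form method="post" action="">
  <input type="text" name="username">
  <input type="hidden" name="js_token" id="js_token" value="">
  <input type="submit" value="Register">
</form>
<script>
  // Only a client that actually runs this script fills in the hidden field.
  document.getElementById('js_token').value = <?= json_encode($token) ?>;
</script>
<noscript>Javascript is required to complete the registration.</noscript>
```

Unlike the META redirect, a client that ignores NOSCRIPT or posts straight to the form handler is rejected by the server. A client that reads the token out of the script still passes, so this remains one layer, as the replies above point out.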