Tuesday 12 September 2006 1:20:52 pm - 8 replies
Hello,
I am trying to avoid "tip a friend" abuse.
Some spammers use this feature to send messages with their own spam comments.
I installed the antispam captcha extension, but where is the tip a friend template?
Thanks.
Andre Felipe
Tuesday 12 September 2006 7:58:10 pm
Many thanks for your hint.
Now I am still having the same problems enabling Antispam captcha as described in the comments at
http://ez.no/community/contribs/datatypes/antispam
Anyone got this extension working?
I have to disable the tip a friend feature of my site, because a spammer is trying to exploit it. I would like to re-enable it with captcha (or another anti-spam measure).
Regards.
Andre Felipe
Modified on Tuesday 12 September 2006 8:21:13 pm by Andre Felipe Machado
Thursday 14 September 2006 10:32:33 pm
Hello,
The spammer managed to access the tip a friend kernel module directly and exploit it.
I had to remove the file.
The exploit ceased, as far as the logs show.
Before that, he/she tried many forms on the site, even the registration form.
I guess the tip a friend kernel module should be improved to avoid this kind of abuse.
Many thanks for the hints.
Regards.
Andre Felipe
Friday 15 September 2006 1:57:28 pm
Hello,
please, see
http://ez.no/bugs/view/9016
I will back up the site logs for forensics.
I already have some of the bounced messages on my home PC.
Regards.
Andre Felipe
Friday 15 September 2006 2:18:27 pm
Hi,
I had the same problem, reported in http://ez.no/community/bugs/spammer_is_abusing_the_tipafriend_function
There is a tip on how you can disable the tip a friend function in site.ini.append.
Best wishes,
Georg.
Friday 22 September 2006 10:31:05 am
Hi there
Here are some of my ideas about what might be useful to deter spammers like this. Unfortunately I am not too good at preventing exploits like this, so I would like to have some input on whether implementing this would help at all or not.
- Log all IP addresses of people trying to send a form for the last 5 minutes or so. If someone sends more than 2 or 3 messages in this period, display a nice apologetic error message.
- Add a JavaScript to the form which contains a unique variable that is set by eZ and maybe stored in the session. The JavaScript executes onblur for one of the required input boxes and writes the value of this variable into a hidden form field, which is then posted together with the other stuff. eZ checks whether this variable was posted and is the same as in the session, and deletes the corresponding session variable every time.
Problem: the form will not work without JavaScript (which I think is OK for tipafriend but might be a problem for other, more important forms).
- Add a captcha. This will cause problems with accessibility for vision impaired people.
- A bit more restrictive: Limit tipafriend to registered users only.
Greetings from Luxembourg
Claudia
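The first two ideas in Claudia's list (a per-IP sliding window of recent submissions, and a single-use token that the form carries in a hidden field and the server compares against the session) can be sketched server-side without depending on how the hidden field gets filled. The following is an added example written for this thread, not code from eZ publish or from any poster; the class name FormGuard, the 5-minute/3-message limits, the session identifiers and the IP address are all assumptions chosen for illustration. It generalises the token idea slightly: the token is bound to the session that rendered the form, is consumed on first use, and is compared in constant time.

```python
"""Added example (not eZ publish code): per-IP sliding-window rate limit plus a
single-use, session-bound form token, as proposed in the thread above.
All names and numbers here are illustrative assumptions."""
import secrets
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # "the last 5 minutes or so" (assumed value)
MAX_PER_WINDOW = 3     # "more than 2 or 3 messages" (assumed value)


class FormGuard:
    """Tracks recent submissions per IP and outstanding tokens per session."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW,
                 clock=time.monotonic):
        self.window = window
        self.limit = limit
        self.clock = clock            # injectable so the behaviour can be tested
        self._hits = defaultdict(deque)   # ip -> timestamps of accepted sends
        self._tokens = {}                 # session_id -> token not yet used

    def issue_token(self, session_id):
        """Called when the form is rendered. The returned value is what the
        page (directly, or via the onblur JavaScript from the post) puts into
        the hidden field. Re-rendering the form replaces any older token."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def _recent_hits(self, ip, now):
        """Drop timestamps older than the window and return what is left."""
        q = self._hits[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def check_submission(self, ip, session_id, posted_token):
        """Return (accepted, reason). The token is consumed whether or not the
        rate check passes, so a replayed POST is always rejected."""
        now = self.clock()

        expected = self._tokens.get(session_id)
        if expected is None or posted_token is None \
                or not secrets.compare_digest(expected, posted_token):
            return (False, "missing, replayed or foreign token")
        del self._tokens[session_id]      # single use

        q = self._recent_hits(ip, now)
        if len(q) >= self.limit:
            return (False, "rate limit exceeded")
        q.append(now)
        return (True, "accepted")


if __name__ == "__main__":
    guard = FormGuard()
    tok = guard.issue_token("sess-demo")
    print(guard.check_submission("198.51.100.7", "sess-demo", tok))
    # a second POST of the same hidden field value is rejected
    print(guard.check_submission("198.51.100.7", "sess-demo", tok))
```

Two caveats a practitioner would add to Claudia's list: the token only forces a bot to fetch the form with the same session cookie before posting, which stops the direct hits on the kernel module described earlier in the thread but not a bot that loads the page first; and an IP-keyed limit is only as good as the IP you key on, so a site behind a reverse proxy must use the real client address, and a spammer with several addresses simply spreads the load. Both measures raise the cost of abuse rather than eliminating it, which is why the captcha and registered-users-only options remain worth considering alongside them.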