Sorry to disappoint you, but the entry you talk about is NOT a spam entry. Before releasing this one to the list of entries, I carefully checked the log. The positive statement (even though also used in spam entries) is, in this particular case, a message entered manually by someone who did in fact visit the site.
Well, I assume it's not quite pointless. I deliberately wrote the script in a way that it spams only one site with ONE message. I'm sure that each of our forum readers has enough programming skills to enhance it (e.g. read website names from an array or database).
The point was to prove that Lazarus boards CAN BE spammed, which you have now admitted.
This simple, stupid script will create spam entries in the lazarus.co.uk guestbook with an arbitrary name.
- It gets the entry form
- then it grabs the special value by parsing the source code and enters it into the bottest field
- then it waits for 30 seconds before it posts it to the forum
This is where the advantage of a picture display over a parsable text display shows up.
Yes, it's true, the first version (2.5) removed a lot of spam, but not all of it; e.g. it limited the number of messages per day to 9 (or a different value set in the preferences). It did, though, already distinguish between faked and real IP addresses (faked ones are no longer admitted).
The big breakthrough occurred with version 2.6, in which I added a 2-level human verification (by user and/or admin). From that time forward, the spam rate dropped to 0%.
Unlike in Lazarus, the human verification value in version 2.6 / 2.7 is not a static per-site value; it is randomly chosen from a range of 255 values at display time. Also, the antibot value is not parsable by spammers, because it's displayed as a graphical image.
In version 2.7, I further added automated delta-checks for the database-structure. Any missing fields and/or tables will be added automatically, whereas existing columns and tables are NOT removed.
New in version 2.7.3:
- Language-safe: If a new value was not translated into the Advanced Guestbook target language, the English value will be displayed, along with the keyname between brackets. This helps the administrator to identify missing entries in their language file
- Graphic files for antibot values no longer contain surrounding text ("Please enter value..."). This text may now be configured via the language file
Get the latest version at http://www.freerelationshipadvice.com/downloads/guestbook27.zip
Hi,
In file install.php, replace the 2nd line so that it reads as follows:
include_once "./admin/ctl.inc.php";
Then it should work. Please give feedback.
Yes, that's a good point, Carbonize. The images are not yet language sensitive. This will be included in an upcoming revision.
As the validation value is a mandatory field, spam posted by bots will be rejected. As an additional security feature, a validation mode is in place (as mentioned before), so that new posts will not show up unless they're authorized. Since the introduction of the user validation field, my spam rate dropped by 100%!!
Your comment regarding the non-banning of spammers using the HTTP_X_FORWARDED_FOR header is not quite correct. In my version, users are banned based on their real IP address ($_SERVER['REMOTE_ADDR']), while the HTTP_X_FORWARDED_FOR address is kept in a separate variable. If acceptance of faked IP addresses is disabled (default), a request whose HTTP_X_FORWARDED_FOR address differs from the real IP address will be rejected.
Yes, Carbonize, I am aware of that. I invite you to have a closer look at the whole package. Security features include:
- Distinguishing between real and fake IP
- enforced delay for posting
- protection against faking of significant form data (such as the form load timestamp)
- 2-level human verification: the user must enter a value shown in an image randomly chosen at display time. Plus an optional approval mode (the Guestbook Administrator must approve new incoming messages). All these options (and many more) can be turned off and on at any time through the Administration panel
Additional convenience features for the Administrator:
- necessary database upgrades are automatically discovered upon upload of a new version (no matter which version you are currently on)
- /admin/config.inc.php no longer needs to be saved away and restored
Full list of features: http://www.freerelationshipadvice.com/guestbook/whatsnew.txt
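The checks listed in this post, together with the REMOTE_ADDR vs HTTP_X_FORWARDED_FOR rule described in the reply above, modelled in Python as an added example. This is not code from this thread or from Advanced Guestbook; the function names, the session dict standing in for the antibot image value (1..255), the 30-second delay value, and the HMAC signing of the form load timestamp are this example's own assumptions (the thread only says the timestamp is protected against faking, not how).

```python
import hmac
import hashlib
import secrets
import time

# Hypothetical per-installation secret (assumption: how the real guestbook
# keys its form data is not shown in the thread).
SECRET = secrets.token_bytes(32)
POST_DELAY = 30        # enforced seconds between form load and post (assumed value)
ANTIBOT_RANGE = 255    # "randomly chosen from a range of 255 values" (from the thread)


def real_ip(remote_addr, forwarded_for=None, accept_faked=False):
    """Return the IP to key bans on, or None if the request is rejected.

    Bans use REMOTE_ADDR (the TCP peer), never X-Forwarded-For, which the
    client sets at will. With accept_faked disabled, a forwarded header that
    disagrees with REMOTE_ADDR rejects the request outright.
    """
    if forwarded_for and forwarded_for.strip() != remote_addr and not accept_faked:
        return None
    return remote_addr


def sign(*parts):
    """HMAC over the hidden form fields so the client cannot alter them."""
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def render_form(session, now=None):
    """Server side of displaying the entry form.

    Chooses the antibot value fresh for this display and keeps it only
    server-side (the real guestbook shows it as an image, not as text);
    emits the load timestamp plus an HMAC so it cannot be backdated.
    """
    now = int(time.time()) if now is None else now
    session["antibot"] = secrets.randbelow(ANTIBOT_RANGE) + 1
    return {"loaded": str(now), "sig": sign("loaded", now)}


def validate_post(session, form, remote_addr, forwarded_for=None, *,
                  banned=(), accept_faked=False, approval_mode=True, now=None):
    """Apply the checks in the order a request hits them; return a verdict."""
    now = int(time.time()) if now is None else now
    ip = real_ip(remote_addr, forwarded_for, accept_faked)
    if ip is None:
        return "rejected: forwarded-for does not match REMOTE_ADDR"
    if ip in banned:
        return "rejected: banned IP"
    loaded, sig = form.get("loaded", ""), form.get("sig", "")
    if not loaded.isdigit() or not hmac.compare_digest(sig, sign("loaded", int(loaded))):
        return "rejected: tampered form data"
    if now - int(loaded) < POST_DELAY:
        return "rejected: posted too fast"
    # Single use: the value is consumed, so another post needs a fresh form load.
    expected = session.pop("antibot", None)
    if expected is None or form.get("antibot", "") != str(expected):
        return "rejected: wrong human-verification value"
    return "pending admin approval" if approval_mode else "published"


if __name__ == "__main__":
    # Constructed walk-through: load the form, then post after the delay.
    sess = {}
    t0 = int(time.time())
    fields = render_form(sess, now=t0)
    post = dict(fields, antibot=str(sess["antibot"]))
    print(validate_post(dict(sess), post, "203.0.113.5", now=t0 + 10))
    print(validate_post(dict(sess), post, "203.0.113.5", "10.0.0.1", now=t0 + 60))
    print(validate_post(dict(sess), post, "203.0.113.5", now=t0 + 60))
```

The order matters: the forwarded-for and ban checks run before any form parsing, so a banned peer cannot even reach the timestamp logic by setting a bogus HTTP_X_FORWARDED_FOR, and the antibot value is consumed on use so one observed form cannot be replayed.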
There's a bug in Advanced Guestbook that allows spammers or hackers to use faked IP addresses (including 127.0.0.1, localhost). I've released a new version of the Guestbook that solves this and many more security issues. It can be downloaded from http://www.freerelationshipadvice.com/downloads/guestbook27.zip