Increased Spam upcome these days

deepriver
2005-10-10
2013-04-16
  • deepriver

    deepriver - 2005-10-10

    Hello everyone,

    A few days ago, olaha (https://sourceforge.net/users/olaha/) posted for help (https://sourceforge.net/forum/forum.php?thread_id=1363092&forum_id=296475) because he faced spam problems. Yesterday, I also got spam postings in my guestbook. ATM the volume is low, but this may change.

    Apparently, someone has written a script for this guestbook to make automated submissions. And it's also clear that he will read this and countermeasure any preparations we take to the script engine.

    So what is your opinion: should we implement captcha support? It shouldn't be that difficult since there are several free captcha engines available. I would do it, but ATM I can't find the time to.

    (for everyone who doesn't know what a captcha is: http://en.wikipedia.org/wiki/Captcha)

    write your opinion!

    -Wanja

     
    • Sébastien Jauquet

      Hi, very interested if someone could add a spam protection to the flatbook phpscript because I'm hardly spammed since one month.
      Implementing captcha seems to be a good idea, is it possible?
      Thanks,
      Sebastien

       
      • deepriver

        deepriver - 2006-01-23

        There are CAPTCHA services like http://captchas.net/. This is a server which generates a captcha and its answer which can be used in a PHP script.

        There is also a PHP sample implementation for use with this server.

        There's only one caveat: the service is based on a secret key and a random string. The string is passed to the client and the client passes it on to the captcha server from which, in return, it gets the Captcha image.
        BUT: to protect the answer from being calculated by the (evil) user the secret key is used.
        My suggestion: the script has to download the captcha and provide it to the User on its own server, so the string is not passed to the user.
        Another proposal: find another captcha service.

        - Wanja
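
The keyed derivation described in the post above, as an added example that is not part of the original thread and is not captchas.net's actual algorithm. It assumes PHP 7 or later and HMAC-SHA256 as the keyed function; the constant and function names are hypothetical.

```php
<?php
// Added illustration; all names are hypothetical. Requires PHP 7 or later.
// CAPTCHA_SECRET is a constructed placeholder: generate a real key once per
// installation and never send it to the browser.
const CAPTCHA_SECRET = 'replace-with-a-long-random-per-install-key';
const CAPTCHA_ALPHABET = 'abcdefghjkmnpqrstuvwxyz'; // no i, l, o

// Answer = keyed function of the public random string. Without the key,
// knowing $random does not help to compute the answer.
function captcha_answer(string $random, string $secret): string
{
    $mac = hash_hmac('sha256', $random, $secret, true); // 32 raw bytes
    $answer = '';
    for ($i = 0; $i < 6; $i++) {
        $answer .= CAPTCHA_ALPHABET[ord($mac[$i]) % strlen(CAPTCHA_ALPHABET)];
    }
    return $answer;
}

// Form side: only this random string is placed in the page.
function captcha_issue(): string
{
    return bin2hex(random_bytes(16));
}

// Submit side: recompute the answer from the returned string and compare
// in constant time.
function captcha_check(string $random, string $typed, string $secret): bool
{
    if (!preg_match('/^[0-9a-f]{32}$/', $random)) {
        return false; // not in the format captcha_issue() produces
    }
    $typed = strtolower(trim($typed));
    return hash_equals(captcha_answer($random, $secret), $typed);
}

$random = captcha_issue();
$solved = captcha_answer($random, CAPTCHA_SECRET); // what the image would show
var_dump(captcha_check($random, $solved, CAPTCHA_SECRET));
var_dump(captcha_check($random, 'wrong1', CAPTCHA_SECRET));
var_dump($solved === captcha_answer($random, 'some-other-key'));
```

Because nothing is stored on the server here, a random string that was solved once stays valid; record used strings or add an expiry before relying on a scheme like this.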

         
    • Diavoletto_Taz

      Diavoletto_Taz - 2006-03-14

      Hi.
      I'm an Italian Guy.
      The spam is the unique and biggest problem of this wonderful guestbook.
      We can make 30-40 images that represent code crypted but readable from a human, associate to that image a code (the same that we can read) leave this image to appear during a post.
      A control that make a MD5 of the name of image and look if it is the same 7-8 characters of the name of image.
      Is a simple mode to fuck the spam systems.
      Very simply.
      We can try it.

      Thank you.
      Diavoletto_Taz
      taz(at)sitoserio(dot)it

       
    • deepriver

      deepriver - 2006-03-15

      >We can make 30-40 images that represent code
      >scripted but readable from a human, associate to
      >that image a code (the same that we can read)
      >leave this image to appear during a post.

      Yes, we could. The problem is, every webmaster needs to create his own pictures: If we generate a few static images and *distribute* them, a spammer will adapt his script to identify which picture it is and which answer is the right one. For example, he could check the filename in the <img> tag or examine the picture directly.

      -Wanja

       
    • Diavoletto_Taz

      Diavoletto_Taz - 2006-03-16

      Dear Wanja,
      we can make a simple thing.
      47 images from 1.gif to 47.gif (this is an example).
      When the webmaster goes to install the program, a script can rename every imagefile with a name that depends from time (in nanoseconds) of installation time.
      After the program that show the image and verify it, can make many operation type (max 4 for limit the use of server). In this way I think the spam program can't operate.
      I think it will be a good solution for a beta release.
      After we can wait some months to verify the goodness of this solution.
      After we can think another solution.
      Thank you my friend.
      My email address is:
      taz(at)sitoserio(dot)it

      If I can help you directly via email, I'll be happy.

      Nice things.
      Diavoletto_Taz

       
      • deepriver

        deepriver - 2006-03-16

        Dear Taz,

        I didn't fully understand your approach, but it seems your idea may work.

        Currently, I wonder whether it wouldn't be easier to implement real captcha support - I read some PHP documentation lately, and it seems to be easier than I thought it would be.
        I'll think about it

        BTW: to make your guestbook temporarily invulnerable, you could replace all occurrences of

        $_POST["Message"]

        with

        $_POST["Mes_xxx_sage"]

        and all occurrences of

        name=\"Message\"

        with

        name=\"Mes_xxx_sage\"

        Where xxx is a string you should change. This renames the name of the input field so the spammer script has to be adapted.

        -Wanja

         
    • deepriver

      deepriver - 2006-03-16

      oh, sorry, I forgot:
      you can contact me at
      webmaster (AT) zanshin (MINUS) karate (MINUS) do (MINUS) ettlingen DOT de

      -Wanja

       
      • Sébastien Jauquet

        Hi guys,
        I'm really waiting for a solution...
        Thanks a lot for your research.
        Seb

         
    • Diavoletto_Taz

      Diavoletto_Taz - 2006-03-17

      Dear Wanja, looking around I saw that there are some PHP libraries that transform an alphanumeric code in IMAGE.
      We can generate the word random mode and make an "IF then else".

      That's all.
      Now we must find this graphic libraries.

      See you.
      Taz

       
      • deepriver

        deepriver - 2006-03-17

        The library is named GD, and it seems to be easy.

        The only thing I am puzzled about is how to save the answer string until the next call of the script. There is a mechanism called PHP sessions, but I don't know how to use it yet.
        It may take a few weeks, I need to fix another bug first, but I know how to do it.

        -Wanja
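
One way to keep the answer between the request that draws the image and the request that submits the form, as discussed in the post above. This is an added example, not phpBook or b2evo Captcha code; it assumes PHP 7 or later with the GD extension, and the function names, session key and form field name are hypothetical.

```php
<?php
// Added illustration; names are hypothetical. Assumes PHP 7+ with GD.
session_start();

// Pick a fresh answer and keep it in the session (server side only).
function captcha_new(): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789';
    $answer = '';
    for ($i = 0; $i < 5; $i++) {
        $answer .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha_answer'] = $answer;
    return $answer;
}

// Draw the answer with GD and return PNG bytes; the text never appears in HTML.
function captcha_png(string $answer): string
{
    $img = imagecreatetruecolor(120, 40);
    imagefilledrectangle($img, 0, 0, 119, 39, imagecolorallocate($img, 255, 255, 255));
    $ink = imagecolorallocate($img, 40, 40, 40);
    for ($i = 0; $i < 6; $i++) { // a few noise lines
        imageline($img, random_int(0, 119), random_int(0, 39), random_int(0, 119), random_int(0, 39), $ink);
    }
    imagestring($img, 5, 35, 12, $answer, $ink);
    ob_start();
    imagepng($img);
    return ob_get_clean();
}

// Compare the typed text with the stored answer. The answer is removed
// first, so one image allows exactly one attempt.
function captcha_verify($typed): bool
{
    $expected = $_SESSION['captcha_answer'] ?? null;
    unset($_SESSION['captcha_answer']);
    return is_string($expected) && is_string($typed) && hash_equals($expected, strtolower(trim($typed)));
}

if (isset($_GET['captcha'])) {                       // image request
    header('Content-Type: image/png');
    header('Cache-Control: no-store');
    echo captcha_png(captcha_new());
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {   // form submission
    echo captcha_verify($_POST['captcha'] ?? null) ? 'Entry accepted' : 'Wrong code';
} else {                                             // show the form
    echo '<form method="post"><img src="?captcha=1" alt="code"> <input name="captcha"> <button>Send</button></form>';
}
```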

         
    • Markus Hammori

      Markus Hammori - 2006-03-19

      Hey there,

      I also noticed the increase in spam entries these days. Interestingly along the way I also noticed, that the number count and the splitting up in several pages are currently broken. At the moment all posts are included in the count. Therefore if you receive a hundred spam posts :-(( there are 10 empty pages before you see the real entries.

      I posted a patch that will at least correct the counter for the number of posts. However I haven't yet had time to fix the page splitup.

      On the subject of CAPTCHA, I would very strongly suggest to use an existing implementation. This would really be a significant improvement of the guestbook.

      Let me know if I can help.

      Greetings,

      Markus

       
      • deepriver

        deepriver - 2006-03-19

        Hi Markus,

        Yes, I also noticed the empty page problem - could you mail me the fix? I didn't find it on the forum.

        CAPTCHA:
        Do you know an existing implementation? It seems easy for me to make my own. The greater difficulty seems to be the integration.

        >Let me know if I can help.
        If you want to help, you could tackle the empty page problem. It should be a different part of the script than captcha support, so there shouldn't be conflicts when merging.

        -Wanja

         
        • Markus Hammori

          Markus Hammori - 2006-03-20

          Hi Wanja,

          the patch for the number count is already posted in the patch section. I'll try to look into the empty pages problem after my vacation, which would be in april.

          Concerning CAPTCHA: the problem about doing it on your own is, that you have to take up the spammers on your own. If your implementation is too weak they'll work around it.

          Anyway, at the moment I would be happy for any implementation :-). Currently there are up to ten messages a day in my guestbook.

          Greetings,

          Markus

           
    • Diavoletto_Taz

      Diavoletto_Taz - 2006-04-04

      Dear Wanja,
      I implemented antispam filter.
      I send you an email.

      Look it and tell me around.
      Cheers

      Diavoletto_Taz

       
    • Diavoletto_Taz

      Diavoletto_Taz - 2006-04-13

      You can find an example of the antispam filter on this link:
      http://www.aprivativo.org/librosacro/

      Tell me about.
      If you want I can send the .tar.gz to someone.

      See you.
      Diavoletto_Taz

       
    • zeras

      zeras - 2006-05-07

      Hello,

      I sent some emails to diavoletto_taz to get new version of guestbook, but nobody was answering. Can somebody send me new version with antispam filter?

      Thanks

      zeras

       
    • Andy Levin

      Andy Levin - 2006-05-08

      Hi Wanja,
      Hello everybody

      I think Captcha really is the best idea (although there will never be a 100% solution).

      I tried to integrate the code from "b2evo Captcha" (also a sourceforge project). So far I managed to get the Captcha Image displayed on the Input form, but checking the correct entry gives me a headache. I always end up in some error messages and as a "PHP-newbie" it's not easy at all to find out why.

      If you look at the included "b2evo_captcha.example.php" in this project, it is only a few lines to be added to the PHPbook.
      I am not sure if you can use this code, but at least it gives an idea of "howgozit".

      Rgds.
      Andy

       
      • Andy Levin

        Andy Levin - 2006-06-03

        Hi admins,
        Hello everybody.

        Now I have a guestbook version with the B2evo_Captcha included. Because this is a separate PHP, it might as well be possible to extend it to read out the image, without further changes to the guestbook itself. The Captcha can be switched on or off in the guestbook.ini file. As a next step, I might add the Captcha configuration options to the guestbook.ini (If I find the time).

        In addition I made the following changes to the guestbook:

        - changed the german timeformat to "dd.mm.yyy, hh:mm" and added the timeformat "germansec" which displays the seconds at the end ("dd.mm.yyyy, hh:mm:ss").

        - included the numbercount patch (thanks marksman), however the empty line problem is still open.

        - added an empty line after each guestbook entry. (I guess this might as well be possible by changing the CSS, but I did the changes on a flight between Singapore and Melbourne and I simply forgot to copy the CSS to my notebook, before I left home.)

        - added the option to send the complete new entry in a mail notification. This includes the change of the mailformat to content-type text/html.

        - the entry in "gbName" will now be sent in the subject line of the mail notification.

        - in moderated mode there will be an additional message, to tell the user that the post needs to be approved.

        - in order to read the message a refresh time addon may be set for the moderated mode.

        - english and german language files and the guestbook.ini file modified for the changes in the guestbook.

        Unfortunately I do not have my own webspace at this time, but if someone is interested in this version you can send me a mail and I will send you the whole package (ZIP). Maybe somebody could even put it on his webspace for a demo until I have the time to produce my own website.

        Just one little catch (took me a while to find out): The captcha needs at least PHP 4 (maybe even 4.2 or greater, I had no chance to try this) and GD 2.0. Some providers have a default setting for PHP 3. So if it is not working check the setting of your webspace. In my case it is working with PHP 4.4.1

        Maybe I could even upload it to the patches section, but I don't want to do this without "thumbs-up" of the admins, because it's actually two different projects combined in one.

        Best regards
        Andy

         
        • Andy Levin

          Andy Levin - 2006-06-22

          Hi everybody.

          Just had some time left this afternoon. As I have my own webspace now, you can see a demoversion of my guestbook with Captcha (and some "finetuning") on www.andylevin.de/test/guestbook.php or download it at www.andylevin.de/test/guestbook.zip

          In the demoversion on my site I disabled the mailfunction. Instead it opens a new window, showing what the mailmessage will look like. You need to allow popups to see this window. (Of course the download versions sends the mail). If you want to use it, you also need to use the new language and ini files, because I modified these too.

          I also left the original login, so you can try out the settings, but please reset it after your trials so you give others a chance to try it too.

          rgds.
          Andy

           
          • Sébastien Jauquet

            Hi Andy,

            I've tested your script on my website... it rocks !

            Na I will not give it here ... dono want a other spamming source lol :o)

            Thanks a lot man !

            Now we have the best Guestbook around the world ;o)
            Seb

             
          • slyv1977

            slyv1977 - 2006-07-06

            Hmmm, I have problems with your script, Andy.

            I downloaded the zip file.

            First, in b2evo_captcha.config.php, line 63 -> syntax error, it should be "maxlifetime'=>$maxlifetime" ($ is missing).

            Then I get systematically the error : "Notice: Undefined variable: public in e:\flash tpl\slyv v6\gbook3\b2evo_captcha.class.php on line 394"

            (but the captcha displays correctly)

            Sometimes, when I hit refresh a couple of times, I get this additional error: "Notice: Uninitialized string offset: 63 in e:\flash tpl\slyv v6\gbook3\b2evo_captcha.class.php on line 633" (but this is not very frequent)

            Could you please help, as I am a real php n00b?

            Thanks!
            S.

             
            • Andy Levin

              Andy Levin - 2006-07-07

              Hi slyv1977.

              Very strange, because it is running on a few different places, so far without any major problems. As I mentioned before, the b2evo_captcha is not my work. I just combined it with the guestbook and did some "finetuning" to the guestbook. I know the captcha has some minor problems (one is just being fixed), but this really is a bigger one.

              The b2evo_captcha is another sourceforge project and I think it's a good idea to put your bugreport to the bugs section of this project.

              I will have a look at it myself, but I have two problems. First of all I am a PHP newbie myself and second I am very busy in my regular Job in the summertime. I am afraid it will take until Mid August.

              Could you send me some more details in the meantime? I could not reproduce it. So far I know it is very sensitive about the correct PHP Version. In my case it's running on PHP 4.4.1

              Sorry I have to keep you waiting, but if I find some extra time in the summerweeks I promise I have a look at it and let you know.

              rgds.
              Andy

               
              • slyv1977

                slyv1977 - 2006-07-07

                Ok, thanks Andy for the answer.
                I suspected a version conflict problem.
                I tried it on my server which runs on php v5.1.4-0.1 and it's simply allright!

                I'll post the version of my local php server where I had the problem before.

                again, thanks for your answer!

                S.

                 
    • Diavoletto_Taz

      Diavoletto_Taz - 2006-05-16

      I'm sorry.
      I have not received any email in these days.
      My email address is:

      taz(at)sitoserio.it

      Write me now. I sent you the code.
      See you.

      Diavoletto_Taz

      N.B. There is no spam on my guestbook since 2 months. Very good.

       