
Thread: Filter HTTP_REFERER

  1. #1
    Join Date
    Mar 2010
    Posts
    9

    Filter HTTP_REFERER

    I know that formmail.php contains this comment and this is technically correct:

    PHP Code:
    // Note that HTTP_REFERER is easily spoofed, so there's no point in
    // using it for security. 
    But a lot of spammers don't bother spoofing it, so one can filter out some spam at least, and filtering an HTTP_REFERER from a different domain is better than nothing.

    So I suggest including HTTP_REFERER filtering in the future.

    PB

  2. #2
    Join Date
    Dec 2003
    Posts
    3,980

    Re: Filter HTTP_REFERER

    Hi,

    Yes, I know you're right about some spammers not bothering to spoof the referrer.

    The problem is that referrer checks also break things.

    We've come across some servers that don't pass the referrer through to PHP.

    Also, some people's browsers don't pass it through, and some PCs have "security" software installed to block this information.

    Overall, we think it's much more trouble than it's worth.

    We're more interested in automated ways of preventing spam attacks, such as those already built into FormMail.

    From the feedback we've got, people can get virtually zero spam without using Captcha by using the other anti-spam features in FormMail.

    If someone is getting successfully attacked by a bot while using these features, then we really want to see the details so we can analyze the problem and solve it.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  3. #3
    Join Date
    Mar 2010
    Posts
    9

    Re: Filter HTTP_REFERER

    Yes, I agree. Since swapping over from nms Formmail to your Aussie product a fortnight ago, I have reduced heaps of URL spam.

    But on a daily basis I have people calling the formmail.php script directly, therefore bypassing any configuration (like required fields etc.). The thing they have in common is a long, foreign referrer with a few hundred characters of URL parameters (like 2FelZjiKwBU%2Bq1%2FYd9XDNwrkiPeb%2Bw6kbHVHWFGNGuuYu9UcBFbUOGwNiZaajBpCslpvszBPjp2YWRByLTMOB4fHfTKcQMjnWRZjFLLY%2Bw0%2BQ6OLIDuhdcM%2Frw5kLpeA0Ld4xsE%2F031e%2FtYpMCk2b0zAznWGB3o8%2FSESozMbBK2sA2FxCA1HIKYju33qolgRPzOcZogI6KcRF).

    PB

  4. #4
    Join Date
    Dec 2003
    Posts
    3,980

    Re: Filter HTTP_REFERER

    Hi,

    Does this come through in the email as junk words?

    If so, check out this feature:
    http://www.tectite.com/fmdoc/attack_detection_junk.php
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  5. #5
    Join Date
    Mar 2010
    Posts
    9

    Re: Filter HTTP_REFERER

    Unfortunately the junk is not in the normal fields, only in the referrer field.

    I have two cases:

    a) Two fields submitted: email and realname both empty, a long "junky" URL in the referrer. I think the only way to achieve this is calling formmail.php directly rather than through a form. No idea how they manage to have the email field empty. No idea what purpose it has to send junk in the referrer field.

    b) A dummy email and one field filled in and a long URL with junk parameters in the referrer.

    Since the junk is in the referrer rather than in a field, the junk filter you are referring to won't work for this case.

    PB

    PS: The first case a) concerns me most.

  6. #6
    Join Date
    Dec 2003
    Posts
    3,980

    Re: Filter HTTP_REFERER

    Hi,

    My suggestions....

    Use an INI file to make "email" a required field.

    You could also derive a field from the referrer information and then configure junk detection and FormMail may reject the spam based on that (derived) field.

    Here are the relevant HOW TO guides and documentation:
    http://www.tectite.com/fmhowto/inifile.php
    http://www.tectite.com/fmhowto/derived.php
    http://www.tectite.com/fmdoc/attack_detection_junk.php
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  7. #7
    Join Date
    Mar 2010
    Posts
    9

    Re: Filter HTTP_REFERER

    Thank you for your suggestions.

    Quote Originally Posted by russellr
    Use an INI file to make "email" a required field.
    Good idea, will be done ASAP.

    You could also derive a field from the referrer information and then configure junk detection and FormMail may reject the spam based on that (derived) field.
    Won't work, as derived fields cannot be configured in INI files and they post directly to formmail.php.

    PB

  8. #8
    Join Date
    Mar 2010
    Posts
    9

    Re: Filter HTTP_REFERER

    Russell,

    I did run into a snag with having the required parameter in the ini file: The ini file required parameter overrides the form hidden field parameters.

    For most forms I have different required parameters.

    So the ini file parameter should be a default but one should be able to add to those using hidden fields.

    PB

  9. #9
    Join Date
    Dec 2003
    Posts
    3,980

    Re: Filter HTTP_REFERER

    Hi,

    Won't work, as derived fields cannot be configured in INI files and they post directly to formmail.php.
    Ooops...that's right.

    I did run into a snag with having the required parameter in the ini file: The ini file required parameter overrides the form hidden field parameters.

    For most forms I have different required parameters.

    So the ini file parameter should be a default but one should be able to add to those using hidden fields.
    Yes, that's a snag too.

    We'll be doing something better with INI files soon.

    Anyway, your FormMail is being hit with a GET request. You can adjust your .htaccess (assuming you're using Apache) to disallow any GET requests to your FormMail script.

    Your forms are using POST (probably), so that will stop this particular attack straight away.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/
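The GET-blocking advice in the post above, together with the referrer points raised in posts #1 and #2, as an added example that is not Tectite FormMail's own code: a PHP guard that refuses anything but POST (the same effect as the .htaccess method restriction suggested, done in PHP here so the referrer handling can sit beside it) and then applies a referrer check that tolerates a missing referrer but rejects one that names a foreign host or is implausibly long. The function name formmail_guard, the 2048-byte limit and the sample requests are assumptions constructed for this example; it assumes PHP 7.1 or later, that every form submits with method="post", and that $_SERVER['HTTP_HOST'] is the site's own host.

```php
<?php
// Added example, not Tectite FormMail code. A request guard to include at the
// very top of formmail.php (or in a wrapper that then includes it). Assumes
// PHP 7.1+, that every form submits with method="post", and that
// $_SERVER['HTTP_HOST'] names the site's own host.

/**
 * Decide whether a request may reach the form handler.
 * Returns null to allow it, or a short reason string to reject it.
 *
 * @param array    $server        $_SERVER, or a constructed copy for testing
 * @param string[] $allowedHosts  host names the forms live on; empty means
 *                                "whatever host this request arrived on"
 */
function formmail_guard(array $server, array $allowedHosts = []): ?string
{
    // 1. Direct hits on the script arrive as GET; real submissions are POST.
    //    Anything else (GET, HEAD, OPTIONS) never reaches the mailer.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'method-not-post';
    }

    // 2. Referrer check. HTTP_REFERER is trivially forged, so treat this as a
    //    spam filter, not an access control. Servers, browsers and "security"
    //    products sometimes strip it, so an absent referrer is allowed; only a
    //    present referrer pointing at a foreign host is rejected.
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return null;
    }

    // Cap the referrer size first: the junk referrers reported in the thread
    // carry hundreds of bytes of parameters. 2048 is an assumed limit.
    if (strlen($referer) > 2048) {
        return 'referrer-too-long';
    }

    $refHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost) || $refHost === '') {
        return 'referrer-unparseable';
    }

    if ($allowedHosts === []) {
        // Strip any :port so "www.example.com:8080" matches "www.example.com".
        $allowedHosts = [preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? '')];
    }
    $allowedHosts = array_map('strtolower', $allowedHosts);
    if (!in_array(strtolower($refHost), $allowedHosts, true)) {
        return 'referrer-foreign-host';
    }

    return null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests for running this file from the command line.
    $samples = [
        'form post, own host'    => ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'www.example.com',
                                     'HTTP_REFERER' => 'http://www.example.com/contact.html'],
        'form post, no referrer' => ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'www.example.com'],
        'direct GET hit'         => ['REQUEST_METHOD' => 'GET',  'HTTP_HOST' => 'www.example.com',
                                     'HTTP_REFERER' => 'http://spam.example.net/?x=2FelZjiKwBU'],
        'post, foreign referrer' => ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'www.example.com',
                                     'HTTP_REFERER' => 'http://spam.example.net/?x=2FelZjiKwBU'],
        'post, junk referrer'    => ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => 'www.example.com',
                                     'HTTP_REFERER' => 'http://www.example.com/?q=' . str_repeat('A', 3000)],
    ];
    foreach ($samples as $name => $request) {
        printf("%-24s %s\n", $name, formmail_guard($request) ?? 'allow');
    }
} else {
    // Live request: enforce the decision before any of FormMail runs.
    $reason = formmail_guard($_SERVER);
    if ($reason !== null) {
        if ($reason === 'method-not-post') {
            http_response_code(405);
            header('Allow: POST');
        } else {
            http_response_code(403);
        }
        error_log('formmail guard rejected request: ' . $reason);
        exit;
    }
}
```

Run it with `php guard.php` to see each constructed request's decision. Two practical notes: if the site answers on more than one host name (say example.com and www.example.com), pass them all in $allowedHosts, otherwise a legitimate submission from the other name is rejected as foreign; and the method restriction alone can be done at the web-server layer instead, as the post suggests, with an Apache `<Files "formmail.php">` block containing `<LimitExcept POST>` and `Require all denied` (or `Deny from all` on Apache 2.2), which stops the direct GET hits before PHP is even invoked.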

  10. #10
    Join Date
    Dec 2003
    Posts
    3,980

    Re: Filter HTTP_REFERER

    Hi,

    I should say "if your FormMail is being hit with a GET request"....
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/
