View Issue Details

ID: 0008219
Project: phpList 3 application
Category: Subscribe Process
View Status: public
Last Update: 21-06-18 14:01
Reporter: michiel
Assigned To:
Priority: normal
Severity: feature
Reproducibility: always
Status: new
Resolution: open
Summary: 0008219: spam prevention, by using a traplist
Description: Spammers that have scripts to automatically subscribe tick every available list, so adding a Traplist would catch them.

See also http://forums.phplist.com/viewtopic.php?p=22779
Tags: plugin-development

Relationships

related to 0002705 closed PHPList v2.11 release 
related to 0008877 new SPAM Bot Protection 

Activities

h2b2

09-11-06 04:02

manager   ~0020818

A link to an article on alternate strategies for spam prevention was posted by clee991 ( http://forums.phplist.com/viewtopic.php?p=24063#24063 ). This is an interesting part of that article:

"The second method is simpler, and does not require javascript. Instead, one or more fake form fields are added to the form. But style sheets are used to make them "invisible". To further confuse the attacker, the fake form fields are given names like "subject" and such suggesting to the bot that these are the form fields they are looking for. However, whenever a form is submitted with content in a "hidden" field, it is discarded. I am not talking about the classic hidden form fields that are not user changeable, but form fields that are marked with "display: none" like:

Sure, in particular after I write this article, attackers may catch on. But there are many ways to mark a form field as "invisible". You can randomize the names of your form fields to further confuse them. In short: you again increased the workload on the spammer without affecting the regular user. For a sample, just take a look at our contact form. We received only about 3 or 4 pieces of spam after implementing this last week. Usually we received dozens of pieces of spam a day.
All modern browsers do support style sheets, and for those that don't you can leave a little note in the form telling them what's going on. The fact that still some spam makes it past this method suggests that there is some manual spamming going on. But it's minimal... and sure, let's have them hire armies of spaminators to have them submit these forms. Either way you succeeded in making spam more expensive and shifting the economics against it."
Source: http://isc.sans.org/diary.php?storyid=1836

michiel

09-11-06 10:47

administrator   ~0020823

What a fantastic idea. One of those "why didn't I think of that first".

One to add for sure.

michiel

02-11-12 18:18

administrator   ~0051844

USE_SPAM_BLOCK implements the hidden field and has been there for some time now. Would be interesting to know how effective it is though.

The spam trap list is still an idea. Also, there are now subscription-based services for this, like Mollom and Akismet. Next step would be to use http://www.phplist.com/formspamclass and add configuration of it.
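
The two checks discussed in this issue, the CSS-hidden decoy field from the quoted article and the trap list from the description, combined in one server-side function. This is an added example, not phpList code and not the USE_SPAM_BLOCK implementation; the field names `subject` and `lists`, the list id 99 and the function name are hypothetical.

```php
<?php
// Added illustration, not phpList code. Field names, the list id and the
// function name are hypothetical.

const HONEYPOT_FIELD = 'subject'; // decoy text input, hidden with "display: none"
const TRAP_LIST_IDS  = [99];      // constructed id of a list real subscribers never pick

/**
 * Classify one subscribe-form POST body.
 * Returns 'accept' or a 'reject:<reason>' string suitable for logging.
 */
function classifySubscription(array $post): string
{
    // Honeypot: a person using a browser never sees the field, so it arrives
    // empty. Any content (or a non-string value) means a script filled it in.
    $decoy = $post[HONEYPOT_FIELD] ?? '';
    if (!is_string($decoy) || trim($decoy) !== '') {
        return 'reject:honeypot-filled';
    }

    // Trap list: scripts that tick every available list also tick this one.
    $lists = $post['lists'] ?? [];
    if (!is_array($lists)) {
        return 'reject:malformed-lists';
    }
    $chosen = array_map('intval', $lists);
    if (array_intersect($chosen, TRAP_LIST_IDS) !== []) {
        return 'reject:trap-list-selected';
    }

    return 'accept';
}

// Constructed sample submissions.
$samples = [
    'human'       => ['email' => 'a@example.org', 'subject' => '',      'lists' => ['2']],
    'fills-decoy' => ['email' => 'b@example.org', 'subject' => 'Hello', 'lists' => ['2']],
    'ticks-all'   => ['email' => 'c@example.org', 'subject' => '',      'lists' => ['1', '2', '99']],
];

foreach ($samples as $name => $post) {
    printf("%-12s %s\n", $name, classifySubscription($post));
}
```

Logging the rejection reason per submission gives the effectiveness figures the last comment asks about, since it shows how many sign-ups each check stops.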