So, that's it? There's no way to stop the gits!

Sic

i think i must've tried everything to stop my blog getting spammed.

when i first wrote it, it didn't have some form of CAPTCHA...so i wrote a very primitive form, which could probably do with an update...but it seemed to work for like 2 days.

i was then putting up with getting about 2 (what i can only assume were) manually submitted pieces of blog spam a day, just removing them as they were added.

then last week, enough was enough. i noticed all the spammers were either advertising tramadol, phentermine or scooters (wtf!!) so i decided to write a little something so i could ban certain words in my comments. i knew this wasn't going to stop it altogether, but it didn't even make a difference, even slightly (maybe it might when i put up a bigger list of banned words).

after that, i thought "maybe these are all coming from the same ip", i mean they were coming from the same email address...so i asked my host and he confirmed that there was an amount of usage for my comments posting file from this IP address. so i wrote something else to block ip addresses (ugh). so just as i block that ip address, i get submissions from 4 other ip addresses in one night. now i KNOW i'm not going to be able to block all ip addresses that would cause me trouble! although i might be able to thin them out somewhat

is there anything i can do to lessen these? as the blog has grown with age/size, it's getting more hits (god knows why) and more spam. have i missed anything blindingly obvious that i can do, or do i just have to put up and shut up?
 
Couldn't you just add submitted comments to a queue and manually validate them before they are displayed? Not the most technical solution but probably the simplest.
 
Beansprout said:
They're possibly automating passing the CAPTCHA - try making it less easily legible.

i can barely read it sometimes :( i might redo the whole image now as i'm a little better with imagecreatefromgif

Adz - the problem is the moderation full stop. i don't really want to have to do any and that'd involve doing more.
 
Assuming it's robots doing this:

Include some JavaScript in the process when a user submits a comment. E.g. make it so when the user clicks "Submit" it runs some JavaScript code that _then_ performs the actual submission in a different way.
 
NathanE said:
Assuming it's robots doing this:

Include some JavaScript in the process when a user submits a comment. E.g. make it so when the user clicks "Submit" it runs some JavaScript code that _then_ performs the actual submission in a different way.

could you be a little less vague...i don't really know what you're talking about
 
I think he's suggesting that you have the form submit to a 'dummy' location then use JavaScript to take the details entered when the form is submitted and submit them to the 'real' location. The automated robots parse the form, pick out the fields and submit to the action="..." which will obviously achieve nothing.

Are you sure it's automated though, that's the thing. If not, it will have no effect. In fact, if it's not automated, there's very little you can do :(.
 
this generates my image

Code:
<?php
session_start();
$_SESSION['random'] = $random;
//generate random 6 digit number
$random = rand(100000, 999999);

$im = imagecreatefromjpeg("img/random.jpg");

$textcolor = imagecolorallocate($im, 255, 255, 255);

imagestring($im, 3, 75, 3, "$random", $textcolor);

header("Content-type: image/jpeg");
imagejpeg($im);
?>

this is cut from my post comment file

Code:
$random = intval($_SESSION['random']);

$verify = htmlentities(intval($_POST['verify']));

   if (eregi("\r",$verify) || eregi("\n",$verify)){

     die("Why ?? :(");

if ($name == "" || $email == "" || $comment == "" || $verify != $random ){

echo "there's been a mistake";

it doesn't allow you to post if there's nothing there or if the code's wrong, but i don't know how they'd read it/bypass it. the code isn't printed anywhere but the image
 
A few things..

You were assigning $random to $_SESSION['random'] before you had generated the number - this is probably your loophole.. the first instance of the captcha for that session has no value! Therefore the user doesn't need to submit a verification code and the captcha will pass!

Code:
<?php
session_start();

//generate random 6 digit number
$random = rand(100000, 999999);
$_SESSION['random'] = $random;

$im = imagecreatefromjpeg("img/random.jpg");

$textcolor = imagecolorallocate($im, 255, 255, 255);

imagestring($im, 3, 75, 3, "$random", $textcolor);

header("Content-type: image/jpeg");
imagejpeg($im);
?>

Next up, and less importantly, your validation is somewhat overdone. If you have intval()'d a value, there is no need to check for newline/carriage return chars - ints don't have those :p

You can cut down your ifs by using in_array(), and I have made the verification a little tighter, but again that's more personal preference than a necessity:

Code:
<?php

if (in_array('', array($_POST['name'], $_POST['email'], $_POST['comment']))) {
    //failed validation..
}

if (intval($_POST['verify']) !== intval($_SESSION['random'])) {
    //failed CAPTCHA
}

?>
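
A hardened version of the CAPTCHA check discussed above, added here as an editorial example and not code from any poster in the thread: it rejects a session that never had a code issued (where `intval()` on both sides gives 0 and the comparison passes), makes each code single-use, and compares the values as strings. The function names `captcha_issue` and `captcha_verify` are hypothetical, and plain arrays stand in for `$_SESSION` and `$_POST` so it runs from the command line.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.

// Used by the image script: generate the code and store it BEFORE drawing it.
function captcha_issue(array &$session): string
{
    $code = (string) random_int(100000, 999999); // CSPRNG rather than rand()
    $session['random'] = $code;
    return $code;
}

// Used by the comment handler: true only for a correct, unused code.
function captcha_verify(array &$session, array $post): bool
{
    $expected = $session['random'] ?? null;
    unset($session['random']); // single use: a solved code cannot be replayed

    // No code was issued for this session (the image was never requested).
    // With intval() on both sides this case is 0 === 0 and would pass.
    if (!is_string($expected) || $expected === '') {
        return false;
    }

    // Accept exactly six digits; arrays, blanks and padded values fail here.
    $given = $post['verify'] ?? '';
    if (!is_string($given) || !preg_match('/^\d{6}$/', $given)) {
        return false;
    }

    // Constant-time string comparison, no numeric type juggling.
    return hash_equals($expected, $given);
}

// Constructed sample requests: arrays stand in for $_SESSION and $_POST.
$session = [];
var_dump(captcha_verify($session, ['verify' => '']));    // form posted without loading the image
$code = captcha_issue($session);
var_dump(captcha_verify($session, ['verify' => $code])); // correct code, first use
var_dump(captcha_verify($session, ['verify' => $code])); // same code submitted again
```

In the real pages, pass `$_SESSION` and `$_POST` after `session_start()`, and draw the string returned by `captcha_issue()` onto the image.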
 