[pmwiki-users] A possible anti-spam measure

Patrick R. Michaud pmichaud at pobox.com
Wed Jun 7 15:07:13 CDT 2006


On Wed, Jun 07, 2006 at 02:56:11PM -0400, David Spitzley wrote:
> Actually, I should confess that the idea for the anti-spam 
> suggestion originated from what I've realized is a probable 
> error in my understanding of how spambots would work.  

> Ultimately it came down to the idea that they have to be 
> identifying the target components of the form somehow, and 
> that requires some sort of heuristic for identifying important 
> fields, one that could probably be screwed with.  

> Maybe just a config.php value for $EditFieldName, so that 
> every site uses a different name for the data entry field 
> that the spam goes in?  

All a spambot would have to do is to retrieve the page
with ?action=edit (many seem to do this already), figure 
out the name= value associated with the <textarea>, and 
then use that name when submitting.  (This is exactly what a 
browser will do, so a spambot just emulates that.)

> For that matter, if the field names were just encrypted 
> with a site-specific key, spambots couldn't identify 
> what goes in which field.

If I were writing a spambot, my first version would hard-code
the field names being returned from a wiki's edit page,
and so changing those names would indeed defeat my bot.
But my second version would just start scraping the
fields' names from the retrieved edit form, rather than
having them hard-coded in my script.  I suspect many spambots
do this already, since it causes the bot to readily adapt to
other changes as packages evolve.

Once we're scanning the input form for field names, it's
not that hard to get the spambot script to analyze the form
and figure out what goes where.  The complexity of the form
is always upper-bounded by the limits of what browsers can
understand and process, which isn't very high.  (Using
JavaScript in a browser to obscure things could potentially
raise the upper bound a bit, but it's still computable and
therefore accessible to a spambot script.)

So, in general spambots don't have to be "smart" about what goes
where...they just have to make it look as though it's a valid
post coming from a human sitting at a browser.  And a spambot
always has the option of just guessing -- even if the bot's
guesses are correct only 10% of the time a spammer will 
generally consider that a "win".

Pm
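
For anyone evaluating the per-site field name idea, the following added example (not part of the original post, and not PmWiki code) checks whether renaming the text field hides it from a client that parses the edit form the way a browser does. Both forms and the field names `text` and `f_8c1e47` are constructed for illustration.

```python
from html.parser import HTMLParser


class EditFormFields(HTMLParser):
    """Collect the field names a browser would send back from a form."""

    def __init__(self):
        super().__init__()
        self.textareas = []  # names of free-text fields, in document order
        self.hidden = {}     # hidden inputs, which a browser echoes unchanged

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = a.get("name")
        if not name:
            return
        if tag == "textarea":
            self.textareas.append(name)
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[name] = a.get("value") or ""


def discover_fields(html):
    """Return (textarea names, hidden fields) found in the form markup."""
    parser = EditFormFields()
    parser.feed(html)
    parser.close()
    return parser.textareas, parser.hidden


# Constructed sample: an edit form with a conventional field name.
DEFAULT_FORM = """<form method='post' action='/wiki/Main/HomePage'>
<input type='hidden' name='action' value='edit' />
<textarea name='text' rows='20' cols='60'></textarea>
<input type='submit' name='post' value='Save' />
</form>"""

# Constructed sample: the same form after a site-specific rename.
RENAMED_FORM = DEFAULT_FORM.replace("name='text'", "name='f_8c1e47'")

if __name__ == "__main__":
    for label, form in (("default", DEFAULT_FORM), ("renamed", RENAMED_FORM)):
        textareas, hidden = discover_fields(form)
        print(f"{label}: textarea={textareas} hidden={hidden}")
```

The renamed field is recovered by structure (it is the only `<textarea>`), so the rename adds no barrier once the form has been fetched.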
