[wp-hackers] Another anti-spam technique

Dennis Williamson dennis at netstrata.com
Thu Oct 28 16:55:54 UTC 2004


I'm trying to understand these redirect ideas. If you require the referrer 
to be an index.php (from a post display page) either through a random URL 
with mod_rewrite or a random file with a meta refresh and a test in the 
destination comment, can't the spambot just navigate from index.php in the 
same way a legitimate human visitor would? Is it that this technique only 
prevents direct access to wp-comments-post.php?

Would this work (without doing any referring/randomness)?:
         rename wp-comments-post.php to something site-specific (through 
         the theme facility via its $theme_root/$template where $template 
         is, in effect, a rename?)
         store that new name in the db (or use themes)
         any code that needs to know where to go would look in the db (or 
         use themes)
         wp-comments-post.php (renamed or themed) would check to see that 
         it got referred

Using themes doesn't make sense because wp-comments-post.php isn't 
theme-able in that it doesn't display anything.

One problem with the random techniques seems to be that some facility would 
need to accommodate users who get the comment post page and sit there 
reading or typing and the random name/URL changes out from under them. 
Tying the random whatever to the visitor could leave a lot of litter (dead 
end files or rules) on the floor that would have to be cleaned up.

Am I "getting" it? Does any of the above make sense/have utility?

Dennis

At Thursday 10/28/2004 09:19 AM, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>| Assuming that mod_rewrite is enabled, first create a rule that makes it
>| impossible to access wp-comments-post.php directly, instead returning a
>| 403.  Then, create a rule that redirects a randomly generated URL to
>| wp-comments-post.php.  Change the comment posting page so that it uses a
>| PHP function in the form action to insert the appropriate redirected URL.
>
>As not everyone has a mod-rewrite rule enabled, we should try to have a
>method which doesn't rely on it or Javascript.  How about creating a
>random dummy php file, such as 19jscqip.php which just performed a
>silent redirect to wp-comments-post.php?  This could then check that the
>referrer filename matches the stored random string.  This random string
>and file could be regenerated every 10 posts or whatever...
>
>Just thinking out loud :)
>
>Jamie.
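A small model of the scheme the thread is discussing (a randomly named front door for wp-comments-post.php, checked against the Referer and regenerated every N posts), written as an added example rather than any WordPress or list member's code. It assumes the random name lives in server-side storage (the "db" above), that the form action is rendered from that stored name, and that the handler sees the requested path and the Referer header. To address the concern about the name changing under a reader who is still typing, it keeps the last few names valid rather than only the newest one. As the thread notes, this only stops bots that POST straight at the handler; a bot that fetches the form first will see the current name.

```python
"""Rotating-endpoint comment gate: an illustrative model, not WordPress code."""
import secrets
from collections import deque


class CommentGate:
    """Accept comment POSTs only through a recently generated random filename
    and only when the Referer points back at this site."""

    def __init__(self, rotate_every=10, keep=3):
        self.rotate_every = rotate_every   # posts between name rotations
        self.names = deque(maxlen=keep)    # recent random names, newest last
        self.posts_since_rotation = 0
        self.rotate()

    def rotate(self):
        # 8 random hex characters plus ".php", in the spirit of the
        # "19jscqip.php" dummy file suggested in the thread.
        self.names.append(secrets.token_hex(4) + ".php")
        self.posts_since_rotation = 0

    def current_endpoint(self):
        """Name the comment form should currently post to (stored server-side)."""
        return self.names[-1]

    def form_action(self):
        """Value rendered into the comment form's action attribute."""
        return "/" + self.current_endpoint()

    def check_post(self, path, referer, site="http://example.com"):
        """Return (accepted, reason) for one POST.

        `site` is a constructed placeholder for the blog's own URL.
        Direct access to wp-comments-post.php is refused (the 403 rule),
        the requested file must be one of the recent random names, and
        the Referer must be a page on this site."""
        name = path.rsplit("/", 1)[-1]
        if name == "wp-comments-post.php":
            return False, "direct access to wp-comments-post.php blocked"
        if name not in self.names:
            return False, "unknown or expired endpoint"
        if not referer or not referer.startswith(site + "/"):
            return False, "missing or foreign referer"
        self.posts_since_rotation += 1
        if self.posts_since_rotation >= self.rotate_every:
            self.rotate()   # old names stay valid until they fall out of the window
        return True, "accepted"


if __name__ == "__main__":
    gate = CommentGate(rotate_every=2, keep=2)
    page = "http://example.com/index.php?p=1"   # constructed post-page referer
    print(gate.form_action())
    print(gate.check_post("/wp-comments-post.php", page))
    print(gate.check_post(gate.form_action(), page))
```

The `keep` window is what makes rotation tolerable for slow readers: a form loaded under an older name still posts successfully until that name ages out, without tying a per-visitor file or rewrite rule to each reader.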
