NYCPHP Meetup

NYPHP.org

[nycphp-talk] capricious submission of forms

michael lists at genoverly.net
Sun Feb 11 11:10:17 EST 2007


On Sun, 11 Feb 2007 10:07:26 -0500
"Peter Sawczynec" <ps at sun-code.com> wrote:

> The use of the captcha technique has become a type of industry
> standard.
> 
> I have found customers to quickly recognize and endorse this
> technique. The Pro PHP Security guidebook offers an elegant
> deployment of this solution. 
> Plus, I thought, that email validation(s) by any technique is fraught
> with delays, failures and spoofing, likely making it too unreliable to
> use at this potentially important new customer juncture.
>  
> Warmest regards, 
>  
> Peter Sawczynec 
> Technology Dir.
> Sun-code.com 
> Web related services 
> 646.316.3678 
> ps at sun-code.com
>  
>  
>  

Peter has a point.  The increasing use of email servers implementing
grey-listing makes using 'SMTP connect' a bad idea.  The server may not
return what is expected -and- may block your IP as a potential spammer,
if you keep doing it and they are aggressive.

It is not bad to look up the domain and see if there is an MX record.
That can catch some obvious noodling.  Collecting email bounces and
scripting unsubscribe should be a no-brainer.. and part of a complete
app.

The best you can do is weigh your security needs and 'customer
experience' against your perceived threat model.. and act accordingly.
Keep in mind; in this constantly escalating war, they *will* win.
Regrettably, planning for security against meanies is part of life now.
	a. what attacks are being done?
	b. what is to gain by the attack?
	c. what happens if they 'win'?
	d. do I really need this app.. really?
	e. should I call in somebody who knows what they are doing?
	...
	x. what security plan do I have in place?
	y. what security plan do I NEED in place?
	z. how do I get there?
While not even close to a complete list.. it is a start.

Your threat model appears to be lightweight, albeit annoying.  You
make it so easy to fill out the form that a script kiddie enjoys doing
it.  You need to remove that joy so they will move on to other low
hanging fruit.

Captcha is currently popular and very effective.  But, it must be
*part* of your security plan, not the silver bullet.  Captcha is not
foolproof; there are ways to crack it. If they figure out the
bitmapping of your font, introduce more fonts. It won't stop them, but
may help to slow them down.  In order to collect a large enough
bitmapping, they have to collect a bunch of them.  The firewall or
other rule sets can help to prevent repeated connections.  .. unless
they own a botnet with countless IPs.

If you have a botnet attacking your guestbook then your threat model is
much different; and needs to be addressed differently.   Otherwise
captcha, combined with other measures, will suit your model.


p.s. to the OP: try not to hijack threads in the future.. and for
everyone else; I'll add a vote to stop top-posting. [grin]

-- 

michael


(this address does not accept public email)
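The MX lookup michael suggests above, as an added example that is not code from this thread or from NYPHP (assumes PHP 7 or later with outbound DNS; the address in the usage line is a constructed sample). It rejects on syntax and on a domain with no mail-receiving records, but it never opens an SMTP connection, which is the part of the thread that warns about greylisting and IP blocks:

```php
<?php
// Added example: cheap "can this domain receive mail at all" check for a
// form submission. DNS only; no SMTP connect, so no greylisting trouble.
// Assumes PHP >= 7 and that DNS lookups are allowed from the web host.

/**
 * Returns true when $email is syntactically valid and its domain has an
 * MX record, or, failing that, an A/AAAA record (mail falls back to the
 * host itself when no MX exists). A false result is a strong hint that
 * the address was typed at random; a true result proves only that the
 * domain exists, not that the mailbox does.
 */
function emailDomainAcceptsMail(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;                       // obvious noodling, no DNS needed
    }
    $domain = substr(strrchr($email, '@'), 1);

    $mxHosts = [];
    if (getmxrr($domain, $mxHosts) && count($mxHosts) > 0) {
        return true;                        // domain publishes mail exchangers
    }
    // No MX: SMTP delivers to the domain's own address record instead.
    return checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA');
}

// Usage in a form handler (sample address is constructed, not real data):
$submitted = $_POST['email'] ?? 'nobody@example.invalid';
if (!emailDomainAcceptsMail($submitted)) {
    // Treat like any other failed field: re-show the form, count the
    // failure per client for your rate-limit rules, do not email anyone.
    http_response_code(400);
    echo 'Please enter a working email address.';
    exit;
}
```

Cache results per domain for a few minutes if the form is busy; a flood of submissions otherwise turns into a flood of DNS queries from your host.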