Solutions for Secretaries.Com

Improving Hacker Resistance for Class Reunion Website Visitor Response Forms
« posted: October 12, 2008, 12:39:12 AM »
 
If you are using the SfS Class Reunion website template and have implemented its HTML/PHP user-response forms, chances are you've encountered the nuisance of would-be hackers attempting to use your Guestbook page to direct traffic to their sites.
 
Guestbooks are targeted with the expectation that submissions will wind up online. The spam submission usually includes only a list of URLs, the strategy being search engine optimization; spammers evidently believe that search engines use link frequency as their primary ranking criterion. In reality, that's no longer true, because Google and others are not dumb. Nobody really knows exactly how their ranking system works, but it is clear that they attempt to evaluate links for relevance as part of their scoring system. A link to a porn site found on your class reunion Guestbook page would probably be considered bogus and would be ignored. So the spammer's strategy is rather lame from that point of view.
 
Online Guestbooks are often automated, so spam submissions may appear for a while, until removed by the webmaster. In your case, since the simple guestbook is 100% moderated and you simply delete these spam submissions immediately upon receipt, the threat of inappropriate and possibly objectionable content appearing on your site is zero, and the spammer's efforts are a lame waste of time on their part. Nevertheless, it's an aggravation and disappointment - a constant reminder that there are lots of greedy, unprincipled and malicious people in the world. Who needs it?
 
Basic PHP forms are great because of their simplicity. Unfortunately, they're also easy to hack. To help stop that, many have resorted to "CAPTCHA" schemes. That's basically a server script that sends a code along with the requested form. The code comes in the form of an image, so it is readable only by human eyeballs. A person submitting the form must type in the code that came with it; otherwise their submission will be rejected and discarded. This method isn't foolproof, since hackers and vandals willing to fill in the form manually are still able to do so, just like any legitimate visitor to your website. But the more malicious hacker intrusions are automated, and since the code isn't readable, most of the automated submissions are effectively blocked. That's the good news.
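The server-side half of the scheme described above, as an added example that is not the White Hat Web Design script or part of the SfS template. The function names, the `captcha` session key and the 600-second lifetime are assumptions, and drawing the code into an image is left to the caller.

```php
<?php
// Added illustration; not the White Hat Web Design script.
// All function and key names here are hypothetical.

const CAPTCHA_TTL = 600; // seconds a code stays valid (assumed value)

// Create a fresh code and remember it server-side. The caller renders the
// returned string into an image; it is never sent to the browser as text.
function captcha_issue(array &$session, int $length = 5): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no look-alikes (0/O, 1/I)
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session['captcha'] = ['code' => $code, 'issued' => time()];
    return $code;
}

// Check a submitted code. The stored code is discarded on every attempt,
// so one solved image cannot be replayed for many submissions.
function captcha_verify(array &$session, $submitted): bool
{
    $stored = $session['captcha'] ?? null;
    unset($session['captcha']);            // single use, pass or fail

    if (!is_array($stored) || !is_string($submitted)) {
        return false;                      // no code issued, or malformed input
    }
    if (time() - $stored['issued'] > CAPTCHA_TTL) {
        return false;                      // expired
    }
    return hash_equals($stored['code'], strtoupper(trim($submitted)));
}

// Constructed walk-through using a plain array in place of $_SESSION.
$session = [];
$code = captcha_issue($session);
var_dump(captcha_verify($session, strtolower($code))); // correct code, any case
var_dump(captcha_verify($session, $code));             // replay of the same code
$code = captcha_issue($session);
var_dump(captcha_verify($session, 'WRONG'));           // wrong guess
```

In a real form handler, call `session_start()` first and pass `$_SESSION` in place of the sample array; a failed check should discard the submission before any mail is sent or anything is stored.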
 
The bad news is that free CAPTCHA schemes are often not easy to implement, and commercial web form applications are likely to be out of the question for class reunion websites, most of which have no financial support and no budget. Scripts that are made available free for public use are very often poorly documented and impossible for non-programmers to implement.
 
After a rather extensive search, we happened to find a system generously offered by Simon Jarvis and Keith Stephenson of White Hat Web Design - London. You can download the latest version of their script at the WhiteHat Web Design Website, or from the SfS "Examples and Downloads" page.
 
The SfS download includes step-by-step instructions for integrating the White Hat CAPTCHA system with the Class Reunion Website Template's Guestbook feature. Having accomplished that successfully, you will be able to add the same protection to your other forms, if you wish. If the system works out to your satisfaction, White Hat accepts donations at the above URL, and short of that, at least a "Thank You" would probably be appreciated.
 

© 2008, BoysMind Books, All rights reserved.
All trademarks and registered trademarks appearing on solutinsforsecretaries.com are the property of their respective owners.