[thelist] tracking spammers

Lee Kowalkowski lee.kowalkowski at googlemail.com
Mon Jul 18 03:35:36 CDT 2011

On 17 July 2011 04:48, Renoir Boulanger <renoirb at gmail.com> wrote:
> I would suggest one thing.
> The symfony framework has this auto-generated hidden field implementing CSRF. It is in fact a string generated using a shared secret and will accept posts coming with that field which gets validated.
> I did not read about how exactly symfony implements it but it is a good starting point.
> I doubt that you can accept posts coming from your own server because it is in the nature of a post to submit to a url from code... we just hope it's from our own and not for misleading reasons.

I guessed that "posts coming from your own server" was meant to mean
check the refer[r]er header.  This, along with CSRF prevention (like
what Nan Harbison suggested in his reply), will assume the client is a
web browser; in many cases, spam bots are not.  The workaround for
CSRF prevention in a spam bot will be to issue a GET before a POST
to acquire the necessary hidden field values and cookies; from what
I've seen, there are spam bots that are capable of this.

Spam bots generally have two forensic traits: speed, and irrelevant content.

Speed is significantly easier to detect automatically, but a spammer
could always create a slow bot with negligible loss of throughput by
staggering the requests; these don't exist yet as far as I know.  A
30-second no-POST interval on your GET should see off all spam bots,
for now at least.  This would be trivial to implement using a
short-lived persistent cookie that you don't want returned, but better
implemented within server-side session state to guarantee the POST
is at least 30 seconds after the GET.

Irrelevant content is much more effort to detect, but will always be present.
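As an added illustration (not code from this thread or from symfony), here is the server-side version of the 30-second GET-to-POST interval Lee describes, combined with the shared-secret hidden field Renoir mentions. The dict used as the per-client session, the secret value, the function names and the injectable clock are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

MIN_GET_TO_POST_SECONDS = 30  # the no-POST interval from the post
# Assumption: a per-deployment secret; this value is constructed for the example.
SERVER_SECRET = b"constructed-example-secret"


def begin_form(session, now=None):
    """Handle the GET: record when the form was served and issue the hidden field.

    `session` stands in for server-side per-client state (a plain dict here)."""
    now = time.time() if now is None else now
    session["form_served_at"] = now
    nonce = secrets.token_hex(16)
    session["csrf_nonce"] = nonce
    # The hidden field value is HMAC(secret, nonce); the nonce stays server-side.
    return hmac.new(SERVER_SECRET, nonce.encode(), hashlib.sha256).hexdigest()


def check_submission(session, posted_token, now=None):
    """Handle the POST. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    served_at = session.get("form_served_at")
    nonce = session.get("csrf_nonce")
    if served_at is None or nonce is None:
        return False, "no prior GET in this session"
    expected = hmac.new(SERVER_SECRET, nonce.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, posted_token or ""):
        return False, "csrf token mismatch"
    elapsed = now - served_at
    if elapsed < MIN_GET_TO_POST_SECONDS:
        # A bot that fetched the form and posted straight back lands here.
        return False, f"posted {elapsed:.1f}s after GET (minimum {MIN_GET_TO_POST_SECONDS}s)"
    # Consume the state so one GET cannot back many POSTs.
    session.pop("form_served_at")
    session.pop("csrf_nonce")
    return True, "ok"
```

Because the timestamp lives in the session rather than in a cookie the client returns, a client cannot forge an earlier GET time.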
