Website: http://www.brodwall.com/johannes/blog/
Original page: http://www.brodwall.com/johannes/blog/2006/07/22/anti-spam-measures/
By the way, I had another idea. It seems like most comment spammers use software like this one: http://onlinemarketingreport.blogspot.com/2006/...
Now, if I can draw your attention to the following line:
print("".substr($spammed,0,50)."...\n");
This is returned to the spammer's dweeb-ass "control panel". What is that which I see? An HTML-injection vulnerability. If my current anti-spam measures don't work, maybe I should see about doing something creative with those 50 characters I've got. :->
God, I wish I had more time on my hands...
it's kay here - author of this script
the line u mention:
print("".substr($spammed,0,50)."...\n");
does not contain any threat... at least - not the one u mention :-)
actually.. i wrote it in one purpose - to see how people comment spam. As u c, there is this part in the script:
&comment=as-94783-sa\n\n".$_POST["comment"]
of course it puts this strange word "as-94783-sa" in every comment...
so i can...
http://www.google.com/search?q=%22as-94783-sa%22
I think you were the last person I would expect a comment from. I think we're talking about different lines. I couldn't find the code online any more, but in google's cache, I found the following:
<pre>
$con=fsockopen($urls[$ind].".wordpress.com",80);
fwrite($con,$header.$query);
while(!feof($con))$return.=fread($con,2048);
fclose($con);
if(ereg(" 302 Found",$return) and ereg("Location: http://".$urls[$ind].".wordpress.com/",$retu...
$spammed=explode("\r\nContent-type: ",$return);
$spammed=explode("Location: ",$spammed[0]);
$spammed=$spammed[1];
print("<li>".substr($spammed,0,50)."...</li>\n");
}
}
</pre>
Now, PHP makes my eyes hurt, but as far as I can see, if I send 302 back, you'll grab everything on the Location: header and push it into a link. This is a perfect place for an XSS attack.
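The issue described in the comment above, reduced to a minimal PHP example that is added here and is not code from the thread or from the quoted script: a value taken from a remote server's Location header is printed into an HTML page, first unescaped as in the quoted line, then escaped for the HTML context. The function names and the sample response are constructed for illustration.

```php
<?php
// Added example, not from the thread. Function names and the sample
// response below are constructed for illustration.

// Pull the Location header value out of a raw HTTP response (untrusted input).
function extract_location(string $raw): ?string {
    // Only look at the header block, i.e. everything before the first blank line.
    $headers = explode("\r\n\r\n", $raw, 2)[0];
    if (preg_match('/^Location:[ \t]*(.*)$/mi', $headers, $m)) {
        return trim($m[1]); // trim drops the trailing \r left by the line match
    }
    return null;
}

// Pattern from the quoted line: header bytes go into the page unescaped.
function render_unsafe(string $location): string {
    return "<li>" . substr($location, 0, 50) . "...</li>\n";
}

// Hardened: truncate first, then escape for the HTML context.
// Escaping before truncating could cut an entity such as &lt; in half.
// ENT_SUBSTITUTE keeps output non-empty if substr() split a UTF-8 sequence.
function render_safe(string $location): string {
    $short = substr($location, 0, 50);
    return "<li>"
         . htmlspecialchars($short, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . "...</li>\n";
}

// Constructed response from a server the tool does not control.
$raw = "HTTP/1.1 302 Found\r\n"
     . "Location: http://blog.example/<b>markup</b>\r\n"
     . "Content-type: text/html\r\n\r\n";

$loc = extract_location($raw);
if ($loc !== null) {
    echo render_unsafe($loc); // <b> reaches the browser as live markup
    echo render_safe($loc);   // &lt;b&gt; is displayed as plain text
}
```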
it's true - it would work... i wrote this script before i even heard about XSS, now it's my hobby hehe...
but on the other hand - can u really do something like this in practice? i mean - my script searches for .wordpress.com blogs - and u don't really have that much control over their server responses!
it's a proof of concept - but I don't think you could really make it work..
btw. something screwed with escaping " and ' in your comments
btw2. this "new kind of captchas" with math operations... they are very lame - i can write a script to comment spam blogs using it in 5 minutes.. it works - coz it's new and not too many spammers have scripts for it, but it's just a matter of time
You're right, I probably could not get this amount of control on a .wordpress.com-hosted blog. But on a custom hosted blog, changing the Location header is very simple.
The escaping of comments is caused by a stupid wordpress "feature". I tried removing the escaping, but every time I edited the message, it got worse!
I agree with what you're saying with the new captcha. Most measures will be a temporary respite.
Millions of webmasters are using CPanel. Due to stupid "feature" of cpanel, most of them are always logged in to their cpanels.
I have a script that does this "referer spam" - it sends hundreds of GET requests to a site, AWstats shows them as visits, i make a fake referer value, webmaster clicks on it and goes to a site that has an iframe with src:
http://www.VICTIMSDOMAIN.com:2082/frontend/x/mi...
hope not many ppl actually read this :-)