#1 2013-12-08 4:12 pm

avjoomla

Member

Registered: 2013-12-08

Posts: 1

How to submit spammer without username

Hi,

I run a website with a form. I use stopforumspam to check, if a user that wants to submit the form is a know spammer. This works very good but sometime new spammer, that not yet listed at stopforumspam are able to submit the form with "information" that is obviously spam. I had a bunch of such form submissions right now. They all come from the IP 111.76.52.226 with emails like
65847@yahoo.com
77875@yahoo.com
44608@yahoo.com
48840@yahoo.com
48532@yahoo.com
61426@yahoo.com
39166@yahoo.com
72984@yahoo.com
20650@yahoo.com
56737@yahoo.com

For there is no username field in my form, I cannot submit the data with your form to submit spammer.
Who should I proceed (in future) to add such spammers?

Regards,
avjoomla

Maikuolan

Member

From: Perth, Western Australia

Registered: 2011-08-09

Posts: 799

Website

Re: How to submit spammer without username

Based on what you've written in your post, there are two things I am wondering regarding your submissions.

- Are you verifying those email addresses prior to submission to SFS? Email addresses must be verified prior to submission, otherwise you risk (and undoutedly will at some point) submitting false-positives.

- Does your system exert any sort of control or restriction regarding who can submit data using your form? If anyone from the public can use your form to submit data using your API key, that's almost as bad as having your API key compromised, because a spammer could use your form to intentionally submit malicious data, perhaps even your own details.

Regarding your question;

At this point, SFS requires a minimum of three data points (username, email address and IP address) in order to have data submitted to it; If you don't have a username, the data can't be submitted.

That may sound wasteful, but, look at it this way - SFS is about stopping forum spam, and what percentage of all forums out there allow users to post or register without a username of some sort? If forums don't allow posting or registering without a username, then, those forums won't need to query SFS for inbound data that doesn't include a username anyhow, because that inbound data is not likely to ever end on their forums anyhow, thus, incomplete data becomes unnecessary. Overall, usernames are not as valuable as email addresses or IP addresses, and perhaps your data could be useful to others, even if it is incomplete, but due to the nature of how SFS is supposed to work, incomplete or unverified data shouldn't be submitted to it.

Last edited by Maikuolan (2013-12-08 6:06 pm)

Papa Parrot

Member

From: Mexico

Registered: 2011-08-19

Posts: 1,826

Website

Re: How to submit spammer without username

For there is no username field in my form,

You could edit or re-write your form, so it also has a username field.

---

Everything is for the Birds

And now, Papa Parrot and his kids

sklerder

Member

Registered: 2012-10-11

Posts: 336

Website

Re: How to submit spammer without username

Hi.

And don't be surprised if most of spammers won't forget to submit it, even if it's a hidden field for normal users ...

kpatz

Member

Registered: 2008-10-09

Posts: 1,437

Re: How to submit spammer without username

- Does your system exert any sort of control or restriction regarding who can submit data using your form? If anyone from the public can use your form to submit data using your API key, that's almost as bad as having your API key compromised, because a spammer could use your form to intentionally submit malicious data, perhaps even your own details.

I think the form he's referring to is to post messages on his site, not to submit data to SFS.

But, like others have said, you need the following to submit data to SFS:

* A username
* An IP address
* A confirmed email address.  Confirmed meaning your site sends an email and they respond to it before it allows the user to post.
* That actual spam was posted to your site using the above credentials, or spammed links added to the user's profile or signature..

Without all of the above, you can't submit data here.  You can use the query API to check users that register/post on your site against existing data.

---

Spam happens when greed meets stupidity.

zaphod

Jägermonster

From: USA

Registered: 2008-11-22

Posts: 2,985

Website

Re: How to submit spammer without username

Now, on some sites, a person's email IS their username. In those cases (rare) then I think we would accept the email address in the username field.

BUT...

The email address must be validated by automated check on registration. If it is not validated, then the record may not be added to the database here.

ALSO...

The user must have made an actual spam posting, either in a topic, or in their profile/signature. If they have not actually spammed, the record may not be added to the database here.

However on duplicating the email to the username field, I could use a clarification on that from pedigree.

Zap

---

Get Protected, Stay Protected...
With ZB Block, GNU/GPL Freeware Anti-Spam/Anti-Hack protection for your php based website.

Little boxes in the server farm, little boxes running php...