Protection against spam on a site

Introduction to the problem


We all know what spam is, either because we have run into it ourselves or because we have read about it. We all know how spammers collect addresses for their mailings. It is no secret that spam cannot be defeated completely. The problem is therefore how to protect, with minimal effort, the users who leave contact details on your site as well as possible.


Previously tried methods of protection


The biggest threat to mailboxes comes from programs that crawl sites and extract email addresses from the text of the pages. They crawl either only your site or, like search engines, wander across the whole network. If your site is small, protection by an automatic replacement of the text like the following is quite sufficient:



<?php
// Replace every mailto: link with a decoy address. The real address is split
// into pieces and reassembled in JavaScript only when the user moves the mouse
// over the link, so a harvester reading the raw HTML sees only the decoy.
$text = preg_replace(
    '~(<a [^>]+href=)(["\']?)mailto:([\w_\.\-]+)([\w_\.\-])@([\w_\.\-])([\w_\.\-]+\.[a-z]{2,4})\2([^>]*>)~i',
    '\1"mailto:spamux@nospam.ru" onMouseover="this.href=\'mai\'+\'lto:\3\'+\'\4\'+\'%40\'+\'\5\'+\'\6\';" \7',
    $text
);
?>


Unfortunately, this will not work if you have a big site. Take, say, spectator.ru, whose author was one of the first to use this method. If I were a spammer, I would go into the personal settings, tick "do not show ears", set 1000 comments per page, and capture the cookie with Proxomitron. Then a downloader or a PHP script would pull the pages with comments (supplying the cookie with those settings) and a regular expression would extract the addresses. That would yield a small database for an advertising mailing.


There were a couple of other methods of protection in which the mailto: link was automatically replaced with one thing or another, but the effect stayed the same: on clicking it, the user's mail client would create a letter to the right address. Neither of them stood up to criticism.


Introducing: an iron fist


Obviously, it is hard to think of any method of protection other than the one already tried: providing a form on the site for sending messages. Let us design it. The advantages are clear: nobody can collect addresses from your site for a spam database any more. Sending messages while hiding one's own address, as spammers do, will fail, because the web server records the sender's IP address. Lists of public anonymous proxies are updated regularly, and blocking access from them is easy.


The form mailer


Let us start with it, because it is the most complex part.


When installing a form mailer on a site, it is important to protect it from hooligan attacks, which can be no less of a nuisance than spam. Therefore we have to make a considerable effort in this direction.


First, we protect against silly double clicks and the sending of a batch of identical requests. The idea is this: the message is not sent unless the user has first opened the page with the form, and having opened that page, the user can send the message only once. This can be done with PHP's built-in sessions. When the form page is opened, we start a session in which we save a variable, say $flag. The session identifier is output as a hidden field at the very end of the form. The user enters the message and submits the form. On receiving the form, the script starts the session and checks for the presence and value of $flag. If the variable does not exist, this is a repeated submission: the letter is not sent and an error message is shown. If the variable exists and the submitted data suits us (the required fields are filled in), the script sends the letter and deletes the session.


Second, we protect against cleverer hooligans by logging the messages. If the user submits a correctly filled form, the script looks into the log and checks what is there. So, it is necessary to forbid:


* Sending messages to the same address more often than a certain period

* Sending the same text to different addresses

* And simply using the form mailer too often: say, no more than 10 messages per day per user


The session ID is output at the very end of the form so that a hacker has to download the form and parse it, which is more work than simply firing off HTTP requests. Naturally, the form mailer also outputs error messages about errors in filling out the message, a requirement to specify a return address, and so on.
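The following is an added example written for this edit; it is not the form-mailer script from the author's archive. It implements the checks described above in PHP: a one-shot session flag against double submits, lookup of the recipient by the hash carried in the link, and the three limits applied over a log of sent messages. The table names "emails" and "sent", the concrete limits (one message per recipient per hour, ten per sender IP per day), the in-memory SQLite database via PDO and the sample data are all assumptions made for the example.

```php
<?php
// Added example, not the article's own code. Assumed tables: emails(hash, address)
// and sent(ip, to_hash, text_hash, ts); assumed limits below.
const PER_RECIPIENT_SECONDS = 3600;
const PER_IP_PER_DAY        = 10;

// Page with the form: set the flag and put the session id at the very end of
// the form, so a bot has to download and parse the page to obtain it. The
// receiving script can resume that session with session_id($_POST['sid']).
function render_form(string $recipientHash): string {
    $_SESSION['flag'] = 1;
    return '<form method="post" action="/email.php">'
         . '<input type="hidden" name="email" value="' . htmlspecialchars($recipientHash) . '">'
         . '<input name="from" type="email"> <textarea name="text"></textarea>'
         . '<input type="submit" value="Send">'
         . '<input type="hidden" name="sid" value="' . htmlspecialchars(session_id()) . '">'
         . '</form>';
}

// Returns null if the message may be sent, otherwise the reason for refusal.
function refusal_reason(PDO $db, string $ip, string $toHash, string $text, int $now): ?string {
    $count = function (string $sql, array $args) use ($db): int {
        $st = $db->prepare($sql);
        $st->execute($args);
        return (int)$st->fetchColumn();
    };
    if ($count('SELECT COUNT(*) FROM sent WHERE to_hash = ? AND ts > ?',
               [$toHash, $now - PER_RECIPIENT_SECONDS]) > 0) {
        return 'this address was already written to recently';
    }
    if ($count('SELECT COUNT(*) FROM sent WHERE text_hash = ? AND to_hash <> ?',
               [md5($text), $toHash]) > 0) {
        return 'the same text was already sent to a different address';
    }
    if ($count('SELECT COUNT(*) FROM sent WHERE ip = ? AND ts > ?',
               [$ip, $now - 86400]) >= PER_IP_PER_DAY) {
        return 'daily limit for this sender reached';
    }
    return null;
}

// Handles the POST. $send is the mail transport (mail() in production).
function handle_submit(PDO $db, array $post, string $ip, int $now, callable $send): string {
    if (empty($_SESSION['flag'])) {
        return 'Error: the form was not opened or the message was already sent.';
    }
    $from = trim($post['from'] ?? '');
    $text = trim($post['text'] ?? '');
    $hash = $post['email'] ?? '';
    if (!filter_var($from, FILTER_VALIDATE_EMAIL) || $text === '') {
        return 'Error: give a valid return address and a non-empty message.';
    }
    $st = $db->prepare('SELECT address FROM emails WHERE hash = ?');
    $st->execute([$hash]);
    $to = $st->fetchColumn();
    if ($to === false) {
        return 'Error: unknown recipient.';   // guessed or tampered id
    }
    if (($why = refusal_reason($db, $ip, $hash, $text, $now)) !== null) {
        return "Refused: $why.";
    }
    $send($to, $from, $text);
    $db->prepare('INSERT INTO sent(ip, to_hash, text_hash, ts) VALUES (?, ?, ?, ?)')
       ->execute([$ip, $hash, md5($text), $now]);
    unset($_SESSION['flag']);                 // one message per opened form
    session_destroy();
    return 'Sent.';
}

// Demonstration with constructed data (run from the command line).
session_start();
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE emails (hash TEXT PRIMARY KEY, address TEXT)');
$db->exec('CREATE TABLE sent (ip TEXT, to_hash TEXT, text_hash TEXT, ts INTEGER)');
$db->exec("INSERT INTO emails VALUES ('" . md5('vasya@pupkin.ru') . "', 'vasya@pupkin.ru')");
$sent = [];
$send = function ($to, $from, $text) use (&$sent) { $sent[] = [$to, $from, $text]; };
$post = ['email' => md5('vasya@pupkin.ru'), 'from' => 'me@example.com', 'text' => 'Hello'];
render_form(md5('vasya@pupkin.ru'));
echo handle_submit($db, $post, '10.0.0.1', time(), $send), "\n";  // first submit
echo handle_submit($db, $post, '10.0.0.1', time(), $send), "\n";  // same form twice
render_form(md5('vasya@pupkin.ru'));
echo handle_submit($db, $post, '10.0.0.1', time(), $send), "\n";  // new form, same recipient
```

The three calls at the end exercise, in order, a normal submission, a repeated submission of the same form (the flag is gone), and a fresh form to a recipient who was written to less than an hour ago (refused by the first limit). In a real deployment the recipient lookup and the log live in the same database as the address table built by the substitute script described below, and the sender IP comes from $_SERVER['REMOTE_ADDR'].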


The resulting form-mailer code turned out to be too big to include in the text. It is placed in an archive on the site. The script does seem to work and send messages.


Replacing addresses in the text


Now the form mailer is ready, and all the email addresses need to be replaced with links to it. Of course, it is not worth doing this by hand. For myself I wrote a script that automatically replaces the addresses with links to the form mailer.


Accounting for links / broken links. Often one has to refer to the same thing, and links also often become outdated and "break". Idea: keep all links in one place, number them, and refer to them as <a href=link.php3?id=10>.


... Minuses: more time to arrange links (compensated by the link catalogue); the user, hovering the cursor over the link, does not see what address it leads to. (Dmitry Smirnov, "The ideal author's project, hypertextualism")


All the minuses mentioned are easily eliminated if you use code similar to the one I will now describe and show.


There is nothing complex here, and the "more time to arrange links" is not needed at all. On my site I use a common script that is called by all pages, so it is no problem to add to it, or call from it, code that replaces the addresses. Email addresses were and still are written directly in the text of the pages, but before output to the user they are replaced with the necessary text. Building a database of links or of email addresses this way is no problem.


So, here is what the address substitute does. It searches the text for "mailto:" links, picks the addresses out of them, and sends a query to the database to count (count(*)) how many of the addresses on the page are already in a special table. If there are new addresses on the page, their number will be greater than the query result. In that case a second query is made which selects the stored address values, and those already in the table are excluded from the list. The remaining list is sent to the table with an INSERT query.


As for the address IDs, in my opinion it is better to use something that a site visitor cannot guess. Imagine that the link /email.php?id=10 leads to the form mailer. What a temptation to substitute 11, 12, and so on, and try to send all of them a message. Therefore I decided to use the md5 hash of the address as the identifier. Hardly anyone will undertake to guess a hash. In the case of the link catalogue one can do without an ID, but then all values have to be selected from the database; for replacing addresses, hashes make everything much easier. Note that md5 of an address is unkeyed: anyone who already knows an address can compute its hash, so this only stops enumeration of addresses the visitor does not know; a random token or a keyed hash (HMAC) stored in the table would hide even that.


A command of the following kind is executed



<?php
// Replace each mailto: link with a link to the form mailer, identified by the
// md5 hash of the address. (The original used the /e modifier, which was
// removed in PHP 7; preg_replace_callback does the same job.)
$text = preg_replace_callback(
    '~(<a [^>]+href=)(["\']?)mailto:([\w_\.\-]+@[\w_\.\-]+\.[a-z]{2,4})\2(.*?>)~i',
    function ($m) {
        return $m[1] . '"/email.php?email=' . urlencode(md5($m[3])) . '"' . $m[4];
    },
    $text
);
?>


... which replaces the addresses with their hashes. Other addresses occurring in the text I did not dare to replace with links; for them I made a simple replacement with addresses of the form vasya_at_pupkin_dot_ru. The autosubstitute code is also in the archive.
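An added example of the whole substitute, written for this edit rather than taken from the author's archive. It follows the procedure described above: collect the mailto: addresses on a page, count how many are already in the table, insert only the new ones, then rewrite the links to /email.php with the md5 hash and reduce bare addresses to the vasya_at_pupkin_dot_ru form. The table "emails", the in-memory SQLite database via PDO and the sample page are constructed for the example.

```php
<?php
// Added example, not the article's own code. Assumed table: emails(hash, address).

// Addresses found in mailto: links, lower-cased and de-duplicated.
function extract_mailto(string $html): array {
    preg_match_all('~<a [^>]+href=(["\']?)mailto:([\w_\.\-]+@[\w_\.\-]+\.[a-z]{2,4})\1[^>]*>~i', $html, $m);
    return array_values(array_unique(array_map('strtolower', $m[2])));
}

// Count first; only if the page has more addresses than the table knows,
// fetch the stored ones and INSERT the difference. Returns the number inserted.
function store_new_addresses(PDO $db, array $addrs): int {
    if (!$addrs) {
        return 0;
    }
    $ph = implode(',', array_fill(0, count($addrs), '?'));
    $st = $db->prepare("SELECT COUNT(*) FROM emails WHERE address IN ($ph)");
    $st->execute($addrs);
    if ((int)$st->fetchColumn() >= count($addrs)) {
        return 0;                                   // nothing new on this page
    }
    $st = $db->prepare("SELECT address FROM emails WHERE address IN ($ph)");
    $st->execute($addrs);
    $existing = $st->fetchAll(PDO::FETCH_COLUMN);
    $ins = $db->prepare('INSERT INTO emails(hash, address) VALUES (?, ?)');
    $n = 0;
    foreach (array_diff($addrs, $existing) as $a) {
        $ins->execute([md5($a), $a]);
        $n++;
    }
    return $n;
}

// Rewrite mailto: links to the form mailer, keyed by md5 of the address.
function hash_links(string $html): string {
    return preg_replace_callback(
        '~(<a [^>]+href=)(["\']?)mailto:([\w_\.\-]+@[\w_\.\-]+\.[a-z]{2,4})\2(.*?>)~i',
        function ($m) {
            return $m[1] . '"/email.php?email=' . urlencode(md5(strtolower($m[3]))) . '"' . $m[4];
        },
        $html
    );
}

// Bare addresses left in the text become vasya_at_pupkin_dot_ru. Run this
// after hash_links(), otherwise it would mangle the mailto: links first.
function obfuscate_bare(string $html): string {
    return preg_replace_callback('~\b([\w_\.\-]+)@([\w_\.\-]+)\.([a-z]{2,4})\b~i', function ($m) {
        return str_replace('.', '_dot_', $m[1]) . '_at_' . str_replace('.', '_dot_', $m[2]) . '_dot_' . $m[3];
    }, $html);
}

// Demonstration with a constructed page.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE emails (hash TEXT PRIMARY KEY, address TEXT UNIQUE)');
$page = '<p>Write to <a href="mailto:vasya@pupkin.ru">Vasya</a> or to the editor: editor@example.org</p>';
store_new_addresses($db, extract_mailto($page));   // inserts vasya@pupkin.ru
store_new_addresses($db, extract_mailto($page));   // second pass inserts nothing
echo obfuscate_bare(hash_links($page)), "\n";
```

Lower-casing before hashing matters: the form mailer looks the recipient up by the same md5 value, so the substitute and the mailer must agree on how the address is normalised, or a link written as Vasya@Pupkin.ru would point at a hash that is not in the table.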


Result


Hiding email addresses from visitors is quite simple. The autoreplacement mechanism demands no additional effort, and you can go on writing the pages of your site as if nothing had happened. The difficulties arise in protecting the form mailer from web hooligans. This protection demands considerable effort and complex code, so for now I have not started using the code I wrote on my site. You can download the archive with the address substitute and the form mailer, but I ask you very much: do not put it on your site in the form in which you downloaded it, because I do not know how reliably it works.


However, perhaps I am trying too hard to protect against flooding. After all, it is one thing to send spam by exploiting mistakes in mail servers and hiding one's address, and quite another to come to a web server that records everything you did. Access to the form mailer from anonymous proxies, naturally, must be closed.