To all,
I have added security features to the 'comments' portion of my site at
http://JeffBlogworthy.com . I know that some will not appreciate the political nature of my blog, so be forewarned. Don't beat up on me too badly
I hired a programmer to do this because I do not know php. It was prepared for my site, but can probably be finished as a fully compatible plugin by someone who knows what they are doing. I am happy to provide any files to anyone who may wish to pursue finishing it up. It is not a 'foolproof' system but it should certainly be able to slow down most spammers.
The security features consist of 2 parts:
1) A randomly generated security code image which must be entered into a text field before the form will be accepted.
2) A limitation of 3 comments per hour from the same IP address. This post/time ratio was randomly chosen by me.
Here is the documentation that I have from the author if anyone wants to tackle a final implementation. Suggestions for finishing are at the end of the file.
------------------------------------------------------------------------------------
Module specifications:
- module is separated on two parts, image and per hour IP blocking
- Image work from two parts, one is separate script:
http://www.jeffblogworthy.com/spam_bloc ... _image.php
This script shows random image (letters and numbers). Image with code
in it is created direct from TrueType files located in:
/spam_blocker_fonts/*.ttf
Each new image is created by choosing random TTF file, so You can
add new files, but be careful if it is not True Type file system will hang'
when that file is choused for draw string. You can delete all files and
leave one if You want. PHP site that uses this plug-in need to have
installed GD and FreeType library (--with-gd --with-freetype)
PHP script above also when it is called saves visitor IP to:
http://www.jeffblogworthy.com/spam_bloc ... og.csv.txt
This files contains unique IPs, same IP is replaced instead adding new row,
with IP is saved string code written on image. This file should be
hidden, one of ways is to rename it to some unused extension and restrict
browsers to view this file. Possible hack is [deleted].
Any way if this hack success attacker will be stopped at second filter (3 comments
per hour).
Second filter is comments limit to 3 per hour. It have same log file format:
http://www.jeffblogworthy.com/spam_bloc ... og.csv.txt
with IP, log time and log time human readable (for test). System first check is
comment valid, than checks how many comments are submitted in last
hour and stop if there is > 3. if comment is valid it add to this file new IP row with
current time. before saving file all times that are older than one hour are
deleted, so this file contains only comments in last hour.
Both filters can be separate allowed or disallowed from administration. Because
old Serendipity have event when comment for is submitted process of
adding image security code is automated, problem is that old Serendipity
does not have event for "when form is submitted" check. So I have used
an code addition to existing Serendipity "comment.php". This means if
You upgrade system again You will loose this two filters
check runtimes. Code I have added can be easy found in comment.php:
Code: Select all
//
// Start of SPAM BLOCKER INSERTION CODE
//
$imageSecurityCodeIsNotOk = false;
if (class_exists("serendipity_event_spam_blocker") &&
isset($serendipity_event_spam_blocker_ClassInstance) &&
$serendipity_event_spam_blocker_ClassInstance != null){
$tempClass = $serendipity_event_spam_blocker_ClassInstance;
$SUBMIT_FORM_VARS = array_merge($HTTP_POST_VARS,$HTTP_GET_VARS);
// IMAGE CODE SECURITY CHECK
$tempClass->checkAfterFormSubmitImageSecurityCode($html_header,$SUBMIT_FORM_VARS);
// MAX COMMENTS PER HOUR IP CHECK
$tempClass->checkAfterFormSubmitMaxCommentsPerHourReached($html_header,$SUBMIT_FORM_VARS);
// submit will be ok, register as success comment
if (!empty($comment['comment'])){
if ($tempClass->isAllowedmaxCommentsPerHourCheck()){
$ipBlockerClass = new IpBlocker();
$ipBlockerClass->addCommentIp(getenv("REMOTE_ADDR"));
}
}
}
//
// End of SPAM BLOCKER INSERTION CODE
//
I have found on Your site that new Serendipity has support for
"on comment submit" event. It is still untested.
Project files are:
[./]
Serendipity file --> comment.php
spam_blocker_security_comments_per_hour.log.csv.txt
spam_blocker_security_image.log.csv.txt
spam_blocker_show_security_image.php
[./plugins/serendipity_event_spam_blocker/]
serendipity_event_spam_blocker.php
[./spam_blocker_fonts/]
arial.ttf
comic.ttf
gothic.ttf
tahoma.ttf
times.ttf
trebuc.ttf
verdana.ttf
So current system works, but If You want to share it with another blog site
I need to make additional tasks (max 4 hours/$20 hr.):
- adding English, German language support strings
- test for new events and implement them
- add administration option (combo 1..n comments per hour)
- add admin defined log file names
- add "send me mail" when comment max per hour is reached
- make README and INSTALL documentation
- prepare complete ZIP with plug-in
- fix founded bugs, if any
