bobafifi has asked for the wisdom of the Perl Monks concerning the following question:

I've got spammers from India, Pakistan and Nepal who have taken my add form and are remotely posting their ads to my site. I'd like to modify my Perl script so that only my form (my domain, my IP address) can post. Anybody know how to do that?

Many thanks in advance,

-Bob

Edit by tye, linkify link

Replies are listed 'Best First'.
Re: Spammers and my form
by Ovid (Cardinal) on Apr 28, 2003 at 17:02 UTC

    Domains and IP addresses can be spoofed. What you need to do is create an authentication system. Passive authentication just doesn't work. The obvious caveat is that passive authentication is better than no authentication and crackers typically go after low hanging fruit. However, if they already have handy tools to spoof that information, then they'll use them.

    If you show us your code, we may be able to offer some suggestions.

    Cheers,
    Ovid

    New address of my CGI Course.
    Silence is Evil (feel free to copy and distribute widely - note copyright text)

Re: Spammers and my form
by LAI (Hermit) on Apr 28, 2003 at 18:27 UTC

    From what I've seen, one of the most reliable ways of ensuring that a human is filling out a form and not a bot is to have one of those warped, OCR-proof images which display a word that the user has to enter into a text field. If you've never seen it before, register a bogus account on Yahoo. If I remember correctly they use that.

    Of course, keep in mind that that is not completely spam-proof. I have seen code that will read words from those images. However, it is very unlikely that the people spamming your site know about that, or are willing to put the effort into implementing it.

    The other possibility, which is more effective and easier, is to have every upload mail the admin before it can be activated. When you get 20 requests in a row from spampot.np you can ignore them.
    Benefit: you have full control over your system.
    Drawback: you have to keep on authorizing uploads.

    Update: As Abigail-II pointed out, the text-in-image thing is not exactly uber-Accessible (in the 'I'm impaired and I need access' sense). So, rather than use the gimmick, I'd say go for the admin mail. It's a simple enough system to implement, and its simplicity contributes to its effectiveness.

    LAI

    __END__
      From what I've seen, one of the most reliable ways of ensuring that a human is filling out a form and not a bot is to have one of those warped, ocr-proof images which display a word that the user has to enter into a text field. If you've never seen it before, register a bogus account on Yahoo. If I remember correctly they use that.
      Yes, I have the code to do that in one of my columns, and code was posted here by jcwren to spoof it, because I didn't work very hard at making it OCR-proof. {grin}

      -- Randal L. Schwartz, Perl hacker
      Be sure to read my standard disclaimer if this is a reply.

        I figured I had probably read it in one of your columns, but I was too bogged down with RL work at the time to do a search. Thanks for the clarification and links :o)

        LAI

        __END__
      You would also very effectively lock out blind users. Depending on your jurisdiction and the service you provide, you may actually violate a law doing so.

      Abigail

Re: Spammers and my form
by benn (Vicar) on Apr 29, 2003 at 00:37 UTC
    As a flautist myself, I've browsed your site often (dreaming, mainly), and a possible solution to your 'spam' problem may be found in simply improving the whole shebang - categorisation of the DB immediately springs to mind (piccolos, wooden flutes, feet, flutes wanted etc.), rather than a single page of 500 adverts (and a page like that full of 'real' mail addresses is a spambot's delight - an 'I'm interested' button could solve that).

    If the 'place an advert' process were a little more 'specialist' - dropdown categories, price ranges etc., especially when combined with some of the ideas above, then your spammers may well not bother. I'd be glad to help with this as a side project if you liked - it's something I've been meaning to contact you about for a while anyway, by happy coincidence :) Msg me for contact details.

    Cheers,
    Ben.

      Hi Ben, Thanks for your offer to help out. I'm always open to hearing from people who use the site so please feel free to drop me a note.
      Thanks again,

      -Bob
Re: Spammers and my form
by Improv (Pilgrim) on Apr 28, 2003 at 17:43 UTC
    One very simple way to do it would be to, every hour, have a passphrase generated that is needed to write to your database. Your form could query the database for that passphrase, and drop it into an <INPUT TYPE=hidden> form field, and the script receiving the actual post could then check the passphrase. It's simple, but it might be enough to dissuade the spammers.
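A concrete version of Improv's rotating hidden-field passphrase, added here as an example and not code from the thread or from Bob's script. Instead of storing an hourly passphrase in the database, the token is an HMAC (Digest::SHA, a core module) over the current hour bucket and the client's REMOTE_ADDR, keyed with a server-side secret; the form script emits it in the hidden field and the posting script recomputes and compares it. The secret value, the hour-long bucket, the IP binding and the field name `token` are all assumptions of this example. Note what it does and does not do: a spammer who fetches the form from the same address before each post still gets a valid token, so this raises the cost of blind posting rather than authenticating anyone, which is Ovid's point above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret: generate once, store outside the web root, never send to
# clients. The value below is a constructed placeholder for this example.
my $SECRET = 'replace-with-a-long-random-string-kept-outside-docroot';
my $BUCKET = 3600;   # rotate the token every hour, as Improv suggests

# Token for the time bucket that $time falls in. Binding it to the client's
# address means a token harvested by one host does not validate for another.
sub make_token {
    my ($secret, $remote_ip, $time) = @_;
    my $bucket = int($time / $BUCKET);
    return hmac_sha256_hex("$bucket|$remote_ip", $secret);
}

# Compare two hex strings without short-circuiting on the first mismatch, so
# response time does not leak how many leading characters were right.
sub tokens_equal {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Accept the current bucket and the previous one, so a form loaded at 10:59
# and submitted at 11:01 still passes. Anything else (old, forged, missing,
# or issued to a different address) is rejected.
sub check_token {
    my ($secret, $remote_ip, $time, $token) = @_;
    return 0 unless defined $token && $token =~ /^[0-9a-f]{64}$/;
    for my $t ($time, $time - $BUCKET) {
        return 1 if tokens_equal(make_token($secret, $remote_ip, $t), $token);
    }
    return 0;
}

# In the form script (assumed hidden-field name "token"):
#   my $tok = make_token($SECRET, $ENV{REMOTE_ADDR}, time);
#   print qq(<input type="hidden" name="token" value="$tok">);
# In the posting script, before writing to the database:
#   exit_with_error() unless check_token($SECRET, $ENV{REMOTE_ADDR}, time, $q->param('token'));

# Run directly, simulate issue-and-check, a replay from another address, and
# an expired token. Addresses are constructed documentation-range values.
unless (caller) {
    my $now = time;
    my $tok = make_token($SECRET, '192.0.2.10', $now);
    printf "fresh token from same IP:   %s\n",
        check_token($SECRET, '192.0.2.10',   $now,               $tok) ? 'accepted' : 'rejected';
    printf "same token from another IP: %s\n",
        check_token($SECRET, '198.51.100.7', $now,               $tok) ? 'accepted' : 'rejected';
    printf "token two hours later:      %s\n",
        check_token($SECRET, '192.0.2.10',   $now + 2 * $BUCKET, $tok) ? 'accepted' : 'rejected';
}
```

Binding to REMOTE_ADDR will reject a legitimate user whose address changes between loading the form and submitting it (some proxy farms do this); drop the IP from the HMAC input if that turns out to be a problem, at the cost of making a harvested token reusable from anywhere within the hour.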
Re: Spammers and my form
by pzbagel (Chaplain) on Apr 28, 2003 at 17:59 UTC

    If you have control of your httpd server's configs, you can modify them to only allow your subnet, IP, domain, etc. from even accessing the cgi script to begin with. In this way, you let the httpd server do the ip-based authentication rather than reinventing the wheel in your script.

    Good luck

      As Ovid correctly points out above, IP addresses and domains can be spoofed, so this won't add much security at all. The only reliable way for this to work would be on an intranet behind a firewall -- which would render the OP's question moot.

        Limiting access by IP address will add enough security for his purposes. Sure, a determined hacker could spoof IP addresses and access the script. But a spammer's bot isn't that sophisticated. Blocking by IP address will stop them and is easy to implement. It should be implemented with web server access control instead of in the script.

        Similarly, basic authentication would be helpful and easy to get working. Won't stop sniffing or brute-force search, but it will provide a little more security for leaving it open to the world.

        He is using a Matt Wright script; replacing it is probably a good idea too. Lack of access controls means anyone can post messages. Bad code can mean that anyone can do violence to his machine.

      I'm not familiar with "httpd server's configs," but am already using .htaccess to block IP addresses. Can I use .htaccess "to only allow your subnet, IP, domain, etc. from even accessing the cgi script to begin with"? If so, how? Many thanks, -Bob
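The .htaccess rules that pzbagel is describing, as an added example rather than anything posted in the thread. The first block is the Apache 1.3/2.2 syntax of the time (Order/Allow/Deny, which needs `AllowOverride Limit` in the server config for .htaccess to be honoured); the commented block is the Apache 2.4 equivalent. The script name `add.cgi`, the address range `192.0.2.0/24` and the hostname `www.example.com` are placeholders. Two caveats a practitioner would want before copying this: if `add.cgi` is the public "place an advert" script, allowing only Bob's own address locks out every legitimate advertiser too, so an IP allow-list suits an admin-only script, not a public form; and the "domain" check Bob asks about can only be done via the Referer header, which the client sends (or omits, or forges) at will, so the Referer rule below stops naive bots and nothing more.

```apache
# Restrict add.cgi to one address range (Apache 1.3 / 2.0 / 2.2 syntax).
# Everything not listed in Allow is refused with 403.
<Files "add.cgi">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24
</Files>

# Alternatively, accept POSTs only when the Referer points at our own site.
# Needs AllowOverride FileInfo for SetEnvIf. Referer is client-supplied, so
# treat this as a speed bump, not authentication.
# SetEnvIf Referer "^https?://www\.example\.com/" local_referer
# <Files "add.cgi">
#     Order Deny,Allow
#     Deny from all
#     Allow from env=local_referer
# </Files>

# Apache 2.4 equivalent of the first block (mod_authz_core / mod_authz_host):
# <Files "add.cgi">
#     Require ip 192.0.2.0/24
# </Files>
```

After editing .htaccess, confirm the rule is actually applied by requesting the script from an address outside the range and checking for a 403; a 200 usually means `AllowOverride` in the main config is set to `None` for that directory and the file is being ignored.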
Re: Spammers and my form
by perrin (Chancellor) on Apr 28, 2003 at 18:12 UTC
    May I suggest switching to the FormMail script from NMS?
Re: Spammers and my form
by bobafifi (Beadle) on Apr 29, 2003 at 02:00 UTC
    Thanks everybody for all your thoughts on this. :-) I'll look into what I can here and see if I can apply it. Thanks again, -Bob