Web based family history software

Question: protect against spam

1 year 3 months ago #1 by jeanmare
protect against spam was created by jeanmare
Greetings to the community, here is my question:
How is webtrees protected against spam and can reCAPTCHA be installed?


1 year 3 months ago - 1 year 3 months ago #2 by bertkoor
Replied by bertkoor on topic protect against spam
Hi, salut!

In the 12 years that I have run a website with webtrees, I have received zero spam messages, while my site is quite public and visited by many crawlers and bots. I have not read of any other webtrees user here reporting getting spammed.

Here is my understanding of why.

For one, webtrees instances have no forum. So spam won't reach many people, only the site admin. This makes webtrees sites not so interesting as a target.

Then the form used to send a message requires JavaScript. It is rare for spam bots to execute JavaScript. And there are other techniques under the hood that prevent unwanted site visitors from doing malicious things. For example, all requests coming from cheap server farms used by most bots are blocked. Spam is not the primary concern here.

The overall site security of webtrees is rather good. Any attack vector that gets known will be patched with priority.

If you really want, I think an add-on module can be made for captchas on certain pages.

stamboom.BertKoor.nl runs on webtrees v2.1.20
Last edit: 1 year 3 months ago by bertkoor.

1 year 3 months ago #3 by fisharebest
Replied by fisharebest on topic protect against spam
webtrees has built-in spam prevention on the contact-form and registration pages.

1) the page must run javascript - which sets a hidden field
2) the user must view the page for more than 3 seconds before submitting the form.

This is pretty simple - but it is effective.
As bertkoor says "I have not read of any other webtrees user here reporting getting spammed."

Obviously, someone could write a dedicated script to bypass this. But webtrees is a small target, and most spammers use tools that are designed for wordpress and other popular software.

It is also possible to block requests from server-hosting companies.

Find the ASN for the IP address, and add a line like this to your data/config.ini.php

block_asn="AS1234,AS2345,AS3456,..."

Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net
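To make the two checks Greg lists concrete, here is an added example of how a form can be gated on "JavaScript populated a hidden field" plus "the page was viewed for at least 3 seconds". It is written in Python for illustration and is not webtrees code (webtrees itself is PHP, and its real implementation may differ). The hidden field name `form_token`, the `<seconds>.<hmac>` token format, the HMAC signing and the one-hour expiry are all my assumptions; the inputs at the bottom are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Per-deployment secret; generated here so the example is self-contained.
# A real site would load this from configuration, not regenerate it per process.
SECRET = secrets.token_bytes(32)

MIN_AGE_SECONDS = 3       # "view the page for more than 3 seconds before submitting"
MAX_AGE_SECONDS = 3600    # added here: a very old token is a replayed page, reject it too

FIELD = "form_token"      # hypothetical hidden field name


def issue_form_token(now: float | None = None) -> str:
    """Create the value the page's JavaScript will copy into the hidden field.

    The token is "<unix-seconds>.<hmac>", so the server can later tell when the
    form was rendered without storing any per-visitor state.
    """
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def render_form_fragment(token: str) -> str:
    """HTML for the hidden field. It is rendered EMPTY; only a client that runs the
    inline script submits a value. A bot that POSTs the fields it scraped from the
    static HTML sends an empty field and is rejected before any timing check."""
    return (
        f'<input type="hidden" name="{FIELD}" value="">\n'
        f"<script>document.querySelector('input[name={FIELD}]').value = {token!r};</script>"
    )


def check_submission(form: dict[str, str], now: float | None = None) -> tuple[bool, str]:
    """Server-side check on POST. Returns (accepted, reason)."""
    token = form.get(FIELD, "")
    if not token:
        return False, "hidden field empty: client did not run the page's JavaScript"

    ts_str, _, mac = token.partition(".")
    if not ts_str.isdecimal() or not mac:
        return False, "malformed token"

    expected = hmac.new(SECRET, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "token signature invalid: field was forged or edited"

    age = (time.time() if now is None else now) - int(ts_str)
    if age < MIN_AGE_SECONDS:
        return False, f"submitted {age:.0f}s after render; minimum is {MIN_AGE_SECONDS}s"
    if age > MAX_AGE_SECONDS:
        return False, "token expired: form page is too old, reload it"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000.0                      # fixed clock so the run is reproducible
    token = issue_form_token(t0)
    print(render_form_fragment(token))
    # Constructed submissions: a no-JS bot, a too-fast script, a patient human.
    print(check_submission({"name": "bot", FIELD: ""}, t0 + 10))
    print(check_submission({"name": "bot", FIELD: token}, t0 + 1))
    print(check_submission({"name": "jean", FIELD: token}, t0 + 5))
```

Signing the timestamp means the server needs no session or database row per rendered form, and a bot cannot simply put a fabricated old timestamp in the field to skip the wait. As Greg says, anyone can read this and script around it; the point is that generic form-spam tools do not.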

1 year 3 months ago #4 by jeanmare
Replied by jeanmare on topic protect against spam
Merci bertkoor, merci fisharebest, I am completely reassured.
I am a very naughty ignoramus!

1 year 2 months ago #5 by WGroleau
Replied by WGroleau on topic protect against spam

> webtrees has built-in spam prevention on the contact-form and registration pages.
>
> 1) the page must run javascript - which sets a hidden field
> 2) the user must view the page for more than 3 seconds before submitting the form.
>
> This is pretty simple - but it is effective.
> As bertkoor says "I have not read of any other webtrees user here reporting getting spammed."

I've received a lot of obviously malicious account requests in the past, but none for several months. So I'd say the features Greg mentioned are working.

--
Wes Groleau
UniGen.us/

1 year 2 days ago - 1 year 2 days ago #6 by WGroleau
Replied by WGroleau on topic protect against spam

> In the 12 years that I run a website with webtrees, I have received zero spam messages, while my site is quite public and visited by many crawlers and bots. I have not read of any other webtrees user here reporting getting spammed.

I did average one bogus account request per month, but NO other form of spam. There were a lot of them in a short time but other long periods with none.

--
Wes Groleau
UniGen.us/
Last edit: 1 year 2 days ago by WGroleau.

1 year 2 days ago #7 by durangod
Replied by durangod on topic protect against spam
I use a honeypot on my forms. For those that don't know the old term "honeypot": it takes advantage of the fact that bots will fill out all fields in a form regardless. So the honeypot is a hidden field, so normal users don't enter data into it, but bots do. So if the field has a value then it's a bot doing it and you reject the submission. I'm sure that webtrees uses tokens in their process.

1 year 2 days ago #8 by fisharebest
Replied by fisharebest on topic protect against spam
> Im sure that webtrees uses tokens in their process.

webtrees uses something similar.

There are hidden fields, and we rely on Javascript to populate them.

We also use a timer. You need to view the form, and then wait a number of seconds before submitting it.

Of course, since we are open source, anyone can look at the code and write a bot to get round it. But that would require someone writing a bot to target webtrees. We are a small target and not worth the effort. We just need to make sure we aren't caught up by bots that are targeting well-known forums, blogs, etc.

Nothing is ever going to be perfect, but what we have works pretty well.

Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net

1 year 2 days ago #9 by durangod
Replied by durangod on topic protect against spam
I totally agree Greg, all we can do is code for the masses, and do our best to keep our projects safe enough that they can't be exploited to get to bigger fish on the server. I use tokens on my project but I also split the token up so that the user side cannot see the full token, ever! Even though the token is temp per page and it probably would not matter, one day it might and I want to have that protection in now.

I coded a contact page that allows them 3 tries; after the third try it blocks them for 24 hours. This has stopped so many attempts. I see in my table so many visits but no attempts (which means the bot or SE spider came and went) and then 1 try (bot tried once and left). For those that need to get a message through it works great; for bots it shuts them down. I am very happy with it.
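The two techniques durangod describes in this thread, the honeypot field (post #7) and the "3 tries, then a 24-hour block" contact page (post #9), fit naturally into one server-side gate. The following is an added example in Python, not durangod's code and not webtrees code. Assumptions: the honeypot is a text input named `website` that is hidden from humans with CSS (bots filling every input still populate it); "3 tries" is read as three rejected submissions from one IP address; state lives in memory for the demo where a real site would use a database table; the IP addresses and form contents are constructed.

```python
from __future__ import annotations

HONEYPOT_FIELD = "website"          # hypothetical name; hide it with CSS so humans never see it
REQUIRED_FIELDS = ("name", "email", "message")
MAX_FAILED_ATTEMPTS = 3             # "allows them 3 tries"
BLOCK_SECONDS = 24 * 60 * 60        # "blocks them for 24 hours"


class ContactFormGate:
    """In-memory honeypot check plus per-IP failure counter with a 24h block."""

    def __init__(self) -> None:
        self._failures: dict[str, list[float]] = {}     # ip -> timestamps of rejected submissions
        self._blocked_until: dict[str, float] = {}      # ip -> time the block expires

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]                 # block has expired; forget it
            return False
        return True

    def _record_failure(self, ip: str, now: float) -> None:
        # Only count failures inside the last 24h, then block on the third one.
        recent = [t for t in self._failures.get(ip, []) if now - t < BLOCK_SECONDS]
        recent.append(now)
        if len(recent) >= MAX_FAILED_ATTEMPTS:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            self._failures.pop(ip, None)
        else:
            self._failures[ip] = recent

    def check(self, ip: str, form: dict[str, str], now: float) -> tuple[bool, str]:
        """Decide whether to deliver the message. Returns (accepted, reason)."""
        if self.is_blocked(ip, now):
            return False, "blocked"                     # give the bot nothing to learn from

        # Honeypot: humans never see this field, so any value means a bot filled every input.
        if form.get(HONEYPOT_FIELD, "").strip():
            self._record_failure(ip, now)
            return False, "honeypot field filled"

        missing = [f for f in REQUIRED_FIELDS if not form.get(f, "").strip()]
        if missing:
            self._record_failure(ip, now)
            return False, "missing: " + ", ".join(missing)

        self._failures.pop(ip, None)                    # a good submission clears the counter
        return True, "accepted"


def demo() -> list[tuple[bool, str]]:
    """Constructed traffic: a bot that fills every field, then a human from another address."""
    gate = ContactFormGate()
    t0 = 1_700_000_000.0
    bot = {"name": "x", "email": "x@example.com", "message": "buy now",
           HONEYPOT_FIELD: "http://spam.example"}
    human = {"name": "Jean", "email": "jean@example.com", "message": "Bonjour",
             HONEYPOT_FIELD: ""}
    results = [gate.check("198.51.100.7", bot, t0 + i) for i in range(3)]      # three strikes
    results.append(gate.check("198.51.100.7", human, t0 + 60))                  # same IP, now blocked even when clean
    results.append(gate.check("198.51.100.7", human, t0 + 2 + BLOCK_SECONDS))   # block expired
    results.append(gate.check("203.0.113.9", human, t0))                        # unrelated visitor unaffected
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Note that once an address is blocked the gate stops saying why; the honeypot and missing-field reasons are only useful for your own logging table, not for the client. Keying the counter on the remote IP is the usual choice for a small site, with the caveat that visitors behind a shared NAT or a bot that rotates addresses will not map one-to-one onto it.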
