Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am having trouble blocking unwanted spam from being mailed to me from online contact us form on my website.
I put up a captcha, my own version which outputs a 5 digit number on a shaded background.
Noticed that spam mail is still getting through. So I checked access.log for the IPs and found that they are using on two pages to get the captcha. and then third post message to submit it.
i am storing captcha in session file so how come the spammer get my captcha code.
Using PHP 7 on apache on linux.
I want to know how are they getting the captcha code right.
A large amount of this spam is auto-generated to fill in the forms but the actual solving of the captcha is done by "outsourced" workers in known spam / scam countries like India and China.
The supposed humans are accessing only the index.php and captcha.php and then submitting it via post arguments. How can i prevent users from only viewing these two files and ensure legitimate users only post message to me.
My request is kind of little screwed but i don't like spammers screwing me by using only two files mentioned above.
My guess:
Your form submission is not using the captcha correctly...that is, it's apparently possible to submit the post without the captcha.
Look into how the captcha is supposed to prevent the submission, and why that is not working.
For example, is there something in your php script that checks for the source of the post and only accepts posts from your server?
My guess:
Your form submission is not using the captcha correctly...that is, it's apparently possible to submit the post without the captcha.
Look into how the captcha is supposed to prevent the submission, and why that is not working.
For example, is there something in your php script that checks for the source of the post and only accepts posts from your server?
Thanks i was not checking this part of the problem. I was just checking whether the captcha was correctly submitted or not and whether it was the same as i provided, but was not checking whether the submission originated from my own server.
A Big Thanks for the Idea. I learnt something new.
Thanks i was not checking this part of the problem. I was just checking whether the captcha was correctly submitted or not and whether it was the same as i provided, but was not checking whether the submission originated from my own server.
A Big Thanks for the Idea. I learnt something new.
You're most welcome. To give credit where due, that's not my idea. I learnt it from Matt Wright's FormMail script, which checks the "referring URL," among other things, to validate an input.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
