SitePoint PHP Blog:
Fighting Recruiter Spam with PHP – Proof of Concept
Oct 03, 2016 @ 11:56:29

On the SitePoint PHP blog editor Bruno Skvorc has a new tutorial posted showing a possible way to "fight recruiting spam" in your inbox with the help of a little bit of PHP.

The biggest concern I have with modern email providers is the fact that they are all quite bad at spam control. [...] I don’t mean the “Nigerian prince” type of spam, which is mostly blocked successfully (unless you’re using FastMail – they can’t even recognize those) but stuff that I’m really, really not interested in getting. Case in point, recruiter spam.

In this tutorial, we’ll get started with building a custom email processor which can read individual emails, run them through some predefined rules, and act on them. The end result will be very similar to what many providers offer out of the box, but it’ll lay the groundwork for more advanced aspects in future posts.

His example application does things like keyword matching for recruiter-ish terms with an auto-reply (followed by deleting the original) and purging emails that keep arriving after unsubscribing from the service. He builds the example application on a Homestead Improved VM, which comes with the IMAP extension for PHP pre-installed (used to access the user's inbox). He then installs the tedivm/fetch package and shows how to read the emails from your inbox. Since he uses the FastMail service, he walks through how to hook the script into that service using an "application password".

From there he develops the functionality of the application including:

  • pattern matching on the body contents for "recruiter-ish" terms
  • setting a "points" threshold for the number of matches
  • sending replies with Swiftmailer
  • whitelisting certain terms
  • moving the messages into an "auto-replied" folder so we know who the script talked to

All of the code you'll need is included in the post along with several screenshots that help to ensure you're on the right path.

tagged: recruiter spam inbox script autoreply tutorial imap

Link: https://www.sitepoint.com/fighting-recruiter-spam-with-php-proof-of-concept/

Jelle Raaijmakers:
Dissecting a spammer’s spam script
Apr 19, 2016 @ 13:48:37

In this post to his site Jelle Raaijmakers dives into a script that's commonly injected into vulnerable sites and used by spammers to send messages without the knowledge of the site owner.

Let’s take a look at a PHP script used to send spam. These types of scripts run on servers all over the world and might give you some insight into a spammer’s dedication to annoy the hell out of you. Spammers abuse known flaws in unsecured websites and applications to break into a server and install scripts that are able to send loads of spam.

[...] Everyone running a mildly popular WordPress site knows that exploits can be really easily introduced by installing plugins from a less than reputable source – or by not keeping your plugins up to date. Sometimes, a zero-day exploit for a popular WordPress plugin becomes known and thousands of installations worldwide are infected at once.

He then goes through a script he found in an infected WordPress instance of his own on a shared hosting provider. He talks about what these kinds of scripts usually look like (an encoded eval injected into current scripts) and the process he followed to dissect it:

  • Step 1: determine method of obfuscation
  • Step 2: introduce newlines
  • Step 3: replace the $j10 values
  • Step 4: concatenate constant strings
  • Step 5: replace function invocations
  • Step 6: prettify the PHP code
  • Step 7: remove default $j10 argument
  • Step 8: decode the $pate payload
  • Step 9: replace $_POST references
  • Step 10: map function and variable names

It's not a super simple process, but in the end he's left with the complete PHP script: it loads a remotely defined configuration, tries to send the emails and even retries if there's a failure. He points out a few noteworthy details of the script, including SMTP connection auto-detection and DNS lookups over UDP.

tagged: spammer script dissection reverse engineer email spam security

Link: https://jelleraaijmakers.nl/2016/04/dissecting-spammers-spam-script

How to Protect any Site from Spam using Akismet
May 30, 2011 @ 08:10:59

From Script-Tutorials.com there's a new post that wants to help you prevent one of the biggest menaces of the social online world - spam. Their solution uses the Akismet service to detect possible spam and notify you.

What is spam? – this is (usually) any message which is not relevant to this page – usually just an advertisement of something (and even with a backward link to another site). Yes, you can put up the first line of defense – a captcha, but I think spammers are also ready for this and find ways to avoid the CAPTCHA (or they can even solve it by themselves). In today’s tutorial I’ll show you how to create a second line of defense against spam - using web services - for example Akismet.

They include all the code you'll need to create a simple interface to the Akismet system with the help of a library that handles a lot of the connection and messaging for you. They apply it to a comment form and check the POSTed values against the Akismet spam check. You can download the full package to get started immediately.

tagged: spam protect akismet tutorial


Chris Jones' Blog:
Malicious website use will never go away: how do you manage it?
Apr 28, 2011 @ 11:06:43

Chris Jones has a new post to his OTN blog today pointing to two new articles by Eli White about managing malicious website use:

The techniques Eli covers will always be applicable in one form or another. They should be a fundamental part of any website architect's bag of tricks.

The first article focuses more on methods for preventing and dealing with the inevitable spamming that comes with running a larger site. Eli's experience at Digg has provided him with recommendations like creating hurdles for spammers to get past and evaluating the content (services like Defensio or Akismet are useful for this).

The second article talks about something a bit harder to deal with - when users "game the system" and find the loopholes. His recommendations to combat this sort of abuse include rate limiting, pattern matching and leaving "traps" by tracking user usage.

tagged: malicious usage user manage recommendation spam gaming


How to spam in PHP..
Apr 11, 2011 @ 10:20:41

On RooJs.com there's a recent post from Alan Knowles looking at how to spam in PHP. No, nothing malicious - it's more about scalability in sending emails from PHP applications.

The reason this has been relevant in the last two weeks is two fold, first off, my slow and sometimes painful Pman.Core and Pman.Base). It seemed like an ideal time to write some generic code that can solve both issues.

He mentions the usual method of generating numerous emails and sending them one by one to a remote SMTP server, but points out that there's a better way. You can take advantage of queuing and batch sending techniques and, the way he decided to do it for mtrack, use queue tables and a backend runner (a cron job) that uses proc_open to send out multiple emails at once. You can see the code for it here.

tagged: spam email send smtp process procopen mtrack


Asirra Captcha PHP Integration
Jul 29, 2010 @ 10:36:28

On DevShed.com today there's a new tutorial about implementing the Asirra CAPTCHA system (from Microsoft) into your application for spam prevention.

Unlike other types of captcha that utilize difficult text obfuscation techniques (such as Google reCaptcha), this system utilizes images of dogs and cats, such as those shown in this screenshot.

They describe some of the reasons to use the system (hard to break, doesn't use sessions, easy to integrate) and how it works. They show how to implement the system on both the server and client side.

tagged: asirra captcha tutorial integrate spam


Robert Basic's Blog:
Honeypot for Zend Framework
Apr 21, 2010 @ 14:58:36

Robert Basic has posted a port of a WordPress plugin that helps you easily make a "honeypot" in your Zend Framework form to help keep the spam bots out.

I just hacked up a little code snippet based on Matthew's Honeypot Wordpress plugin. It's basically just a Validator for a Zend Form element which is hidden from the user via CSS. Cause it's hidden, users won't see it, but spambots will, well, cause they are bots.

The code snippet is included in the post for your cut & pasting pleasure and makes using it as easy as a normal "addElement" call when building your form.

tagged: honeypot zendframework zendform form spam


Web Development Blog:
E-mail links, protective solutions against SPAM
Feb 17, 2010 @ 08:28:55

In a recent post to the Web Development Blog they take a look at some methods you can use on your site to reduce the amount of spam sent to your email addresses by protecting them from scripts that harvest addresses right from the page.

There are lots of spam bots checking the Internet for email addresses on regular websites, forums, blogs and mailing lists. Once caught by some spam bot your mailbox is in need of a strong spam filter or sometimes it might be better to use a new e-mail address. In this article we show you different ways to show your e-mail address to human visitors and hide it from spam bots.

They give four solutions, some more practical than others: using an image instead of the text version of the address, hiding the @ symbol, encoding the address with PHP (converting it to ASCII character entities) and using JavaScript to do the same on the client side.

tagged: email spam suggestion protection tutorial


Top 10 ways to stop spam in WordPress
Sep 03, 2009 @ 09:11:57

In a recent post to the CatsWhoCode.com site Alex Denning takes a look at ten ways you can help stop those dreaded comment spammers on your WordPress blog.

Spam is a nuisance, and as bloggers, we have all experienced a flood of spam every now and then. Not only is it a pain, but it can slow down your blog and use up your resources. In this post we’ll look at ten ways to combat spam.

Here's his list of suggestions - some can be combined with others to give you additional protection:

  • Install Akismet
  • Ask your readers to do 1+1
  • Stop spam trackbacks
  • Make users login to comment
  • Ban spammers by IP
  • Ban spammers by IP, on a massive scale
  • Deny comment posting to no referrer requests
  • Stop content thieves
  • Stop spammers stealing your images

tagged: wordpress spam prevent


Building a Spam Free Contact Form without Captchas
Aug 12, 2009 @ 08:14:53

New on the ITNewb.com site today there's a tutorial looking at making your forms a bit more "spam free" without resorting to CAPTCHA images.

Most anti-spam methods used by websites today are annoying at best. They use impossible-to-read captcha images, or they make users jump through some kind of hoop to get the email address instead of just clicking on it. This can mean lost sales and opportunities for you, because each hurdle turns away more users.

The trick uses some CSS and JavaScript to hide a form field (display:none) and checks on submit that it's still empty; a human never sees the field, so anything filling it in is treated as a bot. The email address is also written out with a JavaScript document.write() call, so automated tools that scrape your site without JavaScript support miss it completely.

tagged: spam form protect tutorial contact