[conspire] Web spam and yandex forms

Ivan Sergio Borgonovo mail at webthatworks.it
Wed Dec 8 09:13:49 PST 2021 

On 12/8/21 17:45, Akkana Peck wrote:
> Ivan Sergio Borgonovo writes:
>> Rick wrote something that it's worth a bit more explanation.
>> Generally they try to use forms as mail reflector... but also as link
>> factories. Because sometimes what you put in forms end up being published.

> Yes, makes sense. In this case, it wasn't published, just sent to
> one email address. But the link to their yandex form was in the email.

>> I'd check the whole form validation (or lack of...) since they were able to
>> send a really long bunch of text in the user name field.

> Yes, definitely. I had validation for the email field, but the
> only check on username was that it be non-null. I've since added
> a few other heuristics: a max length and that it not contain "://".
> I'll probably add others as I think of them.

If I remember correctly flask has some plugin to validate forms that 
comes with something a bit more sophisticated than maximum length etc... 
still I struggle everyday with choosing between external dependencies 
and maintainability... and in this case I'd surely go for a 
library/framework.
It's pretty tricky to carefully think to all the ways a web form can be 
exploited.

>>> And I hate recaptcha (the number of hours of my life I've wasted
>>> clicking on traffic signal photos over and over, because Google
>>> *never* agrees with me about traffic signals -- I have no idea what
>>> they think a traffic signal is) and was very resistant to that idea,
>>
>> Newer versions of recaptcha may not require any effort from the user and
>> just check some other signal to guess if you're a legit user (IP, browser
>> signature, possibly even how you interact with mouse/touch screen.

> I think so; in the past few months, sometimes (maybe half to 2/3 of
> the time) I can even get past "traffic signal" ones. I still hate
> them. For years they penalized non-google users, i.e. if you're
> signed in to a google account in that browser, it's easy to pass,
> but if you prefer not to do all your browsing signed in with google
> cookies, sometimes it would be a gauntlet of eight or ten different
> screens, no matter how accurate your clicks might be. But that seems
> to have gotten better recently; perhaps something to do with EU or
> CA privacy laws.

I assume this is something configurable. I've installed recaptcha on 
just one website and too long ago to remember but I always surf without 
being logged in ANY service and generally I get asked to find buses or 
traffic lights no more than a couple of times, but *some* sites 
regularly ask me 3 or 4 times.

> Reading Rick's description of his English questions and Bruce
> Schneier's question, I got to thinking how I could ask NM-specific
> questions, like "What's the Governor's first name?" or "What shape
> is the state capitol?" or "red or green?" (The real answer to that
> last one is of course green, but I'll probably allow red or Christmas
> for nonbelievers.) And I figure I'll put the questions and their
> allowable answers in a local file that the flask site reads, not
> in the checked-in code where anyone could see the answers on github.

I've to assume that Schneier knows what's doing but I'm wondering if he 
is trying to solve a different problem.
He is surely a high reward target and I think what I've understood about 
his system is too simple to avoid circumvention.

>> If I were a spammer I'd go to the list Rick mentioned in a previous post and
>> see which one I can easily circumvent... and dice captcha would be on the
>> top of my list.

> Meanwhile I've figured out how to ban IPs in apache. In the past
> day the requests have all come from two IPs, though I know that will
> change and I'll have to add more over time, and I'm noting when IPs
> are added in case I want to move them off the blacklist after a
> while. I think I'm going to need some intelligent log-monitoring
> scripts, keeping track of which IPs are seen when.

Give a look to fail2ban. I'm not really sure if it can be still tricked 
to shut you out of your home (originating IP can be spoofed), but 
consider that if you plan to use it.

-- 
Ivan Sergio Borgonovo
https://www.webthatworks.it https://www.borgonovo.net

More information about the conspire mailing list