  • Dany Wu 81 posts 114 karma points
    Dec 01, 2009 @ 00:45

    Security around data entry form

    I'm not sure if this is the most appropriate forum but here goes...

    I have a Guestbook functionality on my personal site which incorporates an Akismet check and a "hidden" (by display:none) field to catch automated form entries. Basically the logic upon form submission was:

    1. Verify Akismet account
    2. If Akismet verification fails then create the Guestbook entry as a subnode and save the document.
    3. If Akismet verification succeeded then post the form content to Akismet for spam check
    4. If (!isSpam) then save the document
    5. If (isSpam) then check a DocumentType property to see if the document should be saved anyway, and do accordingly.

    Oddly enough it seems to be saving the Document, even when it is verified as Spam! I then changed the logic to skip the check for DocumentType property in step 5 and discard Spam anyway. Compiled the library and uploaded the DLL....and waited....

    Next day....BAM!! Another Akismet-verified Spam was saved as Guestbook entry! I checked the DLL and it was definitely the correct version. I then added a bit of logging logic to mark the saving of hams and spams as an Umbraco "Save" log entry type with appropriate comments. Compiled the library and uploaded the DLL....and waited....

    Next day...well...you can probably guess....yup, another couple of Akismet verified Spams were saved, but this time there are entries in the Log but they don't correspond to the comment I included! It almost feels like these documents were created by some weird means, i.e. something has been hacked?

    I'm normally a winform/WPF guy so I'm not an expert in ASP.NET security issues. Does this type of thing ring bells for anyone? I'm pulling my hair out here and have decided to completely hide (again with display:none) the guestbook entry form. I've only just done that an hour ago and am waiting to see what will happen. Usually these spam entries occur around early-mid evening our time, which is still 4-5 hours away...

    If someone can perhaps point me in the right direction it may save the remaining strands of hair on my head!

    Cheers,
    Dany.

    PS. These guestbook entries are automatically created and content is emailed to me, I then have to go to umbraco and publish it manually should it be cleared as ham.

  • Dany Wu 81 posts 114 karma points
    Dec 01, 2009 @ 00:49

    Oh, forgot to mention...normally this is not a problem with 1 or 2 spams. Recently it has increased to 6-8 spams/day. With the dodgy content tree then deleting 6-8 spams becomes a horrible chore in umbraco.
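
The submission flow from steps 1-5 of the post above (with spam always discarded, as in the later change), sketched in C# as an added example that is not the poster's code. `ISpamChecker`, `GuestbookGate`, `FakeChecker` and the sample submissions are hypothetical stand-ins, not the Akismet or Umbraco API; each outcome carries a reason string, so a saved document with no matching log line must have come from some other code path.

```csharp
using System;

// Hypothetical abstraction over the spam service; not a real library's API.
public interface ISpamChecker
{
    bool VerifyKey();
    bool IsSpam(string author, string body, string ip);
}

public enum Outcome { SavedHam, SavedUnchecked, DiscardedSpam, DiscardedHoneypot }
public sealed record Decision(Outcome Outcome, string Reason);

public static class GuestbookGate
{
    // honeypot: the value posted for the display:none field.
    public static Decision Evaluate(ISpamChecker checker, string honeypot,
                                    string author, string body, string ip)
    {
        // Enforced on the server: hiding the field with CSS does not stop a direct POST.
        if (!string.IsNullOrEmpty(honeypot))
            return new Decision(Outcome.DiscardedHoneypot, "hidden field was filled in");
        // Step 2 of the post: no verdict available, keep the entry for manual review.
        if (!checker.VerifyKey())
            return new Decision(Outcome.SavedUnchecked, "Akismet key not verified");
        // Steps 3-5 after the change in the post: spam is discarded unconditionally.
        return checker.IsSpam(author, body, ip)
            ? new Decision(Outcome.DiscardedSpam, "Akismet flagged as spam")
            : new Decision(Outcome.SavedHam, "Akismet cleared as ham");
    }
}

// Constructed stand-in so the example runs offline.
public sealed class FakeChecker : ISpamChecker
{
    public bool VerifyKey() => true;
    public bool IsSpam(string author, string body, string ip) => body.Contains("http://");
}

public static class Program
{
    public static void Main()
    {
        const string ip = "203.0.113.5"; // documentation address, constructed
        // Constructed submissions: (honeypot, author, body)
        var samples = new[] { ("", "Ann", "Nice site!"),
            ("", "bot", "pills http://example.invalid"), ("x", "bot2", "hello") };
        foreach (var (hp, author, body) in samples)
            Console.WriteLine(GuestbookGate.Evaluate(new FakeChecker(), hp, author, body, ip));
    }
}
```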
