CF Meetup presentation and code

Posted At : July 17, 2008 3:07 PM
Related Categories: ColdFusion

I just finished my CF Meetup presentation, thanks to all those that were able to attend. Here are my presentation and files.

Comments (6) | Print | del.icio.us | Digg It! | Linking Blogs | 521 Views

Related Blog Entries

Comments
[Add Comment]
Thanks for sharing your time Jake. You did a great job and brought some great ideas to the table.
# Posted By Steve Withington | 7/18/08 5:56 AM
Thanks, Steve. I think I could have done better (and I have done better in the past), but I got my ideas across. For some reason I had a hard time getting the words from my brain to my mouth. :)
# Posted By Jake Munson | 7/18/08 6:15 AM
Thanks for the presentation. I missed it at CFUnited, and I wasn't able to watch it live, but I watched the archive this morning. Lots of good ideas! I do have a couple of questions about other methods. I have had a bit of luck checking for the HTTP referrer before processing the form, and making sure that it matches the submitting URL. I have had some luck, but I wan't sure if that was something that is easy for bots to spoof. Any thoughts on that? Also, I heard a speaker mention (at a previous CFUnited) the possibility of checking in the Application.cfc file to see if the FORM scope is defined without a session existing at the start of a request. I don't know how these spam bots work, or if they work within persistent sessions or not. Thanks!
-Jon
# Posted By Jon Hallenberg | 7/18/08 9:36 AM
Jon,

I'd think that both methods you mention would help stop the spam. Maybe not all of it, especially not human spammers, but it would help thwart the tide.

I am not sure if a bot could spoof the HTTP referrer...I suppose they could, because those values are passed in by the browser (which in this case is the bot). But it would mean that the bot would have to have your site well defined in their attack definition, which is unlikely.

Also, I would think your second suggestion would work well for most spam bots, as most of them just go directly for your form processor, so they'd not have a session. I've heard of similar techniques where people create a unique key in the form, store it in the session, and then check the for the key in the processor. But again, this will not stop human spammers, which is where Project Honeypot and Akismet come in.
# Posted By Jake Munson | 7/18/08 11:26 AM
Hey Jake,

Watched both the CF United and CF Meetup presentations. Both left me with some great ideas on how to fight back the daily spam posts we get on our site.

One of our forms that was always getting attacked we decided to remove since we didn't really need it anymore.

I've still got one more that's constantly getting hit, sadly. I changed the name of a form field and told the form processor to only work if CGI.HTTP_REFERER contained our site's domain. Two days later, the spams still got through. I think it's time to implement Akismet.

I went into the Akismet web site and under their section for third party downloads I found CFAkismet. Unfortunately, all the download links on the developer's web site were broken.

http://devnulled.com/software/cfakismet/

Is CFAkismet currently the only CF code that works with Akismet?
# Posted By Jose Galdamez | 8/6/08 12:30 PM
It looks like Brandon's code is till in the Google Code SVN repository:
http://code.google.com/p/cfakismet/source/browse/#...

but you'd have to manually browse through all the folders and download each file one at a time, unless you check it out with an SVN client.

You coud also get my Akismet code from CFFormProtect. You don't have to use the whole package, you could just swipe the Akistmet part:
http://cfformprotect.riaforge.org/
# Posted By Jacob Munson | 8/6/08 3:30 PM
[Add Comment]
BlogCFC was created by Raymond Camden. This blog is running version 5.9. Contact Blog Owner