bbAntiSpam: Discuss how to stop web spam

The forum is retired.

bbAntiSpam Forum Index - Advanced Textual Confirmation - Protecting Perl scripts

Author Message
beng
Guest





Posted: Tue Jul 17, 2007 3:47 pm    Post subject: E-blah bulletin board  

HI, i would like to use ATC to block spambots from registering on my forum, which is using E-blah software.
http://www.eblah.com/
This software is written in perl. How do i run bbantispam.php from a perl script file?
Guest






Posted: Tue Jul 17, 2007 3:53 pm    Post subject: Re: E-blah bulletin board  

PS: I tried the method
Code:
#!/usr/bin/perl
use LWP::Simple;
print "Content-type: text/html\n\n";
$url= "http://mydomain.com/bbantispam.php";
getprint($url);

But it just gave me a page of random characters with something about content-encoding gzip at the top.
admin
Site Admin


Joined: 18 Apr 2006
Posts: 805
Location: Saint-Petersburg, Russia

Posted: Wed Jul 18, 2007 2:28 am    Post subject:  

Using bbAntiSpam to protect Perl scripts? It's a good question. My first impression that the following process will work:

* If the request method is POST:
* Make a POST-request to bbantispam.php, with an updated HTTP variable HTTP_X_FORWARDED_FOR.
* If cookies were set, repeat setting from Perl script.
* If the body is empty, then Perl script can continue execution.
* Otherwise, it's a confirmation form. Print the form and exit.

Can you code it yourself or not?

P.S. I'm going to split the topic, and move our discussion to a new topic.
_________________
Oleg Parashchenko, bbAntiSpam
Do you love our tools? Please sponsor further development!
beng
Guest





Posted: Wed Jul 18, 2007 8:33 am    Post subject: calling php from perl  

Hi, i don't really know perl, i just find perl code on google that i try out.

If you (or anyone else reading this) know perl could you help me out with this? Finding out how to run php from perl will also be of use to other people trying to use your script to protect theri perl applications. I will also try to do what i can and post any info i can find here.

admin wrote:
* Make a POST-request to bbantispam.php, with an updated HTTP variable HTTP_X_FORWARDED_FOR.


I found some info on perl and HTTP_X_FORWARDED_FOR here:
http://www.thepcspy.com/articles/programming/getting_the_real_ip_of_your_users

Code:
$IPAddress = $ENV{HTTP_X_FORWARDED_FOR};

if ($IPAddress == "") {
    $IPAddress = $ENV{HTTP_X_FORWARDED_FOR};
}



Quote:
* If cookies were set, repeat setting from Perl script.

Sorry i don't know enough about cookies or how the E-blah forum software uses them to find out (i know it does use cookies but i don't know where in the code, or how it sets them).

But there is some info on using perl to set cookies here:
http://articles.techrepublic.com.com/5100-22-1045105.html

more can be found by googling "perl cookies"

Quote:
* If the body is empty, then Perl script can continue execution.


Sorry, the body of what?

Quote:
* Otherwise, it's a confirmation form. Print the form and exit.


You mean if the body (whatever that is) is empty, your php script will print a form and exit? Or you mean i should try and make the perl script print the registration form?

Quote:
Can you code it yourself or not?

I would like to, but i know hardly any perl

Quote:
P.S. I'm going to split the topic, and move our discussion to a new topic.


Yes this is a topic on its own

Anyway this is what i tried so far:

The problem is i need to find a way to execute your bbantispam.php from a perl script since the forum registration form is a perl script. Also, the forum software uses gzip to compress data to save bandwidth.

There is a perl library of perl modules called LWP which lets perl do things to access WWW data.

I tried one of the modules, LWP::Simple, but it will not work for this because i don't know if it can allow gzip encoded data, and also it can't do a POST method.

I am therefore trying to use LWP:UserAgent, which lets perl make it's own virtual browser or user agent, which it uses to access other web files via the Apache server. This looks like it can enable the handling of gzip data, and also it can do POST method of request.

There is some in fo on LWP here (with info on using it for cookies and posting form data on page 2):
http://www.perl.com/pub/a/2002/08/20/perlandlwp.html?page=1

LWP::UserAgent documentation:
http://search.cpan.org/~gaas/libwww-perl-5.803/lib/LWP/UserAgent.pm
http://cpan.uwinnipeg.ca/htdocs/libwww-perl/LWP/UserAgent.html

And some info on how to set up the LWP::UserAgent object to use a header to enable it to handle gzip compressed data here:
http://pond1.gladstonefamily.net:8080/cgi-bin/shame.pl

An example with code for retrieving Data from POST Scripts using LWP:USerAgent here:
http://stein.cshl.org/genome_informatics/cgi_s_1/retrieval2.html

Another example on using LWP:USerAgent for Post, as well as documentation for LWP:USerAgent:
http://search.cpan.org/~gaas/libwww-perl-5.805/lib/LWP.pm

Based on the example in the last link above, i tried putting this at the top of the forum registration perl script:

Code:
### Advanced Textual Confirmation ###

# Use the LWP and HTTP modules.
use LWP::UserAgent;
#use HTTP::Request::Common;

# URL path to the php script
my $ATC_url= "http://wisdac.org.uk/turingtest/bbantispam.php";

# Create a new LWP::UserAgent object. This is a "virtual browser" that
# knows how to contact remote sites and retreive URLs
$agent = LWP::UserAgent->new;
$agent->default_header('Accept-Encoding' => 'gzip'); #This is line 20 in the error code
#$agent->default_headers->push_header('Accept-Encoding' => "gzip");

# Create a new HTTP::Request object. This contains the URL of the thing
# you want to retreive and the method to retrieve it with.
#my $req = POST($ATC_url, Content_Type => 'form-data', 'Accept-Encoding' => 'gzip', Content => "" );
my $req = HTTP::Request->new(POST => $ATC_url );
   $req->content_type('multipart/form-data');
   $req->content('');

# Send the request via the user agent's request() method, receiving an HTTP::Response object as the result.
my $response = $agent->request($req);

# Check the error code.
  if ($response->is_success) {
      print $response->decoded_content;
  }
  else {
      print $response->status_line, "\n";
  }

# Call the response object's content() method to get the returned page.
#my $record = $response->decoded_content;
#print $record;

### End Advanced Textual Confirmation ###


The result of this was that when i tried to do a registration, the script did not work but gave this error code:

Code:
./Register.pl
Can't locate object method "default_header" via package "LWP::UserAgent" at ./Register.pl line 20.
Compilation failed in require at Blah.pl line 111.


So i guess there is some problem with the part where i try to tell the user agent to put the Accept-Encoding = gzip in the http request header (this is at line 20 i nthe perl code).

So i commented out line 20 and changed $response->decoded_content; to $response->content; to see if i could at least get some gzip data showing up.

This time, there were no errors, but it worked as though i did not put in any new perl code at all, as if i had left the perl script unchanged. It did not show me the ATC form but just behaved like the normal registration form.

[/code]
beng
Guest





Posted: Wed Jul 18, 2007 3:09 pm    Post subject:  

I am wondering if there is another way to do this:

Is it possible that if i change the reistration link on the forum homepage so that instead of starting the registration script, it just opens a web page (.html or .php), which auto-submits (via a javascript) a post request to bbantispam.php and then if the user passes the test, it then opens the registration perl script?

The question is how the html or php page will know if the user answered the question correctly?
workaround found
Guest





Posted: Wed Jul 18, 2007 5:52 pm    Post subject:  

Hi i have now found a simple workaround for the problem of how to use ATC with perl scripts.

In my case, i modify the link on the forum page that the user will click to register, so that instead of going to the register script, it is a submit button on an empty form that just submits a post request to bbantispam.php:
Code:
<form action="bbantispam.php" method="post">
<input type="submit" value="Register">
</form>


Then i edited bbantismap.php itself, and put some html under the code, like this:

Code:
<!doctype html public "-//w3c//dtd html 3.2//en">
<html>
<head>
<title>Advanced Textual Confirmation</title>
</head>
<body bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#8000ff" alink="#ff0000">
<table height=100% width-100%>
   <tr>
      <td align="center" valign="middle">
<p align="center">Congradulations, you have passed the test! Please <a href="http://mysite.com/path-to-registration-script/">click here</a> to continue to the registration form.</p>
      </td>
   </tr>
</table>
</body>
</html>
[/code]
admin
Site Admin


Joined: 18 Apr 2006
Posts: 805
Location: Saint-Petersburg, Russia

Posted: Thu Jul 19, 2007 2:27 am    Post subject:  

Unfortunately, your simple workaround might fail: if a spammer knows where the Perl script is located, he can go to the Perl script directly.

I think I'm going to integrate bbAntiSpam and Perl. If you are interested in it, send your e-mail to me <olepar gmail com>, and I'll notify you when ready.
_________________
Oleg Parashchenko, bbAntiSpam
Do you love our tools? Please sponsor further development!

Ok.