Honeypot (Spam Prevention)

  1. 6 years ago
    Edited 6 years ago by ciruz

    Hi guys,

    today I made an esoTalk plugin called Honeypot. It adds hidden form fields (invisible to a human user) into the signup form to catch spambots.

    I combined three techniques:

    • one form field gets hidden with CSS
    • one form field gets hidden with JavaScript
    • one form field gets hidden with JavaScript and is prefilled with a pseudo security hash from the user's session.

    Download Honeypot on GitHub

    So how does it work?

    If any of these hidden form fields has a value, or the security hash gets changed, the registration won't work and you get redirected to your start page. The fields are only visible in the source code (to a bot).

    Please note the following:

    1. I made it as realistic as possible, so I used realistic field names (zipcode / phone / homepage). Pseudo names or names with a prefix will not work so well.

    2. I didn't find any esoTalk events that get triggered in the signup form. So I had to reimplement the "join" method and the signup view (join.php) too. If you made any changes in this method or in the view (I hope not), you have to do it again in the Honeypot plugin folder (plugin.php for the method and resource/join.php for the view).

    Method & view are the same as in the latest esoTalk version, just with some little changes.

    If you have problems, just disable Honeypot and esoTalk will use the standard signup method & view again. :)

    And of course, this is not 100% protection! If you have any ideas about my thoughts or improvements, please let me know. Maybe we can later make a better plugin with Honeypot and a regular Captcha (like reCaptcha); I had no time to check the reCaptcha API. :(

    You know enough now? Ok then download Honeypot on GitHub.

    PS: If the user has JavaScript disabled, he won't see the form fields hidden by JavaScript either, because they have a minimal CSS height. ;)
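    The server-side check the post describes (reject the signup when a trap field is filled or the session-bound hash was changed), written here as an added example in Python; it is not code from the Honeypot plugin or from esoTalk, which are PHP. Field names, the token derivation (an HMAC over the session id with a server secret) and the sample submissions are assumptions constructed for the example.

```python
import hmac
import hashlib
import html
import secrets
from typing import Optional

# Trap fields that must stay EMPTY (hypothetical names, mirroring the post's
# advice to use realistic ones rather than obviously fake ones).
EMPTY_TRAPS = ("zipcode", "phone")
# Trap field that is prefilled with a session-bound hash and must come back UNCHANGED.
HASH_TRAP = "homepage"


def make_token(session_id: bytes, server_secret: bytes) -> str:
    """Derive the 'pseudo security hash' for one session.
    Using an HMAC keyed with a server secret means a bot cannot compute a
    valid value for a fresh session it never received the form for."""
    return hmac.new(server_secret, session_id, hashlib.sha256).hexdigest()


def render_trap_fields(token: str) -> str:
    """Return the HTML fragment the signup view would embed (assumption: the
    CSS-hidden field uses display:none, the JS-hidden ones a near-zero height
    that a script later collapses fully)."""
    style = "height:1px;overflow:hidden;margin:0;padding:0;border:0"
    return (
        '<input type="text" name="zipcode" style="display:none" autocomplete="off">'
        f'<div style="{style}"><input type="text" name="phone" autocomplete="off"></div>'
        f'<div style="{style}"><input type="text" name="homepage" '
        f'value="{html.escape(token)}" autocomplete="off"></div>'
    )


def check_signup(form: dict, session_id: bytes, server_secret: bytes) -> Optional[str]:
    """Return a rejection reason (useful for logging) or None when the
    submission passes all three honeypot checks."""
    for name in EMPTY_TRAPS:
        if form.get(name, "").strip():
            return f"trap field '{name}' was filled"
    expected = make_token(session_id, server_secret)
    submitted = form.get(HASH_TRAP, "")
    # Constant-time compare; also False for missing or wrongly sized values.
    if not hmac.compare_digest(expected, submitted):
        return "session hash missing or changed"
    return None


if __name__ == "__main__":
    secret = secrets.token_bytes(32)          # server-side secret, generated once
    sid = b"constructed-session-id"
    token = make_token(sid, secret)
    print(render_trap_fields(token))
    # Constructed submissions: a human leaves traps empty and returns the token.
    print(check_signup({"username": "alice", "homepage": token}, sid, secret))
    # A bot that fills every field it finds trips the first check.
    print(check_signup({"username": "x", "zipcode": "90210", "homepage": token}, sid, secret))
```

    A real deployment would log the rejection reason rather than showing it, since the redirect to the start page the post describes is all a bot needs to see.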

  2. thanks! I'll try it on my forum

  3. Edited 6 years ago by hajduk

    tried it and got an error:

    Fatal error: Call to protected method ETUserController::sendConfirmationEmail() from context 'ETPlugin_Honeypot' in /home/yandexru/public_html/esotalk/addons/plugins/Honeypot/plugin.php on line 82

    any ideas?

  4. Edited 6 years ago by ciruz

    Hello @hajduk,

    thank you for your feedback. I had the email confirmation disabled in my test system, I'm sorry. I fixed this little bug and updated the source on GitHub, just download it again. :)

  5. works fine now

  6. Works fine
    thanks for this nice plugin @ciruz

  7. thanks for this plugin and I hope it works well :)

  8. 5 years ago

    Does the plugin work on g4 correctly?

  9. 4 years ago

    Honeypot plugin seems not to work with latest esotalk dev. So maybe also not working with g4...
    Anyone have an updated and working version?

  10. Yeah can confirm it doesn't seem to work either here. If someone could update it that'd be great, even with StopForumSpam and reCAPTCHA my forum is occasionally getting spammed.

  11. @pwFoo Honeypot plugin seems not to work with latest esotalk dev. So maybe also not working with g4...
    Anyone have an updated and working version?

    @Martyn Yeah can confirm it doesn't seem to work either here. If someone could update it that'd be great, even with StopForumSpam and reCAPTCHA my forum is occasionally getting spammed.

    Honeypot isn't going to be updated till all the bugs are fixed in g5, so you'll have to wait. g5 is still under development so of course there will be plugins that don't work, just give it time and don't update to g5 till the bugs are fixed.

  12. Hello @Felli, maybe I'm wrong... But there are some important bug and security(!!!) fixes in the dev branch. The fixes seem not to be committed to the latest stable (last commit Jul 2014!).
    So it should be insecure to use the stable / master branch release...

  13. Edited 4 years ago by Martyn

    @Felli Honeypot isn't going to be updated till all the bugs are fixed in g5, so you'll have to wait. g5 is still under development so of course there will be plugins that don't work, just give it time and don't update to g5 till the bugs are fixed.

    It's a must to be updated to g5, there are a lot of XSS security holes in the g4 version. I'd rather run a development version than have my forum hacked (also because esoTalk is open-source, hackers can easily find out what the XSS bugs in the g4 version are).

    @pwFoo I'll see if I can get the Honeypot plugin working with g5, will say here when I have something working :)

  14. You have to change "getResource" to "resource", but there is more to do...

    I changed that, activated the plugin and checked register form source code, but no additional fields are added.

  15. @Martyn It's a must to be updated to g5, there are a lot of XSS security holes in the g4 version. I'd rather run a development version than have my forum hacked (also because esoTalk is open-source, hackers can easily find out what the XSS bugs in the g4 version are).

    @pwFoo I'll see if I can get the Honeypot plugin working with g5, will say here when I have something working :)

    The reason it's not updated is because g5 isn't complete, let those that are developing g5 fix all the known bugs then update, even a lot of the mods here were telling people that it's still under development, I'm sure that after g5 is finished someone will come and update all the plugins. I know you're wanting to keep your forums safe, but switching to g5 now will just cause more problems as there are still a lot of bugs in it and most of the plugins haven't been updated to fit g5 of yet. Just give it time, as they say, Rome wasn't built in a day.

  16. Hello @Felli, running an insecure forum with known security problems... That can't be the way to use Esotalk...

    Maybe @Toby could release a new version with bug fixes only?
    Because Flarum is focused maybe Esotalk and plugins wouldn't be updated in the future. So a last stable and secure release would be fine.

  17. @pwFoo Hello @Felli, running an insecure forum with known security problems... That can't be the way to use Esotalk...

    GitHub is at your service.

  18. @ciruz I have submitted a pull request for the updated Honeypot plugin. Changed the folder structure as well, so it will clone easier. Hope you don't mind.

    There is some work left though, see https://github.com/tvb/Honeypot/issues/1

  19. thank you @Tristan, I merged your pull request

  20. @ciruz Could you help me with https://github.com/tvb/Honeypot/issues/1 ?
