Hi there

I have just spent some time re-done a form on my on my site, I have added
one of those random images.

Please can somebody tell me if what I am doing is correct, the reason I ask
I was under the impression
you could not read a session ID without opening up the site in a browser, so
without this you can't make a
posting.
It now seems that I am being targeted again and not sure if this is a remote
script or somebody trying to
piss me off.by manually entering stuff

So the question is how are they getting pasted it?

Any help or advise would be great :)

Many thanks

Brian



------------------------------------------------------------ --------------------
I am using the free version of SPAMfighter for private users.
It has removed 1348 spam emails to date.
Paying users do not have this message in their emails.
Try SPAMfighter for free now!

| I have just spent some time re-done a form on my on my site, I have added
| one of those random images.

oh, you mean 'one of those random images' so common in terminology and
application among us that we all know what the fuck you'd be talking about.

| Please can somebody tell me if what I am doing is correct, the reason I
ask
| I was under the impression
| you could not read a session ID without opening up the site in a browser,
so
| without this you can't make a
| posting.

you really need to learn the difference and useage of periods and commas.

if you perhaps made *some* indication of wtf you actually are doing, we'd be
able to tell you with complete certainty that, indeed, you are doing it
wrong. as for reading a session id...read about sessions. they aren't magic.
they are re-written into your php outputted html if you are using them. see
PHP_SESSID. posting/getting the session id to *any* server is no big deal.
what you need to realize is that the session id lets php know what local
file is storing session information. THAT DATA is what is difficult to share
among servers/domains.

| It now seems that I am being targeted again and not sure if this is a
remote
| script or somebody trying to
| piss me off.

or, you're just being paranoid. however, give my your domain name and i'll
be happy to hack your server. ;^)

| by manually entering stuff


see how there *shouldn't* be a period after 'piss me off' since 'by manually
entereing stuff' is the rest of the sentence? and god forbid you allow users
*use* the *USER* forms on your site...everyone knows they're just
decoration.

| So the question is how are they getting pasted it?

english: not your native language, is it.

| Any help or advise would be great :)

stop now, pay to be tutored in php (english/grammar wouldn't hurt either),
or pay a professional to do it right.

Brian wrote:
> Hi there
>
> I have just spent some time re-done a form on my on my site, I have added
> one of those random images.

As we don't see how you added it, it's difficult to say yes or no.


> Please can somebody tell me if what I am doing is correct, the reason I ask
> I was under the impression
> you could not read a session ID without opening up the site in a browser, so
> without this you can't make a
> posting.

It's possible to hijack someone else session, but it's not something that you
do by automatics. Depending on how long a session is allowed to be alive on
your side, someone could visited your site once, save the session id and then
reused it. From the man page for wget you can see how easy it's to reuse a
session or make an automatic login.
http://www.cbi.pku.edu.cn/Doc/CS/wget/man.wget.html


> It now seems that I am being targeted again and not sure if this is a remote
> script or somebody trying to
> piss me off.by manually entering stuff

As you don't describe what is happening and no code, we still don't know what
to say.


> So the question is how are they getting pasted it?

They use a blue wand, kind of the same as Harry Potter, but a blue one.


--

//Aho

| > So the question is how are they getting pasted it?
|
| They use a blue wand, kind of the same as Harry Potter, but a blue one.

roflmfao !

i use a pink wand, just like your blue wand, but pink. ;^)

On 26 Mar, 01:39, "Steve" <no.... [at] example.com> wrote:
> | > So the question is how are they getting pasted it?
> |
> | They use a blue wand, kind of the same as Harry Potter, but a blue one.
>
> roflmfao !
>
> i use a pink wand, just like your blue wand, but pink. ;^)

you are both so naughty.

look Brian, as has been said, don't be afraid to provide the link, so
we can actually tell you have done wrong, after all your link is
public already; you will have peace of mind after you fix it - if
indeed anything is wrong!

You should know though sessions don't provide protection, the ID is
sent to the user-agent to be sent straight back, that's it!

If you think you are being targeted by a human, there's little you can
do, as they can solve Captcha's. If you think it is automatic then you
have either done something wrong - named the image by the random text
it contains, or have the image src="image.php?random=Rt8d" both of
which I have seen in the wild - or perhaps you have attracted a
professional - someone whose script finds the captcha url and grabs
the image sending it off to one of his/her sites which is heavily
used, the captcha is then presented to a real likfe person on /that/
site and the answer sent back through to your site - harder.

Perhaps you can just make it harder for the script by
(there are accessiblity problems with the following)
* randomising the names of the input fields, and image url
* time the solving time.
*have the posts build up (if you are getting loads of them) dump
collections of them based on IP and other data colected (see below) or
have them emailed to you first, with a validation link at the top,
then have the emails go through a Bayseian antispam filter like
spamassasin or spampal, which learns adaptively, so you only get to
see stuff considered ok.
* have the image dynamically inserted into the DOM using a separate
XHR call
* require that the IP that makes the request for the page be the same
that makes the request for the image
* require that the page must be part of a "flow" that is don't allow
post from someone who requests the html and no css/script/images,
track their requests to ensure the browser they claim to be using
matches the requests made. This is like using referer but is not so
easily spoofed as each page takes a "breadcrumb" and stored it to
track the user, award point to users who continue on round your site,
or come from somewhere within. Using a session i nice here.
* in a similar way require javascript to ask questions of the
capability of the user, if it's a script the js will fail, so require
js if you need to, if they are automating firefox, download some auto
stuff like chicken foot/solvent etc.. and see what it takes to fuzz
their script. Have a fake input hidden above the real one etc...?
* require validation of an email address, preventing mytrashmail
etc...
* prevent the script from accepting posts if at certain times.
* google for latest techniques in revealing true IP, often script
kiddies use tor/privoxy which by itself isn't enough, ask the user-
agent what time they have, screen res, use google analytics for this,
etc..
* try to tag you user with persistent data objects (eg flash),
cookies.
* download a list of know proxies at start of play, and check the
poster's IP. (including those associated with tor)

there are loads more of course, but I think you are now thinking - man
it's not worth it, I'll just delete them, so write a routine that
gathers info on the poster, and store it in the db table or wherever
and use that in a where clause, you will find they come from a
selection of IPs which repeat, so store them.

finally, have some fun, if you suspect its an autobrowser, send a
bunch of CPU chewing code to gobble up their memory using javascript,
or maybe if you get a request from a known proxy send it

I get this kind of spam from one of my sites, they have similarites,
so get killed. I find it amusing how persistent, relentless and futile
it all is, I havent taken any of the above steps to prevent it, just
to see if it will ever stop of it's own accord!

>
> look Brian, as has been said, don't be afraid to provide the link, so
> we can actually tell you have done wrong, after all your link is
> public already; you will have peace of mind after you fix it - if
> indeed anything is wrong!
>
> You should know though sessions don't provide protection, the ID is
> sent to the user-agent to be sent straight back, that's it!
>
> If you think you are being targeted by a human, there's little you can
> do, as they can solve Captcha's. If you think it is automatic then you
> have either done something wrong - named the image by the random text
> it contains, or have the image src="image.php?random=Rt8d" both of
> which I have seen in the wild - or perhaps you have attracted a
> professional - someone whose script finds the captcha url and grabs
> the image sending it off to one of his/her sites which is heavily
> used, the captcha is then presented to a real likfe person on /that/
> site and the answer sent back through to your site - harder.
>
> Perhaps you can just make it harder for the script by
> (there are accessiblity problems with the following)
> * randomising the names of the input fields, and image url
> * time the solving time.
> *have the posts build up (if you are getting loads of them) dump
> collections of them based on IP and other data colected (see below) or
> have them emailed to you first, with a validation link at the top,
> then have the emails go through a Bayseian antispam filter like
> spamassasin or spampal, which learns adaptively, so you only get to
> see stuff considered ok.
> * have the image dynamically inserted into the DOM using a separate
> XHR call
> * require that the IP that makes the request for the page be the same
> that makes the request for the image
> * require that the page must be part of a "flow" that is don't allow
> post from someone who requests the html and no css/script/images,
> track their requests to ensure the browser they claim to be using
> matches the requests made. This is like using referer but is not so
> easily spoofed as each page takes a "breadcrumb" and stored it to
> track the user, award point to users who continue on round your site,
> or come from somewhere within. Using a session i nice here.
> * in a similar way require javascript to ask questions of the
> capability of the user, if it's a script the js will fail, so require
> js if you need to, if they are automating firefox, download some auto
> stuff like chicken foot/solvent etc.. and see what it takes to fuzz
> their script. Have a fake input hidden above the real one etc...?
> * require validation of an email address, preventing mytrashmail
> etc...
> * prevent the script from accepting posts if at certain times.
> * google for latest techniques in revealing true IP, often script
> kiddies use tor/privoxy which by itself isn't enough, ask the user-
> agent what time they have, screen res, use google analytics for this,
> etc..
> * try to tag you user with persistent data objects (eg flash),
> cookies.
> * download a list of know proxies at start of play, and check the
> poster's IP. (including those associated with tor)
>
> there are loads more of course, but I think you are now thinking - man
> it's not worth it, I'll just delete them, so write a routine that
> gathers info on the poster, and store it in the db table or wherever
> and use that in a where clause, you will find they come from a
> selection of IPs which repeat, so store them.
>
> finally, have some fun, if you suspect its an autobrowser, send a
> bunch of CPU chewing code to gobble up their memory using javascript,
> or maybe if you get a request from a known proxy send it
>
> I get this kind of spam from one of my sites, they have similarites,
> so get killed. I find it amusing how persistent, relentless and futile
> it all is, I havent taken any of the above steps to prevent it, just
> to see if it will ever stop of it's own accord!


Hi Shimmy

Thanks for all your help, you were the only one that didn't seem to go
off on one. I didn't want to post up loads of code as I have been told
off for doing that before, but as it's been asked for please see below.

The random image thing, I don't know if there is a official name.for it,
but I'm talking about sites that when you go to fill in a form if asks you
to type in the number in the image, this image is randomly generated
number

Below I have put both blocks of code, 1 generates the random
image and sets the session ID, that other processes the form, what I
would like to know is how secure are they, can somebody hack it and
send out spam via my site?
Lastly can they auto submit to the process script via their own script or
are the problems I am having being done by a human testing the scripts
security?
I was under the impression because the way the random image works they
would have to be viewing the site in a browser to see the image to know what
to past over?

Thanks

Brian


PS Steve, thanks for the English lesson, always very helpful to have
somebody
take the piss out of my Dyslexia and underline the fact that I do have a
problem,
it makes me feel great, thank you so much

MAKE IMAGE

<?php

include_once("mailer_conf.php"); # Import all configuration files
$randAlpha = str_shuffle( substr(str_shuffle($listAlpha),0,$numAlpha));
$bgNum = rand(1, $Numbgimages);
$image = imagecreatetruecolor($image_width,$image_height);
if ($UseBG == true) {
$fullimage = imagecreatefromjpeg($BGPath."/background$bgNum.jpg");
imagecopyresized($image, $fullimage, 0, 0, 0, 0, $image_width,
$image_height, $image_width, $image_height);
} else {
$image_BGColour = imagecolorallocate($image, $BGColourR, $BGColourG,
$BGColourB);
imagefill($image, 0, 0, $image_BGColour);
}

$textColour = array();
$colours = array();
$charPos = 3;
$charSpacing = round($image_width / ($numAlpha + 1));
$colours[0] = imagecolorallocate ($image, 255,0,0); // Red
$colours[1] = imagecolorallocate ($image, 0,355,0); // Green
$colours[2] = imagecolorallocate ($image, 0,0,245); // Blue
$colours[3] = imagecolorallocate ($image, 255,0,255); // Magenta
$colours[4] = imagecolorallocate ($image, 0,0,0); // Black

for($i=0; $i<$numAlpha; $i++) {
$cnum = rand(0, 4);
$textColour[$i] = $colours[$cnum];
imagestring($image, $font, $charPos, rand(2,11), $randAlpha{$i},
$textColour[$i]);
$charPos = $charPos + $charSpacing;
}
session_start();

$_SESSION['image_random_value'] = md5($randAlpha);

header("Expires: Sat, 01 Jan 2000 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
header('Content-type: image/jpeg');

imagejpeg($image);
imagedestroy($fullimage);
imagedestroy($image);

unset($randAlpha, $bgNum, $newheight, $newwidth, $image, $fullimage,
$cnum, $colours);

?>



PROCESS SCRIPT

<?php

function checkaddaddress($email) {
// First, we check that there's one [at] symbol, and that the lengths are
right
if (!ereg("^[^ [at] ]{1,64} [at] [^ [at] ]{1,255}$", $email)) {
// Email invalid because wrong number of characters in one section,
or wrong number of [at] symbols.
return false;
}
// Split it into sections to make life easier
$email_array = explode(" [at] ", $email);
$local_array = explode(".", $email_array[0]);
for ($i = 0; $i <sizeof($local_array); $i++) {
if
(!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/ =?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$",
$local_array[$i])) {
return false;
}
}
if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain
is IP. If not, it should be valid domain name
$domain_array = explode(".", $email_array[1]);
if (sizeof($domain_array) <2) {
return false; // Not enough parts to domain
}
for ($i = 0; $i <sizeof($domain_array); $i++) {
if
(!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za- z0-9]+))$",
$domain_array[$i])) {
return false;
}
}
}
return true;
}

session_start();

include("mailer_conf.php"); # Import configuration files

$error_msg = '';
$_POST['image_code'] = trim($_POST['image_code']);

// check for header injection from _POST
$header_injections = array("Content-Type:", "MIME-Version:",
"Content-Transfer-Encoding:", "bcc:", "cc:");
foreach($_POST as $k => $v){
$v = strtolower($v);
foreach($header_injections as $v2){
$v2 = strtolower($v2);
if(strpos($_POST[$v], $v2) !== false){
$error_msg .= $header_injection_msg."<br>";
}
}
}
// Check posted code is same as session ID
if(($_SESSION['image_random_value'] != md5($_POST['image_code']) ||
($_POST['image_code'] == ""))) {
$error_msg .= $incorrect_code_msg."<br>";
}
// Check email address
if (!checkaddaddress($Email)) {
$error_msg .= $invalid_email_msg."<br>";
}
// check required fields
foreach($required_fields as $r){
if ($_POST[$r] == '' ) {
$missing_field .= '<li>'.$r.'</li>';
}
}
// make missing field error rmessage
if ($missing_field <> '') {
$error_msg .= $blank_field_msg."<br>The following fields are
missing<br><ul>".$missing_field."</ul>";
}
// create set of VARs from $_POST
foreach($_POST as $k => $v){
$$k = str_replace("\n", "<br>", $v);
}
// check for header injection in the above VARs
foreach($_POST as $k => $v){
foreach($header_injections as $replace){
$$k = str_replace("$replace", "HEADER INJECTION", $v);
}
}
// make note of users deatils
$timedate = date("G:i:s, D F j, Y");
$sender_info = "$timedate Sent from: " . $_SERVER['HTTP_HOST'] . "
Remote IP: ".$_SERVER['REMOTE_ADDR'] . " Remote Host: " .
$_SERVER['REMOTE_HOST'] . " PHP Auth User: " . $_SERVER['PHP_AUTH_USER'];

include("mailer_conf.php"); # Call again to make sure the Email body has
the right info in it

if ($error_msg == '' ) {
$to = strtolower("$to_name <$to_email>\n");
$from = strtolower("From: $from_name <$from_email>");
$headers = "MIME-Version: 1.0\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\n";
$headers .= $from."\n";
if ($cc_email <> '') {
$headers .= strtolower("cc: $cc_name <$cc_email>\n");
}

mail($to, $form_subject, $email_body, $headers);
echo $message_sent_msg;
} else {
echo $error_msg;
}
session_unset();
session_destroy();
?>





------------------------------------------------------------ --------------------
I am using the free version of SPAMfighter for private users.
It has removed 1384 spam emails to date.
Paying users do not have this message in their emails.
Try SPAMfighter for free now!

On 26 Mar, 15:52, "Brian" <brian_no_s... [at] nrwp.co.uk> wrote:
> > look Brian, as has been said, don't be afraid to provide the link, so
> > we can actually tell you have done wrong, after all your link is
> > public already; you will have peace of mind after you fix it - if
> > indeed anything is wrong!
>
> > You should know though sessions don't provide protection, the ID is
> > sent to the user-agent to be sent straight back, that's it!
>
> > If you think you are being targeted by a human, there's little you can
> > do, as they can solve Captcha's. If you think it is automatic then you
> > have either done something wrong - named the image by the random text
> > it contains, or have the image src="image.php?random=Rt8d" both of
> > which I have seen in the wild - or perhaps you have attracted a
> > professional - someone whose script finds the captcha url and grabs
> > the image sending it off to one of his/her sites which is heavily
> > used, the captcha is then presented to a real likfe person on /that/
> > site and the answer sent back through to your site - harder.
>
> > Perhaps you can just make it harder for the script by
> > (there are accessiblity problems with the following)
> > * randomising the names of the input fields, and image url
> > * time the solving time.
> > *have the posts build up (if you are getting loads of them) dump
> > collections of them based on IP and other data colected (see below) or
> > have them emailed to you first, with a validation link at the top,
> > then have the emails go through a Bayseian antispam filter like
> > spamassasin or spampal, which learns adaptively, so you only get to
> > see stuff considered ok.
> > * have the image dynamically inserted into the DOM using a separate
> > XHR call
> > * require that the IP that makes the request for the page be the same
> > that makes the request for the image
> > * require that the page must be part of a "flow" that is don't allow
> > post from someone who requests the html and no css/script/images,
> > track their requests to ensure the browser they claim to be using
> > matches the requests made. This is like using referer but is not so
> > easily spoofed as each page takes a "breadcrumb" and stored it to
> > track the user, award point to users who continue on round your site,
> > or come from somewhere within. Using a session i nice here.
> > * in a similar way require javascript to ask questions of the
> > capability of the user, if it's a script the js will fail, so require
> > js if you need to, if they are automating firefox, download some auto
> > stuff like chicken foot/solvent etc.. and see what it takes to fuzz
> > their script. Have a fake input hidden above the real one etc...?
> > * require validation of an email address, preventing mytrashmail
> > etc...
> > * prevent the script from accepting posts if at certain times.
> > * google for latest techniques in revealing true IP, often script
> > kiddies use tor/privoxy which by itself isn't enough, ask the user-
> > agent what time they have, screen res, use google analytics for this,
> > etc..
> > * try to tag you user with persistent data objects (eg flash),
> > cookies.
> > * download a list of know proxies at start of play, and check the
> > poster's IP. (including those associated with tor)
>
> > there are loads more of course, but I think you are now thinking - man
> > it's not worth it, I'll just delete them, so write a routine that
> > gathers info on the poster, and store it in the db table or wherever
> > and use that in a where clause, you will find they come from a
> > selection of IPs which repeat, so store them.
>
> > finally, have some fun, if you suspect its an autobrowser, send a
> > bunch of CPU chewing code to gobble up their memory using javascript,
> > or maybe if you get a request from a known proxy send it
>
> > I get this kind of spam from one of my sites, they have similarites,
> > so get killed. I find it amusing how persistent, relentless and futile
> > it all is, I havent taken any of the above steps to prevent it, just
> > to see if it will ever stop of it's own accord!
>
> Hi Shimmy
>
> Thanks for all your help, you were the only one that didn't seem to go
> off on one. I didn't want to post up loads of code as I have been told
> off for doing that before, but as it's been asked for please see below.
>
> The random image thing, I don't know if there is a official name.for it,
> but I'm talking about sites that when you go to fill in a form if asks you
> to type in the number in the image, this image is randomly generated
> number
>
> Below I have put both blocks of code, 1 generates the random
> image and sets the session ID, that other processes the form, what I
> would like to know is how secure are they, can somebody hack it and
> send out spam via my site?
> Lastly can they auto submit to the process script via their own script or
> are the problems I am having being done by a human testing the scripts
> security?
> I was under the impression because the way the random image works they
> would have to be viewing the site in a browser to see the image to know what
> to past over?
>
> Thanks
>
> Brian
>
> PS Steve, thanks for the English lesson, always very helpful to have
> somebody
> take the piss out of my Dyslexia and underline the fact that I do have a
> problem,
> it makes me feel great, thank you so much
>
> MAKE IMAGE
>
> <?php
>
> include_once("mailer_conf.php"); # Import all configuration files
> $randAlpha = str_shuffle( substr(str_shuffle($listAlpha),0,$numAlpha));
> $bgNum = rand(1, $Numbgimages);
> $image = imagecreatetruecolor($image_width,$image_height);
> if ($UseBG == true) {
> $fullimage = imagecreatefromjpeg($BGPath."/background$bgNum.jpg");
> imagecopyresized($image, $fullimage, 0, 0, 0, 0, $image_width,
> $image_height, $image_width, $image_height);
> } else {
> $image_BGColour = imagecolorallocate($image, $BGColourR, $BGColourG,
> $BGColourB);
> imagefill($image, 0, 0, $image_BGColour);
> }
>
> $textColour = array();
> $colours = array();
> $charPos = 3;
> $charSpacing = round($image_width / ($numAlpha + 1));
> $colours[0] = imagecolorallocate ($image, 255,0,0); // Red
> $colours[1] = imagecolorallocate ($image, 0,355,0); // Green
> $colours[2] = imagecolorallocate ($image, 0,0,245); // Blue
> $colours[3] = imagecolorallocate ($image, 255,0,255); // Magenta
> $colours[4] = imagecolorallocate ($image, 0,0,0); // Black
>
> for($i=0; $i<$numAlpha; $i++) {
> $cnum = rand(0, 4);
> $textColour[$i] = $colours[$cnum];
> imagestring($image, $font, $charPos, rand(2,11), $randAlpha{$i},
> $textColour[$i]);
> $charPos = $charPos + $charSpacing;
> }
> session_start();
>
> $_SESSION['image_random_value'] = md5($randAlpha);
>
> header("Expires: Sat, 01 Jan 2000 05:00:00 GMT");
> header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
> header("Cache-Control: no-store, no-cache, must-revalidate");
> header("Cache-Control: post-check=0, pre-check=0", false);
> header("Pragma: no-cache");
> header('Content-type: image/jpeg');
>
> imagejpeg($image);
> imagedestroy($fullimage);
> imagedestroy($image);
>
> unset($randAlpha, $bgNum, $newheight, $newwidth, $image, $fullimage,
> $cnum, $colours);
>
> ?>
>
> PROCESS SCRIPT
>
> <?php
>
> function checkaddaddress($email) {
> // First, we check that there's one [at] symbol, and that the lengths are
> right
> if (!ereg("^[^ [at] ]{1,64} [at] [^ [at] ]{1,255}$", $email)) {
> // Email invalid because wrong number of characters in one section,
> or wrong number of [at] symbols.
> return false;
> }
> // Split it into sections to make life easier
> $email_array = explode(" [at] ", $email);
> $local_array = explode(".", $email_array[0]);
> for ($i = 0; $i <sizeof($local_array); $i++) {
> if
> (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/ =?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$",
> $local_array[$i])) {
> return false;
> }
> }
> if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain
> is IP. If not, it should be valid domain name
> $domain_array = explode(".", $email_array[1]);
> if (sizeof($domain_array) <2) {
> return false; // Not enough parts to domain
> }
> for ($i = 0; $i <sizeof($domain_array); $i++) {
> if
> (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za- z0-9]+))$",
> $domain_array[$i])) {
> return false;
> }
> }
> }
> return true;
> }
>
> session_start();
>
> include("mailer_conf.php"); # Import configuration files
>
> $error_msg = '';
> $_POST['image_code'] = trim($_POST['image_code']);
>
> // check for header injection from _POST
> $header_injections = array("Content-Type:", "MIME-Version:",
> "Content-Transfer-Encoding:", "bcc:", "cc:");
> foreach($_POST as $k => $v){
> $v = strtolower($v);
> foreach($header_injections as $v2){
> $v2 = strtolower($v2);
> if(strpos($_POST[$v], $v2) !== false){
> $error_msg .= $header_injection_msg."<br>";
> }
> }
> }
> // Check posted code is same as session ID
> if(($_SESSION['image_random_value'] != md5($_POST['image_code']) ||
> ($_POST['image_code'] == ""))) {
> $error_msg .= $incorrect_code_msg."<br>";
> }
> // Check email address
> if (!checkaddaddress($Email)) {
> $error_msg .= $invalid_email_msg."<br>";
> }
> // check required fields
> foreach($required_fields as $r){
> if ($_POST[$r] == '' ) {
> $missing_field .= '<li>'.$r.'</li>';
> }
> }
> // make missing field error rmessage
> if ($missing_field <> '') {
> $error_msg .= $blank_field_msg."<br>The following fields are
> missing<br><ul>".$missing_field."</ul>";
> }
> // create set of VARs from $_POST
> foreach($_POST as $k => $v){
> $$k = str_replace("\n", "<br>", $v);
> }
> // check for header injection in the above VARs
> foreach($_POST as $k => $v){
> foreach($header_injections as $replace){
> $$k = str_replace("$replace", "HEADER INJECTION", $v);
> }
> }
> // make note of users deatils
> $timedate = date("G:i:s, D F j, Y");
> $sender_info = "$timedate Sent from: " . $_SERVER['HTTP_HOST'] . "
> Remote IP: ".$_SERVER['REMOTE_ADDR'] . " Remote Host: " .
> $_SERVER['REMOTE_HOST'] . " PHP Auth User: " . $_SERVER['PHP_AUTH_USER'];
>
> include("mailer_conf.php"); # Call again to make sure the Email body has
> the right info in it
>
> if ($error_msg == '' ) {
> $to = strtolower("$to_name <$to_email>\n");
> $from = strtolower("From: $from_name <$from_email>");
> $headers = "MIME-Version: 1.0\n";
> $headers .= "Content-type: text/html; charset=iso-8859-1\n";
> $headers .= $from."\n";
> if ($cc_email <> '') {
> $headers .= strtolower("cc: $cc_name <$cc_email>\n");
> }
>
> mail($to, $form_subject, $email_body, $headers);
> echo $message_sent_msg;
> } else {
> echo $error_msg;
> }
> session_unset();
> session_destroy();
> ?>
>
> ------------------------------------------------------------ --------------------
> I am using the free version of SPAMfighter for private users.
> It has removed 1384 spam emails to date.
> Paying users do not have this message in their emails.
> Try SPAMfighter for free now!



I understand re going off on one but im not immune, I was doing that
yesterday and got in trouble.
The reason I asked for a URL rather than code, is that it's what the
attacker is seeing, and only then can I say.
Ive glanced at the code, although all of it's not there, there are
background images, conf files, and so on, and I cant see the markup,
etc... it looks needlessly complex re email validation reg exp)and
header injection, but as I say I cant tell how the mailer script works
or whether its vulnerable or whether its the correct way to be doing
it, or what your functionality is for the user etc.. so I cant make
any definitive statements.
however the main part of the problem will not be this processing code
but the code that /prints the markup/, and shows the form, that's the /
front/ end, and where the problems start, if you can send me the URL I
will be happy to take a look.

| PS Steve, thanks for the English lesson, always very helpful to have
| somebody
| take the piss out of my Dyslexia and underline the fact that I do have a
| problem,
| it makes me feel great, thank you so much

no problem brian. as one who has had many a dyslexic employee in the past,
let me be the first to say that it does not in the least effect your ability
to know when to use a comma or a period...nor does it effect your ability to
at least use the correct letters that make up a word dispite its potential
mis-spelling because of the order in which you place them.

dyslexia is a narrow blockade for poor grammar - the blockade being of
course, an excuse for it. while you may employ poor grammar as a result of
not being well read, certainly once can acheive it without reading at all. i
can assume safely, given what i know, that your memory (both long and short)
exceeds the memory of the average person. as grammar is taught equally
verbally as it is practiced visually, you have no excuse...actually, less of
an excuse - you should be able to remember the instructions better than
most!

brian, your grammar is shit. you can't hide behind an RD expecting us to let
it slide because our sympathies are somehow owed to you.

so, are you truly dyslexic or alexic? don't know the difference? hint, i
think your momma dropped you on your head when you were young...and often.
;^)

| Ive glanced at the code, although all of it's not there, there are
| background images, conf files, and so on, and I cant see the markup,
| etc... it looks needlessly complex re email validation reg exp)and
| header injection, but as I say I cant tell how the mailer script works
| or whether its vulnerable or whether its the correct way to be doing
| it, or what your functionality is for the user etc.. so I cant make
| any definitive statements.

hey shimmy,

did you puruse the code i posted under phil buckman's 'Need a simple
database for name and email only' thread?

i'm interested in seeing what wholes you find in it.

thx,

me

On 26 Mar, 17:15, "Steve" <no.... [at] example.com> wrote:
> | PS Steve, thanks for the English lesson, always very helpful to have
> | somebody
> | take the piss out of my Dyslexia and underline the fact that I do have a
> | problem,
> | it makes me feel great, thank you so much
>
> no problem brian. as one who has had many a dyslexic employee in the past,
> let me be the first to say that it does not in the least effect your ability
> to know when to use a comma or a period...nor does it effect your ability to
> at least use the correct letters that make up a word dispite its potential
> mis-spelling because of the order in which you place them.
>
> dyslexia is a narrow blockade for poor grammar - the blockade being of
> course, an excuse for it. while you may employ poor grammar as a result of
> not being well read, certainly once can acheive it without reading at all. i
> can assume safely, given what i know, that your memory (both long and short)
> exceeds the memory of the average person. as grammar is taught equally
> verbally as it is practiced visually, you have no excuse...actually, less of
> an excuse - you should be able to remember the instructions better than
> most!
>
> brian, your grammar is shit. you can't hide behind an RD expecting us to let
> it slide because our sympathies are somehow owed to you.
>
> so, are you truly dyslexic or alexic? don't know the difference? hint, i
> think your momma dropped you on your head when you were young...and often.
> ;^)

At the risk of becoming the brunt - hee hee - of another tirade,
here's what I noticed about your last post Steve ;)
* lack of capitilisation of first word - 11
* no capitalisation of proper noun - 2
* no capitalisation of personal pronoun - 3
* starting a sentence with a conjunction - 3
* sentence fragment - 1
* ambiguous meaning - 2
* incorrect spelling - 2
* incorrect hypenation - 1
* inccorect use of word - 1
* word transposition (wrong transitive verb) - 2
* over using punctuation in sentence where splitting it would be
better - 1
* naughty rude words and comments - 3
* failure to define acronymn on first use - 1

let me be the first to say, that I am particularly prone to all these
faults and more!!
so im the pot kalling the kettal blac!

On 26 Mar, 17:19, "Steve" <no.... [at] example.com> wrote:
> | Ive glanced at the code, although all of it's not there, there are
> | background images, conf files, and so on, and I cant see the markup,
> | etc... it looks needlessly complex re email validation reg exp)and
> | header injection, but as I say I cant tell how the mailer script works
> | or whether its vulnerable or whether its the correct way to be doing
> | it, or what your functionality is for the user etc.. so I cant make
> | any definitive statements.
>
> hey shimmy,
>
> did you puruse the code i posted under phil buckman's 'Need a simple
> database for name and email only' thread?
>
> i'm interested in seeing what wholes you find in it.
>
> thx,
>
> me

sure, I'll take a look, but my girl friend wants me to "stop looking
on the bloody computer" and to play frisbie instead! catch you later

"shimmyshack" <matt.farey [at] gmail.com> wrote in message
news:1174927946.420802.64900 [at] b75g2000hsg.googlegroups.com...
| On 26 Mar, 17:19, "Steve" <no.... [at] example.com> wrote:
| > | Ive glanced at the code, although all of it's not there, there are
| > | background images, conf files, and so on, and I cant see the markup,
| > | etc... it looks needlessly complex re email validation reg exp)and
| > | header injection, but as I say I cant tell how the mailer script works
| > | or whether its vulnerable or whether its the correct way to be doing
| > | it, or what your functionality is for the user etc.. so I cant make
| > | any definitive statements.
| >
| > hey shimmy,
| >
| > did you puruse the code i posted under phil buckman's 'Need a simple
| > database for name and email only' thread?
| >
| > i'm interested in seeing what wholes you find in it.
| >
| > thx,
| >
| > me
|
| sure, I'll take a look, but my girl friend wants me to "stop looking
| on the bloody computer" and to play frisbie instead! catch you later

lol.

i usually get pillows hurled at my head around 2 or 3 am when the lil' woman
can't take the monitor light anymore.

l8r.

| At the risk of becoming the brunt - hee hee - of another tirade,
| here's what I noticed about your last post Steve ;)


| * lack of capitilisation of first word - 11
| * no capitalisation of proper noun - 2
| * no capitalisation of personal pronoun - 3

i know, i know. it's a unix thing.

| * starting a sentence with a conjunction - 3

generally accepted as proper, however formally, a no-no.

| * sentence fragment - 1

i'm usually pretty good with those, as they are a pet-peave of mine. i'm
guessing it's the context of the response.

| * ambiguous meaning - 2

hmmm. context again?

| * incorrect spelling - 2

amazing, i'm shit-for-spelling. nntp posts just don't warrant me
spell-checking. 2 is actually pretty low for me. ;^)

| * incorrect hypenation - 1

i'd count that as spelling...so now it's closer to what i'd expect.

| * inccorect use of word - 1

hmmm...where?

| * word transposition (wrong transitive verb) - 2

really? i must have been out of it. where?

| * over using punctuation in sentence where splitting it would be
| better - 1

yeah, i like my elipses. ;^)

| * naughty rude words and comments - 3

lol. i don't think that counts to grammar. and as intent defines
'naughty/rude', i could have just as easily used no vulgarity at all, yet
levied the same message. proof that no word is naughty or rude. they are
just short-cuts to express intent. intent, btw, doesn't go toward grammar.

| * failure to define acronymn on first use - 1

RD is a common acronym in the context of those familiar with dyslexia and
thus, needs no definition.

| let me be the first to say, that I am particularly prone to all these
| faults and more!!
| so im the pot kalling the kettal blac!

we're all in the same boat, however i think you can view the op's posts and
compare the grammar against other posters to whom i've responded (without
mentioning grammar). among the vast array, you'll probably see when i have
hit a threshold. this op just had the whole post fubar - grammar being one
of the items i pointed out as whack.

cheers.

Brian wrote:

> Thanks for all your help, you were the only one that didn't seem to go
> off on one. I didn't want to post up loads of code as I have been told
> off for doing that before, but as it's been asked for please see below.

You can always post a link, like www.example.net/myscript.txt
When making a such copy, just remember to remove logins and passwords for
databases.


> Below I have put both blocks of code, 1 generates the random
> image and sets the session ID, that other processes the form, what I
> would like to know is how secure are they, can somebody hack it and
> send out spam via my site?

Looking at the image generator, it seems to be okey, not leaking the random value.

Your validation script seems to be ok too, but there are some things I had
done a bit different. When cheking if a variable is empty, you can use the
empty() and using it together with a isset() can save you from some confusing
error messages. I don't think it's a good use to use '<>' when you can use '!='.


> Lastly can they auto submit to the process script via their own script or
> are the problems I am having being done by a human testing the scripts
> security?
> I was under the impression because the way the random image works they
> would have to be viewing the site in a browser to see the image to know what
> to past over?

I haven't seen the image you generate, if it's too clear, there are software
that can read the text and then use the value in the form (posting form values
can be done automatically, just look at wget).


A stupid question, did you remove your old script?


> if ($error_msg == '' ) {
> $to = strtolower("$to_name <$to_email>\n");
> $from = strtolower("From: $from_name <$from_email>");
> $headers = "MIME-Version: 1.0\n";
> $headers .= "Content-type: text/html; charset=iso-8859-1\n";
> $headers .= $from."\n";
> if ($cc_email <> '') {
> $headers .= strtolower("cc: $cc_name <$cc_email>\n");
> }

Even this has nothing to do with your problem, your header isn't following the
rfc, Cc: and Bcc: should have a capital letter and header lines should be
separated with \r\n, you don't need to add that to the last line in the
header, the mail() fixes it for you. Miss formed headers could lead to that
your mail is tagged as spam.


--

//Aho

"shimmyshack" <matt.farey [at] gmail.com> wrote in message
news:1174923048.144588.105790 [at] n59g2000hsh.googlegroups.com.. .
> On 26 Mar, 15:52, "Brian" <brian_no_s... [at] nrwp.co.uk> wrote:
>> > look Brian, as has been said, don't be afraid to provide the link, so
>> > we can actually tell you have done wrong, after all your link is
>> > public already; you will have peace of mind after you fix it - if
>> > indeed anything is wrong!
>>
>> > You should know though sessions don't provide protection, the ID is
>> > sent to the user-agent to be sent straight back, that's it!
>>
>> > If you think you are being targeted by a human, there's little you can
>> > do, as they can solve Captcha's. If you think it is automatic then you
>> > have either done something wrong - named the image by the random text
>> > it contains, or have the image src="image.php?random=Rt8d" both of
>> > which I have seen in the wild - or perhaps you have attracted a
>> > professional - someone whose script finds the captcha url and grabs
>> > the image sending it off to one of his/her sites which is heavily
>> > used, the captcha is then presented to a real likfe person on /that/
>> > site and the answer sent back through to your site - harder.
>>
>> > Perhaps you can just make it harder for the script by
>> > (there are accessiblity problems with the following)
>> > * randomising the names of the input fields, and image url
>> > * time the solving time.
>> > *have the posts build up (if you are getting loads of them) dump
>> > collections of them based on IP and other data colected (see below) or
>> > have them emailed to you first, with a validation link at the top,
>> > then have the emails go through a Bayseian antispam filter like
>> > spamassasin or spampal, which learns adaptively, so you only get to
>> > see stuff considered ok.
>> > * have the image dynamically inserted into the DOM using a separate
>> > XHR call
>> > * require that the IP that makes the request for the page be the same
>> > that makes the request for the image
>> > * require that the page must be part of a "flow" that is don't allow
>> > post from someone who requests the html and no css/script/images,
>> > track their requests to ensure the browser they claim to be using
>> > matches the requests made. This is like using referer but is not so
>> > easily spoofed as each page takes a "breadcrumb" and stored it to
>> > track the user, award point to users who continue on round your site,
>> > or come from somewhere within. Using a session i nice here.
>> > * in a similar way require javascript to ask questions of the
>> > capability of the user, if it's a script the js will fail, so require
>> > js if you need to, if they are automating firefox, download some auto
>> > stuff like chicken foot/solvent etc.. and see what it takes to fuzz
>> > their script. Have a fake input hidden above the real one etc...?
>> > * require validation of an email address, preventing mytrashmail
>> > etc...
>> > * prevent the script from accepting posts if at certain times.
>> > * google for latest techniques in revealing true IP, often script
>> > kiddies use tor/privoxy which by itself isn't enough, ask the user-
>> > agent what time they have, screen res, use google analytics for this,
>> > etc..
>> > * try to tag you user with persistent data objects (eg flash),
>> > cookies.
>> > * download a list of know proxies at start of play, and check the
>> > poster's IP. (including those associated with tor)
>>
>> > there are loads more of course, but I think you are now thinking - man
>> > it's not worth it, I'll just delete them, so write a routine that
>> > gathers info on the poster, and store it in the db table or wherever
>> > and use that in a where clause, you will find they come from a
>> > selection of IPs which repeat, so store them.
>>
>> > finally, have some fun, if you suspect its an autobrowser, send a
>> > bunch of CPU chewing code to gobble up their memory using javascript,
>> > or maybe if you get a request from a known proxy send it
>>
>> > I get this kind of spam from one of my sites, they have similarites,
>> > so get killed. I find it amusing how persistent, relentless and futile
>> > it all is, I havent taken any of the above steps to prevent it, just
>> > to see if it will ever stop of it's own accord!
>>
>> Hi Shimmy
>>
>> Thanks for all your help, you were the only one that didn't seem to go
>> off on one. I didn't want to post up loads of code as I have been told
>> off for doing that before, but as it's been asked for please see below.
>>
>> The random image thing, I don't know if there is a official name.for it,
>> but I'm talking about sites that when you go to fill in a form if asks
>> you
>> to type in the number in the image, this image is randomly generated
>> number
>>
>> Below I have put both blocks of code, 1 generates the random
>> image and sets the session ID, that other processes the form, what I
>> would like to know is how secure are they, can somebody hack it and
>> send out spam via my site?
>> Lastly can they auto submit to the process script via their own script or
>> are the problems I am having being done by a human testing the scripts
>> security?
>> I was under the impression because the way the random image works they
>> would have to be viewing the site in a browser to see the image to know
>> what
>> to past over?
>>
>> Thanks
>>
>> Brian
>>
>> PS Steve, thanks for the English lesson, always very helpful to have
>> somebody
>> take the piss out of my Dyslexia and underline the fact that I do have a
>> problem,
>> it makes me feel great, thank you so much
>>
>> MAKE IMAGE
>>
>> <?php
>>
>> include_once("mailer_conf.php"); # Import all configuration files
>> $randAlpha = str_shuffle( substr(str_shuffle($listAlpha),0,$numAlpha));
>> $bgNum = rand(1, $Numbgimages);
>> $image = imagecreatetruecolor($image_width,$image_height);
>> if ($UseBG == true) {
>> $fullimage = imagecreatefromjpeg($BGPath."/background$bgNum.jpg");
>> imagecopyresized($image, $fullimage, 0, 0, 0, 0, $image_width,
>> $image_height, $image_width, $image_height);
>> } else {
>> $image_BGColour = imagecolorallocate($image, $BGColourR, $BGColourG,
>> $BGColourB);
>> imagefill($image, 0, 0, $image_BGColour);
>> }
>>
>> $textColour = array();
>> $colours = array();
>> $charPos = 3;
>> $charSpacing = round($image_width / ($numAlpha + 1));
>> $colours[0] = imagecolorallocate ($image, 255,0,0); // Red
>> $colours[1] = imagecolorallocate ($image, 0,355,0); // Green
>> $colours[2] = imagecolorallocate ($image, 0,0,245); // Blue
>> $colours[3] = imagecolorallocate ($image, 255,0,255); // Magenta
>> $colours[4] = imagecolorallocate ($image, 0,0,0); // Black
>>
>> for($i=0; $i<$numAlpha; $i++) {
>> $cnum = rand(0, 4);
>> $textColour[$i] = $colours[$cnum];
>> imagestring($image, $font, $charPos, rand(2,11), $randAlpha{$i},
>> $textColour[$i]);
>> $charPos = $charPos + $charSpacing;
>> }
>> session_start();
>>
>> $_SESSION['image_random_value'] = md5($randAlpha);
>>
>> header("Expires: Sat, 01 Jan 2000 05:00:00 GMT");
>> header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
>> header("Cache-Control: no-store, no-cache, must-revalidate");
>> header("Cache-Control: post-check=0, pre-check=0", false);
>> header("Pragma: no-cache");
>> header('Content-type: image/jpeg');
>>
>> imagejpeg($image);
>> imagedestroy($fullimage);
>> imagedestroy($image);
>>
>> unset($randAlpha, $bgNum, $newheight, $newwidth, $image, $fullimage,
>> $cnum, $colours);
>>
>> ?>
>>
>> PROCESS SCRIPT
>>
>> <?php
>>
>> function checkaddaddress($email) {
>> // First, we check that there's one [at] symbol, and that the lengths are
>> right
>> if (!ereg("^[^ [at] ]{1,64} [at] [^ [at] ]{1,255}$", $email)) {
>> // Email invalid because wrong number of characters in one
>> section,
>> or wrong number of [at] symbols.
>> return false;
>> }
>> // Split it into sections to make life easier
>> $email_array = explode(" [at] ", $email);
>> $local_array = explode(".", $email_array[0]);
>> for ($i = 0; $i <sizeof($local_array); $i++) {
>> if
>> (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/ =?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$",
>> $local_array[$i])) {
>> return false;
>> }
>> }
>> if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if
>> domain
>> is IP. If not, it should be valid domain name
>> $domain_array = explode(".", $email_array[1]);
>> if (sizeof($domain_array) <2) {
>> return false; // Not enough parts to domain
>> }
>> for ($i = 0; $i <sizeof($domain_array); $i++) {
>> if
>> (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za- z0-9]+))$",
>> $domain_array[$i])) {
>> return false;
>> }
>> }
>> }
>> return true;
>> }
>>
>> session_start();
>>
>> include("mailer_conf.php"); # Import configuration files
>>
>> $error_msg = '';
>> $_POST['image_code'] = trim($_POST['image_code']);
>>
>> // check for header injection from _POST
>> $header_injections = array("Content-Type:", "MIME-Version:",
>> "Content-Transfer-Encoding:", "bcc:", "cc:");
>> foreach($_POST as $k => $v){
>> $v = strtolower($v);
>> foreach($header_injections as $v2){
>> $v2 = strtolower($v2);
>> if(strpos($_POST[$v], $v2) !== false){
>> $error_msg .= $header_injection_msg."<br>";
>> }
>> }
>> }
>> // Check posted code is same as session ID
>> if(($_SESSION['image_random_value'] != md5($_POST['image_code']) ||
>> ($_POST['image_code'] == ""))) {
>> $error_msg .= $incorrect_code_msg."<br>";
>> }
>> // Check email address
>> if (!checkaddaddress($Email)) {
>> $error_msg .= $invalid_email_msg."<br>";
>> }
>> // check required fields
>> foreach($required_fields as $r){
>> if ($_POST[$r] == '' ) {
>> $missing_field .= '<li>'.$r.'</li>';
>> }
>> }
>> // make missing field error rmessage
>> if ($missing_field <> '') {
>> $error_msg .= $blank_field_msg."<br>The following fields are
>> missing<br><ul>".$missing_field."</ul>";
>> }
>> // create set of VARs from $_POST
>> foreach($_POST as $k => $v){
>> $$k = str_replace("\n", "<br>", $v);
>> }
>> // check for header injection in the above VARs
>> foreach($_POST as $k => $v){
>> foreach($header_injections as $replace){
>> $$k = str_replace("$replace", "HEADER INJECTION", $v);
>> }
>> }
>> // make note of users deatils
>> $timedate = date("G:i:s, D F j, Y");
>> $sender_info = "$timedate Sent from: " . $_SERVER['HTTP_HOST'] . "
>> Remote IP: ".$_SERVER['REMOTE_ADDR'] . " Remote Host: " .
>> $_SERVER['REMOTE_HOST'] . " PHP Auth User: " .
>> $_SERVER['PHP_AUTH_USER'];
>>
>> include("mailer_conf.php"); # Call again to make sure the Email body
>> has
>> the right info in it
>>
>> if ($error_msg == '' ) {
>> $to = strtolower("$to_name <$to_email>\n");
>> $from = strtolower("From: $from_name <$from_email>");
>> $headers = "MIME-Version: 1.0\n";
>> $headers .= "Content-type: text/html; charset=iso-8859-1\n";
>> $headers .= $from."\n";
>> if ($cc_email <> '') {
>> $headers .= strtolower("cc: $cc_name <$cc_email>\n");
>> }
>>
>> mail($to, $form_subject, $email_body, $headers);
>> echo $message_sent_msg;
>> } else {
>> echo $error_msg;
>> }
>> session_unset();
>> session_destroy();
>> ?>
>>
>> ------------------------------------------------------------ --------------------
>> I am using the free version of SPAMfighter for private users.
>> It has removed 1384 spam emails to date.
>> Paying users do not have this message in their emails.
>> Try SPAMfighter for free now!
>
>
>
> I understand re going off on one but im not immune, I was doing that
> yesterday and got in trouble.
> The reason I asked for a URL rather than code, is that it's what the
> attacker is seeing, and only then can I say.
> Ive glanced at the code, although all of it's not there, there are
> background images, conf files, and so on, and I cant see the markup,
> etc... it looks needlessly complex re email validation reg exp)and
> header injection, but as I say I cant tell how the mailer script works
> or whether its vulnerable or whether its the correct way to be doing
> it, or what your functionality is for the user etc.. so I cant make
> any definitive statements.
> however the main part of the problem will not be this processing code
> but the code that /prints the markup/, and shows the form, that's the /
> front/ end, and where the problems start, if you can send me the URL I
> will be happy to take a look.
>

Hi shimmyshack

Once again thanks for your replay, just in case there is a problem
I have set up a version of the scrip on a domain I don't really use,
this way I can shut is down quickly :) All this domain has on it is
the scripts

http://www.harhill.co.uk/

Please let me know what you find, once aging thank you

Brian



------------------------------------------------------------ --------------------
I am using the free version of SPAMfighter for private users.
It has removed 1395 spam emails to date.
Paying users do not have this message in their emails.
Try SPAMfighter for free now!

Brian wrote:

> I have set up a version of the scrip on a domain I don't really use,
> this way I can shut is down quickly :) All this domain has on it is
> the scripts
>
> http://www.harhill.co.uk/
>
> Please let me know what you find, once aging thank you

The image is all too clear, it's no problem to convert the image into a
string. I would suggest you look into blurring the characters and add a
background that isn't single colored.


--

//Aho

> Brian wrote:
>
>> I have set up a version of the scrip on a domain I don't really use,
>> this way I can shut is down quickly :) All this domain has on it is
>> the scripts
>>
>> http://www.harhill.co.uk/
>>
>> Please let me know what you find, once aging thank you
>
> J.O. Aho" wrote

> The image is all too clear, it's no problem to convert the image into a
> string. I would suggest you look into blurring the characters and add a
> background that isn't single colored.

Oops i didn't have the background images turned on, what about now?

Brian




------------------------------------------------------------ --------------------
I am using the free version of SPAMfighter for private users.
It has removed 1395 spam emails to date.
Paying users do not have this message in their emails.
Try SPAMfighter for free now!

Brian wrote:
>> Brian wrote:
>>
>>> I have set up a version of the scrip on a domain I don't really use,
>>> this way I can shut is down quickly :) All this domain has on it is
>>> the scripts
>>>
>>> http://www.harhill.co.uk/
>>>
>>> Please let me know what you find, once aging thank you
>> J.O. Aho" wrote
>
>> The image is all too clear, it's no problem to convert the image into a
>> string. I would suggest you look into blurring the characters and add a
>> background that isn't single colored.
>
> Oops i didn't have the background images turned on, what about now?

It's better, but take something that is closer in color/hue to the characters,
the point is to make the text hard to read for OCR-programs, if you then blur
the text you make it a bit harder.

--

//Aho

Steve wrote:
> | * inccorect use of word - 1
> hmmm...where?

I vote for "effect" instead of "affect".

Greetings,

Dennis