How do I test my antispam code against bots? - security

I have some code and I wonder how it would stand up against bots. Is there a way I can either run a bot to check the strength of my site or set real live spam bots on it in a prerelease test? (I can use something.noip.com as a dummy domain.)

You could always just drop by some of the shadier channels on IRC, and brag about your super-secret new breakthrough in software that is able to stop 100% of all spam bots which will get you the hot babes. Be as irritating as possible, and keep poking around the area.... Eventually, you'll provoke SOMEBODY :)

You can improve the Google ranking of your site to attract more bots and you can, as Edouard wrote, install some bots and try to "break" your tests. Although I don't think that the "good" bots are downloadable for free.
I'd go for a higher Google rank and placing your URL in many places on the web to raise the chance that it gets picked up.
Place it in your footer in forums, etc. Use it in your footer in high-traffic mailing lists.
But don't post there just to place your URL; this will make people angry if they notice it (and justifiably so).

You answered your own question. Set up bots and run them against your site to see if it works well.
Over time, as the popularity of your site rises, bots will spam you. You will need to keep the race going as bots get better and better.

Just publish it and make the page available to search engine spiders and other traffic. They will eventually find you!

Related

How could I protect the users from my webpage from being tracked?

This is maybe quite a broad question and I tried to look for other stack exchanges where addressing my question would suit better – but in the end I decided that it might be still a question of a technical nature, and so I am posting it here:
I recently started to think more about privacy and security and I realized that I as a web user can only do so much about staying untracked. VPN, (slow) Tor, privacy helpers, ad-blockers, Firefox are just a few tools to name, but still I realize that the information that I normally share (like installed add-ons, browser size, IP location etc.) can still very well be fingerprinted.
Normally as a web-developer I am told that we should add analytics, that we should find out more about the users to «make a better service», but I think I would like to do the opposite.
So:
Are there steps I could take, when building a website, that help the visitors to stay untracked? And I don't mean «not installing Google Analytics», I mean things like somehow actively messing with the statistics, so that my hoster's server is incapable of tracking things correctly or similar things...
Right now I can't really think of anything, but I somehow believe that I as a person who builds bricks of the internet could and should be able to influence these kinds of things directly...
For now I see the obvious things:
- not using statistic services
- use https
- not using any third party tools that might include tracking or open doors for other trackers
But still this seems to just omit the bad things, but I can't actually do active stuff...
So I would be very glad to hear your thoughts about this. (Or guide me to a place where this discussion fits better...)
Cheers
merc
As a web developer, you can only control your website.
Assuming you aren't caching any data or using cookies, then users shouldn't be tracked while using your website by tools like 3rd party cookies.
Here is a good article about online tracking and how it works.
As far as I know, there isn't an effective way to actively mess with tracking statistics. Your best bet is to avoid installing libraries or tools that track your users.

Intranet planning / what do i need

Ok so I've been tasked with doing "research" on building an intranet for a potential new client for my company and they want some kind of answer by Monday (like any company, they REALLY want this project).
That said, I've been doing "research" and have so many tabs/windows open that I'm going nuts and getting lost since my research doesn't have direction... taking in too much and need assistance.
I have 2 questions after a brief explanation.
Essentially, from my understanding, an intranet is... well, in plain
terms, a website that is offline? Has a deeper framework because of
the documents that will be available (I think it's for a school) and the
people who can access them but can also have access to the internet?
Since it's for a school (not sure if it's mainly for teachers or teachers
and students) I'm assuming a lot of documents either way.
Aside from being private, throughout my research, I've read a lot about file security, firewalls, and... and... I'm starting to get overwhelmed.
Me myself, am a web designer/so-so developer. Decent knowledge of JS/jQuery and PHP/MySQL, though I feel like I'm just getting started in the web-developer part. Good knowledge of standards HTML/CSS, designer tools etc...
That said, these are my questions.
1. What is actually involved in planning to create this? What tools (read CMS if possible) can I use to create any of this? Like, to make this happen, what do I actually need, and need to know? What direction should I take? If you can direct me and help me close some of these 30+ links spread across my 3 monitors I'd owe ya lol.
I can build many things and don't mind giving it a HARD go but this seems like a HUGE project and I'm SURE that if my company takes this job, I'd be put on it. Now I can do some of the parts of this project but not 100% sure I'm the right person for this. They're counting on me for a yes/no answer as to whether I can do it (they know it's big and it'll take time to accomplish) but so... with my skills posted above, am I the right person to do this? Or is this more akin to an ACTUAL tried and true developer?
Thank you for your time and, any tips/links/CMS info/ I mean ANYTHING that would make this easier, PLEASE don't hesitate to share. I don't mind doing the research but I need direction.
I don't want to tell them "YES I can do it" and in a month or two I'm on pause, stuck, and the yes turns into a "no I can't do it".
If you have no experience in setting up networks, then you are probably not the man for the job (unless your client is willing to let you have a shot at it for the experience, on a no-win, no-fee basis). Certainly do not over-promise and under-deliver!
I deal with quite a lot of schools, and I know many of the smaller ones will use the secretary's computer as a server, with a simple Windows home network to place files in a shared directory. It's a cheap and cheerful alternative, within their own skillsets to manage.
You should also check with the governmental department with relevant oversight (Dept. of Education, I'd imagine) to see what guidelines, requirements, and grants are available or required. There may be a specific recommended route to take here, with made-to-measure firewall protection provided to you.
Larger schools will have invested in proper servers, with automatic external backups in place. I'm not qualified to give advice on how to set those up however. Hopefully someone else here will :)
Best of luck!
A CMS may be included as an intranet website, but an intranet includes much more than a CMS. Your best strategy is to tell your boss to find a network system integrator to do this project collaboratively. An intranet involves more networking technology (L2, L3, switching, routing, firewall, wireless, etc.) and physical equipment (e.g. cabling).

Make your site anti-bot?

I remember a site closed due to misuse and I wonder if bots had a part in it. If a bot is POSTing something to my site, what are ways I can combat it? I was thinking of setting some cookies and having the cookies changed via JavaScript + timestamp and sign (so yesterday's cookies can't be used today and next week).
I'm sure most people/bots would just use another site instead of enabling JS in their bot.
What else can I do? I'm thinking daily POST limit and a honeypot for generic bots who just randomly post spam.
If you want to get fancy, you can combine a honeypot with IP bans. Anyone who posts to your honeypot gets their IP stuck in /etc/hosts.deny or similar for the next N days.
The most popular method to prevent abuse by bots currently is CAPTCHA. It tends to work pretty well for most bots, since computers can't read very well yet. A slight downside is that some people (myself included) don't like having to constantly prove they're not bots. But it's one of the very few common ways of preventing abuse that's not trivial to defeat, if implemented properly.
There are CAPTCHA plugins for most blog, wiki and e-commerce frameworks.
You could also look into Akismet:
http://akismet.com/faq/
It offers spam detection services.
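The ideas in this thread (a signed, timestamped token, a honeypot field, a daily POST limit, and a ban of N days for honeypot hits) can be combined in one server-side check. The following is an added example, not code from any of the posters; the secret, field name, limits and the in-memory ban table (standing in for /etc/hosts.deny) are assumptions chosen for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-site secret kept on the server
TOKEN_MAX_AGE = 24 * 3600         # a token issued yesterday is no longer valid
MIN_FILL_SECONDS = 3              # assumption: a person needs a few seconds to type
DAILY_POST_LIMIT = 20             # assumption: per-IP daily cap
BAN_SECONDS = 7 * 24 * 3600       # the "N days" ban, with N = 7 chosen here
HONEYPOT_FIELD = "website"        # hypothetical field, hidden from people via CSS


def _mac(client_ip, ts):
    return hmac.new(SECRET, f"{client_ip}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(client_ip, now):
    """Token embedded in the form (or cookie) when the page is served."""
    ts = str(int(now))
    return f"{ts}.{_mac(client_ip, ts)}"


def token_ok(token, client_ip, now):
    ts, sep, mac = token.partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False
    # Constant-time comparison; bytes so that non-ASCII input cannot raise.
    expected = _mac(client_ip, ts).encode()
    if not hmac.compare_digest(mac.encode(errors="replace"), expected):
        return False
    return MIN_FILL_SECONDS <= now - int(ts) <= TOKEN_MAX_AGE


class PostGate:
    def __init__(self):
        self.banned_until = {}  # ip -> epoch seconds when the ban ends
        self.post_counts = {}   # (ip, day number) -> accepted posts

    def check(self, client_ip, form, now):
        if self.banned_until.get(client_ip, 0) > now:
            return "banned"
        if form.get(HONEYPOT_FIELD):  # a person never sees or fills this field
            self.banned_until[client_ip] = now + BAN_SECONDS
            return "honeypot"
        if not token_ok(form.get("token", ""), client_ip, now):
            return "bad-token"
        key = (client_ip, int(now // 86400))
        if self.post_counts.get(key, 0) >= DAILY_POST_LIMIT:
            return "rate-limited"
        self.post_counts[key] = self.post_counts.get(key, 0) + 1
        return "accept"
```

Because the token is bound to the client IP and its issue time, a token copied from another session or replayed the next day fails the check without the server storing any per-visitor state.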

Is it possible for a 3rd party to reliably discern your CMS?

I don't know much about poking at servers, etc, but in light of the (relatively) recent WordPress security issues, I'm wondering if it's possible to obscure which CMS you might be using to the outside world.
Obviously you can rename the default login page, error messages, the favicon (I see the Joomla one everywhere) and use a non-default template, but the sorts of things I'm wondering about are watching redirects somehow and things like that. Do most CMSs leave traces?
This is not to replace other forms of security, but more of a curious question.
Thanks for any insight!
Yes, many CMS leave traces like the forming of identifiers and hierarchy of elements that are a plain giveaway.
This is however not the point. What is the point, is that there are only few very popular CMS. It is not necessary to determine which one you use. It will suffice to methodically try attack techniques for the 5 to 10 biggest CMS in use on your site to get a pretty good probability of success.
In the general case, security by obscurity doesn't work. If you rely on the fact that someone doesn't know something, this means you're vulnerable to certain attacks since you blind yourself to them.
Therefore, it is dangerous to follow this path. Choose a successful CMS and then install all the available security patches right away. By using a famous CMS, you make sure that you'll get security fixes quickly. Your biggest enemy is time; attackers can find thousands of vulnerable sites with Google and attack them simultaneously using bot nets. This is a completely automated process today. Trying to hide what software you're using won't stop the bots from hacking your site since they don't check which vulnerability they might expect; they just try the top 10 of the currently most successful exploits.
[EDIT] Bot nets with 10'000 bots are not uncommon today. As long as installing security patches is so hard, people won't protect their computers and that means criminals will have lots of resources to attack. On top of that, there are sites which sell exploits as ready-to-use plugins for bots (or bots or rent whole bot nets).
So as long as the vulnerability is still there, camouflaging your site won't help.
A lot of CMSs have IDs, class names and structure patterns that can identify them (WordPress for example). URLs have specific patterns too. You just need someone experienced with the platform, or just some browsing, to identify which CMS it's using.
IMHO, you can try to change all this structure in your CMS, but if you are going to all this effort, I think you should just create your own CMS.
It's more important to keep everything up to date on your platform and follow some security measures than to try to change everything that could reveal the CMS you're using.
Since this question is tagged "wordpress:" you can hide your WordPress version by putting this in your theme's functions.php file:
    add_action('init', 'removeWPVersionInfo');
    function removeWPVersionInfo() {
        remove_action('wp_head', 'wp_generator');
    }
But, you're still going to have the usual paths, i.e., wp-content/themes/ etc... and wp-content/plugins/ etc... in page source, unless you figure out a way to rewrite those with .htaccess.
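To see which markers remain on your own pages after the generator tag is removed, you can scan the rendered HTML for the traces mentioned in the answers above. This is an added example, not code from any of the posters; the sample page and the version string in the usage are constructed, and the script only looks at the generator meta tag and the wp-content / wp-includes paths named in this thread.

```python
import re
from html.parser import HTMLParser

# Constructed sample: source of a WordPress page after wp_generator was removed.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/mytheme/style.css?ver=1.0">
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body class="home page-template">
<img src="/wp-content/plugins/gallery/img/logo.png">
</body></html>"""

# Default directory names that show up in asset URLs.
PATH_MARKER = re.compile(r"/wp-(?:content/(?:themes|plugins)|includes)/")


class TraceFinder(HTMLParser):
    """Collects (kind, value) pairs for every CMS trace found in the markup."""

    def __init__(self):
        super().__init__()
        self.traces = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <meta name="generator" ...> is what wp_generator emits.
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self.traces.append(("generator", attrs.get("content") or ""))
        # Asset URLs keep the default directory layout.
        for name in ("href", "src"):
            match = PATH_MARKER.search(attrs.get(name) or "")
            if match:
                self.traces.append(("path", match.group(0)))


def find_traces(html):
    finder = TraceFinder()
    finder.feed(html)
    return finder.traces


if __name__ == "__main__":
    for kind, value in find_traces(SAMPLE_HTML):
        print(kind, value)
```

On the sample page the generator tag is gone but three path traces are still reported, which is the point made in the answer above.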

How to collect customer feedback? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
What's the best way to close the loop and have a desktop app "call home" with customer feedback? Right now our code will log in to our SMTP server and send me some email.
The site GetSatisfaction has been an increasingly popular way to get customer feedback.
http://getsatisfaction.com/
GetSatisfaction is a community-based site that builds a community around your application. Users can post questions, comments, and feedback about an application and get answers to their questions either from other members or from members of the development team themselves.
They also have an API so you can incorporate GetSatisfaction into your app and/or your site.
I've been playing with it for a couple of weeks and it is pretty cool. Kind of like stackoverflow, but for customer feedback.
Feedback from users and programmers simply is one of the most important points of development in my opinion. The whole web2.0 - beta - concept more or less is built around this concept and therefore there should be absolutely no pain involved whatsoever for the user.
What does it have to do with your question? I think quite a bit. If you provide a feedback option, make it visible in your application, but don't annoy the user (like MS sometimes does with their feedback thingy on their website above all elements!!). Place it somewhere directly visible, but discreet. What about a separate menu entry? Some leftover space in the status bar? Put it there so it is accessible all the time.
Why? People really liking your product or who are REALLY annoyed about something will probably find your feedback option in any case, but you will miss the small things. Imagine a user unsure about the value of his input: "should I really write him?". This one will probably not make the effort of searching, and in the end these small things make a really outstanding product, don't they?
OK, the user found your feedback form, but how should it look and what's next? Keep it simple and don't ask him dozens of questions and provoke him with check- and radioboxes. Give him two input fields, one for a title and one for a long description. Not more and not less. Maybe a small text shortly giving him some info on what might be useful (OS, program version etc., maybe his email), but leave all this up to him.
How to get the message to you and how to show the user that his input counts? In most cases this is simple. Like levand suggested, use HTTP and post the comment to a private area on your site and provide a link to his input. After revisiting his input, make it public and accessible for all (if possible). There he can see your response and that you really care etc.
Why not use the mail approach? What about a firewall preventing him from accessing your site? Due to spam, in quite some modern routers these ports are closed by default and you certainly will not get any response from workers in bigger companies; however, port 80 or 443 is often open... (maybe you should check if the current browser has a proxy installed and use this one..).
Although I haven't used GetSatisfaction yet, I somewhat disagree with Nick Hadded, because you don't want third parties to have access to possibly private and confidential data. Additionally you want "one face to the customer" and don't want to open up your customer base to someone else.
There is SOO much more to tell, but I don't want to get banned for tattling .. haha! THX for caring about the user! :)
You might be interested in UseResponse, an open-source (yet not free) hosted customer feedback / idea gathering solution that will be released in December, 2001.
It should run on the majority of PHP hosting environments (including shared ones) and according to its authors it has absorbed only the best features of its competitors (mentioned in other answers) while having little to none of their flaws.
You could also have the application send a POST http request directly to a URL on your server.
What we are forgetting here, my friend, is this: is having a mere form on your website enough to convince the users how much effort a company puts in to act on that precious feedback?
A user's note to a company is a true image of the product or service that they offer. In Web 2.0 culture, people feel proud of being part of the continuous development strategy always preached by almost all companies nowadays.
A community engagement platform is the need of the hour, and an entry point on your website that gains enough traction from visitors to start talking about what they feel will leave no stone unturned in getting that precious feedback. That's where products like GetSatisfaction, UserRules or Zendesk come in.
A company's active community that involves unimagined ideas, unresolved issues and of course testimonials conveys the better development strategy of the product or service they offer.
Personally, I would also POST the information. However, I would send it to a PHP script that would then insert it into a MySQL database. This way, your data can be pre-sorted and pre-categorized for analysis later. It also gives you the potential to track multiple entries by single users.
There's quite a few options. This site makes the following suggestions
http://www.suggestionbox.com/
http://www.kampyle.com/
http://getsatisfaction.com/
http://www.feedbackify.com/
http://uservoice.com/
http://userecho.com/
http://www.opinionlab.com/content/
http://ideascale.com/
http://sparkbin.net/
http://www.gri.pe/
http://www.dialogcentral.com/
http://websitechat.net/en/
http://www.anymeeting.com/
http://www.facebook.com/
I would recommend just using pre built systems. Saves you the hassle.
Get an Insight is good: http://getaninsight.com/
