Developer forum

Forum » CMS - Standard features » Antispam functionality

Antispam functionality

Lars Larsen
Lars Larsen
Reply

Hi

One of our customers want to know what have been changed in the Antispam functionality since DW v.9.3.4? They are asking because they are having problems with forms being catched by the anitspam functionality because of many email fields in a form. And sometimes their own ip gets blocked in the file "_BannedIps.txt" because many employees at the customer are using the same form many times resulting in manu submits of the same form from the same ip.
So the customer is considering an upgrade but only if changes to the Antispam functionality can prevent the problems mentioned above.

Replies

 
Nicolai Pedersen
Nicolai Pedersen
Reply

Hi Lars

If the same value is in the form more than 3 times, it will ban i earlier versions. In later version you collect points for 'viloations' and if your score is high enough, you get banned. So if the only violation you have on a form is too many times the same value, you do not get banned in new versions.

In the version you already have you are able to increase the number of times the same IP can submit forms - simply change the value in settings, web&http, security - set it to i.e. 1000.

So it seems to be only the same value issue that would qualify for an upgrade - or maybe change the form to not collect i.e. the same mail address so many times - seems a little redundant anyways.

You can also disable ip-banning for SQL-injection - that will also prevent them from being banned - but they will still receive a 404 when submitting 'bad' forms...

BR Nicolai

 
Lars Larsen
Lars Larsen
Reply

Hi Nicolai

Thanks for clearifying. We had already increased the number of times a form can be submitted from the same ip. And removed "Repeat your e-mail" fields.

But what about an option for whitelistening ip's in order to avoid blocking?

 
Nicolai Pedersen
Nicolai Pedersen
Reply

Yes, we could add a whitelist... But it is also a security breach in it self - since you can semi spoof bad requests by adding fake x-forwarded-for headers to requests. So enabling whitelists of IPs would potentially open a door for clever hackers... It could be implemented in a way though, that IP will not be banned, but the request would be stopped anyways.

Comments?

BR Nicolai

 
Lars Larsen
Lars Larsen
Reply

Hi Nicolai

If a whitelisted IP do not get banned but subsequent requests just blocked (resulting in an email notification), that would be an OK solution. Better than the way it works at the moment.

 
Mikkel Ulstrup
Reply

Hi,

 

Did this whitelist ever become a feature request, and if so, for what version?

 

Kind regards

Mikkel Ulstrup

 
Nicolai Pedersen
Nicolai Pedersen
Reply

Not yet. But we are not really fans of that options - it is a security breach, it is a bad fix for something which is not right and it will be used by "security" companies to give us fail reports...

This should not happen for your users - if it does, it is because they do something they should not - or if you have a specific scenario where some 'bad' date is sent to DW by design. The latter can be handled by adding the name of that field/key/cookie to the list of ignored fields.

BR Nicolai

 
Mikkel Ulstrup
Reply

Understandably.

Maybe some additional information in the bannedIp log then. As it is, we can see that they got banned, and sometimes it shows the reason. Maybe we can get information about what was submitted in the form, which form it was etc.?

Our customers can't relate to "some security parameters were met, and so they got blocked". Specially if it is their customers (and sometimes known customers) getting blocked.

Might also help reporting to you, if some values get caught in the spam filter, that shouldn't have.

 

Kind regards

Mikkel Ulstrup

 
Nicolai Pedersen
Nicolai Pedersen
Reply

Yes - the eventviewer contains more information and in 9.7 it also have the URL. It is not just forms that causes this - it can be any request. The eventviewer contains information on the key (in request.form/querystring/header/cookie) and value that was blocked by what expression in injection checks.

You can setup Dynamciweb to receive an email when some IP is blocked and you can see exactly what was in the request and in what page.

 
Mikkel Ulstrup
Reply

Great, we will look into this. Thank you!

 

You must be logged in to post in the forum