My blog software had one form bots figured out and
Sat Apr 03, 2021 2:20am

absolutely hammered. Other pages were untouched, but that one comments page was posted to something like 800 times by bots.

They haven't cared to register and comment, but I also turned off comments on posts older than a year (and all of them are now) so the page isn't seeing anything at all.

    • Building your own thing has it's benefits... - Retna, Fri Apr 02 2021 12:10pm
      I'm sure lots of bots are programmed to look for WordPress boilerplate and HTML structure. But how many surf the web looking for a form that has an field name "answer" and somehow know to fill out that field using the math question nearby? And to do that on a small website like this where there's ... more
      • Trying out generic WordPress, PHP vulnerabilities and HTML form/query string combinations. (Using A=whatever in the query string is a very common one for some reason.) I did end up using regular reCaptcha 2 on the create account, forgot password and subscription pages though. I originally didn... more
        • I wonder if banning form/query strings that don't return - Puckdropper, Sat Apr 03 2021 2:27am
          anything you want (like A=whatever) would be a good start. I remember seeing a technique published years ago where a form element was hidden (and thus the user would never see it) and its presence or absence was looked for when the form submitted. That only worked so long, though, as bots learned ... more
          • With the message board I'm using SpringMVC which... - Erik_, Tue Apr 06 2021 2:42pm
            I have to specify which query params I want to accept (if any) in the method's parameters. So, if a user enters "?howdy=yall" and I'm not set up to look for a query param named "howdy", it gets completely ignored which is nice. Example for the RSS controller's mapping to get the RSS feed of a m... more
  • Click here to receive daily updates
    "Forces act when not restrained" - Puckdropper