https://github.com/akaihola/django-magicforms

Lightweight comment spam prevention for Django. See the Wiki for more information.
https://github.com/akaihola/django-magicforms

django forms spam

Last synced: 13 days ago
JSON representation

Lightweight comment spam prevention for Django. See the Wiki for more information.

• Host: GitHub
• URL: https://github.com/akaihola/django-magicforms
• Owner: akaihola
• Created: 2008-09-23T06:58:39.000Z (over 16 years ago)
• Default Branch: master
• Last Pushed: 2008-09-25T12:36:32.000Z (over 16 years ago)
• Last Synced: 2025-01-12T14:24:35.127Z (21 days ago)
• Topics: django, forms, spam
• Language: Python
• Homepage: https://web.archive.org/web/20120831121813/http://fi.am/entry/preventing-spam/
• Size: 202 KB
• Stars: 4
• Watchers: 3
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README

Awesome Lists containing this project

README

        
This is a fork of fíam's magicforms.py originally announced on

2008-05-13.

The reason for the fork is I needed a couple of slight modifications

in the code.

-- Antti Kaihola 

Here is fíam's original blog entry with comments as of 2008-09-23:

      http://fi.am/entry/preventing-spam/

      Preventing Spam

      Latelly I've been hammered with a lot of spam in this blog, so I

      decided to implement something to prevent it.

      As I've previously mentioned, I don't like Akismet because it's

      too simple. It only tells you if they think the comment is spam,

      so the best you can do is skip writing comments to the

      database. It would be nice if it returned a probability, so you

      could act accordingly. For example, consider the following:

          o If spam probability is 50% or below, accept the comment.

          o If it's between 50% and 80%, present some validation

            method to the user. It could be a CAPTCHA or even

            something more simple like a message telling the user to

            resubmit the form before 30 seconds, since most of the

            spam bots wouldn't get that right.

          o If it's more than 80%, discard the comment.

      But Akismet can't do that, so I will never use it. My initial

      idea was implementing my own spam detection system but, since

      developing ffloat.it keeps me busy enough, that's not something

      I can do for now. However, after reading the suggestion from

      Scott Lawton and reading the page he mentioned, I found I could

      write something to prevent most of the spam in less than an

      hour.

      My approach uses two form classes, which you must subclass in

      your application. And that's all you need! Your forms won't even

      have any visual impact, since those two classes only introduce

      two hidden fields and the correspondant validation methods. The

      process is a follows:

          o When you create the form (empty or with data) you need to

            pass two new variables to it: the remote address which is

            requesting the page and an identifier. For example, in

            Blango I use the primary key for the entry.  

	  o The form encrypts the requester IP, the identifier and the

 	    current time using a stream crypher and your

 	    settings.SECRET_KEY as key and puts it in a hidden field.

          o The form adds a textfield (author_bogus_name) with a

            maximum length of 0 without label and with style set to

            display:none. Users won't see it, but spam bots will try

            to put something there.

          o Upon form verification, the hidden field is decyphered and

            the requester address and the identifier are checked for

            equality. If they match, a time verification is performed:

            if the user took less than 5 seconds for posting it (wow,

            too fast typing, isn't it?) or more than an hour

            (preventing bots for reusing the token in the future), the

            form won't validate.

      I know this method is not perfect, since a spambot could be

      instructed to circunvent it. But the game consists on being

      ahead of the spammers, and currently this technique will get you

      there.

      As for the code, it's currently commited to the Blango tree, in

      the file magicforms.py, but for your convenience I've made it

      avaible here. Let's see an example from Blango itself:

      Before:

      class CommentForm(forms.ModelForm):

      ...

      ...

      comment_form = CommentForm()

      if request.method == 'POST' and entry.allow_comments:

          comment_form = CommentForm(request.POST)

      After:

      from magicforms import MagicModelForm

      class CommentForm(MagicModelForm):

      ...

      ...

      comment_form = CommentForm(request.META['REMOTE_ADDR'], entry.id)

      if request.method == 'POST' and entry.allow_comments:

          comment_form = CommentForm(request.META['REMOTE_ADDR'], entry.id, request.POST)

      Just remember to use MagicForm if your form inherits from

      forms.Form and MagicModelForm if your forms inherits from

      forms.ModelForm. Note also that this code depends on PyCrypto

      (python-crypto package in Debian and friends).

      Comments

      #1 by Simon 2008-05-13

      I like the idea of having a field that is hidden with css. I

      think that will trip most spambots especially if you apply the

      css to a surrounding element rather then the input field itself.

      It would be good to note that validating the REMOTE_ADDR could

      cause problems for some users. I believe that AOL users could

      have a different IP address on subsequent requests. Maybe a way

      around this would be to use the first two octets. Even without

      the REMOTE_ADDR element this method would work well.

      #2 by Nick 2008-05-13

      Firefox will try to autofill it (hidden field too I think) and

      fail. So it's not so good idea.

      Another idea is to add to every field name unique id - md5 hash

      of secret key+time+data. You will need to rewrite form class to

      support this.

      So every time every field would have new name which makes bots

      pre-collection of field names meaningless.

      #3 by Simon 2008-05-14

      It could be that Firefox doesn't send the field in the post

      data. I believe that the rfc (not sure which one anymore) says

      that it is up to the browser if it wants to send it or not. Not

      sure what spambots would do it it was filled with predetermined

      data. As it's not a hidden filed I suspect they would fill it

      with junk.

      #4 by Simon 2008-05-14

      Or Firefox is filling it with a password you have stored for the

      website.

      #5 by fiam 2008-05-22

      @Simon, @Nick

      Thanks for your comments. As far as I know, Firefox will try to

      fill the field only if it has recorded a value for a field with

      the same DOM id. DOM id for the hidden field in MagicForms is

      set to bogus_author_name, which IMHO is not a commonly used

      id. However, I like your idea about setting a random field id

      and I'll be implementing it.

      #6 by Antti Kaihola 2008-09-23

      Is there a particular reason why you're using ARC4 encryption

      instead of a salted MD5 or SHA1 hash?

      MD5 and SHA1 are available in the Python standard library, so

      the dependency on the PyCrypto library could be dropped.