  • Hi

    Recently I put a website online with a Quip guestbook and articles with Quip integration. In the past few days I got some spam on the guestbook (5 messages in a few days). So I checked why those were getting through the anti-spam, thinking a hidden field with the name 'nospam' might be too obvious. But I thought of checking whether it actually worked, so I used Firebug to set a value for nospam and posted a message. I was baffled when the comment was actually posted.

    So I checked the documentation to see if maybe I set it up wrong, but there isn't really anything to set up about the anti-spam method with an empty field. So I dug into the code and found the handlePost function in core/component/quip/controllers/web/ThreadReply.php. There is actually no mention of 'nospam' in that file, nor do I believe it is anywhere else.

    So I added the following line after the foreach loop:
    if (!empty($fields['nospam'])) return;


    I know this will be deleted as soon as there will be an update, but is this a proper fix so long as it isn't fixed in quip itself?

    Erwin
    • Sounds like a good catch indeed. So we don't lose this in the forums, could you please add a bug report here: http://bugs.modx.com/projects/quip
        Garry Nutting
        Senior Developer
        MODX, LLC

        Email: support@modx.com
        Twitter: @garryn
        Web: modx.com
      • Based on my experience with SPForm, I question whether any modern bot is going to fill in a form field called 'nospam.'

        Since you're going to update it, I'd suggest that you consider calling it something like 'user__name' (with two underscores), though that might break existing installations where users have created their own Tpl chunks.

        Perhaps an even better option would be to make the field name configurable with a property that defaults to 'nospam', but suggest that people change it, so everyone has a different field name and you could change it again if bots start getting through.
          Did I help you? Buy me a beer
          Get my Book: MODX:The Official Guide
          MODX info for everyone: http://bobsguides.com/modx.html
          My MODX Extras
          Bob's Guides is now hosted at A2 MODX Hosting
        • I agree, it should be a configurable option what the field is actually named (i.e. a snippet parameter/property).
          • I filed a bug (http://bugs.modx.com/issues/10163)

            I agree the best solution would be a configurable field. Maybe you could go as far as faking an easy captcha. (Advanced) spambots will probably try to solve the (fake) captcha and the script will recognize it as a spam attempt.

            A configurable field is probably not even that complicated.. Might look into it and post a better fix later.

            Thanks for your replies
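As an added example (not Quip's own code, nor the patch filed in the bug report), here is what a server-side honeypot check with a configurable field name, as proposed in the posts above, can look like. The property name `honeypotField`, the `$scriptProperties` array and the sample POST bodies are assumptions made for illustration. It also shows why `!empty()` is the wrong test for this in PHP: `empty("0")` is true, so a bot that writes `0` into the trap field passes the one-liner from the first post.

```php
<?php
// Added example, not Quip's own code. Demonstrates a honeypot ("nospam") check
// whose field name comes from a snippet property instead of being hard-coded.
declare(strict_types=1);

/**
 * Return true when the hidden honeypot field was filled in by the submitter.
 *
 * Compares against the empty string instead of using empty(): empty("0") is
 * true, so `if (!empty($fields['nospam'])) return;` lets a bot that writes
 * "0" into the field straight through.
 */
function honeypotTripped(array $fields, string $fieldName, bool $requirePresence = false): bool
{
    if (!array_key_exists($fieldName, $fields)) {
        // Absent field: either a bot posted only the fields it knows about, or
        // the site's Tpl chunk does not render the input. Failing closed here
        // would break existing Tpl chunks, so it is opt-in via $requirePresence.
        return $requirePresence;
    }
    $value = $fields[$fieldName];
    if (is_array($value)) {
        return true; // nospam[]=x is never what a browser sends for a text input
    }
    return trim((string) $value) !== '';
}

/**
 * Read the field name from the snippet properties (assumed property name
 * 'honeypotField'), defaulting to 'nospam'. Only a plain HTML name attribute
 * value is accepted so the Tpl placeholder and the $_POST key cannot diverge.
 */
function readHoneypotFieldName(array $scriptProperties): string
{
    $name = (string) ($scriptProperties['honeypotField'] ?? 'nospam');
    return preg_match('/^[A-Za-z][A-Za-z0-9_\-]*$/', $name) === 1 ? $name : 'nospam';
}

/**
 * The input the Tpl chunk would render. It is a visually hidden text input
 * rather than type="hidden": bots that skip hidden inputs but fill every text
 * box are exactly the ones this catches.
 */
function renderHoneypotInput(string $fieldName): string
{
    $n = htmlspecialchars($fieldName, ENT_QUOTES, 'UTF-8');
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        . '<label for="' . $n . '">Leave this field empty</label>'
        . '<input type="text" id="' . $n . '" name="' . $n . '" tabindex="-1" autocomplete="off">'
        . '</div>';
}

// Demo with constructed snippet properties and POST bodies.
$fieldName = readHoneypotFieldName(['honeypotField' => 'user__name']);
echo renderHoneypotInput($fieldName), "\n";

$samples = [
    'human'    => ['name' => 'Erwin', 'comment' => 'Nice site', 'user__name' => ''],
    'bot'      => ['name' => 'x', 'comment' => 'buy now', 'user__name' => 'http://spam.example'],
    'bot-zero' => ['name' => 'x', 'comment' => 'buy now', 'user__name' => '0'],
    'stripped' => ['name' => 'x', 'comment' => 'buy now'],
];
foreach ($samples as $label => $post) {
    printf("%-9s tripped=%s\n", $label, honeypotTripped($post, $fieldName) ? 'yes' : 'no');
}
```

In a handler like handlePost the result of `honeypotTripped($fields, readHoneypotFieldName($this->getProperties()))` would be checked before any comment is saved; rejecting silently (a plain return, as in the first post) is preferable to an error message, since an error tells the bot which field to leave empty next time.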
            • SPForm has options for a mouse and keyboard timer, a blank spam field, Captcha, a wild-card ban list, and some other bells and whistles, but by far the most effective spam block it has is a simple Captcha math equation the user must solve -- the equation is an image. To my knowledge, no bot has ever gotten through that.

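As an added example of the two controls named in the post above (a math equation served as an image, and a timer on the form), and not SPForm's or Quip's own code: the arithmetic challenge is issued server-side, only a hash of the answer is kept, every attempt consumes the challenge, and a submission that arrives too soon after the form was issued is rejected. A plain array stands in for `$_SESSION` so the script runs from the command line; the field name `captcha_answer`, the constants and the sample POST bodies are assumptions.

```php
<?php
// Added example, not SPForm's or Quip's code: server-side arithmetic captcha
// rendered as an image, with a minimum fill time and single-use challenges.
declare(strict_types=1);

const MIN_FILL_SECONDS = 3;        // humans rarely submit a comment faster than this (assumed value)
const CHALLENGE_TTL_SECONDS = 900; // stale challenges expire

/** Create a challenge; only the hashed answer and issue time are stored. */
function issueChallenge(array &$session, int $now): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $op = random_int(0, 1) === 1 ? '+' : '-';
    if ($op === '-' && $b > $a) {
        [$a, $b] = [$b, $a]; // keep the answer non-negative
    }
    $answer = $op === '+' ? $a + $b : $a - $b;
    $session['captcha'] = [
        'answer_hash' => hash('sha256', (string) $answer),
        'issued_at'   => $now,
    ];
    return "$a $op $b = ?";
}

/** Render the question as a PNG so a scraper sees pixels, not the equation text. */
function renderChallengePng(string $question): ?string
{
    if (!function_exists('imagecreatetruecolor')) {
        return null; // GD extension not installed
    }
    $im = imagecreatetruecolor(140, 30);
    $bg = imagecolorallocate($im, 255, 255, 255);
    $fg = imagecolorallocate($im, 20, 20, 20);
    imagefill($im, 0, 0, $bg);
    imagestring($im, 5, 8, 7, $question, $fg);
    ob_start();
    imagepng($im);
    imagedestroy($im);
    return ob_get_clean();
}

/** Verify a posted answer. Returns a failure reason, or null when the submission is accepted. */
function verifySubmission(array &$session, array $post, int $now): ?string
{
    $c = $session['captcha'] ?? null;
    unset($session['captcha']); // single use: every attempt, right or wrong, consumes the challenge
    if ($c === null) {
        return 'no challenge issued';
    }
    if ($now - $c['issued_at'] > CHALLENGE_TTL_SECONDS) {
        return 'challenge expired';
    }
    if ($now - $c['issued_at'] < MIN_FILL_SECONDS) {
        return 'submitted too fast';
    }
    $given = trim((string) ($post['captcha_answer'] ?? ''));
    if (preg_match('/^-?\d+$/', $given) !== 1) {
        return 'answer not numeric';
    }
    if (!hash_equals($c['answer_hash'], hash('sha256', (string) (int) $given))) {
        return 'wrong answer';
    }
    return null;
}

/** Demo helper only: a real client reads the answer off the image. */
function answerFor(string $question): int
{
    [$a, $op, $b] = explode(' ', substr($question, 0, -4)); // strip trailing " = ?"
    return $op === '+' ? (int) $a + (int) $b : (int) $a - (int) $b;
}

// Demo with a constructed session and POST bodies, one scenario per challenge.
$session = [];
$t = 1_700_000_000;

$q = issueChallenge($session, $t); // correct answer, but 1 second after the form was issued
echo 'fast:    ', verifySubmission($session, ['captcha_answer' => answerFor($q)], $t + 1) ?? 'accepted', "\n";

$q = issueChallenge($session, $t); // off-by-one answer after a plausible fill time
echo 'wrong:   ', verifySubmission($session, ['captcha_answer' => answerFor($q) + 1], $t + 10) ?? 'accepted', "\n";

$q = issueChallenge($session, $t); // correct answer after a plausible fill time
echo 'human:   ', verifySubmission($session, ['captcha_answer' => answerFor($q)], $t + 10) ?? 'accepted', "\n";
echo 'replay:  ', verifySubmission($session, ['captcha_answer' => answerFor($q)], $t + 11) ?? 'accepted', "\n";

$png = renderChallengePng($q);
echo 'image:   ', $png === null ? 'GD not available' : strlen($png) . ' bytes of PNG', "\n";
```

The single-use rule matters as much as the arithmetic: if the challenge survived a wrong answer, a bot could brute-force the nine-by-nine answer space against one issued image. Timing checks should use the issue time recorded server-side, as here, rather than a timestamp field in the form, which a bot can simply backdate.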
              • Quote from: might-e at Sep 02, 2013, 05:50 PM

                [...]

                Hi Erwin,

                Where in the ThreadReply.php file do you add the new line:

                if (!empty($fields['nospam'])) return;


                Cheers,
                • Quote from: dubbs at Feb 19, 2016, 03:15 PM

                  [...]

                  Hi Erwin,

                  Where in the ThreadReply.php file do you add the new line:

                  if (!empty($fields['nospam'])) return;


                  Cheers,

                  Hi Dubbs,

                  I am not able to check right now, but in the mentioned file ("core/component/quip/controllers/web/ThreadReply.php") there should be a bunch of "if" checks for checking form values etc. If you paste it somewhere there you should be fine.

                  Let me know if it doesn't work.
                  • Quote from: might-e at Feb 22, 2016, 10:33 AM

                    [...]

                    Thanks - have implemented that - works in the respect that if I force the noSpam hidden field to be in view with firebug and add a value the comment is not submitted - but still getting spam...
                    • Hi Dubbs,

                      Ah yes, the problem is that bots have become smart and you may need to include a CAPTCHA or another mechanism to prevent spam from getting through.

                      You could try SPForm as BobRay suggested earlier in this thread.

                      Kind regards,
                      Erwin