spamquestion 0.2

I released version 0.2 of the spamquestion plugin last night. It now conforms to the requirements for a PyBlosxom plugin. The code is much cleaner too. Available from the usual place.

posted: Tue, 20 Nov 2007 15:53

Internet Explorer Ampersand Bug with prompt()

I just discovered an inconsistency in how Internet Explorer (6 and 7) handles ampersands with the prompt() built-in function.

Try the following in Firefox and then again in IE6 or IE7.

<html>
  <script>
    alert('-&-');
    alert('-\&-');
    alert('-&&-');
    prompt('-&-');
    prompt('-\&-');
    prompt('-&&-');
  </script>
</html>

FF and IE behave identically for alert() but for prompt() both IE6 and IE7 fail to show an ampersand unless "&&" is supplied. Very strange.

In case you're wondering, &amp; doesn't help either; it isn't translated for popups in any of the browsers.

Is this a known problem? I haven't been able to track down other reports of the issue.

Short of doing browser specific hacks, or just not using prompt(), I can't see a way of getting consistent behaviour across browsers. How craptastic. The joys of web development...

posted: Fri, 16 Nov 2007 16:09

Making Python Do the Hard Stuff

At work we use a Python decorator to restrict access to certain web controller methods based on the current user's permissions. This was done by simply ANDing the permissions together. For example:

@permissions('read', 'write')
def some_method(self):
    ...

The above means that a user would need both the 'read' and 'write' permission in order to be able to call the method. The permissions decorator only adds an attribute to the function being decorated. The actual permission enforcement is done in the base controller class as the request comes in.

This approach worked well for a while but then requirements started appearing for more complex relationships between permissions. What if a method required that a user has "read" and "write" or just "admin"? What about negation?
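The following is an added example, not the blog's own decorator, showing one way the two properties described above (the decorator only records a requirement on the method; the base controller enforces it as the request is dispatched) can be kept while the plain AND-of-strings form grows into full boolean expressions with `&`, `|` and `~`. All names (`Perm`, `has`, `BaseController.dispatch`, `can_call`) are invented for the illustration. Dispatch also fails closed: a method with no declared requirement is refused rather than silently allowed.

```python
"""Composable permission requirements (illustrative; not the blog's code)."""


class Perm:
    """A requirement evaluated against the set of permissions a user holds."""

    def __init__(self, check, text):
        self.check = check  # callable: frozenset[str] -> bool
        self.text = text    # human-readable form, used in denial messages

    def __and__(self, other):
        return Perm(lambda held: self.check(held) and other.check(held),
                    f"({self.text} and {other.text})")

    def __or__(self, other):
        return Perm(lambda held: self.check(held) or other.check(held),
                    f"({self.text} or {other.text})")

    def __invert__(self):
        return Perm(lambda held: not self.check(held), f"not {self.text}")

    def __call__(self, held):
        return self.check(frozenset(held))


def has(name):
    """Leaf requirement: the user holds the permission called `name`."""
    return Perm(lambda held: name in held, name)


def permissions(*requirements):
    """Decorator. Bare strings are ANDed together, matching the original
    @permissions('read', 'write') usage; Perm objects may be combined freely.
    Only an attribute is attached here; nothing is checked at decoration time."""
    if not requirements:
        raise ValueError("declare at least one requirement")
    reqs = [has(r) if isinstance(r, str) else r for r in requirements]
    combined = reqs[0]
    for r in reqs[1:]:
        combined = combined & r

    def decorate(fn):
        fn.required_permissions = combined
        return fn
    return decorate


class PermissionDenied(Exception):
    pass


class BaseController:
    """Enforcement point: every dispatched method must declare a requirement
    (fail closed), and that requirement must hold for the current user."""

    def __init__(self, user_permissions):
        self.user_permissions = frozenset(user_permissions)

    def dispatch(self, method_name, *args, **kwargs):
        method = getattr(self, method_name)
        # Attribute lookup on a bound method falls through to the function.
        requirement = getattr(method, 'required_permissions', None)
        if requirement is None:
            raise PermissionDenied(f"{method_name} declares no permissions")
        if not requirement(self.user_permissions):
            raise PermissionDenied(f"{method_name} requires {requirement.text}")
        return method(*args, **kwargs)


class DocumentController(BaseController):
    @permissions('read', 'write')                    # original AND-only form
    def edit(self):
        return 'edited'

    @permissions((has('read') & has('write')) | has('admin'))
    def publish(self):
        return 'published'

    @permissions(has('read') & ~has('suspended'))    # negation
    def view(self):
        return 'viewed'

    def undeclared(self):                            # no decorator: dispatch refuses it
        return 'should never run'


def can_call(user_permissions, method_name):
    """True if a user holding `user_permissions` may call `method_name`."""
    try:
        DocumentController(user_permissions).dispatch(method_name)
        return True
    except PermissionDenied:
        return False


if __name__ == '__main__':
    for perms, name in [({'read', 'write'}, 'edit'), ({'admin'}, 'publish'),
                        ({'read', 'suspended'}, 'view'), ({'admin'}, 'undeclared')]:
        print(sorted(perms), name, can_call(perms, name))
```

Keeping the requirement as data on the method (rather than checking inside the decorator's wrapper) is what lets the controller treat a missing declaration as a denial instead of a pass, and the `text` attribute gives the audit log a readable statement of what was required.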

Read more...

posted: Sun, 11 Nov 2007 13:21

Blog spam update

Well, two comment spams have made it past the spamquestion plugin. This makes me wonder if either the submissions were done manually or whether the software the spammers use is at least human assisted. I guess it's also possible that the spam software is so good that it can automatically work out my simpler arithmetic questions.

The web server logs give some clues. There are literally hundreds of obviously automated POST attempts to various pages on my blog. The requests related to the two comments that made it through, however, seem far more human. Here's one example:

68.187.226.250 freshfoo.com - [03/Nov/2007:01:41:57 +0000] "GET /blog/Holland_photos_online.1024px HTTP/1.1" 200 11367 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.187.226.250 freshfoo.com - [03/Nov/2007:01:42:06 +0000] "POST /blog/Holland_photos_online#comment_anchor HTTP/1.1" 200 14928 "http://freshfoo.com/blog/Holland_photos_online.1024px" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

These are the only two HTTP requests made for the first spam that made it through; no dumb, repeated automatic requests like some of the other attempts in the logs. Notice how the parent page was visited first and then 9 seconds later the POST was made. That's pretty quick for someone to fill out the form manually but it's possible, especially if the spam body was ready in the clipboard. If their system is partially automated then the short delay is even more plausible.

To test whether some spambots are actually capable of doing simple arithmetic by themselves, I've removed all the addition and subtraction questions from my spamquestion configuration and have added more questions that are harder to answer programmatically. If the spam continues, then I'm going to conclude that there's definitely some human assistance going on. If it stops, then it's more likely that the spambot software was actually able to solve some of my arithmetic questions itself.

Something else I need to look at is short-term blocking of spamming IPs. When examining my logs I found there had been almost 500 comment spam attempts for just today! I'd rather not be dealing with that bandwidth on my server. Dropping all packets from a spammer's IP for a few hours would slow them right down.
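The two observations above, the GET-then-POST timing that separates a human-looking submission from a blind POST, and the per-IP attempt count that would drive a short-term block, can be checked mechanically over the access log. The script below is an added example written for this post, not part of the blog or its spamquestion plugin. It parses lines in the same combined format as the excerpt, labels each comment POST by whether the same IP fetched the post page first and how long before, and lists IPs whose attempt count reaches a chosen limit. The log lines inside it are constructed with documentation-range addresses, and the rule that strips a trailing PyBlosxom flavour suffix such as `.1024px` when matching the parent page is an assumption made for the example.

```python
"""Comment-spam triage over combined-format access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Field order as in the blog's excerpt: ip vhost ident [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<ident>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: one 9-second human-looking pair, one 1-second pair,
# and five blind POSTs from a third address with no page view at all.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
SAMPLE_LOG = [
    f'192.0.2.10 freshfoo.com - [03/Nov/2007:01:41:57 +0000] "GET /blog/Some_post.1024px HTTP/1.1" 200 11367 "-" "{UA}"',
    f'192.0.2.10 freshfoo.com - [03/Nov/2007:01:42:06 +0000] "POST /blog/Some_post#comment_anchor HTTP/1.1" 200 14928 "http://freshfoo.com/blog/Some_post.1024px" "{UA}"',
    f'203.0.113.5 freshfoo.com - [03/Nov/2007:01:50:00 +0000] "GET /blog/Some_post HTTP/1.1" 200 11367 "-" "{UA}"',
    f'203.0.113.5 freshfoo.com - [03/Nov/2007:01:50:01 +0000] "POST /blog/Some_post#comment_anchor HTTP/1.1" 200 14928 "-" "{UA}"',
] + [
    f'198.51.100.7 freshfoo.com - [03/Nov/2007:02:00:0{s} +0000] "POST /blog/Some_post#comment_anchor HTTP/1.1" 200 14928 "-" "-"'
    for s in range(5)
]


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def page_key(target):
    """Normalise a request target to the post it refers to: drop the query
    string, the fragment and a trailing flavour suffix on the last path
    segment (assumption: PyBlosxom-style '/post.flavour' URLs)."""
    path = target.split('?', 1)[0].split('#', 1)[0]
    head, _, last = path.rpartition('/')
    if '.' in last:
        last = last.rsplit('.', 1)[0]
    return f"{head}/{last}"


def classify_comment_posts(lines, min_human_seconds=3):
    """One verdict per POST: did this IP view the page first, and how long before?"""
    last_get = {}  # (ip, page) -> time of the most recent GET
    verdicts = []
    for rec in filter(None, map(parse_line, lines)):
        key = (rec['ip'], page_key(rec['target']))
        if rec['method'] == 'GET':
            last_get[key] = rec['time']
        elif rec['method'] == 'POST':
            seen = last_get.get(key)
            if seen is None:
                gap, label = None, 'no_page_view'      # blind POST: automated
            else:
                gap = (rec['time'] - seen).total_seconds()
                label = 'too_fast' if gap < min_human_seconds else 'plausible_human'
            verdicts.append({'ip': rec['ip'], 'gap': gap, 'label': label})
    return verdicts


def repeat_offenders(lines, limit):
    """IPs whose comment-POST count reaches `limit`: candidates for a
    temporary packet drop of the kind the post proposes."""
    counts = defaultdict(int)
    for v in classify_comment_posts(lines):
        counts[v['ip']] += 1
    return sorted(ip for ip, n in counts.items() if n >= limit)


if __name__ == '__main__':
    for v in classify_comment_posts(SAMPLE_LOG):
        print(v)
    print('block:', repeat_offenders(SAMPLE_LOG, 5))
```

A short gap is only a hint: a human with the spam text already in the clipboard can submit in a few seconds, as the post notes, so the timing label is for prioritising review, while the count-based list is the one safe to feed into an automatic, time-limited block.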

Fun fun fun...

posted: Mon, 05 Nov 2007 22:49