Re: Preventing Request.Form abuse



I think I would redirect them to a large video file on one of the online
video places which may well crash their program with the size of the
response. That said, it's not fair to send them to someone else's server and
use their bandwidth, hence the suggestion of the fictitious URL.

On detecting an attempt to use a postback it would actually be quite easy to
also block their IP real time in the filter, so any future request from them
was always dropped or always resulted in a large video being sent as the
response. It would be a one hit system.

I've done most of what we're discussing in the past on .NET 1.1, but not for
this reason so the code should be very easy to put together... I'm still
waiting for people to find holes in the suggestion though - Juan's a likely
candidate for sinking my idea... lol

--
Regards

John Timney (MVP)
VISIT MY WEBSITE:
http://www.johntimney.com
http://www.johntimney.com/blog


"Mark Rae" <mark@xxxxxxxxxxxxxxxxx> wrote in message
news:edz$3M79GHA.3348@xxxxxxxxxxxxxxxxxxxxxxx
"John Timney (MVP)" <x_john@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:9cCdnSxkqMv0H6PYnZ2dnUVZ8qudnZ2d@xxxxxxxxxxxxxxxxx

John,

A list of forms that are only subject to postback on submission is easy
to create and could reside in web.config (or anywhere cachable) - crude,
but we can think of another way later. A begin request intercepted in an
ihttpmodule could verify the ispostback property of any request. If it's
not a postback form, and is in the list of forms that require postback
then dump the request and return a redirect to some random fictitious
URL. It won't even touch the actual form being requested.

I like it!

If we were to use a real rather than a fictitious URL for the redirect, do
you think that would be a good thing or a bad thing? I guess it would be a
bad thing because (I suppose) it would look to the target URL that the
posting was coming from our IP address rather than the spammer's IP
address...

Being based in the UK, I think I would find it rather satisfying if the
spammers suddenly found themselves trying to post here:
http://www.met.police.uk/computercrime/

:-)
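
A sketch of the module discussed in this thread, added here as an example and not code posted by either participant: it rejects POSTs to listed forms that carry no postback marker and remembers the sender's IP. It assumes System.Web on .NET Framework 3.5 or later, a site at the web root, hypothetical form paths, the `__VIEWSTATE` field as the postback test, and a 403 in place of the redirect.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added illustration; not code from the thread.
public class PostbackOnlyModule : IHttpModule
{
    // Hypothetical paths; the thread suggests keeping this list in web.config.
    private static readonly HashSet<string> PostbackOnly =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "/contact.aspx", "/feedback.aspx" };

    // In-memory "one hit" block list; lost when the application restarts.
    private static readonly HashSet<string> BlockedIps = new HashSet<string>();
    private static readonly object Gate = new object();

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;
        string ip = req.UserHostAddress ?? "";
        bool reject;
        lock (Gate)
        {
            reject = BlockedIps.Contains(ip);
            if (!reject && IsForeignPost(req))
            {
                BlockedIps.Add(ip);   // every later request from this IP is dropped
                reject = true;
            }
        }
        if (!reject) return;
        // Assumption: a plain 403 stands in for the redirect discussed above.
        app.Context.Response.StatusCode = 403;
        app.CompleteRequest();        // skip the page handler entirely
    }

    // Assumption: a POST with no __VIEWSTATE field did not come from the
    // form rendered by our own page (approximates Page.IsPostBack).
    private static bool IsForeignPost(HttpRequest req)
    {
        return req.HttpMethod == "POST"
            && PostbackOnly.Contains(req.Path)
            && string.IsNullOrEmpty(req.Form["__VIEWSTATE"]);
    }
}
```

Register the module under `<httpModules>` in web.config. The check only stops blind cross-site posts: a client that first fetches the form can replay its `__VIEWSTATE`, and an IP block also hits everyone behind the same proxy or NAT.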


