
I am using ASP.NET. I have a public form that users can create new accounts on, which sends out a verification text message to the user's phone when they hit submit. I don't want spam bots sending out these text messages that cost me money by posing as users.

It is my "guess" that a spam bot or script has to screen scrape the HTML from the page and find the JavaScript function that will send this info out via AJAX to an ASP.NET page that sends text messages out. It can't just call and execute the JavaScript in place and on my server like my JavaScript does with real users and button clicks. Instead it will execute on whatever server or computer their script is running on, insert the values it got from screen scraping, and make a GET request or POST to the correct URL, and the IP address of that computer or server the script is running on should show up as the HTTP referrer.

Is that true?

If so, then can I check the HTTP referrer variable when my ASP.NET page that will send the text message out gets invoked? I'm thinking that if spam bots work the way I think, and they are actually executing a script that mimics the JavaScript calls on the page but not due to user clicks, the script would have to be executing on another server or domain.

Is that true?

And can a script spoof the HTTP referrer variable?

Bobh
  • You can add a captcha there; you can verify the captcha and only then send the verification message. You can use Google [reCAPTCHA](https://www.google.com/recaptcha/intro/). If you want to block a particular IP address, you can do it like [this](https://serverfault.com/questions/86747/how-do-i-block-specific-ips-and-ip-ranges-in-iis7). – jagad89 Jul 18 '17 at 21:00
  • I like noCAPTCHA from Google, and it seems as though you have to send it your auth key in your JS, and you can configure your developer account to only accept requests from your IP. This is where I am getting my idea above from, that somehow the spam bot's IP address will not be mine. – Bobh Jul 18 '17 at 21:03
  • So it must be running its bogus script on another IP address. – Bobh Jul 18 '17 at 21:05
  • If you really want to stop bots, I suggest going with the captcha solution. Sending requests from different IPs is not a big deal. Blocking IPs will not help you stop bots if they are frequently changing their IPs. – jagad89 Jul 18 '17 at 21:07
  • What if the HTTP referrer address can only be mine and not blank or another address? Can the HTTP referrer address be spoofed by a script to make it mine? – Bobh Jul 18 '17 at 21:10
  • In that case, I think it should work perfectly. As per this [answer](https://serverfault.com/questions/381393/can-the-ip-address-for-an-http-request-be-spoofed), it can't be spoofed. – jagad89 Jul 18 '17 at 21:13
  • That could be the answer if you want to enter it. I'll wait to see what others say as well. Thx. – Bobh Jul 18 '17 at 21:19
  • [Referer can easily be spoofed](https://stackoverflow.com/questions/3104647/how-to-spoof-http-referer). – James Jul 18 '17 at 21:42

1 Answer


The Referer header should not be used for anything whatsoever. Not only can it be spoofed by scripts (or any custom clients) as well as browsers (using browser extensions), but relying on it can also break your site for legitimate users using browsers. Some users use browser extensions to deliberately suppress the Referer header for privacy reasons, and even some proxies strip the Referer for security reasons.

See also: In what cases will HTTP_REFERER be empty?

Florian Winter
  • Is it that the Referer will show a proxy address if using one, or no Referer address if it chooses, or is it that a script or fake browser can literally enter anything they want for the HTTP Referer and there is no way to check if it really came from that address? If it comes back as anything other than my domain, it gets rejected. – Bobh Jul 19 '17 at 15:06
  • Not really focused on user experience, more focused on whether it could theoretically work sufficiently and be spoof-proof. – Bobh Jul 19 '17 at 15:08
  • A client can send anything in the Referer header, and even no Referer header at all. This is also true for browsers (with extensions) and proxies (which browsers may be behind). – Florian Winter Jul 19 '17 at 15:09
  • OK, so if someone wanted to target a specific domain, they can set the HTTP Referer to the targeted address and my code will have to think it came from my domain. Thank you. I marked your answer as accepted. – Bobh Jul 20 '17 at 15:45
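To make the accepted answer concrete, here is an added example (not code from the question or the answer) that stands up a local stand-in for the "send SMS" endpoint implementing exactly the check the question proposes (accept only requests whose Referer starts with the site's own origin), then hits it with a plain script the way a bot would. The trusted origin `https://example.test` and the `/sendsms` path are assumptions. Three requests are sent: one with no Referer, one with another site's Referer, and one with a forged Referer naming the trusted site. Only the first two are rejected; the forged one passes, because the header is whatever the client chooses to put there. The same forgery is one flag in curl (`-H "Referer: https://example.test/signup"`).

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed site origin; the check below trusts any Referer that starts with it.
TRUSTED_ORIGIN = "https://example.test"


def referer_allows(headers):
    """The naive gate proposed in the question: trust the Referer header."""
    referer = headers.get("Referer", "")
    return referer.startswith(TRUSTED_ORIGIN)


class SendSmsHandler(BaseHTTPRequestHandler):
    """Stand-in for the page that would send the verification text."""

    sent = []  # bodies of requests that got past the Referer check

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        if referer_allows(self.headers):
            SendSmsHandler.sent.append(body)  # an SMS would be sent here
            code, msg = 200, b"sms queued"
        else:
            code, msg = 403, b"rejected"
        self.send_response(code)
        self.end_headers()
        self.wfile.write(msg)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the stand-in endpoint on a free loopback port and serve in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), SendSmsHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post_as_bot(url, phone, referer=None):
    """A script, not a browser: it sets whatever Referer it likes, or none."""
    req = urllib.request.Request(url, data=f"phone={phone}".encode(), method="POST")
    if referer is not None:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Run the three requests and return the status code each one received."""
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_port}/sendsms"
    phone = "+15555550100"  # constructed sample input
    results = {
        "no_referer": post_as_bot(url, phone),
        "other_site": post_as_bot(url, phone, referer="https://attacker.test/"),
        "forged": post_as_bot(url, phone, referer=TRUSTED_ORIGIN + "/signup"),
    }
    srv.shutdown()
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:>10}: HTTP {status}")
```

The result is the point the answer makes from the other direction: the only requests the check stops are the ones from clients that never bothered to copy the header, and the check also stops legitimate browsers whose Referer was stripped by an extension or proxy. A server-verified challenge (the captcha suggested in the comments) or rate limiting per phone number and source IP is what actually binds the SMS send to a real interaction, since those are decided on the server rather than in a header the client writes.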