
Can http referrer or other environment variable be used to stop spam bots on IIS?

I am using ASP.NET. I have a public form that users can create new accounts on, that sends out a verification text message to the user's phone when they hit submit. I don't want spam bots sending out these text messages that cost me money by posing as users.

It is my "guess" that a spam bot or script has to screen scrape the HTML from the page and find the JavaScript function that will send this info out via AJAX to an ASP.NET page that sends text messages out. It can't just call and execute the JavaScript in place and on my server like my JavaScript does with real users and button clicks, so instead it will execute on whatever server or computer their script is running on and insert the values it got from screen scraping and make a GET request or POST to the correct URL, and that computer or server IP address that the script is running on should show up as the http referrer.

Is that true?

If so, then can I check the http referrer variable when my ASP.NET page that will send the text message out gets invoked? I'm thinking that if spam bots work the way I think, and they are actually executing a script that mimics the JavaScript calls on the page but they are not due to user clicks, the script would have to be executing on another server or domain.

Is that true?

And can a script spoof the http referrer variable?

The Referer header should not be used for anything whatsoever. Not only can it be spoofed by scripts (or any custom clients) as well as browsers (using browser extensions), but relying on it can also break your site for legitimate users using browsers. Some users use browser extensions to deliberately suppress the Referer header for privacy reasons, and even some proxies strip Referer for security reasons.

See also "In what cases will HTTP_REFERER be empty".
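The two failure modes named in the answer above, reproduced against a local stand-in handler. This is an added example, not code from the question or the answer; the host name, the `/send-sms` path and the phone value are constructed assumptions, and Python stands in for the ASP.NET page.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

SITE_HOST = "signup.example.test"  # hypothetical site host (assumption)


class SendSmsHandler(BaseHTTPRequestHandler):
    """Stand-in for the page that sends the text, gated only on Referer."""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        referer = self.headers.get("Referer", "")
        allowed = urlsplit(referer).hostname == SITE_HOST
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def post_with_referer(port, referer):
    """POST to the local handler and return the status the gate produced."""
    headers = {"Referer": referer} if referer is not None else {}
    req = urllib.request.Request(f"http://127.0.0.1:{port}/send-sms",
                                 data=b"phone=5550100", headers=headers)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_demo():
    """Run three constructed requests against the gate; map label to status."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), SendSmsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    own_page = f"https://{SITE_HOST}/register"
    try:
        return {
            "non-browser client, Referer set by hand": post_with_referer(port, own_page),
            "real user, Referer suppressed": post_with_referer(port, None),
            "request with another site's Referer": post_with_referer(port, "https://other.example.test/"),
        }
    finally:
        server.shutdown()
        server.server_close()
```

The gate returns 200 to a client that simply typed the header in and 403 to a user whose browser or proxy removed it, so the header value tells the server nothing about who sent the request.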
