Archive for the ‘Development’ Category

Going Open Source

The first time I wrote a full website, I made a lot of mistakes. A LOT.

Although not completely obvious from looking at it on the outside, H2H Security Group is built on a pretty shoddy content management system (CMS). There are bugs, there are incomplete sections of the site, and there is little administration that doesn’t require direct database access. I’ve stopped development on the current CMS and decided to go for a complete overhaul. That’s right: I’m completely re-building the system, H2H CMS, from the ground up.

Normally, this would be a preposterous idea, and perhaps it’s not the most efficient route for me to take, but I won’t be walking away from the CMS empty-handed. It was an amazing experience working on it. Despite it being terribly designed, I’ve grown a lot as a programmer since I first started. I’ve learned about things like classes, hierarchies, debugging tools, exceptions, mysqli, more advanced MySQL statements, and caching. I’ve learned about the differences between versions of software such as PHP, which had monumental changes from PHP4 to PHP5. Most importantly, I learned proper software development in a university course. Looking back, every mistake I made during the design of the old CMS I have learned from, and I’m willing to make a mistake if it means that I learn from it.

Another big change I’m making is that I am going Open Source: letting anyone take a look at the source code. I’m sticking with a Creative Commons license, which allows anyone to take the code, modify it, and redistribute it for free, providing they give me credit for the original work. I think it’s the right choice to make, sticking with the hacker mentality and whatnot. With a goal of distributing knowledge and information to the masses, I think the open source route is a logical step to achieving that.

I started off the development of the new CMS quite differently than before; rather than jumping straight into the coding, I started off old-school: with a pen and paper. Design before development helped ensure everything stayed organized this time. Developing class-by-class, piece by piece allowed for logical places to start and stop work.

The part about this CMS that I am most proud of, however, is that security is added and implemented standard – not as an afterthought. Being interested in security, this seemed like a no-brainer, but it seemed to be either non-existent, poorly implemented, or at the expense of efficiency in other systems available. By considering both security and efficiency at the same time, I hope to develop a system that maintains both equally.

I always like to see people become involved in my projects. If someone is interested in helping with the development, let me know, and maybe something can be arranged.

Ohloh Page: http://ohloh.net/p/h2h-cms/

Project Trac Page: http://dj-bri-t.servehttp.com/projects/cms/


Meat In A Tin

Over the past week or so, I’ve found that one of my other websites, H2H Security Group, has been getting a lot of spam. Unfortunately, it’s not just the random ads from bots. Bots I can deal with, and it’s unlikely that they’ll ever get past registration because there’s a reCAPTCHA in the registration. No, I have to deal with credit card spam.

Most people I know get spam in their email; it happens to almost all of us if we have a presence on the web with that email address. If any of you have read the spam before, usually it’s just a random string of words with a few links in them. Heck, some of them are just downright amusing. But credit card spam is more of a problem; not only is it a nuisance, but it’s highly illegal. Not something that you want on a legitimate website.

The first problem was determining if the spam was automated (i.e. from a bot), or a person who was posting the spam. The easiest way to do this was to install the reCAPTCHA system as I mentioned above. If you’ve signed up for any major service recently, chances are you’ve encountered a CAPTCHA of some sort. CAPTCHAs are the images with random numbers and letters which are supposed to be hard to read by an automated system, but fairly easy for a human. They are specifically designed to prevent bots from accessing the system. Although the reCAPTCHA system I installed stopped some of the spam, it didn’t stop all of it.

Stopping spam requires ruling your web site with an iron fist. Some automated scripts will help minimize it, but on a long enough timeline, spam will get through. It’s bound to happen. Currently the only way I’ve found to stop the spam is to start blocking IP addresses. In the case of this incident, I was forced to block an entire subnet of IP addresses. I found that an ISP in Vietnam was producing a lot of the spam that I received. Despite numerous emails to their abuse department I found out that they deleted the emails without reading them, and made the decision to block the entire ISP from my web site.

Doing so is a bit of a double-edged knife. On one hand, the spam has stopped since I’ve done this (although I only did this two days ago – let’s see what happens!). On the other hand, I have pretty much cut off an entire country from visiting my site. Granted, the primary language there is not my primary target for my site, but it still has the problem of cutting off legitimate users.

Of course, this is not a foolproof solution. There’s no reason that a person on that ISP couldn’t use a proxy to access my site and post more spam, but I’m taking a proactive approach to preventing this spam, and that’s about all one can do. Perhaps an interesting project would be to keep a central repository of known spamming IP addresses so that those IPs could be blocked by many websites around the world, and not just by a single server. A group of servers that pick up spam regularly could add IPs to the list for a number of days, and then many servers could download the list. It’s maybe something to consider to stop the spread of spam across the world.
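
The shared, expiring blocklist proposed above could look like the following sketch (an added example, not code from this site or from H2H CMS). The class name, the `min_reporters` threshold and the sample addresses, which come from the reserved documentation ranges, are assumptions; the threshold lets a subscriber ignore entries that only one server has reported, which limits how many legitimate users a single bad report can cut off.

```python
import ipaddress
import time

DAY = 86400  # seconds


class SharedBlocklist:
    """Central list of spamming networks; every entry lapses after ttl_days."""

    def __init__(self, ttl_days=7):
        self.ttl = ttl_days * DAY
        self.entries = {}  # network -> (expiry timestamp, set of reporting servers)

    def report(self, reporter, cidr, now=None):
        """A participating server reports a single address or a whole subnet."""
        now = time.time() if now is None else now
        # strict=False turns "203.0.113.77/24" into the network 203.0.113.0/24
        net = ipaddress.ip_network(cidr, strict=False)
        expiry, reporters = self.entries.get(net, (0, set()))
        if expiry <= now:          # a lapsed entry starts again with no reporters
            reporters = set()
        reporters.add(reporter)
        self.entries[net] = (now + self.ttl, reporters)

    def _active(self, now, min_reporters):
        return [net for net, (expiry, reporters) in self.entries.items()
                if expiry > now and len(reporters) >= min_reporters]

    def export(self, now=None, min_reporters=1):
        """The list a subscribing server downloads: unexpired entries only."""
        now = time.time() if now is None else now
        return sorted(str(net) for net in self._active(now, min_reporters))

    def is_blocked(self, ip, now=None, min_reporters=1):
        """Check a visitor address against the unexpired entries."""
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(ip)
        return any(addr.version == net.version and addr in net
                   for net in self._active(now, min_reporters))


if __name__ == "__main__":
    # Constructed sample reports using documentation address ranges.
    bl = SharedBlocklist(ttl_days=3)
    bl.report("server-a", "203.0.113.0/24")
    bl.report("server-b", "203.0.113.77/24")
    bl.report("server-a", "198.51.100.9")
    print(bl.export())                 # everything reported and unexpired
    print(bl.export(min_reporters=2))  # only what two servers agree on
```
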
