News

Announcing Grayscale 2.3 [Monday, September 24, 2007]

I am proud to announce the release of Grayscale CMS Version 2.3. I have just completed numerous rounds of QA testing on this new version, which contains extensive changes to the administration area of the CMS. As the CMS continues to grow, the quality of the code that runs it continues to improve, and those code quality improvements are applied to existing code as well, so pre-existing features benefit along with new ones.

Security Improvements

Security is one of the areas that keeps improving. As spammers get smarter, it is vitally important that we stay ahead of them. Blog spam, guestbook spam, contact form header injection, and general form abuse are an ongoing problem for any site that lets visitors contribute or get in touch. This new version of Grayscale Content Management System offers several new features for fighting spam:

Confirmation is now required for all forms whose submissions are displayed on the site

  • Blog comments
  • Link Exchange
  • Directory
  • Classifieds
  • Guestbook

E-mails are sent to people who submit content in these areas, requiring them to click a link to confirm their submission. While it is obvious that a spammer can confirm their spam submission, my experience has shown that spammers typically do not enter a real e-mail address in the e-mail field of these forms. Because of this, they will never receive our confirmation e-mail, and the content will never be displayed on the site. To keep bogus submissions from clogging up the database, unconfirmed entries are purged from the database every 3 days. Two details matter for this to be safe: the confirmation link must be unguessable and single-use, and since anyone can type somebody else's address into the form, the number of confirmation e-mails sent to one address should be capped so the site cannot be used to flood a third party with mail.
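The flow described above, as an added example (this is not Grayscale CMS code; the PendingStore class, its method names, the per-address cap and the outbox list standing in for SMTP are all assumptions made for illustration):

```python
import hashlib
import secrets
import time

# Added example of a confirm-by-e-mail (double opt-in) flow for visitor submissions.
# Not Grayscale CMS code: PendingStore and its method names are assumptions for
# illustration. Mail is appended to an outbox list instead of being handed to SMTP.

CONFIRM_TTL = 3 * 24 * 3600       # unconfirmed entries are dropped after 3 days
MAX_MAILS_PER_ADDRESS = 3         # assumption: cap confirmation mails per address per window


def _token_digest(token: str) -> str:
    # Store only a hash of the token: a leaked database yields no usable confirmation links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class PendingStore:
    def __init__(self, base_url: str = "https://cms.example.invalid", now=time.time):
        self.base_url = base_url
        self._now = now                 # injectable clock so expiry and purge can be exercised
        self._pending = {}              # sha256(token) -> submission record
        self._sent = {}                 # address -> timestamps of confirmation mails
        self.published = []             # confirmed records, i.e. what the site displays
        self.outbox = []                # (address, link) pairs that would be e-mailed

    def submit(self, form: str, email: str, body: str):
        """Store a submission unpublished and queue its confirmation mail.
        Returns the raw token (only the e-mail needs it) or None if rejected."""
        # Reject addresses that cannot receive mail or that carry CR/LF (header injection).
        if "@" not in email or "\r" in email or "\n" in email:
            return None
        # Throttle: a bot can submit someone else's address and turn the site into a mail cannon.
        recent = [t for t in self._sent.get(email, []) if self._now() - t < CONFIRM_TTL]
        if len(recent) >= MAX_MAILS_PER_ADDRESS:
            return None
        token = secrets.token_urlsafe(32)          # 256 random bits: not guessable
        self._pending[_token_digest(token)] = {
            "form": form, "email": email, "body": body, "created": self._now(),
        }
        self._sent[email] = recent + [self._now()]
        self.outbox.append((email, f"{self.base_url}/confirm?t={token}"))
        return token

    def confirm(self, token: str) -> bool:
        """Called from the link in the e-mail; single use, and refuses expired entries."""
        record = self._pending.pop(_token_digest(token), None)
        if record is None:
            return False
        if self._now() - record["created"] > CONFIRM_TTL:
            return False                           # expired; already removed above
        self.published.append(record)
        return True

    def purge(self) -> int:
        """Delete unconfirmed entries older than CONFIRM_TTL; run from cron every few days."""
        cutoff = self._now() - CONFIRM_TTL
        stale = [k for k, r in self._pending.items() if r["created"] < cutoff]
        for k in stale:
            del self._pending[k]
        return len(stale)

    def pending_count(self) -> int:
        return len(self._pending)
```

The token is looked up by its hash, so someone who reads the table cannot confirm entries on the submitter's behalf, and `confirm` pops the record so a link cannot be replayed.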

Abuse header added to all e-mails sent by the CMS

For the layperson: every e-mail sent contains numerous "headers", supplemental data placed at the beginning of a message when it is transmitted, carrying information the receiving system uses to handle it. I won't go into boring details except to say that the automated e-mails now carry extra abuse-tracking headers, so that any spam which does make it through (in the off chance some does) contains the information needed to report the spammer to their ISP.

Automated Abuse Complaints

To further help squash spammers and others attempting to abuse the site's resources, Grayscale CMS now contains a feature which automatically sends an e-mail to an ISP's abuse contact after repeated attempts at abuse from a banned IP address. It does this by performing a Whois lookup on the banned IP address and sending an e-mail to every valid address beginning with "abuse@" found in the text returned by the query. In practice, there are some instances where this address is not found, but I regard this as reliable enough to make this a welcome addition to the spam-fighting features in Grayscale.
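The two pieces of that feature, extracting "abuse@" contacts from Whois text and deciding when a banned address has earned a complaint, as an added example (not Grayscale CMS code; the ComplaintGate class, its thresholds and the Whois text are constructed for illustration):

```python
import re
import subprocess
import time

# Added example, not Grayscale CMS code: pull abuse@ contacts out of WHOIS output and
# decide when a banned IP has earned a complaint. ComplaintGate and its defaults are
# assumptions for illustration; CONSTRUCTED_WHOIS is made up and uses a documentation range.

# The local part must start with "abuse" (so "network-abuse@..." is not taken for an abuse desk).
ABUSE_RE = re.compile(r"(?<![\w.+-])abuse@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}",
                      re.IGNORECASE)


def abuse_contacts(whois_text: str) -> list:
    """Unique abuse@ addresses in the order found, lower-cased."""
    seen, found = set(), []
    for m in ABUSE_RE.finditer(whois_text):
        addr = m.group(0).lower()
        if addr not in seen:
            seen.add(addr)
            found.append(addr)
    return found


def run_whois(ip: str, timeout: int = 15) -> str:
    """Query the system whois client; the caller decides what to do on failure or timeout."""
    out = subprocess.run(["whois", ip], capture_output=True, text=True, timeout=timeout)
    return out.stdout


class ComplaintGate:
    """Complain only after `threshold` blocked attempts by an IP, then not again for `cooldown`."""

    def __init__(self, threshold=5, cooldown=7 * 24 * 3600, now=time.time):
        self.threshold, self.cooldown, self._now = threshold, cooldown, now
        self._attempts = {}     # ip -> list of (timestamp, path)
        self._last_sent = {}    # ip -> timestamp of the last complaint

    def record(self, ip: str, path: str) -> bool:
        """Log one blocked request; returns True when a complaint should go out now."""
        self._attempts.setdefault(ip, []).append((self._now(), path))
        if len(self._attempts[ip]) < self.threshold:
            return False
        last = self._last_sent.get(ip)
        if last is not None and self._now() - last < self.cooldown:
            return False
        self._last_sent[ip] = self._now()
        return True

    def complaint(self, ip: str, contacts: list, site: str) -> dict:
        """Build the message with evidence; a complaint without it is itself close to spam."""
        lines = [time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts)) + " " + ip + " " + path
                 for ts, path in self._attempts[ip]]
        return {"to": contacts,
                "subject": f"Abuse report: {ip} repeatedly hitting blocked forms on {site}",
                "body": "Blocked requests (UTC):\n" + "\n".join(lines)}


# Constructed WHOIS-style output; 203.0.113.0/24 is a documentation range, not a real ISP.
CONSTRUCTED_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
OrgName:        Example ISP
OrgAbuseHandle: ABUSE1-EXAMPLE
OrgAbuseEmail:  abuse@isp.example
abuse-mailbox:  ABUSE@ISP.EXAMPLE
remarks:        Report spam to abuse@isp.example, not to network-abuse@other.example.
"""
```

The threshold and cooldown keep the site from becoming a nuisance to the abuse desk, and the message carries timestamps and paths so the recipient can act on it; addresses scraped from free-text remarks fields are worth a human glance before they are trusted.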

Modifications to Forms and Form Processing

All of the e-mail fields in the forms on Grayscale CMS have been given nonsensical "name" attributes. Most form abuse these days is done by automated crawlers that scour the web looking for forms to exploit. These crawlers use the "name" attribute as a clue to what sort of data to put in each field when submitting the form automatically: when one encounters an element whose name is obvious, it fills the field with a value it expects to pass validation, so for a field named "email" it enters something formatted like an e-mail address. The solution? Name the e-mail field something that means nothing. The crawler then doesn't know where to enter an e-mail address and doesn't do so, the submission fails validation, and the form cannot be submitted. Spam received through my forms is now zero. Note that this only defeats crawlers that guess from field names; one that parses the rendered form and fills every field it finds is unaffected, so treat it as one layer among several.

In addition, an extra validation type was added to check the form's referer (yes, that's misspelled on purpose: the HTTP header is named Referer). Since the referer can be faked or simply not sent by the visitor's browser, this is neither a strong nor a reliable method, but it adds an extra bit of security against spammers. The sensible policy is to reject a referer that points at another site while tolerating a missing one, so that visitors behind privacy proxies are not locked out.
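Both measures, opaque field names and the referer check, as one added example (not Grayscale CMS code; deriving the names per session with an HMAC, the OBVIOUS_NAMES bait list, the secret and every function name are assumptions made for illustration):

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Added example, not Grayscale CMS code: give form fields opaque names that change per
# session, map them back on the server, and treat the Referer as a weak extra check.
# SESSION_SECRET, LOGICAL_FIELDS, OBVIOUS_NAMES and the function names are assumptions.

SESSION_SECRET = secrets.token_bytes(32)        # assumption: one server-side secret
LOGICAL_FIELDS = ("name", "email", "message")   # what the form processor actually wants back
OBVIOUS_NAMES = {"email", "e-mail", "mail", "url", "website", "subject"}  # names a crawler guesses


def field_names(session_id: str, secret: bytes = SESSION_SECRET) -> dict:
    """Derive each field's rendered name from the session with an HMAC: nothing to store,
    and no crawler can predict the names without first fetching the form in that session."""
    names = {}
    for logical in LOGICAL_FIELDS:
        mac = hmac.new(secret, f"{session_id}:{logical}".encode(), hashlib.sha256).hexdigest()
        names[logical] = "f" + mac[:12]          # letter first so it is a valid HTML name
    return names


def referer_check(headers: dict, site_host: str) -> str:
    """'ok' if the Referer is this site, 'missing' if absent, 'foreign' otherwise."""
    ref = headers.get("Referer")
    if not ref:
        return "missing"
    return "ok" if urlparse(ref).hostname == site_host else "foreign"


def decode_submission(session_id: str, post: dict, headers: dict, site_host: str,
                      secret: bytes = SESSION_SECRET):
    """Map opaque field names back to logical ones. Returns the decoded dict, or None to reject."""
    if any(k.lower() in OBVIOUS_NAMES for k in post):
        return None          # something guessed field names instead of reading the form
    if referer_check(headers, site_host) == "foreign":
        return None          # a missing Referer is tolerated; a wrong one is not
    names = field_names(session_id, secret)
    decoded = {}
    for logical, rendered in names.items():
        if rendered not in post:
            return None      # the form shown to this session did not have these names
        decoded[logical] = post[rendered]
    email = decoded["email"]
    if "@" not in email or "\r" in email or "\n" in email:
        return None          # no mail header injection through the address field
    return decoded
```

The names are bound to the session rather than stored, so a crawler that replays field names captured from someone else's session, or that guesses "email", is rejected; a crawler that fetches the form in its own session and fills in what it sees still gets through, which is why the referer check and the confirmation e-mail sit behind it.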

Special Lists Now Controlled In Admin

In the early days of Grayscale CMS, several special lists of items were maintained in regular flat files:

  • Allowed Tags - HTML elements which are allowed (or disallowed) in content entered through forms
  • Common Words - The most common words in the English language, used when generating the keywords for items entered in admin
  • Swear Words - as the name suggests, bad words.
  • MIME Types - file types allowed (or disallowed) for upload through forms (both in admin and public)
  • Common Passwords - The most commonly used passwords, which users are prevented from choosing

Each of these lists is now controlled via the admin area. In upcoming releases they'll be configurable; for instance, in the Allowed Tags list you'll be able to choose where to allow each tag.
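Of the lists above, Allowed Tags is the one with the most security weight, since user-supplied HTML that reaches other visitors' browsers is how stored cross-site scripting happens, and an allow list (name what may pass) is far safer than a deny list (name what may not). One way to apply such a list, as an added example that is not Grayscale CMS code: tags not on the list are dropped while their text is kept and escaped, attributes are dropped unless listed, and links must be absolute http(s). The class and the ALLOWED_ATTRS table are assumptions for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not Grayscale CMS code: apply an "Allowed Tags" list to submitted HTML.
# Disallowed tags are dropped but their text is kept (escaped); attributes are dropped
# unless listed in ALLOWED_ATTRS; links must be absolute http(s). Names are assumptions.

ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}


class AllowListFilter(HTMLParser):
    def __init__(self, allowed_tags):
        super().__init__(convert_charrefs=True)
        self.allowed = {t.lower() for t in allowed_tags}
        self.out = []
        self.stack = []               # open allowed tags, to keep the output well nested

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return                    # dropped; its text still arrives via handle_data
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            value = value.strip()
            if name == "href" and urlparse(value).scheme not in ("http", "https"):
                continue              # no javascript:, data:, vbscript: or scheme-relative tricks
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # <br/> and friends
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return                    # stray close tag, or one for a dropped tag
        while self.stack:             # close anything still open inside it
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data))     # script/style bodies land here too, and get escaped

    def handle_comment(self, data):
        pass                          # comments (including conditional comments) never pass

    def result(self) -> str:
        self.close()
        while self.stack:             # close whatever the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html: str, allowed_tags) -> str:
    """Return `html` reduced to the tags in `allowed_tags`, with everything else escaped."""
    f = AllowListFilter(allowed_tags)
    f.feed(html)
    return f.result()
```

The parser, not a regular expression, decides what is a tag, and the output is rebuilt from scratch rather than patched, so malformed markup in the input cannot smuggle anything past the list.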

Misc. New Features

  • Bulk delete of mailing list recipients. One problem with mailing lists is that subscribers typically do not notify sites when they've changed e-mail addresses. On sites with large subscriber lists this can be a real problem, as every time you send a new mailing you're hammered with bounced messages. Worse still, removing each of these bounced subscribers one by one is a real pain. Grayscale CMS now has the ability to remove subscribers in bulk.
  • Validation change - no site members or admin users can have the same e-mail address.
  • New feature - Private Messages - finished
  • Affiliate Programs - new validation method to ensure the program's URL is unique
