[RFC] stop distributing worthless CAPTCHAS in 3.1

Publish your own request for comments/change or patches for the next version of phpBB. Discuss the contributions and proposals of others. Upcoming releases are 3.2/Rhea and 3.3.
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Remove broken captcha options...

Post by EXreaction » Tue Dec 31, 2013 4:14 am

Yes, useless options should be removed. Which options are the useless ones is the question. Also, any data to back up which are useless would be nice (e.g. what percentage of times does a spambot guess it correctly?).

Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: Remove broken captcha options...

Post by Master_Cylinder » Tue Dec 31, 2013 4:16 am

I have no stats but it's KNOWN that spambots have broken many of the captchas. I'm not a dev, so it's not for me to do that research on percentages, etc. Google might help... ;)
These kids today...
Buy them books, send them to school and what do they do?

They eat the paste. :lol:

Jacob
Registered User
Posts: 100
Joined: Wed Jan 04, 2012 1:41 pm

Re: Remove broken captcha options...

Post by Jacob » Tue Dec 31, 2013 10:02 am

Master_Cylinder wrote:I have no stats but it's KNOWN that spambots have broken many of the captchas. I'm not a dev, so it's not for me to do that research on percentages, etc. Google might help... ;)
Very helpful.

Mess
Registered User
Posts: 198
Joined: Wed Jun 13, 2012 10:14 am

Re: Remove broken captcha options...

Post by Mess » Tue Dec 31, 2013 10:08 am

Jacob wrote:Very helpful.
True, true. Thankfully his words of wisdom are in almost every thread on this forum.

emosbat
Registered User
Posts: 43
Joined: Fri Aug 24, 2012 8:49 am

Re: Remove broken captcha options...

Post by emosbat » Tue Dec 31, 2013 11:52 am

I recently had a spam attack for around 3 days... 8~12 new registrations per minute!
Tried GD image, Simple image and GD 3D image. None of them stopped it.

I am sure there is a bug in the plugin and it is not an AI behind these attacks. It should be a bug: spambots find the answer (for example from session values etc.) and can register up to 12 per minute! Even humans cannot read those numbers at this speed! They do not read captcha values, they use bugs.

imkingdavid
Registered User
Posts: 1050
Joined: Thu Jul 30, 2009 12:06 pm

Re: Remove broken captcha options...

Post by imkingdavid » Tue Dec 31, 2013 12:36 pm

It's not a bug, in the sense that the captcha is not working properly. For instance, a bug would be if typing the wrong letters would yield a positive result. Computers are able to perform character recognition, and are able to do so at a very high rate of speed. Most CAPTCHA plugins attempt to simply distort the text or make it otherwise difficult to read. A human is still able to figure out what letters and numbers are shown, but a bot (at the time) had problems. That's the basic premise of the CAPTCHA concept. However, bots have gotten "smarter", that is, they are able to correctly read letters despite certain types and amounts of distortion, such as the ones used by reCAPTCHA, GD Image, and especially Simple Image (for example).

I don't have any data to back this up, but from what I've seen the only really secure captcha is the Q&A one, and that is only secure if a good question/answer pair is used (i.e. one that cannot be simply googled and one that is probably not already stored in a database for a quick lookup).

Then again, some of the JavaScript-enabled CAPTCHAs are probably fairly secure as well, since I don't think bots are able to see JavaScript. For instance, the jQuery sortables CAPTCHA requires you to put specific items into a certain category using drag and drop, and it fails if any incorrect items are in a wrong category. There are some that are even more complex than that, but are still fairly simple for a real person to complete without too much inconvenience.

A major issue with using a JavaScript-enabled CAPTCHA (and one reason we don't package one by default) is because anyone that has disabled JavaScript will be unable to submit the form. Our goal is to make a software that functions properly whether or not JavaScript is enabled (though without it, functionality will not be as pretty or snappy, but that's to be expected), so including a CAPTCHA that requires JavaScript in the core package would go against that goal.

So as I said, at this point, I recommend you use the Q&A CAPTCHA and use a good question/answer pair.
I do custom MODs. PM for a quote!
View My: MODs | Portfolio
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.
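
An added example, not part of the original thread and not phpBB's code: a minimal server-side Q&A check in Python with the properties discussed in the post above (a wrong answer never passes, the expected answer never reaches the client, and a solved challenge cannot be replayed). The question/answer pairs, `QAChallengeStore` and both limits are hypothetical.

```python
import hmac
import secrets
import time
import unicodedata

# Constructed question/answer pairs (hypothetical). Real ones should be
# site-specific so they cannot be looked up with a search engine.
QA_PAIRS = {
    "q1": ("Which colour is the banner at the top of this board?", {"green", "dark green"}),
    "q2": ("What is the first word of this board's title?", {"example"}),
}
TTL_SECONDS = 600   # assumed: a challenge expires after ten minutes
MAX_ATTEMPTS = 3    # assumed: wrong guesses allowed per challenge


def normalize(text):
    """Fold case, Unicode form and whitespace so honest users are not rejected."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


class QAChallengeStore:
    """Expected answers stay on the server; the client only holds a random token."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._open = {}  # token -> [question_id, expires_at, attempts_left]

    def issue(self, question_id=None):
        qid = question_id or secrets.choice(sorted(QA_PAIRS))
        token = secrets.token_urlsafe(16)
        self._open[token] = [qid, self._clock() + TTL_SECONDS, MAX_ATTEMPTS]
        return token, QA_PAIRS[qid][0]

    def verify(self, token, answer):
        entry = self._open.get(token)
        if entry is None or self._clock() > entry[1]:
            self._open.pop(token, None)   # unknown or expired: always a failure
            return False
        given = normalize(answer).encode()
        ok = any(hmac.compare_digest(given, normalize(a).encode())
                 for a in QA_PAIRS[entry[0]][1])
        entry[2] -= 1
        if ok or entry[2] <= 0:
            del self._open[token]         # single use: no replay of a solved token
        return ok
```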

Pete77s
Registered User
Posts: 43
Joined: Mon Feb 07, 2005 4:55 am

Re: Remove broken captcha options...

Post by Pete77s » Tue Dec 31, 2013 12:49 pm

There is a very old phpBB2 captcha in the ACP options and it's 2014 tomorrow, so I mean +1 for the idea, but good luck convincing anyone to remove the reCAPTCHA, Q&A (RIP soon) etc.

emosbat
Registered User
Posts: 43
Joined: Fri Aug 24, 2012 8:49 am

Re: Remove broken captcha options...

Post by emosbat » Tue Dec 31, 2013 1:07 pm

imkingdavid wrote:It's not a bug, in the sense that the captcha is not working properly. For instance, a bug would be if typing the wrong letters would yield a positive result. Computers are able to perform character recognition, and are able to do so at a very high rate of speed. Most CAPTCHA plugins attempt to simply distort the text or make it otherwise difficult to read. A human is still able to figure out what letters and numbers are shown, but a bot (at the time) had problems. That's the basic premise of the CAPTCHA concept. However, bots have gotten "smarter", that is, they are able to correctly read letters despite certain types and amounts of distortion, such as the ones used by reCAPTCHA, GD Image, and especially Simple Image (for example).

I don't have any data to back this up, but from what I've seen the only really secure captcha is the Q&A one, and that is only secure if a good question/answer pair is used (i.e. one that cannot be simply googled and one that is probably not already stored in a database for a quick lookup).

Then again, some of the JavaScript-enabled CAPTCHAs are probably fairly secure as well, since I don't think bots are able to see JavaScript. For instance, the jQuery sortables CAPTCHA requires you to put specific items into a certain category using drag and drop, and it fails if any incorrect items are in a wrong category. There are some that are even more complex than that, but are still fairly simple for a real person to complete without too much inconvenience.

A major issue with using a JavaScript-enabled CAPTCHA (and one reason we don't package one by default) is because anyone that has disabled JavaScript will be unable to submit the form. Our goal is to make a software that functions properly whether or not JavaScript is enabled (though without it, functionality will not be as pretty or snappy, but that's to be expected), so including a CAPTCHA that requires JavaScript in the core package would go against that goal.

So as I said, at this point, I recommend you use the Q&A CAPTCHA and use a good question/answer pair.
But I still think that it is more from bugs than AI.
I do not say all spam is caused by bugs, but the majority of it is from bugs and exploits.
There is a lot of high-tech OCR and AI software that simply detects these easy-to-read captchas, but it is not a cheap technology. Show me some ready-to-use script that does this on phpBB. I cannot easily find a ready script that does this on phpBB on the internet. Most phpBB forum spammers are poor people, pay-per-post workers who post advertisements for drugs like Viagra and get a few cents for each post. They cannot use expensive software, so they do it another way and use exploits and bugs :)

Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: Remove broken captcha options...

Post by Master_Cylinder » Tue Dec 31, 2013 8:21 pm

Jacob wrote:
Master_Cylinder wrote:I have no stats but it's KNOWN that spambots have broken many of the captchas. I'm not a dev, so it's not for me to do that research on percentages, etc. Google might help... ;)
Very helpful.
More helpful than demanding stats... :roll:
These kids today...
Buy them books, send them to school and what do they do?

They eat the paste. :lol:

Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: Remove broken captcha options...

Post by Master_Cylinder » Tue Dec 31, 2013 8:36 pm

imkingdavid wrote:It's not a bug, in the sense that the captcha is not working properly.

So as I said, at this point, I recommend you use the Q&A CAPTCHA and use a good question/answer pair.
Right, it's not a bug, it's just that bots have figured out how to read them. There are plenty of articles about how spambots have beaten captcha and it's not all that recent.

There is also a Russian spambot loser writer (the name I won't post here) that lets spammers pay a monthly fee to basically rent/lease his bots and he claims that it beats almost ALL spam protection. It uses a new email for every forum reg, it beats captcha, changes proxies constantly and some other stuff designed to allow it to spam. I ran across one of these in one of my forums before I added blacklists but it only registered, I saw it, as it registered, so I disabled and banned it before it actually posted.

Q&A might be the only one that works, I don't know, it's the only one I use. If you don't write good Q&A pairs some bots can still beat Q&A too. Google supposedly rewrote recaptcha a while back but I don't know if bots have beaten the upgrade.
These kids today...
Buy them books, send them to school and what do they do?

They eat the paste. :lol:
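
An added example, not part of the original thread: a Python sketch of how an administrator could detect the kind of registration flood emosbat reports (8~12 sign-ups per minute) even when, as Master_Cylinder describes, every sign-up arrives from a different proxy, so a per-address limit alone never trips. The log format, both thresholds and the sample data are constructed assumptions.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
GLOBAL_LIMIT = 5   # assumed: more sign-ups per minute than this board normally sees
PER_IP_LIMIT = 3   # assumed: classic per-address limit, kept for comparison


def parse(line):
    """Parse 'ISO-timestamp event ip=... email=...' (constructed log format)."""
    stamp, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(stamp), event, kv["ip"]


def detect_floods(lines):
    """Return alerts (time, kind, count) from a sliding 60-second window."""
    window = deque()      # (timestamp, ip) of registrations inside the window
    per_ip = Counter()    # registrations per address inside the window
    alerts = []
    for line in lines:
        ts, event, ip = parse(line)
        if event != "register":
            continue
        window.append((ts, ip))
        per_ip[ip] += 1
        while ts - window[0][0] >= WINDOW:   # drop entries older than the window
            _, old_ip = window.popleft()
            per_ip[old_ip] -= 1
        if per_ip[ip] > PER_IP_LIMIT:
            alerts.append((ts, "per-ip", per_ip[ip]))
        elif len(window) > GLOBAL_LIMIT:     # proxy rotation only shows up here
            alerts.append((ts, "global", len(window)))
    return alerts


def sample_log():
    """Constructed sample: one sign-up every 6 seconds, each from a new address."""
    start = datetime(2013, 12, 31, 11, 40, 0)
    return [f"{(start + timedelta(seconds=6 * i)).isoformat()} register "
            f"ip=203.0.113.{i + 1} email=user{i}@example.com" for i in range(10)]
```

On the constructed sample the per-address counter never exceeds 1, while the global window raises an alert from the sixth sign-up onward.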
