New CAPTCHA

Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here.
Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
Post Reply
Parasyte
Registered User
Posts: 3
Joined: Wed Feb 28, 2007 2:15 pm

Re: New CAPTCHA

Post by Parasyte »

Here's a thought.

Pros: No font (very difficult to OCR), good level of entropy, strong against simple edge detection, uses only line primitives, high contrast for the visually impaired.
Cons: The amount of lines used should be tweaked for the best human readability/worst machine readability. (For example, one could possibly devise an algorithm to detect 'too many connecting angles' in the larger blocks of noise for easy removal.)
Attachments
CAPTCHA sample using line primitives.
CAPTCHA sample using line primitives.
captcha_primitives.png (91.33 KiB) Viewed 8611 times

Lieutenant Clone
Registered User
Posts: 161
Joined: Tue Feb 28, 2006 6:13 pm

Re: New CAPTCHA

Post by Lieutenant Clone »

Might just be me, but that looks pretty breakable...

The bot just has to look for the whitespace. And you would still need a font to do that... even if you didn't the bot could pick up those clear letters I would think...

Whats everyone else think?
Dennis Robinson
Image

User avatar
Handyman
Registered User
Posts: 522
Joined: Thu Feb 03, 2005 5:09 am
Location: Where no man has gone before!
Contact:

Re: New CAPTCHA

Post by Handyman »

I think Grandma would have a hard time reading that one.
I don't think more difficult captchas is the answer… I've never seen a secure site with as difficult of captchas as phpBB3 has by default.
My phpBB3 Mods || My Mod Queue
Search Engine Friendly (SEO) URLs || Profile link on Avatar and/or Username || AJAX Chat
Display Posts Anywhere || CashMod || AJAX Quick Edit || AJAX Quick Reply

Image

Lieutenant Clone
Registered User
Posts: 161
Joined: Tue Feb 28, 2006 6:13 pm

Re: New CAPTCHA

Post by Lieutenant Clone »

You know, I'm almost thinking that we should be spending less time trying to stop spam getting int, and spend more time creating clever ways of dealing with the spam once it does get in. Because lets face it, spam posts and accounts will get through, no matter what. Its how you deal with it that matters.
Dennis Robinson
Image

Parasyte
Registered User
Posts: 3
Joined: Wed Feb 28, 2007 2:15 pm

Re: New CAPTCHA

Post by Parasyte »

There are a number of good ways to deal with spam once an account registration is successful. On my phpBB 2, I have user confirmation enabled and the UserShield mod installed. There is still the chance that some registrations get through, which is where a few more mods come in handy to help validate the registration information. And with mods like that, stopping them at the source is far easier and far more effective than handling them after the fact.

As far as the primitives CAPTCHA sample goes, it does not require a font in the typical sense, because each character is to be composed of lines in real time. It could be modified to use curves or any other shapes, as well. The one thing it will need is a sort of translator to convert the text into the 'jittery' glyphs. For example, keeping an array of vectors: the letter 'A' is composed of three lines. When drawn, each line can be slightly moved/rotated/resized at random within reasonable limits. Once again, making it very difficult to OCR. (The OCR would have to make a best guess based on the shape; [is that an 'A' or an 'H'?] while it should remain clearly visible to most humans, including Grandma who's been around long enough to see more chicken scratch writing than most of us.)

Further more, reducing the amount of noise will increase the amount of white space, weakening the suggested attack severely. Also, letting a few lines make contact with the noise and glyphs will stop a simple 'color fill' attack (like using the paint bucket in photoshop).

Lieutenant Clone
Registered User
Posts: 161
Joined: Tue Feb 28, 2006 6:13 pm

Re: New CAPTCHA

Post by Lieutenant Clone »

I'm not convinced that dealing with spam after the fact is such a bad thing. Its pretty easy to pick out a bot or a spammer by what they do right after the register.

For example, a bot that registers with the intent to get a link-back, will immediately update their profile with a website, and put links in their signature. (and I mean immediately!). Some bots might go and make their first post, containing anywhere from 10 - 100 links. That should defiantly throw up some warning flags. Neither of these alone can define a spammer, a user could do both. But if implemented properly with other methods, they could work quite well.

I remember this one mod for phpBB 2.0.x, where it would remove the website field from the profile page until the user makes 10 posts. But since bots just submit a fake query, and don't actually visit the page, they would go ahead and try to update their website field. Then the account would be instantly deleted, and the IP banned. Pretty clever, although its one of those things where if it was part of phpBB right from the start, it wouldn't work.
Dennis Robinson
Image

Parasyte
Registered User
Posts: 3
Joined: Wed Feb 28, 2007 2:15 pm

Re: New CAPTCHA

Post by Parasyte »

Don't get me wrong; dealing with spam after the fact is a necessary evil. And I say evil because spam, being evil in and of itself, makes dealing with it inherently evil for making us waste our time with it.

User avatar
Highway of Life
Registered User
Posts: 1399
Joined: Tue Feb 08, 2005 10:18 pm
Location: I'd love to change the World, but they won't give me the Source Code
Contact:

Re: New CAPTCHA

Post by Highway of Life »

Lieutenant Clone wrote: I'm not convinced that dealing with spam after the fact is such a bad thing. Its pretty easy to pick out a bot or a spammer by what they do right after the register.
Yes, this is true... but we are trying to keep from having to deal with it after registration.
It’s always better, IMO to prevent the Bot registration in the first place, Then, it’s not a bad idea to have some other security measures in place to prevent successful bot registrations from posting.
Lieutenant Clone wrote: For example, a bot that registers with the intent to get a link-back, will immediately update their profile with a website, and put links in their signature. (and I mean immediately!). Some bots might go and make their first post, containing anywhere from 10 - 100 links. That should defiantly throw up some warning flags. Neither of these alone can define a spammer, a user could do both. But if implemented properly with other methods, they could work quite well.
This just made me think of another method to block spammers.
On STG, we’ve set up word filters for common spam terms, so we’ve seen a small handful of guest spambot posting that has turned out pretty comical with all the filters.
But the idea I had, was to make a MOD by which it would automatically block the user from posting again if there are a certain number of filters activated.
Another thing to do would be to cause posts that hit that many filters to go to moderation queue.
I think everyone here has seen how many spam posts area51 gets from Bots, so I think that method would work rather well in getting spambots after registration.
Lieutenant Clone wrote: I remember this one mod for phpBB 2.0.x, where it would remove the website field from the profile page until the user makes 10 posts. But since bots just submit a fake query, and don't actually visit the page, they would go ahead and try to update their website field. Then the account would be instantly deleted, and the IP banned. Pretty clever, although its one of those things where if it was part of phpBB right from the start, it wouldn't work.
Which is why I think what phpBB has right now will be fine, since everyone who can implement a different spamblocking feature/MOD, then it would make it very difficult for spambots to register on every phpBB3 board.

Now the only challenge would be to encourage all phpBB3 admins to install some kind of additional protection.
Just my thoughts typing out loud. :D
Image

Joebert
Registered User
Posts: 6
Joined: Tue Dec 07, 2004 7:47 am

Re: New CAPTCHA

Post by Joebert »

What about using audio captchas & a faux picture captcha ?
I've seen a few places that have "Click here for an audio version of this captcha if you can't read this".

The picture would have this phrase printed on it.
Please listen to the following audio to hear the secret phrase you need to enter into the box below.

Ban anything that submits that, or part of that phrase as the answer to the captcha.

I doubt spammers would get very far trying to crack audio captchas using current speech recognition technology, specially if it's Microsofts.

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: New CAPTCHA

Post by EXreaction »

I don't know about anyone else, but, unless the site has some very useful information I want to get to, I wouldn't register at a site that has an audio only captcha.

Besides, audio recognition is gaining quite rapidly, it wouldn't work for long.

Post Reply