Captchas and Human Readability - Discussion

Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here.
Techie-Micheal
Registered User
Posts: 566
Joined: Sun Oct 14, 2001 12:11 am

Re: Captchas and Human Readability

Post by Techie-Micheal »

Nicholas the Italian wrote:
funtlack wrote: Surely there is a more simplistic and user-pleasuring alternation.

Yes, it is "print the agreement, sign it and fax it along with your ID card to the admin".
That's great. :mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen:

jumborex
Registered User
Posts: 84
Joined: Wed Nov 08, 2006 12:33 pm
Location: Milano

Re: Captchas and Human Readability - Discussion

Post by jumborex »

This, which has been a hard discussion in the past and possibly will be in the future, has been solved (for my needs) with a clever MOD called Anti Bot Question. It is sophisticated enough, but I use it for asking questions to whoever is applying for registration: this is what I need, and this reduces all spam to zero.
Why was this feature not included in the development of V3? It can be used apart from captchas, for example.
I have not failed. I've just found 10,000 ways that won't work.
(Thomas Alva Edison)

Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You

Re: Captchas and Human Readability - Discussion

Post by Acyd Burn »

jumborex wrote: Why was this feature not included in the development of V3?

Because - as is the case with every single feature - once used by every installation and enabled by default it is no more unique (which is the reason it is working for you); once it is no more unique to some installations it can be broken into/cracked/abused/whatever. For example questions... if you compile a list of questions those spammers will instantly have something ready having the correct answer for every possible question - because they are the same on all installations (even if only slight alterations are there). The most efficient anti-spam technique is still to use/enable something unique, such as a custom profile field, a required other field to be filled out, a different captcha, a different url for registration... all things making sure it goes away from the default setup.


PMM
Registered User
Posts: 4
Joined: Sat Jan 06, 2007 9:14 pm

Re: Captchas and Human Readability - Discussion

Post by PMM »

I think people's idea of captchas being an area of concern needs altering, with more concern for the ways registration is implemented and how the commits are made to the database to validate such registrations.

I know in the vBulletin BB the method used is bypassing the captcha altogether, and a brute force method is used to inject the registrations. The same bots I see on VB I see in phpBB doing the same.

When there are programs like Curl that, with the use of suitable scripts, can forcefully send direct POST requests, captchas are not really worth focusing on.

I post a modified (read that as nobbled) example below of part of a script used to inject registrations into VB.

Code:

curl_setopt($ch , CURLOPT_POSTFIELDS , 'Iagree=1&s=&do=adduser&url=index.php&password_md4=&passwordconfirm_md4
=&day=0&month=0&year=0&username=somebody'.$i.'&password=hacker&passwordcon
firm=soebody&email=somebody'.$i.'@amail.com&emailconfirm=somebody'.$i.'@am
ail.com&referrername=&timezoneoffset=(GMT -14:00) london, kent&dst=DST corrections always on&options[showemail]=1');

I believe some people have implemented an in-between stage to break that code and in essence put in what has been described beforehand: a question and answer field where, if you do not answer the question correctly, it aborts the process.

But I think people here in the know will understand what the bots are doing from the code snippet above, and in general captchas are irrelevant to how bots work.

I'm sure with time these bots will still progress to a point where even multistage registration forms are handled, answering the questions and then sending the forced attack.

pc-tutorials
Posts: 27
Joined: Mon Aug 14, 2006 6:47 am
Location: Steenbergen, The Netherlands

Re: Captchas and Human Readability - Discussion

Post by pc-tutorials »

Acyd Burn wrote: The most efficient anti-spam technique is still to use/enable something unique, such as a custom profile field, a required other field to be filled out, a different captcha, a different url for registration... all things making sure it goes away from the default setup.


Is it an idea to start a category in the MOD database with many different CAPTCHAs? And then implement a system to switch to another CAPTCHA easily. It is not unique then, but as far as I know (or: as far as I hope) most spambots just focus on one kind of CAPTCHA, so it should reduce the amount of spam. And probably many strong CAPTCHAs are better than one that's very strong, but still breakable. ;)

Or am I wrong?
for($i=1;$i>0;$i++){
echo "Bug detected, fix in progress";
}
----------------
Sorry for bad English, I'm not native :)

PMM
Registered User
Posts: 4
Joined: Sat Jan 06, 2007 9:14 pm

Re: Captchas and Human Readability - Discussion

Post by PMM »

Our admin has implemented something quite interesting on our vBulletin board as of last night.

Quite an interesting concept for blocking the auto bots.

Different pages of the registration process are time logged.

The AutoBots apparently do the registrations on VB in under 5 seconds, which is impossible for a human to do.

Therefore 2 timing points have been set up and a block imposed if a registration is under that time limit.

Early indications show its working well.

Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You

Re: Captchas and Human Readability - Discussion

Post by Acyd Burn »

Interesting approach for sure.


Klors
Registered User
Posts: 95
Joined: Fri Sep 19, 2003 2:08 pm

Re: Captchas and Human Readability - Discussion

Post by Klors »

but again, if it was standard on every board, very easy to work around with a delay in the bot script

Cap'n Refsmmat
Registered User
Posts: 219
Joined: Tue Jan 25, 2005 11:31 pm

Re: Captchas and Human Readability - Discussion

Post by Cap'n Refsmmat »

sleep(10);

That does it.

PMM
Registered User
Posts: 4
Joined: Sat Jan 06, 2007 9:14 pm

Re: Captchas and Human Readability - Discussion

Post by PMM »

Klors wrote: but again, if it was standard on every board, very easy to work around with a delay in the bot script


True, but one could also say that means a slowing of the bot as well, and when such bots are attempting to floodspam tens of thousands of forums/messageboards or anywhere their spam will show up, slowing their script down 15 seconds per board/flood attempt is counterproductive.

Also you tend to find the registrations on the autobots are done several days before or even a week before the actual spam is placed on the forum, normally from a secondary IP to that used when registering, and a lot will attempt to populate every available field; therefore even a must-be-left-blank field would be enough to stop many of the bots.

There's no foolproof method for sure, and never will be; wherever there is the will there is a way, but there's no harm in slowing them down ;)

/edit... something also occurred to me after thinking about what I wrote: nothing is stopping the implementation of a randomly generated delay, or a combo of random & user-defined, invisible to the autobot but factored into the timing points, to trip a bot up that way.
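
One way to implement the server-side checks discussed in this thread (timing points, a must-be-left-blank field, and a randomised minimum delay the bot cannot see), as an added example that is not part of the original posts and is not phpBB or vBulletin code. The function names, the `website2` honeypot field and the `form_token` hidden field are hypothetical, and the secret and timestamps are constructed for the demo.

```php
<?php
// Added example: not phpBB or vBulletin code. Function and field names are hypothetical.
const FORM_SECRET = 'constructed-demo-secret'; // assumption: random per-board value kept server-side
const MAX_AGE     = 3600;                      // seconds a rendered form stays valid

// Minimum fill time (5-15 s) derived from the secret, so it is never sent to the client.
function min_delay(string $nonce): int {
    // ord() reads the first byte of the raw MAC.
    return 5 + ord(hash_hmac('sha256', 'delay:' . $nonce, FORM_SECRET, true)) % 11;
}

// Called when the registration form is rendered; the result goes into a hidden field.
function issue_token(int $now): string {
    $payload = $now . ':' . bin2hex(random_bytes(8));
    return $payload . ':' . hash_hmac('sha256', $payload, FORM_SECRET);
}

// Called on submit. $used holds nonces already accepted (a DB or cache table in practice).
function check_registration(array $post, int $now, array &$used): string {
    // Honeypot: hidden from humans by CSS, so a legitimate submission leaves it empty.
    if (($post['website2'] ?? '') !== '') {
        return 'reject: honeypot filled';
    }
    $parts = explode(':', $post['form_token'] ?? '');
    if (count($parts) !== 3) {
        return 'reject: token missing';
    }
    [$issued, $nonce, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', "$issued:$nonce", FORM_SECRET), $mac)) {
        return 'reject: token forged';
    }
    $age = $now - (int) $issued;
    if ($age > MAX_AGE || isset($used[$nonce])) {
        return 'reject: token expired or replayed';
    }
    if ($age < min_delay($nonce)) {
        return 'reject: submitted too fast';
    }
    $used[$nonce] = true; // single use: one aged token cannot be reused for many accounts
    return 'accept';
}

// Constructed demo: one form submitted after 2 s, after 20 s, then replayed at 25 s.
$used = [];
$form = ['username' => 'alice', 'website2' => '', 'form_token' => issue_token(1700000000)];
foreach ([2, 20, 25] as $dt) {
    echo "+{$dt}s: ", check_registration($form, 1700000000 + $dt, $used), "\n";
}
echo "honeypot: ", check_registration(['website2' => 'x'] + $form, 1700000020, $used), "\n";
```

Because the issue time is covered by the MAC and the delay is derived from the server secret, the client can neither backdate the form nor read the threshold it has to wait out.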
