Captchas and Human Readability - Discussion

Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here.
Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
Post Reply
User avatar
Techie-Micheal
Registered User
Posts: 566
Joined: Sun Oct 14, 2001 12:11 am

Re: Captchas and Human Readability

Post by Techie-Micheal »

Nicholas the Italian wrote:
funtlack wrote: Surely there is a more simplistic and user-pleasuring alternation.

Yes, it is "print the agreement, sign it and fax it along with your ID card to the admin".
That's great. :mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen:
User avatar
jumborex
Registered User
Posts: 84
Joined: Wed Nov 08, 2006 12:33 pm
Location: Milano
Contact:

Re: Captchas and Human Readability - Discussion

Post by jumborex »

This that has been a hard discussion in the past, and it possibly will be in the future, has been solved (for my needs) with a clever MOD called Anti Bot Question. It is sophisticate enough, but I use it asking questions to which is applying for registration: this is what I need, and this reduces every spam to zero.
Why this feature was not included in the development of V3. It can be used apart from captchas, for example.
I have not failed. I've just found 10,000 ways that won't work.
(Thomas Alva Edison)
User avatar
Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You
Contact:

Re: Captchas and Human Readability - Discussion

Post by Acyd Burn »

Why this feature was not included in the development of V3.


Because - as is the case with every single feature - once used by every installation and enabled by default it is no more unique (which is the reason it is working for you); once it is no more unique to some installations it can be broken into/cracked/abused/whatever. For example questions... if you compile a list of questions those spammers will instantly have something ready having the correct answer for every possible question - because they are the same on all installations (even if only slight alterations are there). The most efficient anti-spam technique is still to use/enable something unique, such as a custom profile field, a required other field to be filled out, a different captcha, a different url for registration... all things making sure it goes away from the default setup.

Image
PMM
Registered User
Posts: 4
Joined: Sat Jan 06, 2007 9:14 pm

Re: Captchas and Human Readability - Discussion

Post by PMM »

I think peoples ideas of captchas being an area of concern needs altering
and more concerns in way's of registration implimentation and how the commits
are made to the database to validate such registrations.

I know in the vbulletin BB the methods used is by-passing the captcha alltogether
and a brute force method is used to inject the registrations the same bots I see
on in VB I see in phpBB doing the same.

When there's programs like Curl that with the use of suitable scripts can forcefully
post direct post requests captcha's are not really worth focusing on.

I post a modified(Read that as nobbled) example below of part of a script used to inject registrations into VB.

Code: Select all

curl_setopt($ch , CURLOPT_POSTFIELDS , 'Iagree=1&s=&do=adduser&url=index.php&password_md4=&passwordconfirm_md4
=&day=0&month=0&year=0&username=somebody'.$i.'&password=hacker&passwordcon
firm=soebody&email=somebody'.$i.'@amail.com&emailconfirm=somebody'.$i.'@am
ail.com&referrername=&timezoneoffset=(GMT -14:00) london, kent&dst=DST corrections always on&options[showemail]=1');
I believe some people have implimeted an in-between stage to break that code and
in essence put in what has been discribed before hand of a question and answer field
that if you do not answer the question correctly it abort the process.

But I think people here in the know will understand what the bots are doing from the code snippet above and in general captcha are irrelvant to how bots work.

Im sure with time these bots will still progess to a point where even multistage registrations forms are handled answering the questions and then sending the forced attack.
User avatar
pc-tutorials
Posts: 27
Joined: Mon Aug 14, 2006 6:47 am
Location: Steenbergen, The Netherlands
Contact:

Re: Captchas and Human Readability - Discussion

Post by pc-tutorials »

Acyd Burn wrote: The most efficient anti-spam technique is still to use/enable something unique, such as a custom profile field, a required other field to be filled out, a different captcha, a different url for registration... all things making sure it goes away from the default setup.


Is it an idea to start an category in the MOD database with much different CAPTCHA's? And then implement a system to switch to another CAPTCHA easy. It is not unique then, but as far as I know (or: as far as I hope) most spambots just focus on one kind of CAPTCHA, so it should reduce the amount of spam. And probably much strong CAPTCHA's are better than one that's very strong, but still breakable. ;)

Or am I wrong?
for($i=1;$i>0;$i++){
echo "Bug detected, fix in progress";
}
----------------
Sorry for bad English, I'm not native :)
PMM
Registered User
Posts: 4
Joined: Sat Jan 06, 2007 9:14 pm

Re: Captchas and Human Readability - Discussion

Post by PMM »

Our admin has implimented something quite interesting on our VBulletin board
as of last night.

Quite an interesting concept for blocking the auto bots.

Different pages of the registration process time logged.

The AutoBots do the registrations apprarently on VB in under 5 seconds which is impossible for a human to do the same.

Therefore 2 timing points have been setup and a block imposed if a registration is under that time limit.

Early indications show its working well.
User avatar
Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You
Contact:

Re: Captchas and Human Readability - Discussion

Post by Acyd Burn »

Interesting approach for sure.

Image
Klors
Registered User
Posts: 95
Joined: Fri Sep 19, 2003 2:08 pm

Re: Captchas and Human Readability - Discussion

Post by Klors »

but again, if it was standard on every board, very easy to work around with a delay in the bot script
Cap'n Refsmmat
Registered User
Posts: 219
Joined: Tue Jan 25, 2005 11:31 pm

Re: Captchas and Human Readability - Discussion

Post by Cap'n Refsmmat »

sleep(10);

That does it.
PMM
Registered User
Posts: 4
Joined: Sat Jan 06, 2007 9:14 pm

Re: Captchas and Human Readability - Discussion

Post by PMM »

Klors wrote: but again, if it was standard on every board, very easy to work around with a delay in the bot script


True, but one could also say that mean's a slowing of the bot as well, and when such bots are attempting to floodspam 10 of thousands of forums/messageboards or any where there spam will show up slowing there script down 15 seconds per board/flood attempt is counter productive.

Also you tend to find the registration on the autobots are done several day's before or even a week before the actual spam is placed on the forum normally from a secondary IP to that used when registering and alot will attempt to populate every available field therefore even a must be left blank field would be enough to stop many of the bots.

There's no fool proof method for sure never will be, where-ever there is the will there is a way but there's no harm in slowing them down ;)

/edit... something also occured after thinking about what I wrote, nothing stopping the implimentation of a random generated delay or combo of random & user defined invisible to the autobot but factored in to timing points and trip a bot up that way.
Post Reply