[RFC] stop distributing worthless CAPTCHAS in 3.1
- EXreaction
- Registered User
- Posts: 1555
- Joined: Sat Sep 10, 2005 2:15 am
Re: Remove broken captcha options...
Yes, useless options should be removed. Which options are the useless ones is the question. Also any data to back up which are useless would be nice (e.g. what percentage of times does a spambot guess it correctly?).
- Master_Cylinder
- Registered User
- Posts: 361
- Joined: Wed Jul 31, 2013 9:54 pm
Re: Remove broken captcha options...
I have no stats but it's KNOWN that spambots have broken many of the captchas. I'm not a dev, so it's not for me to do that research on percentages, etc. Google might help...
These kids today...
Buy them books, send them to school and what do they do?
They eat the paste.
Re: Remove broken captcha options...
Master_Cylinder wrote: I have no stats but it's KNOWN that spambots have broken many of the captchas. I'm not a dev, so it's not for me to do that research on percentages, etc. Google might help...
Very helpful.
Re: Remove broken captcha options...
Jacob wrote: Very helpful.
True, true. Thankfully his words of wisdom are in almost every thread on this forum.
Re: Remove broken captcha options...
I recently had a spam attack for around 3 days... 8~12 new registrations per minute!
Tried GD image, Simple image and GD 3D image. None of them stopped it.
I am sure there is a bug in the plugin and it is not an AI behind these attacks. It should be a bug by which spambots find the answer (for example from session values etc.) and can register up to 12 per minute! Even humans cannot read those numbers at this speed! They do not read captcha values, they use bugs.
- imkingdavid
- Registered User
- Posts: 1050
- Joined: Thu Jul 30, 2009 12:06 pm
Re: Remove broken captcha options...
It's not a bug, in the sense that the captcha is not working properly. For instance, a bug would be if typing the wrong letters would yield a positive result. Computers are able to perform character recognition, and are able to do so at a very high rate of speed. Most CAPTCHA plugins attempt to simply distort the text or make it otherwise difficult to read. A human is still able to figure out what letters and numbers are shown, but a bot (at the time) had problems. That's the basic premise of the CAPTCHA concept. However, bots have gotten "smarter", that is, they are able to correctly read letters despite certain types and amounts of distortion, such as the ones used by reCAPTCHA, GD Image, and especially Simple Image (for example).
I don't have any data to back this up, but from what I've seen the only really secure captcha is the Q&A one, and that is only secure if a good question/answer pair is used (i.e. one that cannot be simply googled and one that is probably not already stored in a database for a quick lookup).
Then again, some of the JavaScript-enabled CAPTCHAs are probably fairly secure as well, since I don't think bots are able to see JavaScript. For instance, the jQuery sortables CAPTCHA requires you to put specific items into a certain category using drag and drop, and it fails if any incorrect items are in a wrong category. There are some that are even more complex than that, but are still fairly simple for a real person to complete without too much inconvenience.
A major issue with using a JavaScript-enabled CAPTCHA (and one reason we don't package one by default) is that anyone who has disabled JavaScript will be unable to submit the form. Our goal is to make software that functions properly whether or not JavaScript is enabled (though without it, functionality will not be as pretty or snappy, but that's to be expected), so including a CAPTCHA that requires JavaScript in the core package would go against that goal.
So as I said, at this point, I recommend you use the Q&A CAPTCHA and use a good question/answer pair.
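The distinction drawn in the post above, between a verification bug and a bot that simply reads the challenge, shown as an added example (not phpBB's code and not part of the original post). `CaptchaStore`, `issue` and `verify` are hypothetical names and the in-memory dict stands in for a server-side table. It closes the "bug" cases (answer leaking to the client, replay of a solved challenge, unlimited guesses), while a correct answer still passes no matter who produced it.

```python
import hmac
import secrets
import time


class CaptchaStore:
    """Server-side challenge store (hypothetical; in-memory stand-in for a DB table)."""

    def __init__(self, ttl=300, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # challenge id -> (normalized answer, expiry time)

    @staticmethod
    def _normalize(text):
        # Collapse whitespace and ignore case so humans are not failed on formatting.
        return " ".join(text.split()).casefold()

    def issue(self, answer):
        # Only this opaque id is sent to the browser; the answer never leaves
        # the server, so it cannot be read from form fields or cookies.
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (self._normalize(answer), self._clock() + self._ttl)
        return cid

    def verify(self, cid, submitted):
        # pop() makes every challenge single-use: one attempt, right or wrong,
        # so a solved id cannot be replayed and a wrong guess cannot be retried.
        entry = self._pending.pop(cid, None)
        if entry is None:
            return "unknown_or_reused"
        expected, expires_at = entry
        if self._clock() > expires_at:
            return "expired"
        # Constant-time comparison of the normalized strings.
        if hmac.compare_digest(expected.encode(), self._normalize(submitted).encode()):
            return "ok"
        return "wrong"
```

A burst of registrations that all return `ok` on the first attempt points to the challenge being solved; a burst that succeeds without matching `issue` records points to a verification flaw.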
Re: Remove broken captcha options...
There is a very old phpBB2 captcha in ACP options and it's 2014 tomorrow, so I mean +1 for the idea but good luck convincing to remove the reCAPTCHA, Q&A (rip soon) etc.
Re: Remove broken captcha options...
imkingdavid wrote: It's not a bug, in the sense that the captcha is not working properly. For instance, a bug would be if typing the wrong letters would yield a positive result. Computers are able to perform character recognition, and are able to do so at a very high rate of speed. Most CAPTCHA plugins attempt to simply distort the text or make it otherwise difficult to read. A human is still able to figure out what letters and numbers are shown, but a bot (at the time) had problems. That's the basic premise of the CAPTCHA concept. However, bots have gotten "smarter", that is, they are able to correctly read letters despite certain types and amounts of distortion, such as the ones used by reCAPTCHA, GD Image, and especially Simple Image (for example).
I don't have any data to back this up, but from what I've seen the only really secure captcha is the Q&A one, and that is only secure if a good question/answer pair is used (i.e. one that cannot be simply googled and one that is probably not already stored in a database for a quick lookup).
Then again, some of the JavaScript-enabled CAPTCHAs are probably fairly secure as well, since I don't think bots are able to see JavaScript. For instance, the jQuery sortables CAPTCHA requires you to put specific items into a certain category using drag and drop, and it fails if any incorrect items are in a wrong category. There are some that are even more complex than that, but are still fairly simple for a real person to complete without too much inconvenience.
A major issue with using a JavaScript-enabled CAPTCHA (and one reason we don't package one by default) is that anyone who has disabled JavaScript will be unable to submit the form. Our goal is to make software that functions properly whether or not JavaScript is enabled (though without it, functionality will not be as pretty or snappy, but that's to be expected), so including a CAPTCHA that requires JavaScript in the core package would go against that goal.
So as I said, at this point, I recommend you use the Q&A CAPTCHA and use a good question/answer pair.
But I still think that it is more from bugs than AI.
I do not say all spam comes from bugs, but the majority of it is from bugs and exploits.
There is a lot of high-tech OCR and AI software that simply detects these easy-to-read captchas, but it is not a cheap technology. Show me some ready-to-use script that does this on phpBB. I cannot easily find a ready script that does this on phpBB on the internet. Most phpBB forum spammers are poor people, pay-per-post workers who post advertisements for drugs like Viagra and get a few cents for each post. They cannot use expensive software, so they do it another way and use exploits and bugs.
- Master_Cylinder
- Registered User
- Posts: 361
- Joined: Wed Jul 31, 2013 9:54 pm
Re: Remove broken captcha options...
Master_Cylinder wrote: I have no stats but it's KNOWN that spambots have broken many of the captchas. I'm not a dev, so it's not for me to do that research on percentages, etc. Google might help...
Jacob wrote: Very helpful.
More helpful than demanding stats...
- Master_Cylinder
- Registered User
- Posts: 361
- Joined: Wed Jul 31, 2013 9:54 pm
Re: Remove broken captcha options...
imkingdavid wrote: It's not a bug, in the sense that the captcha is not working properly.
Right, it's not a bug, it's just that bots have figured out how to read them. There are plenty of articles about how spambots have beaten captcha and it's not all that recent.
imkingdavid wrote: So as I said, at this point, I recommend you use the Q&A CAPTCHA and use a good question/answer pair.
There is also a Russian spambot
Q&A might be the only one that works, I don't know, it's the only one I use. If you don't write good Q&A pairs some bots can still beat Q&A too. Google supposedly rewrote reCAPTCHA a while back but I don't know if bots have beaten the upgrade.