Page 1 of 1

[BETA] Backscatter Captcha Mod

Posted: Sat Jun 07, 2008 1:00 pm
by zaphodb777
Due to phpbbmodders.net dropping my discussion there (they all but nuked their 2.0.x devs! :cry: ), I have decided to repost links to my project here. It is a modification to the captcha system that came with Ver. 2.0.22 . It is a simple one file drop-in replacement, and so far it has "bounced out" 100% of the robots that have attempted to register accounts. Here are the links to it...

http://zaphodb777.dyndns.org/backscatter.php This is the project page, download link and a brief description are to be found here.

http://zaphodb777.dyndns.org/blog/archi ... try_47.php This page is where I first wrote up about the concept when it was still in closed ALPHA, has some images and more of why it works. Due to some good response, I fast-tracked the project to BETA.

http://zaphodb777.dyndns.org/files/back ... CHA_mod.7z The actual downloadable project file link as per forum rules.

http://zaphodb777.dyndns.org/forum Please come visit the site, and try it out for yourself before deciding if you want to mess with it.

I can't wait to hear your responses, and I invite 3.X coders to impliment my mod in their system, as this is all V2 GPL just like from whence it came.

Thanks!
Zaphod

Re: [BETA] Backscatter Captcha Mod

Posted: Sun Jun 08, 2008 5:59 am
by momentum
I have this MOD (actually it's just a drop-in replacement usercp_confirm.php file) installed on two different boards for the last month and haven't yet seen a single spamBOT registration.

Both boards were previously overrun with spammer registrations and posts before being protected with the Registration Authorization Code MOD. I removed the RAC MOD in order to test the effectiveness of this modification. Not a single spammer in a month means it must be doing something right.

This has to be the easiest MOD I've ever added to phpBB2.

Craig.

Re: [BETA] Backscatter Captcha Mod

Posted: Wed Jun 18, 2008 9:34 pm
by zaphodb777
Has anyone else tried this yet, and if so, any complaints? Suggestions?

I'd love to hear from you. :D

Zap!

Re: [BETA] Backscatter Captcha Mod

Posted: Sun Jun 29, 2008 9:33 am
by momentum
Zaphod,

It's been quite some time since I installed this MOD and neither board has seen a spamBOT registration. Working well. :D

Craig.

Re: [BETA] Backscatter Captcha Mod

Posted: Sat Jul 05, 2008 5:38 pm
by zaphodb777
Well, I did kinda foul my own test, but just a little. Seems the spambotmasters at keyweb.de/keyweb.ru were trying actual URI hacking to get around my captcha, since OCR was failing. The IP range banning feature in phpBB wasn't working either... So, I decided to tell them "NO!" with this little ditty included at the beginning of all phpbb php pages.

This **NOT** a mod for phpBB... it is a mod for any page you wish to keep a hostname or ip block out of.
Released GPL V.2 of course!

<?php
function lrmatch($haystack, $pattern)
{
$length = strlen($pattern);
if ((substr($haystack,0,$length) == $pattern) or (substr($haystack,-$length) == $pattern))
return true;
return false;
}

$ax="0";
$hoster=strtolower($_SERVER['REMOTE_HOST']);
$address=strtolower($_SERVER['REMOTE_ADDR']);
$url="http://YOURWEBSITE.TLD/CURSEOUT-LOGGING-PAGE.php";
// Start Compare here
$ax = $ax + (lrmatch($hoster,"keyweb.de"));
$ax = $ax + (lrmatch($address,"87.118.68"));
$ax = $ax + (lrmatch($address,"87.118.69"));
$ax = $ax + (lrmatch($address,"87.118.70"));
$ax = $ax + (lrmatch($address,"87.118.71"));
// Finish Compare here
if($ax > "0"){
header('Location: '.$url);
echo('
<html>
<head>
<title>You\'re Banned!</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
BOOT TO THE HEAD!
</body>
</html>
');
die("BANNED!");
}
?>

save this as a seperate .php named whatever you like, I named mine bandersnatch.php, and replace "YOURWEBSITE.TLD/CURSEOUT-LOGGING-PAGE.php" with an appropriate value for a page you would like to send the spammers to... Haven't figured out how to send them to hades yet. Then simply "include('bandersnatch.php');" at the very top of your .php page, just inside the first <?php of course.

Oddly enough, this also stopped all hacking attempts on my board, just killing these 2048 IPs. Not sure if this will "stick" but for now, I'll take what I can. They had given up on OCRing though, so I am satisfied my auth mod is the tough nut to crack that I designed it to be. Now they are looking to hack straight through.

Good Luck!
Zap.

Re: [BETA] Backscatter Captcha Mod

Posted: Sat Jul 12, 2008 8:32 am
by deny
zaphodb777 wrote:Has anyone else tried this yet, and if so, any complaints? Suggestions?

I'd love to hear from you. :D

Zap!

It is very very difficult for human to see letters if he would to register:

Image

Re: [BETA] Backscatter Captcha Mod

Posted: Sat Jul 12, 2008 8:39 am
by zaphodb777
I admit, it is hard to see, but even harder for bots. But thanks for posting the image.

Edit: BTW, the code in the image is LK4DPX :D

Re: [BETA] Backscatter Captcha Mod

Posted: Sun Dec 28, 2008 5:19 am
by zaphodb777
Been awhile since I posted here, but that above code segment has been super-expanded and refined to become the first php/MySQL/phpbb/etc. protection script. (As far as I can tell, hotscripts revealed not much else along it's lines, if anything). It's GNU/GPL V2, so it's free.

You can snag it off my site at http://zaphodb777.dyndns.org/zbblockpage.php

Russian Business Network members like this hit...

@: Sat, 27 Dec 2008 14:53:07 -0700
Host: 77.51.20.37
IP: 77.51.20.37
Score: 1
Why blocked: Russian Attack Prone Netblock.
File: removed for security
Query:
Referer: http://www.phpbb.com/community/viewtopi ... it=CAPTCHA
Reconstructed URL: http://zaphodb777.dyndns.org/backscatter.php

Need not apply.
(That is actual output from ZB Block, catching an actual suspicious IP)

Laterz!
Zap :D

Re: [BETA] Backscatter Captcha Mod

Posted: Thu Jan 15, 2009 9:48 pm
by Dog Cow
I think I see (pun?) a way to beat this: all a script has to do is check for the normalized area where the characters are. In this case, the script is looking for 3 or more black pixels vertically, such as appear in most of the characters, and also alternating white/black pixels horizontally.

So basically, if this is the image, where 1 represents black, and a 0 represents white:

Code: Select all

111011010111000110101101010101010101110110100010101110110011
The left and right half are fairly random, even including repeating 1's or 0's. But in the middle of that string, there's an easily-detectable alternating 1010101 pattern. Now, this is just one line, but in the actual captcha, the script would find that at y values close in range, the 1 or 0 at the x value remains constant. As soon as it deviates, then that could signal the start of the random noise again. By "locking on" to this area, a script could potentially throw out all the random garbage and isolate the target characters.

Otherwise, it's an interesting idea. I read the description about the optical illusion. :D

Re: [BETA] Backscatter Captcha Mod

Posted: Sat Jan 17, 2009 2:23 pm
by zaphodb777
True. But so far, most skiddies can't code such an advanced routine. Also, as I said, I have other tricks up my sleeve in reserve, but haven't needed them yet.

But you have given me an idea to start injecting some random 101010101010s here and there in the image to throw your detection.

This isn't one of my ideas in reserve.

The ultimate CAPTCHA idea of mine is to use temporal dimensional scrambling, where analysis of any one grab is worthless, and since the flash generating it, is using Unix Epoch seeded pseudo-random directed temporal effects, it shouldn't be predictable. One added benefit to temporal domain obfuscation is that it is EASY for any sighted individual to read and enter the code. Still worried about what to do for blind friends though.

Zap

Re: [BETA] Backscatter Captcha Mod

Posted: Sat Jan 17, 2009 3:39 pm
by 3Di
Interested in to port this to phpBB3, may I contact you privately? In case, feel free to add myself to your MSN. :)

Regards.