Anti-Spam Thread!

The 2.0.x discussion forum has been locked; this will remain read-only. The 3.0.x discussion forum has been renamed phpBB Discussion.
Locked
Dave Bean
Registered User
Posts: 210
Joined: Thu Jul 12, 2001 4:55 am
Location: Denver, Colorado
Contact:

Post by Dave Bean »

One problem that I have with the "better captcha's" is that I have problems figuring them out (people have trouble reading them). Is there one that's hard to break, but easy for people to read?
Building Internet Communities
www.ColoradoHealth.info
User avatar
bonelifer
Community Team Member
Community Team Member
Posts: 3515
Joined: Wed Oct 27, 2004 11:35 pm
Name: William
Contact:

Post by bonelifer »

FreeCap Visual Confirmation works well for us and we have some pretty whinny types sign up and they haven't complained about it.
William Jacoby - Community Team
Knowledge Base | phpBB Board Rules | Search Customisation Database
Please don't contact me via PM or email for phpBB support .
User avatar
Dog Cow
Registered User
Posts: 2500
Joined: Fri Jan 28, 2005 12:14 am
Contact:

Post by Dog Cow »

I enjoyed this captcha for a period of time: http://phpbbhacks.com/download/6276

My site now no longer has any captchas at all, I have devised a much, much better way to ward off registration bots that is invisible to human users. For more info, please send me a PM or read this topic:Spam-Bot Surprise MOD.
Moof!
Mac GUI Vault: Retro Apple II & Macintosh computing archive.
Inside Allerton bookMac GUIMac 512K Blog
XaHyMaH
Registered User
Posts: 7
Joined: Thu Dec 08, 2005 6:42 pm

Post by XaHyMaH »

Here is some itelligence report from enemy's camp:
Image

Examples of visual confirmations that can be decoded.

Think we need some thing else than just plain picture.



EDIT: URL Changed. Posted Image.
CTCNetwork
User avatar
EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Post by EXreaction »

Yautja_cetanu
Registered User
Posts: 72
Joined: Wed Nov 24, 2004 3:23 pm

Post by Yautja_cetanu »

We've found a really simple captcha that simply says:

"I am a:" human tiger elephant.

Where the user has to select that they are a human works well. The list of answers changes on every refresh (but the answer is always human). I think it mainly works because no one else has it. It would obviously be very easy to write a script for our captcha. We're happy with our captcha because we know how to change the question easily if bots start getting through. However if we released it, it would be useless because a script to crack it could be written within minutes, but that makes me think,

What about an ACP control panel that allows the admins to make their own required questions added to the profile? Some people could ask simply logic questions like:

Which one is not an elephant: An elephant, A Bear, An elephant

others maths questions:

2 + 2 = ? 6, 7, 4

There is one captcha that uses images and logic:
http://www.kittenauth.com/

The only issue with all of these are, How intuitive are they? Does it confuse the user if they have to answer a different question on every site they visit? But is this better then visual confirmation (which is getting harder and harder to read as they combat bots better).
olpa
Registered User
Posts: 255
Joined: Tue Jan 25, 2005 6:44 pm
Location: Saint-Petersburg, Russia
Contact:

Post by olpa »

What about an ACP control panel that allows the admins to make their own required questions added to the profile?

I've written such a MOD: Textual Confirmation (still waiting for approval for the MOD database).
The only issue with all of these are, How intuitive are they?

It depends. In my opinion, a good question is something like "What's the forum pass code (see <a href="faq.php">FAQ</a>)?"
alvo
Registered User
Posts: 713
Joined: Thu Jun 22, 2006 3:57 am

Post by alvo »

Yautja_cetanu wrote: We've found a really simple captcha that simply says:

"I am a:" human tiger elephant. ...


This is what the Anti Bot Question mod does, only the question/answer changes at random each time and admins write their own questions so they're unique to each site. Using question such as "What is the color of grass?" or "What is the opposite of up?" are much better at stopping bots than a standard "type the characters in this image" captchas that by showing the image are giving the answer. Asking questions that require abstract thinking (which bots can't do) not only is an effective bot stopper, it's also more accessible as blind and sight impaired people can easily use it as well.
User avatar
Jim_UK
Former Team Member
Posts: 18479
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK

Post by Jim_UK »

This type of anti bot question is fine if the respondent has to type an answer in. If there is a choice indicated by one of two radio buttons then some of the latest bots will get through as the programming must call for it to try all available options until of course it would hit the limit of failed attempts that you have set in Admin CP. With only say 3 options that is no barrier to the bot.

"Something like type the third word of this sentence backwards" or click this link to download the correct code would be a better option.
The answer is to have your option unique. I bet most of these bots are programmed by now to try "green" as a solution as folks simply copy the suggested question!

Jim
The truth is out there.
Unfortunately they will not let you anywhere near it!
alvo
Registered User
Posts: 713
Joined: Thu Jun 22, 2006 3:57 am

Post by alvo »

Jim_UK wrote: ... I bet most of these bots are programmed by now to try "green" as a solution as folks simply copy the suggested question! ...

Hence the need to write your own questions (although I usually offer differing sample question when I give examples) and have enough of them that getting a match with the question presented at random is slim. And if one notices bots getting through again they simply need to write some new questions. Since there are many forms the questions can take and endless things one can ask they won't be able to get the bots to answer correctly often enough to be effective.

Unfortunately there still is a way to get around it, and that has been used in the past with captchas, human engineering. Pull the question from the form and present it on a "Get free porn, answer this simple question" page and take the answer, entered by a real person, and submit it along with the spam.
User avatar
Jim_UK
Former Team Member
Posts: 18479
Joined: Tue Oct 12, 2004 5:36 pm
Location: Darwen N.West UK

Post by Jim_UK »

The VIP Mod is a better option.
Hard coded in is a VIP code something like BuE6Fg1A (make it what you want) and tell the person trying to register where to find the code on your site.
Bots don't read right well!
I have tested this against Xrummer and it does not get through.

Jim
The truth is out there.
Unfortunately they will not let you anywhere near it!
User avatar
Dogs and things
Registered User
Posts: 2114
Joined: Fri Sep 01, 2006 9:04 am
Location: Spain
Contact:

Post by Dogs and things »

Ahum,

Just dropping in without having read what led to this point in the conversation.

I use Anti Bot Question MOD. And I believe combining pictures with questions that requiere abstract thinking are a perfect defense.

I use images that come standard with the MOD, but changed the standard questions that came along with them.

Plus I added new images with personally invented questions.

A picture with grass on it along with the question "Do you see an animal, an object or a plant on this picture?" and the need to handwrite the answer is allready enough to stop even let´s say IQ-wise limited humans from registering, not to mention bots.

Alltogether I´m using lik ten diferent pictures and with every picture come two, three or even four diferent and randomly picked questions.

Which works perfectly.

But I´m glad to read there are other well-working MODs out and in development.

Variation is the keyword, I believe, in making the bot-bizz suck.
For phpBB2 support visit phpBB2refugees.
rant boss
Registered User
Posts: 32
Joined: Sun Mar 12, 2006 11:45 pm

Post by rant boss »

With the "bad guys" seeminly always being able to get around new anti-spam/bot defenses, I suggest that perhaps a more radical approach to dealing with the problem is called for.

With all the tremendous knowledge and brain power on this site, there has to be a way to collectively target the actual websites that these idiots are trying to promote, and overwhelm them somehow to the point of destruction.

Forgive me if what I'm suggesting is illegal (and if so I withdraw the suggestion), but I'm venting after having to delete about a dozen of these nuisance lowlifes each day for the last month.

There has to be a way not only to prevent it, but to make it untenable for the idiots who keep doing it.
User avatar
Dogs and things
Registered User
Posts: 2114
Joined: Fri Sep 01, 2006 9:04 am
Location: Spain
Contact:

Post by Dogs and things »

I understand you´re about ready to nuke the bastards. 8O

But I for myself speaking live a perfectly happy life without having to think about spam, spammers, spambots and how to destroy them simply by having my frontdoor locked with a good mod or two, three. And I´m quite confident that bots will always have their limitations, just like humans, but a bit more. That´s why they are bots, and we humans. :wink:
For phpBB2 support visit phpBB2refugees.
eccerr0r
Registered User
Posts: 20
Joined: Tue Nov 28, 2006 4:51 pm
Location: Colorado, USA
Contact:

Post by eccerr0r »

Curious if anyone tried to take data on how often captchas are being broken?

For some reason or another I usually get around 10 daily attempts to create an account and maybe one new (spam) user every few days. Not sure why there are so many failures despite them saying that they're like 96% successful decoding phpbb's stock captcha? (this is before confirmation -- none of the spam accounts made it past the email confirm, but they got their dirty load on the URL link so they don't care.)

Anyway, probably to the chagrin of large board owners, perhaps the best solution is for every small area to have their own, unique captchas that's impossible to write a decoder for every single one... seems right now the decoder is targeted to specific captchas?

Based on that fact I hacked my user_confirm.php my own way and hope nobody decides my phpbb's captcha is worth hacking and lay off of it... so far no spam accounts ever since I added it (and got rid of the renderring issues -- I don't know php 8)), and believe me, it was a very simple hack - just to be slightly different!
Locked

Return to “2.0.x Discussion”