Undefeatable Captchas and security measures

xptoast
Registered User
Posts: 66
Joined: Fri Apr 20, 2012 8:39 pm

Undefeatable Captchas and security measures

Post by xptoast »

I have been getting hit hard by Russian spammers. I did a bunch of research here on phpBB and found that even blocking the entirety of the Russian Federation won't help me as they will just use proxies. I currently have the newest board and am using the anti spam mod that is all pimped out with blacklists and the timezone trick etc. I also have it set up to use captchas and an email activation. I am still getting a ton of spam on a low traffic forum.

After this research I have come to a few conclusions. We need a better setup for our captchas on our phpbb boards. I have seen various kinds here as well. Even the game ones get defeated by programs designed for them. Spammers are super smart. So I found a couple that may do the trick.

1. Dracon Flash CAPTCHA: This captcha is designed to be OCR proof and is very securely encrypted. It is also free unless you want the tiny little link to their site taken off. For that unbranding it only costs 10 bucks. It can be found here: http://www.dracon.biz/captcha.php

2. NuCaptcha - They are a company that designs a special captcha that they continually update to thwart spammers. Currently they are using moving letters on a video stream. It also learns in order to mess with the spammers. It is very easy to read as well for a human but I can see how it would work against spammers. A video of it can be found here: http://www.nucaptcha.com/
The only problem I have with NuCaptcha is that you have to pay for it on a usage basis instead of a straight up license. I can understand why but it still isn't much fun to pay for things :lol:

3. I have an idea myself for a captcha but I am not a programmer. It basically is that you ask people super simple questions that would be very much a frustration for a bot to figure out. Things like, "What is furry, has four legs, and poops in a litter box?", "What is furry, has four legs, and you take on walks?", "What has a hard shell, swims in the ocean, and can pull into its shell?". You could also set it up so you could make it ask things like: "Which of the following phrases is racist: A: Indians came from India B: Mexicans are people too C: Asians are good at math" Both methods would work well with the visually impaired people that have to hear the questions or statements.

Now that I talked about a few captcha ideas that should be put into mods I will talk about placements.

I use a website called reddit. They are pretty spam free and I am not really ever hassled upon registering, etc. They have a few measures that seem to work very well that we could utilize in a mod.

Unless you have an email registration you are severely limited to how often you get to post. After you are email registered you are hindered to posting only every 9 minutes. This also includes a captcha every time you try to post. After about 30-50 posts you are pretty free to post. It cuts your posting times down to about 10 seconds between comment replies on each thread.

I have read somewhere on this website that using captchas on posts isn't helpful because people rarely get through. I am sorry to say I have been experiencing just the opposite. I am getting a ton of OCR capable spammers that are just hopping right through the gates.

If we could minimize posting times and use captchas until they are fully vetted users it would be super helpful.

So utilizing the unbeatable captchas I listed above with the posting limitations we could have a very powerful anti spam tool to utilize.

PS... there are other really good captchas coming out that Yahoo are even using that move that screw with the OCR spam tools.

Let's chat about this. Maybe someone here is up for the task of building this really awesome tool to use. IP ban lists and regular Captchas just aren't cutting it and the alternatives I have been seeing aren't visually impaired helpful either.
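The tiered posting limits described in the post above, as an added example that is not part of the original post or of phpBB. The 9-minute and 10-second gaps and the 30-50 post range come from the post; the `Account` fields, the one-hour gap for unverified accounts and the cut-off of 30 posts are assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional

# The 9-minute and 10-second gaps and the 30-50 post range are from the post;
# the unverified-account gap and the exact cut-off of 30 are assumptions.
UNVERIFIED_GAP = 60 * 60
PROBATION_GAP = 9 * 60
VETTED_GAP = 10
VETTED_AFTER_POSTS = 30

@dataclass
class Account:
    email_verified: bool
    accepted_posts: int             # published posts not removed as spam
    last_post_at: Optional[float]   # UNIX time of the previous post, if any

@dataclass
class Decision:
    allowed: bool
    wait_seconds: int       # how long the user must still wait, 0 if allowed
    captcha_required: bool  # show a captcha with the posting form

def min_gap(acct: Account) -> int:
    """Minimum seconds between posts for this account's trust tier."""
    if not acct.email_verified:
        return UNVERIFIED_GAP
    if acct.accepted_posts < VETTED_AFTER_POSTS:
        return PROBATION_GAP
    return VETTED_GAP

def check_post(acct: Account, now: float) -> Decision:
    gap = min_gap(acct)
    captcha = gap != VETTED_GAP          # captcha on every post until vetted
    if acct.last_post_at is None:
        return Decision(True, 0, captcha)
    # Clamp at 0 so a clock that stepped backwards cannot push the wait
    # beyond one full gap.
    elapsed = max(0.0, now - acct.last_post_at)
    remaining = math.ceil(gap - elapsed)
    if remaining > 0:
        return Decision(False, remaining, captcha)
    return Decision(True, 0, captcha)
```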
KevC
Support Team Member
Support Team Member
Posts: 70218
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Undefeatable Captchas and security measures

Post by KevC »

xptoast wrote:It basically is that you ask people super simple questions that would be very much a frustration for a bot to figure out.
That one's been known about for a long time. It's even built in.
http://www.phpbb.com/community/viewtopi ... &t=2122696
xptoast
Registered User
Posts: 66
Joined: Fri Apr 20, 2012 8:39 pm

Re: Undefeatable Captchas and security measures

Post by xptoast »

Kevin Clark wrote:
xptoast wrote:It basically is that you ask people super simple questions that would be very much a frustration for a bot to figure out.
That one's been known about for a long time. It's even built in.
http://www.phpbb.com/community/viewtopi ... &t=2122696
Fantastic. So all three solutions are viable.
Lumpy Burgertushie
Registered User
Posts: 68173
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Undefeatable Captchas and security measures

Post by Lumpy Burgertushie »

1. nonsense, all the other image based captchas were promised to be OCR proof and every one of them has been beaten.

2. costs money. simply will not be adopted by very many free open source type things like phpbb

3. as kevin said, that is already part of phpbb3 and has been for several versions now. it is the recommended solution and has yet to be beaten by the spam bots.
if you are using it then your questions are not good.

the questions you suggest would probably be easy for a spam bot to google the answers for.

Here is how to stop the spammers in your board:

1. a good, non googleable Q&A

2. do NOT let guests post.

3. if human spammers, use the registered users group and require one post be approved before allowing to post.

most people that have used this have eliminated their spam problems.

robert
xptoast
Registered User
Posts: 66
Joined: Fri Apr 20, 2012 8:39 pm

Re: Undefeatable Captchas and security measures

Post by xptoast »

Lumpy Burgertushie wrote:1. nonsense, all the other image based captchas were promised to be OCR proof and every one of them has been beaten.

2. costs money. simply will not be adopted by very many free open source type things like phpbb

3. as kevin said, that is already part of phpbb3 and has been for several versions now. it is the recommended solution and has yet to be beaten by the spam bots.
if you are using it then your questions are not good.

the questions you suggest would probably be easy for a spam bot to google the answers for.

Here is how to stop the spammers in your board:

1. a good, non googleable Q&A

2. do NOT let guests post.

3. if human spammers, use the registered users group and require one post be approved before allowing to post.

most people that have used this have eliminated their spam problems.

robert
1. Did you look at the OCR proof one? I really don't think an OCR could get through that because of the objects floating by it as well as fading in and out.

2. I looked into costs and it says it is free up to like 10000 captchas or something. But yea, unless you are raking in the dough I doubt people would pay for it unless it was super cheap. I'll try to get better numbers.

3. What do you mean the bot could google the answers? I am super interested in this actually. If it is true that a bot can answer questions that easy then we should be on our way to AI soon enough.

I understand I could do admin approval but that tends to dissuade people from even using the service. Starting a community off is already tough without purposely making it hard on people to even use the community. It is hard even getting people to use a community.

Guest posting sounds like a terrible idea unless you had unbeatable captchas.
Lumpy Burgertushie
Registered User
Posts: 68173
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Undefeatable Captchas and security measures

Post by Lumpy Burgertushie »

no, I didn't look at the "OCR proof" one. I didn't have to. my statement still stands.

yes, the spammer bots copy the questions and put them in a google search and then cull the results for the answer. they are bots, they can be programmed to do just about anything.

the point is to make the question something like: type in the uppercase letters of rgYUhzD45
answer: YUD

can't possibly google for the answer to that.

or, if you are running a private board you simply send your prospective members a code that they have to enter in for the answer.

or, make the answer something that only a human could figure out about your site etc.
what is the third letter of the fourth word in the second paragraph of the site description...


I agree that admin approval for registration is not good.
however that is not what I mentioned, I mentioned using a post approval of the first post. that is fairly common around the net and it shouldn't run off too many people that really want to be a member of your board. once you or a moderator have approved their first post, they will be removed from the newly registered users group and will be able to post without approval etc.

personally, with the spam problems today, I think that if someone is not willing to spend just a few extra seconds to sign up for your board that you probably don't want them as a member anyway.

luck,
robert
Erik Frèrejean
Former Team Member
Posts: 9899
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean
Contact:

Re: Undefeatable Captchas and security measures

Post by Erik Frèrejean »

xptoast wrote:1. Did you look at the OCR proof one? I really don't think an OCR could get through that because of the objects floating by it as well as fading in and out.
As with all captchas, as soon as they get popular enough they will be cracked. Bots can be programmed to solve captchas a human won't be able to solve (reCaptcha used to be "unbreakable" ;)).
Once a software package the size of phpBB starts shipping a captcha it suddenly becomes worthwhile for them to figure out a way to crack it and it is a matter of time before that is done. It is far better to create a plugin for such a captcha and redistribute it yourself.

That said, the "Dracon Flash CAPTCHA" is so annoying that I most likely wouldn't bother to register on a site using that. Anti-spam measures that are annoying to solve for a human will only scare away users.
xptoast
Registered User
Posts: 66
Joined: Fri Apr 20, 2012 8:39 pm

Re: Undefeatable Captchas and security measures

Post by xptoast »

Erik Frèrejean wrote:
xptoast wrote:That said, the "Dracon Flash CAPTCHA" is so annoying that I most likely wouldn't bother to register on a site using that. Anti-spam measures that are annoying to solve for a human will only scare away users.
It is one of the least annoying captchas I have ever seen. The breakability factor comes with ability to compute complex things. OCR is only able to compute so much. Both moving captchas I listed are developed in a way that it makes OCR not so usable for cracking. Both have been tested against OCR attacks.
Cpt. Blackbeard
Registered User
Posts: 443
Joined: Sat Oct 31, 2009 4:39 am
Location: USA
Contact:

Re: Undefeatable Captchas and security measures

Post by Cpt. Blackbeard »

The built in Q&A CAPTCHA here is the least annoying and most effective, I used to get hammered by Russian spammers but one little question has stopped them completely, nothing else is needed.
xptoast
Registered User
Posts: 66
Joined: Fri Apr 20, 2012 8:39 pm

Re: Undefeatable Captchas and security measures

Post by xptoast »

Cpt. Blackbeard wrote:The built in Q&A CAPTCHA here is the least annoying and most effective, I used to get hammered by Russian spammers but one little question has stopped them completely, nothing else is needed.
I'm definitely going to be trying it.
jasonling
Registered User
Posts: 1
Joined: Mon Jul 16, 2012 6:46 am

Re: Undefeatable Captchas and security measures

Post by jasonling »

No such thing as undefeatable captchas unfortunately. You can just pay people a few cents to bypass each one...

But this one is pretty interesting and being used by Mediawiki:

http://research.microsoft.com/en-us/um/ ... ts/asirra/

Uses petfinder photos and asks the user to choose those of cats only.
EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Re: Undefeatable Captchas and security measures

Post by EXreaction »

Captchas that rely on Flash should not be used. It requires third party software to work that the user may or may not have installed or enabled (there are good reasons to not install flash). There are also quite a few people who browse the web using tools that do not support Flash in any form.
T0ny
Registered User
Posts: 1383
Joined: Sun Jan 29, 2006 8:42 pm
Location: Lancashire
Name: Tony

Re: Undefeatable Captchas and security measures

Post by T0ny »

xptoast wrote:The breakability factor comes with ability to compute complex things. OCR is only able to compute so much. Both moving captchas I listed are developed in a way that it makes OCR not so usable for cracking. Both have been tested against OCR attacks.
The dracon one doesn't require OCR. The 5 character code is passed to the SWF file in the HTML. Admittedly it's encrypted, but the decryption key is contained in the SWF file (in the free version it's the same key for everyone)
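An added example, not part of the thread or of phpBB's own code, covering both the point in the post above (a code sent to the browser is readable there even when encrypted) and the "type in the uppercase letters" question suggested earlier in the thread: the expected answer stays on the server and the browser receives only an opaque id and the question. The `ChallengeStore` class, the 10-minute lifetime and the generated string format are assumptions; generating a fresh string per request goes beyond the fixed question in the thread.

```python
import hmac
import secrets
import string
import time

CHALLENGE_TTL = 600  # seconds a challenge stays valid (assumed value)

def uppercase_answer(text: str) -> str:
    """Expected answer for 'type in the uppercase letters of <text>'."""
    return "".join(c for c in text if c.isupper())

class ChallengeStore:
    """Keeps expected answers server-side, keyed by a random id."""

    def __init__(self, clock=time.time):
        self._pending = {}   # id -> (expected answer, expiry time)
        self._clock = clock

    def issue(self):
        # Fresh random string per request: 6 lowercase/digit, 3 uppercase.
        chars = [secrets.choice(string.ascii_lowercase + string.digits)
                 for _ in range(6)]
        chars += [secrets.choice(string.ascii_uppercase) for _ in range(3)]
        secrets.SystemRandom().shuffle(chars)
        text = "".join(chars)
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (uppercase_answer(text),
                              self._clock() + CHALLENGE_TTL)
        # Only the id and the question go to the browser, never the answer.
        return cid, f"Type in the uppercase letters of {text}"

    def verify(self, cid: str, response: str) -> bool:
        # pop() makes each challenge single-use, so a solved id cannot be
        # replayed and a wrong guess cannot be retried on the same string.
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False
        answer, expires = entry
        if self._clock() > expires:
            return False
        return hmac.compare_digest(answer.encode(),
                                   response.strip().encode())
```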
EXreaction
Former Team Member
Posts: 5666
Joined: Sun Aug 21, 2005 9:31 pm
Location: Wisconsin, U.S.
Name: Nathan

Re: Undefeatable Captchas and security measures

Post by EXreaction »

Also, moving captchas are not really much more difficult to compute using an OCR than a static image. All you would need to do is take multiple still frames from the output and run them all through an OCR to try and get a string that works on all the stills (I would actually think that you could get higher accuracy matching the original string with an OCR from having multiple frames like this)
mroyer
Registered User
Posts: 0
Joined: Sat Aug 04, 2012 5:00 pm

Re: Undefeatable Captchas and security measures

Post by mroyer »

Lumpy Burgertushie wrote: 1. a good, non googleable Q&A ...
robert
So, is a question like this a "good" question? ... or will the spambots figure out somehow which word to use.

Type (or copy-n-paste) this word in the entry box to the right: arbitraryword

-Mark R.