3.0.2 captcha may have been broken

reptileguy
Registered User
Posts: 146
Joined: Thu Jan 31, 2008 3:54 pm
Location: The Netherlands

3.0.2 captcha may have been broken

Post by reptileguy » Tue Sep 30, 2008 12:24 pm

Hi all,
My forum has a newly registered user that may be a spambot.
username: JellyDreamas
E-mail: marina.wonders@gmail.com
IP-address: 85.140.222.225
This is either a spambot that has broken the standard captcha, or a very social person who likes to be a member of thousands of forums. :D
I have deleted the account, and changed the captcha settings to make it harder.

ric323
Former Team Member
Posts: 22909
Joined: Tue Feb 06, 2007 12:33 am
Location: Melbourne, Australia
Name: Ric

Re: 3.0.2 captcha may have been broken

Post by ric323 » Tue Sep 30, 2008 12:26 pm

What settings were you using initially?

reptileguy
Registered User
Posts: 146
Joined: Thu Jan 31, 2008 3:54 pm
Location: The Netherlands

Re: 3.0.2 captcha may have been broken

Post by reptileguy » Tue Sep 30, 2008 12:33 pm

Default settings:
GD captcha: yes
GD captcha foreground noise: no
GD CAPTCHA background noise x-axis: 25
GD CAPTCHA background noise y-axis: 25

ChrisRLG
Former Team Member
Posts: 3420
Joined: Wed Nov 24, 2004 3:18 pm
Location: Essex, UK

Re: 3.0.2 captcha may have been broken

Post by ChrisRLG » Tue Sep 30, 2008 12:48 pm

I would add a very simple custom profile field - with a default that is also not valid.

Such as "2 + 4 =" with a default of 5 and anything other than 6 rejected.

Try to make it unique to your forum. (like say how many legs does a turtle have) :)

thecoalman
Community Team Member
Posts: 3255
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: 3.0.2 captcha may have been broken

Post by thecoalman » Tue Sep 30, 2008 12:53 pm

reptileguy wrote: This is either a spambot that has broken the standard captcha, or a very social person who likes to be a member of thousands of forums. :D
Or possibly a spambot that gained entry through a human breaking the captcha.

http://www.pubcon.com/redirect.cgi?f=9& ... ty/?p=1835

reptileguy
Registered User
Posts: 146
Joined: Thu Jan 31, 2008 3:54 pm
Location: The Netherlands

Re: 3.0.2 captcha may have been broken

Post by reptileguy » Tue Sep 30, 2008 1:07 pm

Ouch! I didn't know that people were making a business out of reading captchas :x

Adding a custom profile field is a good idea. I'll do that if I get more spambot registrations.

Brf
Support Team Member
Posts: 51758
Joined: Tue May 10, 2005 7:47 pm

Re: 3.0.2 captcha may have been broken

Post by Brf » Tue Sep 30, 2008 1:25 pm

reptileguy wrote: IP-address: 85.140.222.225
IIRC, that is one of the WOWspammer addresses.
I used a custom profile field, much like ChrisRLG's suggestion, to eliminate those completely on my forum.
In my case I used a dropdown-box with a required field, so choosing anything but the blank default is accepted.

Severus Snape
Registered User
Posts: 42
Joined: Fri Mar 07, 2008 2:23 am

Re: 3.0.2 captcha may have been broken

Post by Severus Snape » Tue Sep 30, 2008 2:22 pm

Brf wrote: I used a custom profile field, much like ChrisRLG's suggestion, to eliminate those completely on my forum.
In my case I used a dropdown-box with a required field, so choosing anything but the blank default is accepted.
Would you mind explaining, or directing me to some information that explains how to do that? I did search the support forums before asking, but didn't find the answer. This spam person joined and posted on my forum yesterday. I banned by IP.

Brf
Support Team Member
Posts: 51758
Joined: Tue May 10, 2005 7:47 pm

Re: 3.0.2 captcha may have been broken

Post by Brf » Tue Sep 30, 2008 2:37 pm

Go to Users & Groups / Custom profile Fields
Create a new profile field of type "dropdown"
Set Display to No
Set required to Yes
In the Entries box make the first line "--" and put whatever you want as the other choices
Set default to "--"
"Option = to non-entered" to "--"

Save and you are done.

ChrisRLG
Former Team Member
Posts: 3420
Joined: Wed Nov 24, 2004 3:18 pm
Location: Essex, UK

Re: 3.0.2 captcha may have been broken

Post by ChrisRLG » Tue Sep 30, 2008 3:32 pm

Using the drop down box, you effectively have only two choices - one good and one rejected (which is the default).

If you use the numbers format for the custom field you can set lots of answers with just a single one valid.

EG

1, 2, 3, 4, 5

pick the middle number - default to one of the others - say 5, and set the smallest and largest number valid numbers to both be 3.

Don't use that example, but use that method. Make all forums different, such that it is not possible for BOT authors to code for it.
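The two custom-profile-field checks described in this thread, Brf's required dropdown whose "--" default is rejected and ChrisRLG's number field with the smallest and largest valid number both set to the one correct answer, modelled as an added Python example. This is not phpBB's own validation code; the field names and the sample submissions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the custom-profile-field setups discussed above.
# Not phpBB code: field names and entries here are made up.

@dataclass
class DropdownField:
    """Required dropdown whose first entry ("--") is also the default, so an
    untouched form (what a bot typically submits) counts as 'not entered'."""
    name: str
    entries: list
    default: str = "--"

    def check(self, value: Optional[str]) -> Optional[str]:
        if value is None or value == self.default:
            return f"{self.name}: required field left at default"
        if value not in self.entries:
            return f"{self.name}: not one of the offered entries"
        return None

@dataclass
class NumberField:
    """Number field where smallest == largest == the single valid answer and the
    default is one of the other numbers; only a reader of the question passes."""
    name: str
    smallest: int
    largest: int
    default: int

    def check(self, value) -> Optional[str]:
        try:
            n = int(value)
        except (TypeError, ValueError):
            return f"{self.name}: not a number"
        if not self.smallest <= n <= self.largest:
            return f"{self.name}: {n} is not the accepted answer"
        return None

def validate_registration(fields, submitted: dict) -> list:
    """Return all validation errors; an empty list means the registration passes."""
    return [e for f in fields if (e := f.check(submitted.get(f.name))) is not None]

# Brf's setup: "--" first and default, required. ChrisRLG's setup: options 1..5,
# "pick the middle number", default 5, smallest and largest valid both 3.
TURTLE_LEGS = DropdownField("turtle_legs", ["--", "2", "4", "6", "8"])
MIDDLE_NUMBER = NumberField("middle_number", smallest=3, largest=3, default=5)
FIELDS = [TURTLE_LEGS, MIDDLE_NUMBER]

def bot_submission() -> dict:
    """A bot that posts the form with every field left at its default value."""
    return {f.name: f.default for f in FIELDS}
```

`validate_registration(FIELDS, bot_submission())` returns one error per field, while a submission of `{"turtle_legs": "4", "middle_number": "3"}` returns an empty list.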

Severus Snape
Registered User
Posts: 42
Joined: Fri Mar 07, 2008 2:23 am

Re: 3.0.2 captcha may have been broken

Post by Severus Snape » Tue Sep 30, 2008 10:32 pm

Thanks very much!

kipin
Registered User
Posts: 50
Joined: Tue Feb 12, 2008 9:14 pm

Re: 3.0.2 captcha may have been broken

Post by kipin » Wed Oct 01, 2008 2:15 am

Captcha has definitely been broken... And if it hasn't been, it will be.

Google, yahoo, hotmail have all had their captcha system broken within the last few months, and the entire idea of using captcha to keep robots from signing up is invalidated. Now I'll admit that there is a lot more money in breaking the captcha system of one of the 3 major email providers, but it's only a matter of time until the entire captcha system as we know it is broken.

In the last couple of weeks I have noticed at least 3 spam bots that post a thread with links to some spam promotion in the highest volume forum.

Thanks for the custom profile suggestion, hopefully that can hold the bots back. ;)

thecoalman
Community Team Member
Posts: 3255
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: 3.0.2 captcha may have been broken

Post by thecoalman » Wed Oct 01, 2008 2:34 am

reptileguy wrote:Ouch! I didn't know that people were making a business out of reading captchas :x.
It's not something completely new; some sites, for example, would offer "services" like free porn for breaking captchas. The user wouldn't even be aware of it. The "bad site" would serve the captcha image to the user through their own pages. User enters captcha and gets download etc. If this grows as an industry many captchas, even the harder question captchas, are going to be vulnerable. It is on a whole other level as they have dedicated people doing it.

I'd also agree with the previous post about the image captcha being dead; some of them are completely illegible now. I might have to go through two or three before finding a suitable one I can solve... "Is that O or D ???" I saw some examples from a University here in the U.S. where the bot was having a 33% success rate on images that I was having trouble reading, and that was a few years ago. That type of technology is most likely making its way into the hands of the spammers now.

About the only step that is left that I can see to improve the image captcha is to combine different types. For example, phpBB's is hard, but all the images follow the same basic design. If you had a few different types intermingled it might slow them down some.

spearfish
Registered User
Posts: 93
Joined: Sun May 25, 2008 4:14 am
Location: New York, USA baby

Re: 3.0.2 captcha may have been broken

Post by spearfish » Wed Oct 01, 2008 2:47 am

First, did nobody read the link thecoalman posted?

CAPTCHAs are simply cat-and-mouse. I mean, I imagine that there was a time when simply putting numbers into an image was good enough (something I could whip together in 5 minutes). Undoubtedly, the spammers will catch up to the CAPTCHA guys. Security professionals vs. hackers. Cryptologists vs. cryptanalysts. So it really goes without saying that "it will be" broken.

At the same time, this is a very strong CAPTCHA. By making the letters 3D, it almost completely counters bots that can only read 2D objects. Humans, however, can read 3D very easily. Just like the battle raged on the 2D plane, I suspect that 3D will become the new standard and that we'll fight on that for a bit.

But I also think that the days of CAPTCHAs are numbered. That is, the days of CAPTCHAs being the sole line of defense for forums. Eventually, the strongest possible CAPTCHA will be broken. Remember, humans must be able to understand the CAPTCHA too. If a bot can't read it, but neither can your users, it's worthless. And screen reading technology will eventually catch up to the human eye. Sorry, but we as a species aren't evolving as fast as our lovely creations.

Let me digress. Remember in elementary school, when somebody would encrypt a message by changing all of the "A"s to "B"s, and the "B"s to "C"s, etc.? This is called the "Caesar Shift", probably because a Roman Emperor came up with this idea. But let's say the United States needs to send a message to its troops in Iraq. Are we going to use the Caesar Shift to protect the data that's protecting our soldiers' lives? Probably not (and no, the Pigpen Cipher won't work either).

I consider the CAPTCHA to be the equivalent of the Caesar Shift. We're sort of at the, "Hey, what if I shift the letters forward by two or three instead of by one?" stage. The CAPTCHA will, eventually, be broken and will only be useful for stopping script kiddies, not anybody serious. So what is there to do? Make a defense system that evolves. And make it self evolving. The spammers will come out with their own self evolving script. Ours needs to be better. Then they improve theirs. Et cetera.

I predict that this will be in long-ish cycles. Security comes out with something great (the CAPTCHA? Or in encryption's sense, RSA), and spammers are silenced for awhile. Then they come out with something better. And they win for awhile (underpaid-overworked-professional CAPTCHA solvers? OCR?). Back and forth, back and forth.

I'm not saying that CAPTCHAs are worthless. I'm just saying that it's not a smart idea to place your entire stock in them. Simple Machines has three strong anti-bot mods available at the click of a button to its users. I think phpBB should pony up and do the same. Running a check with stopforumspam.com might be useful too. I'd also suggest placing minimum post limits (or minimum verified post counts for posting a link), or running the contents of a post up against a check for users not yet proven to be human. Whatever. Just don't rely completely on CAPTCHAs.

Just my opinion ;)

Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Re: 3.0.2 captcha may have been broken

Post by Kellanved » Wed Oct 01, 2008 12:28 pm

Two of those MODs are actually very weak, one is a ported phpBB mod.

phpBB3 does a lot against spammers; we recently introduced the moderation queue for new users; custom profile fields and easy banning of users are other tools. We have a powerful CAPTCHA plugin system ready for 3.2 and and and ;)
