CAPTCHA useless?

[Razyel]

I hope i found the right forum.

It seems, that the CAPTCHA is total usless. The bots can read them or use a bug in the system (even the GD CAPTCHA). I have some registration in my forum by spam bots. Because I set the account activation by user (E-Mail) the spam accounts are not activ. But it seems that a new bot can do this too.

I install the mod "Anti-Bot Question", which solved my problem.

Maybe it is a good idea to change the CAPTCHA-Code to a new System.

(And sorry for my bad english)

[stevemaury]

Yes, the GD CAPTCHA has been solved by some bots.

[Techie-Micheal]

I wouldn't call it useless though. There are some options you can change from the default to make it harder for bots, and 3.0.5 will see an option that will hopefully make it more difficult.

[Kim_Possible]

I agree. After making just a few tweaks to the CAPTCHA settings, the number of bots successfully registering dwindled to a handful a day (still feels like a lot). From the looks of it, GD CAPTCHA is still stopping about 85% of the automated registration attempts at the boards I help out with.

[Razyel]

I think the numbers of this "advanced" spambots will increase very fast. When 3.0.5 will release, i think that the bot programmers will find ways to read the new captcha.

The problem is, that every phpbb3-board will use exact the same routines, so when a bot-programmer solved the captcha-system, it will work on every board.

Maybe it is a good idea to add a second system. The mod "Anti-Bot Question" has a good idea, because every administrator must set own question and anwsers. So a bot can not handle this thing.
The important thing is, that no default question and answers will be added with the release, only the possibilities to add some questions with multiply answert (for example, the question "How many person play in a soccer team?" has this answers on a german/english board: "11","twelve","elf"). Optional case-sesitive checks would be nice (Type "hello" with the L in upper case).

[Kellanved]

Question&Answer Captchas are very problematic for a number of reasons. They pose an issue to internationalization and are usually very easy for bots to answer by asking google - few questions meet the requirement of having exactly one correct answer.
The sad fact is: if we add Q&A as a mechanism, then it will become very hard for admins to come up with questions that work.

3.2 will have a VC plugin system that allows the easy addition of new approaches.

[Kim_Possible]

Maybe it is a good idea to add a second system.

As has been said many times before in topics like this . . . any anti-bot approach that is standard in phpBB won't last very long. The trick is (and always has been) to make your registration process as unique as possible (bot questions, visual CAPTHCA tweaks, changing the registration process to make it unique, etc.)

[Eelke]

It is a Catch 22. Whenever phpBB centrally does something to address the spam problem, the approach will be automatically be adopted by hundreds, if not thousands of boards, and it becomes extremely lucrative for spammers to figure out a way to crack the new approach. The only area where I think the phpBB project might be able to do something centrally is by opening up the CAPTCHA system with plugins, much like the control panel modules. That way, people will be able to more easily add their own mechanisms, which might result in such a wide spread spectrum of solutions, that no one specific approach is the prime contender for spammers to target their efforts on.

[Dog Cow]

There are some options you can change from the default to make it harder for bots, and 3.0.5 will see an option that will hopefully make it more difficult.

... difficult for blind people...

Question&Answer Captchas are very problematic for a number of reasons. They pose an issue to internationalization and are usually very easy for bots to answer by asking google - few questions meet the requirement of having exactly one correct answer.
The sad fact is: if we add Q&A as a mechanism, then it will become very hard for admins to come up with questions that work.

And don't make them math questions, either. I see these on too many sites and they are far too easy to parse and evaluate. Don't forget that computers were invented to perform calculations. The fact that some people think that math equations will stump bots is just unbelievable.

[rockeiro]

I couldn't agree more that a plug-in type captcha is the best solution for any number of reason already previously stated in this thread and to off-load the responsibility for maintaining a secure registration system to the user.

Version 2 phpBB:
So go to http://www.captcha.net/ and load in their plug-in so you can run captchas from their site: http://recaptcha.net/plugins/phpbb/ . Problem now solved.

Version 3 phpBB:
Here's a "BETA": http://startrekguide.com/community/view ... 127&t=9549

PS: also see: http://www.phpbb.com/community/viewtopi ... 6&t=588059

[Techie-Micheal]

There are some options you can change from the default to make it harder for bots, and 3.0.5 will see an option that will hopefully make it more difficult.

... difficult for blind people...

Yes, but that's always been the problem, so that's nothing new.

Question&Answer Captchas are very problematic for a number of reasons. They pose an issue to internationalization and are usually very easy for bots to answer by asking google - few questions meet the requirement of having exactly one correct answer.
The sad fact is: if we add Q&A as a mechanism, then it will become very hard for admins to come up with questions that work.

And don't make them math questions, either. I see these on too many sites and they are far too easy to parse and evaluate. Don't forget that computers were invented to perform calculations. The fact that some people think that math equations will stump bots is just unbelievable.

The Q&A/math is just ridiculous, as I have shown in the past, bots can easily take the first answer from Google, put it in, and get by. Same with math, if the bot doesn't have math capabilities already ...

[Dogs and things]

Maybe it is a good idea to change the CAPTCHA-Code to a new System.

A custom question is enough, you don't need the captcha anymore, de-activate it and forget about it, nothing bad will happen.

[Eelke]

For individual boards, that would otherwise not be interesting enough to target specifically, yes. I am using it very effectively. For the phpBB project: no (I'm sure you meant that, just clearifying).

[Dogs and things]

Yes,

I was talking about individual boards, not the phpBB project as a whole.

Although I do have my doubts about the use of Captcha in general, so far it seems spambots are focussing on breaking Captchas, and succeeding. Even the more sophisticated Captchas seem to be broken sooner or later and I see that Captchas are getting more and more complicated for the human eye to read. I find myself with Captchas that require several tries (3, 4 or even 5 times) before I guess right.

I believe that a simple text field with an Admin configurable value is much easier for humans and much more difficult for bots whereas Captcha is exactly the other way round.

[Eelke]

I too think visual CAPTCHAs are ultimately a dead end. The human eye has its limitations, and I think ultimately, technology can exceed those limitations.