CAPTCHA useless?

Post by Razyel » Sun Mar 15, 2009 10:42 pm

I hope I found the right forum.

It seems that the CAPTCHA is totally useless. The bots can read them or use a bug in the system (even the GD CAPTCHA). I have had some registrations in my forum by spam bots. Because I set account activation by user (e-mail), the spam accounts are not active. But it seems that a new bot can do this too.

I installed the mod "Anti-Bot Question", which solved my problem.

Maybe it is a good idea to change the CAPTCHA code to a new system.

(And sorry for my bad English)

Post by stevemaury » Sun Mar 15, 2009 10:46 pm

Yes, the GD CAPTCHA has been solved by some bots.

Post by Techie-Micheal » Sun Mar 15, 2009 10:54 pm

I wouldn't call it useless though. There are some options you can change from the default to make it harder for bots, and 3.0.5 will see an option that will hopefully make it more difficult.

Post by Kim_Possible » Sun Mar 15, 2009 11:31 pm

I agree. After making just a few tweaks to the CAPTCHA settings, the number of bots successfully registering dwindled to a handful a day (still feels like a lot). From the looks of it, GD CAPTCHA is still stopping about 85% of the automated registration attempts at the boards I help out with.

Post by Razyel » Mon Mar 16, 2009 7:47 am

I think the number of these "advanced" spambots will increase very fast. When 3.0.5 is released, I think that the bot programmers will find ways to read the new CAPTCHA.

The problem is that every phpBB3 board will use exactly the same routines, so when a bot programmer has solved the CAPTCHA system, it will work on every board.

Maybe it is a good idea to add a second system. The mod "Anti-Bot Question" has a good idea, because every administrator must set their own questions and answers. So a bot cannot handle this thing.
The important thing is that no default questions and answers are added with the release, only the possibility to add some questions with multiple answers (for example, the question "How many persons play in a soccer team?" has these answers on a German/English board: "11", "twelve", "elf"). Optional case-sensitive checks would be nice (Type "hello" with the L in upper case).
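
The per-board question check described in the post above, as an added example that is not part of the original post or of the "Anti-Bot Question" mod. The function names, the `$questions` layout and the sample questions are assumptions constructed for illustration; it assumes PHP 7+ with the mbstring extension.

```php
<?php
// Added example: hypothetical names, not phpBB or "Anti-Bot Question" mod code.
// Constructed sample configuration; each board admin defines their own entries.
$questions = [
    'q1' => [
        'text'           => 'How many players does one soccer team field?',
        'answers'        => ['11', 'eleven', 'elf'],
        'case_sensitive' => false,
    ],
    'q2' => [
        'text'           => 'Type "hello" with the L in upper case',
        'answers'        => ['heLLo'],
        'case_sensitive' => true,
    ],
];

// Trim and collapse whitespace; fold case unless the question is case-sensitive.
function normalize_answer(string $input, bool $caseSensitive): string
{
    $collapsed = preg_replace('/\s+/u', ' ', $input);
    if ($collapsed === null) {
        return ''; // invalid UTF-8 in the submission: treated as no answer
    }
    $value = trim($collapsed);
    return $caseSensitive ? $value : mb_strtolower($value, 'UTF-8');
}

// $questionId must come from the server-side session, never from a form field,
// otherwise a bot can choose which question it answers.
function check_answer(array $questions, string $questionId, string $submitted): bool
{
    if (!isset($questions[$questionId])) {
        return false; // unknown or tampered question id
    }
    $q = $questions[$questionId];
    $given = normalize_answer($submitted, $q['case_sensitive']);
    if ($given === '') {
        return false; // empty or undecodable submissions never pass
    }
    foreach ($q['answers'] as $answer) {
        if ($given === normalize_answer((string) $answer, $q['case_sensitive'])) {
            return true;
        }
    }
    return false;
}

// Constructed sample submissions: padded/upper-cased answer, wrong case, exact case.
var_dump(check_answer($questions, 'q1', ' ELF '));
var_dump(check_answer($questions, 'q2', 'hello'));
var_dump(check_answer($questions, 'q2', 'heLLo'));
```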

Post by Kellanved » Mon Mar 16, 2009 8:38 am

Question&Answer Captchas are very problematic for a number of reasons. They pose an issue to internationalization and are usually very easy for bots to answer by asking Google - few questions meet the requirement of having exactly one correct answer.
The sad fact is: if we add Q&A as a mechanism, then it will become very hard for admins to come up with questions that work.

3.2 will have a VC plugin system that allows the easy addition of new approaches.

Post by Kim_Possible » Mon Mar 16, 2009 12:40 pm

Razyel wrote: Maybe it is a good idea to add a second system.
As has been said many times before in topics like this . . . any anti-bot approach that is standard in phpBB won't last very long. The trick is (and always has been) to make your registration process as unique as possible (bot questions, visual CAPTCHA tweaks, changing the registration process to make it unique, etc.)

Post by Eelke » Tue Mar 17, 2009 9:18 am

It is a Catch-22. Whenever phpBB centrally does something to address the spam problem, the approach will automatically be adopted by hundreds, if not thousands of boards, and it becomes extremely lucrative for spammers to figure out a way to crack the new approach. The only area where I think the phpBB project might be able to do something centrally is by opening up the CAPTCHA system with plugins, much like the control panel modules. That way, people will be able to more easily add their own mechanisms, which might result in such a widespread spectrum of solutions that no one specific approach is the prime contender for spammers to target their efforts on.

Post by Dog Cow » Tue Mar 17, 2009 4:55 pm

Techie-Micheal wrote: There are some options you can change from the default to make it harder for bots, and 3.0.5 will see an option that will hopefully make it more difficult.
... difficult for blind people...
Kellanved wrote: Question&Answer Captchas are very problematic for a number of reasons. They pose an issue to internationalization and are usually very easy for bots to answer by asking Google - few questions meet the requirement of having exactly one correct answer.
The sad fact is: if we add Q&A as a mechanism, then it will become very hard for admins to come up with questions that work.
And don't make them math questions, either. I see these on too many sites and they are far too easy to parse and evaluate. Don't forget that computers were invented to perform calculations. The fact that some people think that math equations will stump bots is just unbelievable. :roll:

Post by rockeiro » Tue Mar 17, 2009 6:40 pm

I couldn't agree more that a plug-in type captcha is the best solution for any number of reasons already previously stated in this thread and to off-load the responsibility for maintaining a secure registration system to the user.

Version 2 phpBB:
So go to http://www.captcha.net/ and load in their plug-in so you can run captchas from their site: http://recaptcha.net/plugins/phpbb/ . Problem now solved.

Version 3 phpBB:
Here's a "BETA": http://startrekguide.com/community/view ... 127&t=9549

PS: also see: http://www.phpbb.com/community/viewtopi ... 6&t=588059

Post by Techie-Micheal » Tue Mar 17, 2009 8:09 pm

Dog Cow wrote:
Techie-Micheal wrote: There are some options you can change from the default to make it harder for bots, and 3.0.5 will see an option that will hopefully make it more difficult.
... difficult for blind people...
Yes, but that's always been the problem, so that's nothing new.
Kellanved wrote: Question&Answer Captchas are very problematic for a number of reasons. They pose an issue to internationalization and are usually very easy for bots to answer by asking Google - few questions meet the requirement of having exactly one correct answer.
The sad fact is: if we add Q&A as a mechanism, then it will become very hard for admins to come up with questions that work.
And don't make them math questions, either. I see these on too many sites and they are far too easy to parse and evaluate. Don't forget that computers were invented to perform calculations. The fact that some people think that math equations will stump bots is just unbelievable. :roll:
The Q&A/math is just ridiculous, as I have shown in the past, bots can easily take the first answer from Google, put it in, and get by. Same with math, if the bot doesn't have math capabilities already ...

Post by Dogs and things » Tue Mar 17, 2009 11:35 pm

Maybe it is a good idea to change the CAPTCHA-Code to a new System.
A custom question is enough, you don't need the captcha anymore, de-activate it and forget about it, nothing bad will happen.

Post by Eelke » Wed Mar 18, 2009 7:48 am

For individual boards that would otherwise not be interesting enough to target specifically, yes. I am using it very effectively. For the phpBB project: no :) (I'm sure you meant that, just clarifying).

Post by Dogs and things » Wed Mar 18, 2009 8:36 am

Yes,

I was talking about individual boards, not the phpBB project as a whole.

Although I do have my doubts about the use of Captcha in general, so far it seems spambots are focussing on breaking Captchas, and succeeding. Even the more sophisticated Captchas seem to be broken sooner or later and I see that Captchas are getting more and more complicated for the human eye to read. I find myself with Captchas that require several tries (3, 4 or even 5 times) before I guess right.

I believe that a simple text field with an Admin configurable value is much easier for humans and much more difficult for bots whereas Captcha is exactly the other way round.

Post by Eelke » Wed Mar 18, 2009 9:57 am

I too think visual CAPTCHAs are ultimately a dead end. The human eye has its limitations, and I think ultimately, technology can exceed those limitations.
