Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

COD3M4ST3R-X
Registered User
Posts: 2269
Joined: Sat Aug 02, 2008 5:47 am
Location: Lahore,Pakistan

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by COD3M4ST3R-X »

Eelke wrote: I personally doubt it would get used a lot. CAPTCHAs are a necessary evil and inherently user unfriendly. Why would you want to bother your users not once but twice? Concentrate on getting one good CAPTCHA, instead of several bad ones.
Yes, they are unfriendly, but my point was that since the Q&A CAPTCHA is similar to what we recall as Custom Profile Fields, it won't be hard for people to answer a simple question. :)
Edit: Unless people ask a really simple one :lol:
So, even if they are able to break the first one, they are caught again on the second one.
“Need and struggle are what excite and inspire us.”

Eelke
QA Team
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok
Contact:

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by Eelke »

Q&A is not about being hard to break on an individual forum. It is about being hard to break in a generic way for every forum that uses it. I currently use nothing but a Q&A CAPTCHA and I don't get any spam registrations.

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve
Contact:

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by Pony99CA »

Eelke wrote: Q&A is not about being hard to break on an individual forum. It is about being hard to break in a generic way for every forum that uses it. I currently use nothing but a Q&A CAPTCHA and I don't get any spam registrations.
I use a Q&A custom profile field and no longer get any spam registrations. However, that would be pretty easy to break across forums -- just select the non-default option for any custom profile field.

That's one reason it would be nice to have a custom profile field where you could have multiple bad answers and only one good one ("Are you a spammer?" "Yes", "Of course", "No", "You got me", etc.). Using multiple answers in the current system makes it easier to break. (I suppose this may be moot once the Q&A CAPTCHA is made into a plug-in.)

I assume the Q&A CAPTCHA is multiple choice to avoid this and the correct answer is positioned randomly. Plus, even if spammers break it for a popular forum, the admin can just change the questions.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by Kellanved »

Pony99CA wrote:
I assume the Q&A CAPTCHA is multiple choice to avoid this and the correct answer is positioned randomly. Plus, even if spammers break it for a popular forum, the admin can just change the questions.

Steve
No, it uses a text field. The problem with multiple choice is that the 25% random chance a four-answer select would yield is plenty for a brute force registration attempt; moreover the bots could build a database with the answers. Multiple Choice wouldn't work, were it part of the default package - as Q&A now is.

~H
Nocando is in Idontwanna county. No support via PM

Eelke
QA Team
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok
Contact:

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by Eelke »

Indeed. I use free text (and I don't use a custom profile field, because I don't like the way this is presented to the user; I use a MOD currently, which allows me to properly explain to the user that they are answering a question, what the point of it is and how they can find the answer if they don't know). For people interested in becoming a member, finding the answer is literally a matter of seconds (it helps that my site is in Dutch, while most spammers are international and wouldn't understand the instructions to find the answer, should they consider registering manually). The answer is processed in a case-insensitive way and whitespace is trimmed, but other than that you have to give a single word with a specific spelling (the name of our club magazine - with a link provided to the membership benefits, where it is mentioned; it's not intended as some silly check to see if the person is a member).

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve
Contact:

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by Pony99CA »

Kellanved wrote:
Pony99CA wrote:
I assume the Q&A CAPTCHA is multiple choice to avoid this and the correct answer is positioned randomly. Plus, even if spammers break it for a popular forum, the admin can just change the questions.
No, it uses a text field.
OK, so I assume there's a randomly generated question and some way to find the answer (if the answer isn't obvious, like "What is 5 times 4?").
Kellanved wrote: The problem with multiple choice is that the 25% random chance a four-answer select would yield is plenty for a brute force registration attempt; moreover the bots could build a database with the answers.
That all makes sense in some ways, but my experience is counter to that.

First, my custom profile question (basically, "Are you a spammer?") has stopped all spam registrations (and, yes, registration does work :)). That has a 50% chance if you guess and a 100% chance if you use the "Choose the non-default answer" strategy, but it works.

Second, how can bots build a database if the admin creates the questions and answers? Each board would have a different set of questions. Does the Q&A mod use some other way to generate the questions (random math problems, for example)? And, even if it does, if the answers are constrained to a small range (integers 1-100, say), that's basically multiple choice anyway. ;)

The key is to have the chance of success per guess and the number of registration attempts allowed be low enough to make bot success unlikely (say 5% or less). Having a 1 in 50 chance (for example, "Lansing is the capital of what state?" for U.S. boards) with multiple choice and three registration attempts comes close to that goal (5.8808%).
Kellanved wrote: Multiple Choice wouldn't work, were it part of the default package - as Q&A now is.
I'm not sure what that means. Is Q&A part of phpBB already (or will it be in 3.0.6)?

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

onehundredandtwo
Registered User
Posts: 1228
Joined: Fri Nov 14, 2008 8:07 am

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by onehundredandtwo »

Q&A is the same as Anti-Bot Question except that you can define a number of questions that will be randomly picked (yes, similar to vBulletin).

At the moment you can have Custom Profile Fields, but they don't allow validation of text fields, only radio and drop-down fields. So for the "Are you a bot?" question, you could use a drop-down or radio field, but in the Q&A CAPTCHA you will be able to type in Yes or No.
Need help preventing spam? Read Preventing spam in phpBB 3.0.6 and above

Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by Kellanved »

Pony99CA wrote: That all makes sense in some ways, but my experience is counter to that.

First, my custom profile question (basically, "Are you a spammer?") has stopped all spam registrations (and, yes, registration does work :)). That has a 50% chance if you guess and a 100% chance if you use the "Choose the non-default answer" strategy, but it works.
The experiences of individual board admins and board software vendors are naturally different. You can use a drop-down; it works purely because the bot software author never bothered with implementing a brute force attack using that field - why should he for just one board?
Second, how can bots build a database if the admin creates the questions and answers? Each board would have a different set of questions. Does the Q&A mod use some other way to generate the questions (random math problems, for example)? And, even if it does, if the answers are constrained to a small range (integers 1-100, say), that's basically multiple choice anyway. ;)
The number of questions and answers on any board is finite. Given the possible answers, the bot will weed out the answer for every single question by brute force. After he has the answers, he will register dozens of sleeper accounts to keep your board spammed, even if you change the questions.
The key is to have the chance of success per guess and the number of registration attempts allowed be low enough to make bot success unlikely (say 5% or less). Having a 1 in 50 chance (for example, "Lansing is the capital of what state?" for U.S. boards) with multiple choice and three registration attempts comes close to that goal (5.8808%).
If you have finite questions and given answers, the probability of a bot solving the question over time approaches 1. Brute force with a database.
Kellanved wrote: Multiple Choice wouldn't work, were it part of the default package - as Q&A now is.
I'm not sure what that means. Is Q&A part of phpBB already (or will it be in 3.0.6)?
There's a tour about the supplied plugins in the blog post ;)

Cheers,
~H
Nocando is in Idontwanna county. No support via PM

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve
Contact:

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by Pony99CA »

Kellanved wrote:
Pony99CA wrote: That all makes sense in some ways, but my experience is counter to that.

First, my custom profile question (basically, "Are you a spammer?") has stopped all spam registrations (and, yes, registration does work :)). That has a 50% chance if you guess and a 100% chance if you use the "Choose the non-default answer" strategy, but it works.
The experiences of individual board admins and board software vendors are naturally different. You can use a drop-down; it works purely because the bot software author never bothered with implementing a brute force attack using that field - why should he for just one board?
Exactly, why would they for just one board.

However, the "select the non-default option" strategy would probably work across boards. To fix that, board admins would need at least two custom profile questions, one set to the wrong answer and one set to the right answer.
Kellanved wrote:
Second, how can bots build a database if the admin creates the questions and answers? Each board would have a different set of questions. Does the Q&A mod use some other way to generate the questions (random math problems, for example)? And, even if it does, if the answers are constrained to a small range (integers 1-100, say), that's basically multiple choice anyway. ;)
The number of questions and answers on any board is finite. Given the possible answers, the bot will weed out the answer for every single question by brute force. After he has the answers, he will register dozens of sleeper accounts to keep your board spammed, even if you change the questions.
True, but that contradicts your first point. Why would a bot do this for just one board? Will the bot build a database of questions for every board on the Internet?

And while it's true that the number of questions a board can hold is obviously finite (because its storage is finite), the number of questions across boards that a bot would need a database for can get very large.

That goes back to my previous comment that "time has no meaning" for a bot master. The question becomes how robust does somebody make a bot? Does he make a bot that will bother to brute force thousands of times, or does the bot master make the bots give up after a few times and move on to their next target? I think the whole point of CAPTCHAs is that most will do the latter.

As for registering sleeper accounts, I've seen what seems to be that behavior. However, if you keep on top of new registrations and check them for spamminess (what time zone are they from, does their E-mail address look real, is the E-mail domain registered to spammers, etc.), you can delete those.

Obviously, that's simple for a small forum like mine, but more difficult for a large, very popular forum. I once spent 2-3 months clearing out 600+ spam accounts on a board that I was an admin on after I hadn't been able to participate much for several months. (I think I might have been the only admin to worry about spam registrations.) That board had maybe 1200-2000 valid users.
Kellanved wrote:
The key is to have the chance of success per guess and the number of registration attempts allowed be low enough to make bot success unlikely (say 5% or less). Having a 1 in 50 chance (for example, "Lansing is the capital of what state?" for U.S. boards) with multiple choice and three registration attempts comes close to that goal (5.8808%).
If you have finite questions and given answers, the probability of a bot solving the question over time approaches 1. Brute force with a database.
Again, how much time is a bot going to spend at a given board before it moves on to a new target?

Of course, even if a bot only has a 1% chance of getting a question right, just randomly guessing will probably get you in after 50-100 attempts no matter how big the database of questions is. There's probably no need to build a database of questions and tried answers.

The question is whether bots are smart enough to recognize that a board is using multiple choice or not. Given that my board has not gotten a spam registration in months, I'm guessing they aren't -- yet. (And, if you look at my list of banned domains, you'll see I was a target for bots in the past, so I assume that bots are still visiting. Most of those domains were from spam registrations on my board; a few were from spam registrations on the vBulletin board I helped to admin.)

By the way, checking up on what bots are trying to register is one reason I wish there was a guest log. ;)
Kellanved wrote:
Kellanved wrote: Multiple Choice wouldn't work, were it part of the default package - as Q&A now is.
I'm not sure what that means. Is Q&A part of phpBB already (or will it be in 3.0.6)?
There's a tour about the supplied plugins in the blog post ;)
So there isn't Q&A in 3.0.5 and I wasn't missing anything. Thanks for clarifying that.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by Kellanved »

Pony99CA wrote:
True, but that contradicts your first point. Why would a bot do this for just one board? Will the bot build a database of questions for every board on the Internet?
Not at all. Assume 10 questions, with - let's be generous - 10 options each. For the first question the bot has a 0.1 chance of getting the right answer. For the next attempt, he has a 0.1 chance to get the same question with 1/9 chance of solving that one (using the stored wrong answer from the step before) and a 0.1 chance for every other question. As you can see, the probability quickly shifts in the bot's favor.

Naturally, no bot author will implement such an attack for just one board. But if multiple choice were the standard anti-bot or even just used by a significant percentage of boards, you could rest assured that they would do it.
Nocando is in Idontwanna county. No support via PM
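The two probability arguments in this thread (Pony99CA's "1 in 50 with three attempts is 5.8808%" and Kellanved's "10 questions, 10 options, the bot remembers its wrong answers") can be put to numbers so a board admin can size a question pool and a failed-registration limit against them. The script below is an added example written for this discussion; it is not code from the thread or from phpBB. It assumes, as Kellanved's description does, that each registration attempt shows one question drawn uniformly at random and that the bot keeps a per-question list of options it has already ruled out; the function and variable names are my own.

```python
from collections import defaultdict
from fractions import Fraction
import math


def random_guess_success(attempts, p_per_guess):
    """Probability that at least one of `attempts` independent guesses succeeds
    when each guess succeeds with probability `p_per_guess` (a memoryless bot)."""
    return 1 - (1 - p_per_guess) ** attempts


def attempts_for_confidence(p_per_guess, confidence):
    """Smallest number of memoryless guesses that reaches `confidence`
    probability of at least one success (1 - (1-p)^n >= confidence)."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - p_per_guess))


def memory_guess_success(n_questions, n_options, attempts):
    """Exact probability that a bot succeeds within `attempts` registration
    attempts against a multiple-choice Q&A with `n_questions` questions of
    `n_options` answers each. Assumed model: the question is drawn uniformly on
    every attempt and the bot remembers each wrong option it tried per question.

    State = number of options already ruled out for each question, kept as a
    sorted tuple because questions are interchangeable; `states` maps a state
    to the probability of being in it with no success so far.
    """
    states = {tuple([0] * n_questions): Fraction(1)}
    solved = Fraction(0)
    for _ in range(attempts):
        next_states = defaultdict(Fraction)
        for state, prob in states.items():
            for i, ruled_out in enumerate(state):
                # Each question is shown with probability 1/n_questions.
                shown = prob * Fraction(1, n_questions)
                remaining = n_options - ruled_out
                # The bot guesses uniformly among the options not yet ruled out.
                solved += shown * Fraction(1, remaining)
                if remaining > 1:
                    failed = list(state)
                    failed[i] = ruled_out + 1
                    next_states[tuple(sorted(failed))] += shown * Fraction(remaining - 1, remaining)
        states = next_states
    return solved


if __name__ == "__main__":
    # Pony99CA's figure: 1 in 50 answers, three registration attempts.
    print(f"1/50, 3 attempts, memoryless: {float(random_guess_success(3, Fraction(1, 50))):.4%}")
    # Kellanved's scenario: 10 questions x 10 options, bot remembers wrong answers.
    for n in (1, 2, 5, 10, 20):
        memoryless = random_guess_success(n, Fraction(1, 10))
        with_memory = memory_guess_success(10, 10, n)
        print(f"10x10, {n:2d} attempts: memoryless {float(memoryless):.3f}, with memory {float(with_memory):.3f}")
    # How many blind 1%-odds guesses until a bot is more likely than not to get in.
    print("1% per guess, 50% confidence:", attempts_for_confidence(0.01, 0.5), "attempts")
```

Run as-is to see both curves side by side. The useful reading for an admin is the gap between the two: with memory the second attempt already succeeds with probability 191/1000 instead of 190/1000, and the gap widens with every further attempt, which is why the failed-registration limit Pony99CA mentions matters at least as much as the number of options per question.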

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve
Contact:

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by Pony99CA »

Kellanved wrote:
Pony99CA wrote:
True, but that contradicts your first point. Why would a bot do this for just one board? Will the bot build a database of questions for every board on the Internet?
Not at all. Assume 10 questions, with - let's be generous - 10 options each. For the first question the bot has a 0.1 chance of getting the right answer. For the next attempt, he has a 0.1 chance to get the same question with 1/9 chance of solving that one (using the stored wrong answer from the step before) and a 0.1 chance for every other question. As you can see, the probability quickly shifts in the bot's favor.
I understand that, which is why I suggested 50 possible answers. :) Also, remember that there's the failed registration limit, which will lock the bot out for a while after enough failed registrations.

I also understand that, given enough time, a bot will break any multiple choice scheme, and even randomly generated questions with a fixed number of possible answers. Fortunately, that doesn't seem to be the case in practice yet.
Kellanved wrote: Naturally, no bot author will implement such an attack for just one board. But if multiple choice were the standard anti-bot or even just used by a significant percentage of boards, you could rest assured that they would do it.
Maybe, but I think you're missing my point. Aren't a lot of boards using custom profile questions now as anti-bot measures? As I mentioned, I have one and haven't seen a false registration in months. So why haven't bot masters programmed their bots to break custom profile fields yet?

Multiple choice Q&A would be harder to break than these simple custom profile fields, so maybe bot masters aren't too worried because there's lower hanging fruit. :)

Don't get me wrong. I think having multiple CAPTCHA possibilities is great, but if a simple custom profile field is keeping my board safe (which isn't a very popular board and yet still got lots of bot registrations in the past), I think multiple choice will be even safer. It's not perfect (what is?), but it may be good enough -- at least for a while.

As an experiment, I just turned visual confirmation off on my board for registrations, but I'm leaving the custom profile question. I'll see if I start to get any bot registrations. If I do, that would prove that the combination was keeping me safe, not just the question. If I don't get any more, that will prove that a simple custom profile question is sufficient (for now) to avoid bots.

I'll post back in a week with the results. (I just wish there was a Guest Log to track these things. ;))

Steve
Last edited by Pony99CA on Thu Sep 03, 2009 12:40 pm, edited 1 time in total.
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

onehundredandtwo
Registered User
Posts: 1228
Joined: Fri Nov 14, 2008 8:07 am

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by onehundredandtwo »

Pony99CA wrote: I'll post back in a week with the results. (I just wish there was a Guest Log to track these things. ;))
Paul wrote something like this - spam registration results. ;)
Need help preventing spam? Read Preventing spam in phpBB 3.0.6 and above

deepkar
Registered User
Posts: 41
Joined: Thu Nov 30, 2006 3:47 am

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by deepkar »

I was just wondering why not give a captcha system that uses custom fonts, where the admin can upload fonts of his/her own choice. To see what I am talking about, please search for "peters custom anti spam" on Google. That is an excellent plugin for WordPress. Sorry, I thought posting URLs in this forum is against policy.

I am just a basic user of phpbb. Please enlighten me if you feel I am wrong somewhere in the way I think of captcha.

Thanks.

Eelke
QA Team
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok
Contact:

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by Eelke »

I'm not sure what you are trying to say with your post...

Why hasn't it been done before? Because the developers have limited time (so they chose to do CAPTCHA methods that either took very little effort - porting the method from phpBB2 - or they felt were most robust and would take the longest to crack) and in the past it has been quite a pain to change the CAPTCHA method; you'd need a full blown MOD to do it.

Now, though, with the new CAPTCHA plugin system, anyone could create what you are suggesting.

Erik Frèrejean
Former Team Member
Posts: 9899
Joined: Tue Oct 09, 2007 9:09 am
Location: The Netherlands, 3.0.x Support Forum
Name: Erik Frèrejean
Contact:

Re: Blog Post Discussion: 3.0.6 CAPTCHA plugins and you

Post by Erik Frèrejean »

deepkar wrote: I was just wondering why not give a captcha system that uses custom fonts, where the admin can upload fonts of his/her own choice.
The phpBB 3.0.x captcha doesn't rely on a "font"; the characters are generated from bitmaps. Converting that captcha to use actual fonts doesn't look like a trivial task to me (I don't know exactly how the captcha works internally), though I'm sure someone will write a plugin that does this, or you can request one, by the time 3.0.6 is released ;).
Support Toolkit | Support Request Template | Knowledge Base | phpBB 3.0.x documentation
I don't give support via PM or IM! (all unsolicited pms will be trashed!)
