Spam Hurdles Module (CAPTCHA's and other anti-spam tools)

Posted by Maurice Makaay 
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
September 05, 2006 10:26AM
For those that wonder why they still get spam... :)

[sam.zoy.org]

I haven't seen what kind of output this puts out, but hints for making them better if needed can be found on the above page.

---
-=[ Panu ]=-
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
September 05, 2006 10:46AM
This site that you mention is all about image based captcha solving. For being one little step ahead of spammers that make use of captcha crackers that use this kind of software, I created the javascript based captcha. This captcha uses <div> generating javascript code to draw the captcha code in a bitmap based "image". No real images are used at all. You cannot cut and paste the code, you cannot download the visible images because there are none (a screenshot would be needed for that). Bots will not see this as a standard captcha which can be fed to some solving system.

Take a look at my development site for this special captcha type and let me know if you can break it using some sort of script. Try to find the captcha code in the HTML source and give it a go ;-) I know that eventually, a script can be written to solve this type of captcha (as is the case for any captcha) too, but for the moment it's probably a pretty good captcha to use.

Spam Hurdles also implements a couple of non-interactive checks which will provide additional protection in case the captcha is cracked. I even think that only running the non-interactive checks might be enough protection for anonymous posting at this moment for blocking about all incoming spam. One of the checks is a javascript check. Most bots will trip over that one. If people care to try out this theory on their spam-loaded forum installs, it would be great (unfortunately, on my own site the first spam message still has to arrive because of required user registration and a custom registration process ;-).


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
September 05, 2006 01:19PM
Submit your mod to the site maintainer...

---
-=[ Panu ]=-
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
September 08, 2006 06:32AM
Hi,

Installed this module which works fine for my users with "code drawn using javascript", but bots still post messages in a forum which is normally... masked from users! The last spams I received are signed "military cash advance", "texas holdem" and "3d roulette" in a forum named "Livre d'or". Curiously, it is the only forum attacked and the only one "masked" from users, also the only one set as "moderated", so the damage is limited, but what if they one day attack my public forums? For the moment, I suppose that they chose/found this forum because of its name.

On this occasion, I discovered that setting a forum to visible="no" doesn't mean that the forum is no longer accessible. If someone knows the forum #id, he can call the URL directly and so the forum appears. I think that setting a forum or a folder to "no" visible must also make it "no" accessible.

So, two problems:
- "visible" versus "accessible", in phorum "global general" or particular "forum" settings
- the CAPTCHA problem: it is working, but bypassed by spambots. I don't believe that bots resolve the CAPTCHA code, but they have probably found a door to pass through by using some code in the form which authorizes them to validate the form without having to check the CAPTCHA's code.

Any help is welcome.



Edited 1 time(s). Last edit at 09/08/2006 06:33AM by milos.
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
September 08, 2006 06:43AM
> I think that setting a forum or a folder to "no" visible must also make it "no" accessible.

no, that's what permissions are for.
set the permissions accordingly. also this has nothing to do with that module.


Thomas Seifert
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
September 08, 2006 06:48AM
Visible to "no" does exactly what it says. It makes a forum invisible. It would be bad to use that for making the forum inaccessible as well, since for that we have the forum permissions already. Letting two separate settings influence access control is only asking for problems. So if you need to restrict access to the forum, use the standard tools for that.

I really wonder if it were bots that bypassed the javascript captcha. I am not aware of any possibility to bypass the captcha and the other anti-spam checks. My best guess is that manual posting was done here (it's too bad, but not all spam is posted by bots). Checking out the access logs for the server could probably give information about the nature of the source. You have the IP-address for the spammer, so you could try to find out how the forum was used and whether that looks botty or human.

In the code, I thoroughly check if a captcha is entered and if it's right. If a bot would simply leave out captcha related fields, then the mod would redirect it back to the posting form, where a new captcha is shown. A bot that would try to repost a previously correct captcha, would not bypass the system either. For each post, a unique posting session is set up with a unique key, which can only be used once for posting a message. Of course, software can have bugs and if there are any bypasses in my mod then I'd sure like to fix them. But for now I seriously doubt there's a bypass option.


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
September 08, 2006 07:37AM
Sorry for my precipitation about the first problem (visible vs accessible). I agree with you, as, when a forum permission is set to "write=no" for public users, then this forum becomes also "invisible/unlisted/inaccessible", but I didn't know that before. After some testing, this sort of setting satisfies me.

For the second one (captcha bypass?), I'll have a look at the server's logfile to see where the posts are coming from, but the phorum recorded IP (DNS lookup setting is "yes") is different for each message, even if the messages are nearly the same and posted in less than 1 minute interval. On the other hand, even if I have "only" a dozen of spams per hour, it is difficult to imagine that a man is staying beside his screen just doing that, and continues doing it in a moderated+invisible forum where no one of his posts is published, but who knows...
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
September 13, 2006 05:03PM
Is it possible to use this module without the use of caching?

My ISP has safe mode enabled, and I've tried to comment out everything that seemed related to caching. This got rid of all the error messages, but I'm unable to post any messages, as everything gets stopped as spam.
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
September 13, 2006 05:33PM
You cannot comment that out in the code, because the module really needs to store that data server-side. If the data is not available, the module can not check your posting and will decide that it is spam at all times (like you already found out). That data is not really "cached" (which normally means that the data is redundant and will be rebuilt if missing), but it is "stored" (because the cache is the only and primary storage).

I guess one (nasty) solution could be to write a caching layer that stores cached data in the database. A better solution would be to find a provider that does know how to correctly host PHP applications.


Maurice Makaay
Phorum Development Team
my blog linkedin profile secret sauce
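
The single-use posting key and the server-side storage it depends on, as described in the replies above, sketched as an added example (this is not Spam Hurdles code; the class, function and form field names are hypothetical). A missing record counts as a failed check, which is why every post is rejected when the storage is unavailable.

```php
<?php
// Added illustration, not the module's code. All names here are hypothetical.

// Stand-in for the module's server-side storage (the "cache" in the thread).
final class PostingStore
{
    private array $rows = [];

    public function put(string $key, array $row): void { $this->rows[$key] = $row; }

    // Fetch and delete in one step, so a key can never be used twice.
    public function take(string $key): ?array
    {
        $row = $this->rows[$key] ?? null;
        unset($this->rows[$key]);
        return $row;
    }
}

// Called when the posting form is rendered: one random key per form.
function open_posting_session(PostingStore $store, string $captchaAnswer, int $ttl = 3600): string
{
    $key = bin2hex(random_bytes(16));
    $store->put($key, ['answer' => $captchaAnswer, 'expires' => time() + $ttl]);
    return $key;
}

// Called on submit. Any result other than 'ok' means: back to the form, new captcha.
function check_post(PostingStore $store, array $form): string
{
    $key = $form['posting_key'] ?? '';
    $answer = $form['captcha'] ?? '';
    if (!is_string($key) || !is_string($answer) || $key === '' || $answer === '') {
        return 'missing-fields';
    }
    $row = $store->take($key);                       // consumed even if the answer is wrong
    if ($row === null) { return 'unknown-or-used-key'; }
    if ($row['expires'] < time()) { return 'expired'; }
    return hash_equals($row['answer'], $answer) ? 'ok' : 'wrong-captcha';
}

$store = new PostingStore();
$key = open_posting_session($store, 'K7QX');         // constructed sample values
$good = ['posting_key' => $key, 'captcha' => 'K7QX'];
var_dump(check_post($store, ['posting_key' => $key]));  // captcha field left out
var_dump(check_post($store, $good));                    // first submit with the right code
var_dump(check_post($store, $good));                    // replay of the same form
var_dump(check_post(new PostingStore(), $good));        // storage lost or not writable
```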
Re: Spam Hurdles Module (CAPTCHA's and other anti-spam tools)
September 16, 2006 02:37AM
Thanks for this. I was ready to abandon phorum because I wanted a no-register forum that was relatively spam-proof. I was getting, sometimes dozens of spam posts a day and had to turn on moderation, which meant nothing was ever getting posted (because I was too lazy to go in & approve or delete dozens of messages a day)

I have the simple text captcha (I tried the javascript one but found that even I couldn't distinguish between a 5, an S and a 9), and I really hope this means I can turn moderation off and possibly get an active forum.

THANKS!