Spam bots defeat Recaptcha.


  • Suri.CMS
    replied
    I have a couple of hidden fields on the reg. form and if they don't have the expected contents OR are not set, we have a bot
    Sorry for my ignorance, but what is a 'hidden field'?
    Is it a private 'User Profile Field' or something else?
    Can you please tell me in detail?


    I have one field that is filled by Javascript
    How do you do that? You wrote a script, or is there any setting in vB?
    Last edited by Suri.CMS; Wed 18 Jun '08, 12:40pm.



  • David Grove
    replied
    Originally posted by Christophe_O
    How about posting your trap code here, SOCKWATER?
    A bot trap must be unique on every site, otherwise the spammers will code their bot to work with it.



  • Christophe_O
    replied
    Originally posted by sockwater
    Yes. I have a couple of hidden fields on the reg. form and if they don't have the expected contents OR are not set, we have a bot ... I get 10-30 tries a week, but none get by my trap



  • David Grove
    replied
    Originally posted by sarahk
    How are those "hidden" fields being filled? javascript?
    I have one field that is filled by Javascript, which allows me to detect if the user has JS enabled. (If not, it might be a bot, but there are a few users who have JS turned off by default).

    I have another field that's empty, and if there's something in it, then it was a bot that registered.

    Up to now I've had all the bots register that have been mentioned in this thread. Their registrations have all been submitted with my 2 fields not set, which means it was a bot that registered (directly submitting POST data), not even a human slave at a computer.

    For real registrations, both my fields will be set, and the first will have a certain hash in it, set by JS, and the second will be empty (but will be set).

    It's worked like a charm so far.

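A sketch of the two-field trap described in the post above, added here as an example; it is not David Grove's code, and as he says a real trap should differ on every site. The field names `js_token` and `website`, the HMAC-of-session-id hash and the `SECRET` value are assumptions.

```javascript
// Added example: server-side check for a two-field registration trap.
// Assumptions (not from the thread): field names "js_token" and "website",
// an HMAC of the session id as the JS-set hash, and the SECRET value.
const crypto = require('crypto');

const SECRET = 'per-site-random-secret'; // constructed placeholder

// Hash the server expects the page's script to write into js_token.
function expectedToken(sessionId) {
  return crypto.createHmac('sha256', SECRET).update(sessionId).digest('hex');
}

// Markup for the form: both inputs start empty, the script fills only one.
function renderTrapFields(sessionId) {
  return [
    '<input type="hidden" name="js_token" id="js_token" value="" />',
    '<input type="text" name="website" value="" style="display:none" />',
    '<script>document.getElementById("js_token").value = "' +
      expectedToken(sessionId) + '";</script>',
  ].join('\n');
}

// fields: parsed POST body as an object of strings.
function classifyRegistration(sessionId, fields) {
  const isSet = (k) => typeof fields[k] === 'string';
  // Fields missing entirely: POST data was submitted without the form.
  if (!isSet('js_token') || !isSet('website')) return 'bot: fields not set';
  // The second field must arrive set but empty.
  if (fields.website !== '') return 'bot: empty field was filled';
  // Empty token: script did not run. Could be a person with JS turned off.
  if (fields.js_token === '') return 'review: no JavaScript';
  const want = Buffer.from(expectedToken(sessionId));
  const got = Buffer.from(fields.js_token);
  const match = got.length === want.length && crypto.timingSafeEqual(got, want);
  return match ? 'ok' : 'bot: wrong hash';
}
```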


  • sarahk
    replied
    How are those "hidden" fields being filled? javascript?



  • David Grove
    replied
    Originally posted by skublum
    has anyone found a way to beat this yet?
    Yes. I have a couple of hidden fields on the reg. form and if they don't have the expected contents OR are not set, we have a bot

    I get 10-30 tries a week, but none get by my trap



  • skublum
    replied
    has anyone found a way to beat this yet?



  • Glathannus
    replied
    Here is the second spamborg to register at my site in the past two weeks.

    Username: gprunescaper2
    Email: [email protected]
    IP: 218.106.154.107

    What's interesting is that earlier today, I saw the spambot's User Agent simultaneously "Registering" from a section of China I hadn't already blocked, and South Korea. I pre-emptively blocked those of course, otherwise I would've had 3 spambot registrations today. gprunescaper2 showed up while I was taking a nap, but he was banned and all his posts were rounded up, within 15 minutes.



  • sarahk
    replied
    Back when captcha was in its infancy there was a theory (personally I never tested or proved) that captcha could be defeated as follows:
    • porn-user visits free porn site but is required to complete captcha before entering.
    • bot takes next queued forum to register at, tries to register, gets captcha image
    • bot gives porn-user the captcha image to answer
    • bot takes the answer and feeds it back to the registration script.
    • bot succeeds in getting a registration, porn-user gets required content

    With the bots obviously using Curl to process the registration this scenario remains plausible.

    ===============
    Other options could be for vB to have some sort of image replacement available for pages such as registration.

    As the template is processed the image source is altered to pass through a script which will tag the image and count how many were generated for the page/session combo. Then when someone submits the registration form vB will check that the user has generated the right number of images and reject/pass.

    If a user is using Curl they will then be obliged to parse the html to find the images and download them too. This will create a bandwidth overhead for them.

    If nothing else they may start to target their efforts to the busy forums or their own niche rather than the niche forums that have no interest in their "product".

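The image-counting idea proposed in the post above, as an added example that is not part of the original post and not vBulletin code. The `/regimg.php` URL, the session object shape and all function names are assumptions.

```javascript
// Added example: count tagged image fetches per rendered registration page.
// Assumptions: the /regimg.php URL, the session object shape, and all names.
const crypto = require('crypto');

// Called while the template is processed: rewrite each image source so it
// passes through the counting script with a one-time tag.
function tagImages(session, imageFiles) {
  session.issued = new Map(); // tag -> real file
  session.served = new Set(); // tags actually fetched
  return imageFiles.map((file) => {
    const tag = crypto.randomBytes(8).toString('hex');
    session.issued.set(tag, file);
    return '/regimg.php?tag=' + tag;
  });
}

// Called by the image script: returns the file to send, or null for a tag
// this session was never given.
function serveImage(session, tag) {
  if (!session.issued || !session.issued.has(tag)) return null;
  session.served.add(tag); // a Set, so repeat fetches are not double counted
  return session.issued.get(tag);
}

// Called when the form is submitted: every issued image must have been fetched.
function imagesAccountedFor(session) {
  if (!session.issued || session.issued.size === 0) return false;
  return session.served.size === session.issued.size;
}
```

A visitor whose browser does not load images (text-only or screen-reader setups) would fail this check, so a failed count is better treated as a reason for review than as proof of a bot.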


  • copiertalk
    replied
    beijmanli
    jklm292
    joshbob
    KaiyreBoy
    KevinFlys
    lovebeijgo
    lovemaryii
    Pereftiyo
    weiwei

    Those are the ones I have so far. I wonder why some are capital/lowercase while others are just lowercase?



  • Christophe_O
    replied
    Please help: can a Q&A be made to trigger the forum rules 'rejection' page without a hack? (STANDARD_ERROR template.)
    1. I believe my own custom multi-choice Q&A, even if not encrypted, may stump the few robots that get through image verification, simply by being different.
    2. I believe non-robot spammers will be superstitious. Even if they don't know English, word will spread among them what the following means, making recruitment difficult.
    3. The following experiment is not multi-choice and does not do anything. My HTML 'forms' skills are nil.
    4. Can someone please tell me how to activate my extra input to trigger the 'rejection' page?
      ... Preferably using an existing 'action', thus not needing a hack.
      ... Preferably causing 1 (not 0) to trigger the rejection, thus tripping robots a bit better.
      ... Or multiple input 'values' so I can do multiple choice if necessary.
    5. My small new forum receives 1 spamborg weekly like clockwork. Let's see if this does anything!


    Style manager ... edit templates ... registration templates ... register rules ... deleted this:
    <div><label for="cb_rules_agree"><input type="checkbox" name="agree" id="cb_rules_agree" value="1" /><strong><phrase 1="$vboptions[bbtitle]">$vbphrase[read_agree_abide_by_rules]</phrase></strong></label></div>

    ... Replaced as follows ...

    <div>
    <b>Agreement verification.</b> Please check one:<br />
    <label for="cb_rules_agree"><input type="radio" name="agree" value="1" id="cb_rules_agree" />
    I am over 13, I have read, and I agree to abide by, the above Forum Rules.</label><br />
    <label for="rb_rules_disagree"><input type="radio" name="agree" value="0" id="rb_rules_disagree" checked="checked" />
    I have not read or do not agree to the rules.</label><br />

    <b>Honesty verification.</b> Please check one:<br />
    <label for="rb_disgrace_0"><input type="radio" name="disgrace" value="0" id="rb_disgrace_0" />
    I agree to disgrace if I place advertising messages in non-advertising forums.</label><br />
    <label for="rb_disgrace_1"><input type="radio" name="disgrace" value="1" id="rb_disgrace_1" checked="checked" />
    I am not honest. I will disgrace my family.</label></div>
    Last edited by Christophe_O; Sun 15 Jun '08, 11:21am.



  • rolloffhill
    replied
    I just went through all 12 pages here and was surprised I hadn't seen this site mentioned.

    http://www.stopforumspam.com/

    It is a pretty extensive database of common spammers, including IPs, emails and usernames. I stumbled upon it the other day when we got a bunch of new registrations and they all entered "1" in the required fields at registration. I had missed a few, so I searched the memberlist for "1" in one of the required fields and it pulled up about 5 that I missed.



  • Indie2Industry
    replied
    Originally posted by Christophe_O
    I believe these spamborgs are humans who do not speak English, acting like trained monkeys. I.e., one geek in China trains all his friends and relatives.



    Thank you all for the ideas.

    I am doubtful about blocking email domains. After all many legitimate forum members just like to use Hotmail or Yahoo. And of course any spammer can go there too. So I doubt if it's practical to sort them out by their email domain.

    I especially like the Enhanced Captcha Image Verification.
    • So simple, no messing with IP databases, etc.
    • Will stump illiterate spammers much better than character recognition.
    • Allows each forum to use different images, thus making it unfeasible to create a robot that can immediately enter all forums.
    • Much more friendly to the legitimate human visitor than ramping up the obscurity of character recognition.
    • I.e., basically less complex but more effective than Recaptcha, for the current wave of quasi-human spam.
    • With some modifications, I believe this method could be a serious improvement on Recaptcha. Currently, the multiple-choice challenge is only practical with about 15 images, and to be human-friendly must allow 3 tries. Thus, robots can get through 1/5 the time by guessing. However this could be overcome by using 2 or 3 questions, each with 10 possible images, thus increasing to 100 or 1,000 variations. Thus, I hope this type of image verification may someday be considered as a standard feature for vBulletin.
    I believe it to be the most valuable mod I have. Mine has 10 images instead of 4, just to make it that much more difficult for the bot.

    http://indie2industry.com/forum/register.php



  • Christophe_O
    replied
    Thank you all for the suggestions especially ENHANCED RECAPTURE...

    Originally posted by LCPGUY
    Yeah, that's entirely possible. But then, why would a real person always use the same registration data? Wouldn't they try and be more "stealthy" and "elusive"?
    I believe these spamborgs are humans who do not speak English, acting like trained monkeys. I.e., one geek in China trains all his friends and relatives.
    Originally posted by creativepart
    ...We ban them permanently. We move their posts to a private forum. We review their IP addresses and ban the IP too. We shorten the IP for 2 octets and search to find others proactively and ban or delete them in advance.

    We also search the short octet (xxx.xxx.) to see if any non spammer members would be affected by a ban of that set of IPs and if not we ban the entire short set.

    This all works pretty effectively. I have a board with 1.3 million posts and 22,000 members so, it's a spam magnet. But with these methods we have reduced spammers to a minor problem.
    Originally posted by kursed
    Here is the list of [email] domains, which're blocked on my website. It's helped me curtail spam on my website to a very large extent.
    Originally posted by rolloffhill
    Originally posted by Indie2Industry
    Enhanced Captcha Image Verification
    It works on my 3.7 board and I haven't gotten a single spambot since.
    Thank you all for the ideas.

    I am doubtful about blocking email domains. Many legitimate forum members just like to use Hotmail or Yahoo. And of course any spammer can go there too. So I doubt if it's practical to sort them out by their email domain. However, a current ban list of complete email addresses (available at http://stopforumspam.com/) might safely make your forum much more bothersome to spam, provided of course you have email verification.

    I especially like the Enhanced Captcha Image Verification.
    • So simple, no messing with IP databases, etc.
    • Will stump illiterate spammers much better than character recognition.
    • Allows each forum to use different images, thus making it quite unfeasible to create a program for joining all forums.
    • Much more friendly to the legitimate human visitor than ramping up the obscurity of character recognition.
    • I.e., basically less complex but more effective than Recaptcha, for the current wave of quasi-human spam.
    • With some modifications, I believe this method could be a serious improvement on Recaptcha. Currently, the multiple-choice challenge is only practical with about 15 images, and to be human-friendly must allow 3 tries. Thus, robots can get through 1/5 the time by guessing. However this could be overcome by using 2 or 3 questions, each with 10 possible images, thus increasing to 100 or 1,000 variations. Thus, I hope this type of image verification may someday be considered as a standard feature for vBulletin.


    P.S. I suppose that, without resorting to a hack, while also using the Recaptcha or Image Verification, you can add your own multiple-choice Q&A to the "Forum Rules" agreement. I would suggest questions 1 and 2 be: 'Do you agree with the forum rules?' and 'Are you over 13?'. Then question 3 can be chosen randomly from a list, or perhaps it will be enough to change this manually once a month. If necessary, a fourth question can be added. The fact that you do this yourself will make your hurdles unique. It is not feasible to train either a robot or a lackey for one forum.
    Last edited by Christophe_O; Sun 15 Jun '08, 12:14am. Reason: p.s.

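The two-octet check from the creativepart quote in the post above (see whether a wider ban would affect non-spammer members before applying it), as an added example that is not code from the thread. The member record shape, the function names and the sample addresses are constructed.

```javascript
// Added example: check whether banning a two-octet prefix would hit
// members who are not spammers. All names and sample data are constructed.

// "203.0.113.5" -> "203.0." ; returns null for anything that is not IPv4.
function shortPrefix(ip) {
  const parts = String(ip).split('.');
  const ok = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts[0] + '.' + parts[1] + '.' : null;
}

// members: [{ name, ip, spammer }]. For each prefix seen on a spammer,
// list the other accounts under it and decide how wide the ban can be.
function planBans(members) {
  const byPrefix = new Map();
  for (const m of members) {
    const prefix = shortPrefix(m.ip);
    if (prefix === null) continue; // skip IPv6 or malformed entries
    if (!byPrefix.has(prefix)) byPrefix.set(prefix, []);
    byPrefix.get(prefix).push(m);
  }
  const plan = [];
  for (const [prefix, group] of byPrefix) {
    const spammers = group.filter((m) => m.spammer);
    if (spammers.length === 0) continue;
    const affected = group.filter((m) => !m.spammer).map((m) => m.name);
    plan.push(affected.length === 0
      ? { ban: prefix, scope: 'prefix', affected }
      : { ban: spammers.map((m) => m.ip), scope: 'single', affected });
  }
  return plan;
}

// Constructed sample data.
const SAMPLE = [
  { name: 'spam1', ip: '203.0.113.5', spammer: true },
  { name: 'spam2', ip: '203.0.200.9', spammer: true },
  { name: 'spam3', ip: '198.51.100.7', spammer: true },
  { name: 'regular', ip: '198.51.7.20', spammer: false },
  { name: 'other', ip: '192.0.2.44', spammer: false },
];
```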


  • Indie2Industry
    replied
    I hate spam

    I use this...


    http://www.vbulletin.org/forum/showthread.php?t=132482

    It works on my 3.7 board and I haven't gotten a single spambot since.

