Captcha is failing! Is there another way?
We installed a forum for Summer of Code. Unfortunately, we’ve been receiving a constant stream of fake registrations advertising Chinese and Russian porn sites. 🙁 I wonder if we’ve been hit by beating captcha by using porn.
We’re using phpBB and it’s been great; I suppose we’re suffering from its popularity. We’ve had to turn on more security, which means every registration has to be manually approved. The interface in phpBB is not that to deal with bulk spam.
Is there a better way, or are we going to succumb to 3rd world spammers????
November 23rd, 2007 at 7:43 am
What type of CAPTCHA are you using? I was wondering if you have tried the RE-CAPTCHA as I wanted to see if this was any better (digitise books AND hopefully stop SPAM).
November 23rd, 2007 at 8:15 am
Have you seen this article (Has CAPTCHA Been “Broken”?): http://www.codinghorror.com/blog/archives/001001.html
It gives a good comparison of different captchas.
November 23rd, 2007 at 8:16 am
We’re using the default captcha as installed by phpBB. I’m not sure if we can overload it with something else.
November 23rd, 2007 at 9:17 am
This may be useful to you:
http://www.codinghorror.com/blog/archives/001001.html
Basically, some captchas simply suck and are susceptible to automated OCR – others don’t and aren’t.
FWIW, other strategies include:
– multiple forms hidden by Javascript/CSS (don’t allow users that post to the hidden form)
– change default variable names
– change default posting URLs
– add extra steps, eg mandatory preview
– queue the first comment from a new user for moderation
There’s no solution that doesn’t involve customisation – automated attackers focus their efforts on “out of the box” configurations.
November 23rd, 2007 at 10:05 am
Another angle: just set up a Google Group, and let them deal with it…
November 23rd, 2007 at 11:52 am
In addition to the hidden form (which should be discarded if filled because humans wouldn’t do it), try doing a different thing: people should enter their email addresses requesting to join… Send an encoded URL containing the email address. When the actual registration comes in, check that the e-mail used matches the one in the encoded URL. This is what I do on Geekzone and it simply reduces spammers a lot…
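The emailed-link check and the hidden-field discard described in the comment above, as an added Python example (not part of the original thread, and not Geekzone's or phpBB's code). The HMAC-signed token format, the secret, the one-hour expiry and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: random server-side key in practice
TTL = 3600                           # assumption: emailed link valid for one hour

def _sig(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def make_token(email, now=None):
    """Token placed in the URL that is emailed to the address requesting to join."""
    expires = int((time.time() if now is None else now) + TTL)
    payload = f"{email.strip().lower()}|{expires}".encode()
    return base64.urlsafe_b64encode(payload + _sig(payload)).decode()

def check_registration(token, email, honeypot="", now=None):
    """Return (accepted, reason) for a submitted registration form."""
    if honeypot:                       # hidden field: a human never fills it
        return False, "honeypot filled"
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                 # bad padding or alphabet
        return False, "malformed token"
    payload, sig = raw[:-32], raw[-32:]
    if not hmac.compare_digest(sig, _sig(payload)):
        return False, "bad signature"  # token was not issued by this server
    token_email, expires = payload.decode().rsplit("|", 1)
    if (time.time() if now is None else now) > int(expires):
        return False, "expired"
    if token_email != email.strip().lower():
        return False, "email mismatch"  # link was sent to a different address
    return True, "ok"

if __name__ == "__main__":
    link_token = make_token("newuser@example.org")   # constructed address
    print(check_registration(link_token, "newuser@example.org"))
    print(check_registration(link_token, "other@example.net"))
    print(check_registration(link_token, "newuser@example.org", honeypot="x"))
```

Because the address is bound into a signed token, a script cannot register an address that never received the link, and a filled hidden field is rejected before any other check runs.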
November 23rd, 2007 at 11:53 am
Hmmm Google groups is sounding appealing…
I installed a more advanced captcha and hopefully that will offset the default actions to stop the scripts from doing their thing…
November 24th, 2007 at 9:04 am
iptables ftw!
November 24th, 2007 at 6:42 pm
Iptables is too much work. I’ve done that before to stop spammers hammering my box. Regarded too much work.
We have email validation; it’s still not stopping registrations.
The new captcha seems to be working as I’ve had no spam registrations since. Fingers crossed.
John
November 25th, 2007 at 12:07 am
hxxp://shoaib.no-ip.org/iptables.sh
that should cover pretty much all of new zealand 🙂