Spam Protection: Recaptcha


sdchilderley
02-06-2011, 01:41 PM
Hello guys,

I'm currently building open source PHP forum software. Due to a lot of spam on the net nowadays, there will be spam protection on the registration form and just about anything that accepts input.

I've always been suspicious about the login form. Can bots log in? Some say no, but I have used security software in the past that can authenticate itself automatically on websites to check the security, etc.
So, can bots log in to your application and spam your board automatically?

I’m looking forward to hearing your replies.


Edit by admin: no contact info permitted on the forum, thank you
- Shaun

JPnyc
02-06-2011, 01:58 PM
They most certainly can, and you'll find all forms of CAPTCHA are now useless.

sdchilderley
02-06-2011, 02:01 PM
They most certainly can, and you'll find all forms of CAPTCHA are now useless.

You're definitely right. Google's Recaptcha seems to be bulletproof so far; I'm not laying any odds on it though.

JPnyc
02-06-2011, 02:27 PM
http://www.google.com/search?q=Recaptcha+#hl=en&newwindow=1&safe=off&q=recaptcha+broken&revid=1053373889&sa=X&ei=zwNPTZDdBsiCgAe65vgW&ved=0CGoQ1QIoAg&fp=a02c97597e71f11

tirna
02-06-2011, 02:31 PM
CAPTCHAs are still a useful tool in keeping out hackers and bots, provided the captcha is sufficiently robust. There are many captchas out there that are very weak, technically, and are very easy to break if someone who knew what they were doing wanted to break them. Basically, if an image captcha can be reduced to 2 colours, black characters on white background using thresholds, then it is essentially broken because finding the black characters programmatically is relatively easy.

One criterion of a strong image captcha is that as the background "noise" is being removed, so too should the characters be. If the characters aren't being removed as well, then the captcha is very weak and vulnerable to being easily broken.

I built my own captcha after reading this very good article on what makes a strong captcha (http://homepages.cs.ncl.ac.uk/jeff.yan/msn_draft.pdf) and haven't had any problems with bots or hackers since.
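
The criterion in the post above (characters should degrade together with the noise under thresholding) can be checked by the captcha's author, who knows which pixels are glyphs. This is an added example, not part of the thread or of tirna's captcha; the function names and the small grayscale grids are constructed for illustration.

```python
# Self-test for a captcha generator: does any single global threshold keep
# the characters while removing the background noise? If so, the image
# reduces to black characters on white and fails the criterion above.

def retention(image, glyph_mask, threshold):
    """Binarise (pixel < threshold -> black). Return the fraction of glyph
    pixels still black and the fraction of non-glyph pixels still black."""
    glyph_kept = glyph_total = other_kept = other_total = 0
    for row, mask_row in zip(image, glyph_mask):
        for pixel, is_glyph in zip(row, mask_row):
            black = pixel < threshold
            if is_glyph:
                glyph_total += 1
                glyph_kept += black
            else:
                other_total += 1
                other_kept += black
    return glyph_kept / glyph_total, other_kept / other_total

def is_threshold_separable(image, glyph_mask, min_glyph=0.95, max_noise=0.05):
    """True if some threshold keeps >= min_glyph of the characters while
    leaving <= max_noise of the other pixels black (a weak captcha)."""
    for threshold in range(1, 256):
        glyph, noise = retention(image, glyph_mask, threshold)
        if glyph >= min_glyph and noise <= max_noise:
            return True
    return False

# Constructed ground truth: 1 marks a pixel the generator drew as a character.
MASK = [[0, 1, 1, 0, 0, 0],
        [0, 1, 0, 0, 1, 0],
        [0, 1, 1, 0, 1, 0],
        [0, 0, 0, 0, 1, 0]]

# Constructed weak image: dark glyphs (20), light noise (180), white paper.
WEAK = [[255,  20,  20, 180, 255, 255],
        [180,  20, 255, 255,  20, 180],
        [255,  20,  20, 180,  20, 255],
        [255, 180, 255, 255,  20, 255]]

# Constructed stronger image: glyph and noise intensities overlap.
STRONG = [[255,  90, 170, 120, 255, 255],
          [100, 150, 255, 255, 110, 160],
          [255, 130,  95, 140, 175, 255],
          [255, 105, 255, 255, 125, 255]]

if __name__ == "__main__":
    print("weak separable:", is_threshold_separable(WEAK, MASK))
    print("strong separable:", is_threshold_separable(STRONG, MASK))
```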

sdchilderley
02-06-2011, 02:35 PM
http://www.google.com/search?q=Recaptcha+#hl=en&newwindow=1&safe=off&q=recaptcha+broken&revid=1053373889&sa=X&ei=zwNPTZDdBsiCgAe65vgW&ved=0CGoQ1QIoAg&fp=a02c97597e71f11

Yeah, I had noticed this already. I did a search on "recaptcha cracked" and to my surprise...

There is no bulletproof way to protect against spam, is there?

tirna
02-06-2011, 02:41 PM
There is no bulletproof way to protect against spam, is there?

Probably not 100% protection, but after reading the article in the link I posted earlier you should be able to get very close to 100% protection from bots.

sdchilderley
02-06-2011, 02:48 PM
Probably not 100% protection, but after reading the article in the link I posted earlier you should be able to get very close to 100% protection from bots.

I've just read that article and yes, you can create a good captcha, but it's also led me to believe that we are fighting against humans as well.

There must be a more robust way of having spam protection to fight against both bots and users...

tirna
02-06-2011, 05:12 PM
I've just read that article and yes, you can create a good captcha, but it's also led me to believe that we are fighting against humans as well.


To some extent yes you are "fighting humans" as well because you have to balance robustness against readability for humans. But with careful design it's not difficult to build a robust captcha that is still fairly easy to read. In any case, you should give the user a button to generate a new image if the default one is difficult for them to read for some reason. Not all users will see a given image as difficult to read. If you want to be even more flexible you can have audio captchas as well.

JPnyc
02-07-2011, 07:20 AM
A question and answer approach is better than any CAPTCHA. They were starting to reach the point where they were more difficult for humans to get past than robots. The issue with question and answer verification is that the question you ask is extremely important. You don't use mathematics or anything where the answer can easily be found on the web. You must also change the question periodically, maybe once or twice a year. The thing to keep in mind is, robots can't follow what would be, for humans, simple directions. They also can't deal with color, provided you don't put its name anywhere in the code.

That's for dealing with robotic spam. There is no shortage of human spammers. To deal with human spam, that's more difficult. You could block all of Asia if you don't mind losing the traffic. That's where 95% of human generated spam comes from.

tirna
02-07-2011, 04:40 PM
A question/answer type captcha is a weak captcha imo because all a hacker has to do is repeatedly load the page to get most, if not all, of the questions and then associate the correct answer with the question. He/she then builds a bot to provide the correct answer to the question it is given.

JPnyc
02-08-2011, 08:48 AM
I think if that were the case, they'd be doing that. In which case we would then be seeing automated registrations. We're not.

tirna
02-08-2011, 04:01 PM
I think if that were the case, they'd be doing that.

They are doing that. Hackers break captchas, hack into websites etc etc mainly to gain bragging rights and notoriety among their peers on the Internet.

Just because a captcha on a particular site is technically weak doesn't mean it will necessarily be broken by a hacker. A hacker is much more likely to try to break a captcha of a high profile site which would give them much more kudos amongst his/her peers. Over at sitepoint registrations bypassing the captcha is a much bigger problem and the mods there are cleaning up after the spammers on a daily basis.

JPnyc
02-09-2011, 03:28 PM
I'm talking about bot registrations. When the HV doesn't work, we get 'em.

tirna
02-09-2011, 03:35 PM
So am I. Why take the time to build a bot to break into a low profile site?

All I am saying is that a question/answer type captcha is weak and much easier to break for the reasons I posted earlier.

JPnyc
02-09-2011, 04:13 PM
But apparently with CAPTCHA they don't even need to do that. It isn't keeping anybody out. They just roll right past.

tirna
02-09-2011, 05:01 PM
I'm not sure what the "It" is you are referring to.

But I can say that I built my own image captcha application (using PHP and GD library), based on the information in the article at the other end of the link I posted earlier and some other research, and I have not had any problems with spammers or hackers since. I won't use or recommend a question/answer type captcha because they are relatively much easier to break.