
Thread: Spam Protection: Recaptcha

  1. #1
    Join Date
    Feb 2011
    Posts
    4

    Spam Protection: Recaptcha

    Hello guys,

    I'm currently building open source PHP forum software. Due to a lot of spam on the net nowadays, there will be spam protection on the registration form and just about anything that accepts input.

    I've always been suspicious about the login form. Can bots log in? Some say no, but I have used security software in the past that can authenticate itself automatically on websites to check the security, etc.
    So, can bots log in to your application and spam your board automatically?

    I'm looking forward to hearing your replies.


    Edit by admin: no contact info permitted on the forum, thank you
    - Shaun

  2. #2
    Join Date
    May 2004
    Location
    Manhattan NY
    Posts
    6,028
    They most certainly can, and you'll find all forms of CAPTCHA are now useless.

  3. #3
    Join Date
    Feb 2011
    Posts
    4
    Quote Originally Posted by JPnyc View Post
    They most certainly can, and you'll find all forms of CAPTCHA are now useless.
    You're definitely right. Google's Recaptcha seems to be bulletproof so far; I'm not laying any odds on it though.

  4. #4
    Join Date
    May 2004
    Location
    Manhattan NY
    Posts
    6,028

  5. #5
    Join Date
    Mar 2010
    Posts
    2,803
    CAPTCHAs are still a useful tool in keeping out hackers and bots, provided the captcha is sufficiently robust. There are many captchas out there that are very weak, technically, and are very easy to break if someone who knew what they were doing wanted to break them. Basically, if an image captcha can be reduced to 2 colours, black characters on white background using thresholds, then it is essentially broken because finding the black characters programmatically is relatively easy.

    One criterion of a strong image captcha is that as the background "noise" is being removed, so too should the characters be. If the characters aren't being removed as well, then the captcha is very weak and vulnerable to being easily broken.

    I built my own captcha after reading this very good article on what makes a strong captcha and haven't had any problems with bots or hackers since.
    Last edited by tirna; 02-06-2011 at 03:38 PM.
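
The robustness criterion in post #5, written as a designer-side self-check. This is an added example, not code from the thread or from any poster: the function names, the 0.9 limit and the pixel grids are constructed for illustration, and it assumes the designer has the ground-truth mask of which pixels belong to characters.

```python
# Added illustration; all pixel data below is constructed, not from a real CAPTCHA.
# Assumption: the designer knows which pixels belong to characters (glyph_mask).

def threshold_separability(pixels, glyph_mask):
    """Return (score, cutoff) for the single grey-level cut-off that best
    separates character pixels from background pixels.
    score 1.0 = one threshold isolates the characters perfectly (weak image);
    score near 0 = removing the noise removes the characters too (the goal)."""
    glyph, noise = [], []
    for row, mask_row in zip(pixels, glyph_mask):
        for value, is_glyph in zip(row, mask_row):
            (glyph if is_glyph else noise).append(value)
    if not glyph or not noise:
        raise ValueError("need both character and background pixels")
    best_score, best_cutoff = 0.0, None
    for cutoff in range(1, 256):
        kept_glyph = sum(v < cutoff for v in glyph) / len(glyph)
        kept_noise = sum(v < cutoff for v in noise) / len(noise)
        # abs() covers light-on-dark as well as dark-on-light characters
        score = abs(kept_glyph - kept_noise)
        if score > best_score:
            best_score, best_cutoff = score, cutoff
    return best_score, best_cutoff

def fails_threshold_test(pixels, glyph_mask, limit=0.9):
    """True when a plain threshold recovers the characters (limit is an assumed bar)."""
    return threshold_separability(pixels, glyph_mask)[0] >= limit

# Constructed 4x6 greyscale samples (0 = black, 255 = white); 1 in MASK = character pixel.
MASK = [[0, 1, 1, 0, 0, 0],
        [0, 1, 0, 0, 1, 0],
        [0, 1, 1, 0, 1, 0],
        [0, 0, 0, 0, 1, 0]]
# Dark characters on light noise: intensities do not overlap.
WEAK = [[200, 20, 30, 180, 250, 160],
        [140, 25, 210, 230, 20, 190],
        [220, 30, 20, 150, 35, 240],
        [170, 200, 160, 245, 25, 180]]
# Characters and noise share the same intensity range.
STRONG = [[40, 60, 150, 90, 200, 30],
          [120, 200, 70, 180, 90, 110],
          [80, 30, 120, 50, 160, 140],
          [190, 100, 60, 130, 50, 70]]

if __name__ == "__main__":
    for name, img in (("weak", WEAK), ("strong", STRONG)):
        print(name, threshold_separability(img, MASK), fails_threshold_test(img, MASK))
```

Intensity overlap is only the property this check measures; it says nothing about segmentation or recognition resistance, which the post does not cover.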

  6. #6
    Join Date
    Feb 2011
    Posts
    4
    Yeah, I had noticed this already. I did a search on "recaptcha cracked" and to my surprise...

    There is no bulletproof way to protect against spam, is there?

  7. #7
    Join Date
    Mar 2010
    Posts
    2,803
    Quote Originally Posted by sdchilderley View Post
    There is no bulletproof way to protect against spam, is there?
    Probably not 100% protection, but after reading the article in the link I posted earlier you should be able to get very close to 100% protection from bots.

  8. #8
    Join Date
    Feb 2011
    Posts
    4
    Quote Originally Posted by tirna View Post
    Probably not 100% protection, but after reading the article in the link I posted earlier you should be able to get very close to 100% protection from bots.
    I've just read that article and yes, you can create a good captcha, but it's also led me to believe that we are fighting against humans as well.

    There must be a more robust way of having spam protection to fight against both bots and users...

  9. #9
    Join Date
    Mar 2010
    Posts
    2,803
    Quote Originally Posted by sdchilderley View Post
    I've just read that article and yes, you can create a good captcha, but it's also led me to believe that we are fighting against humans as well.
    To some extent yes you are "fighting humans" as well because you have to balance robustness against readability for humans. But with careful design it's not difficult to build a robust captcha that is still fairly easy to read. In any case, you should give the user a button to generate a new image if the default one is difficult for them to read for some reason. Not all users will see a given image as difficult to read. If you want to be even more flexible you can have audio captchas as well.

  10. #10
    Join Date
    May 2004
    Location
    Manhattan NY
    Posts
    6,028
    A question and answer approach is better than any CAPTCHA. They were starting to reach the point where they were more difficult for humans to get past than robots. The issue with question and answer verification is that the question you ask is extremely important. You don't use mathematics or anything where the answer can easily be found on the web. You must also change the question periodically, maybe once or twice a year. The thing to keep in mind is, robots can't follow what would be, for humans, simple directions. They also can't deal with color, provided you don't put its name anywhere in the code.

    That's for dealing with robotic spam. There is no shortage of human spammers. To deal with human spam, that's more difficult. You could block all of Asia if you don't mind losing the traffic. That's where 95% of human generated spam comes from.

  11. #11
    Join Date
    Mar 2010
    Posts
    2,803
    A question/answer type captcha is a weak captcha imo because all a hacker has to do is repeatedly load the page to get most, if not all, of the questions and then associate the correct answer with the question. He/she then builds a bot to provide the correct answer to the question it is given.

  12. #12
    Join Date
    May 2004
    Location
    Manhattan NY
    Posts
    6,028
    I think if that were the case, they'd be doing that. In which case we would then be seeing automated registrations. We're not.

  13. #13
    Join Date
    Mar 2010
    Posts
    2,803
    Quote Originally Posted by JPnyc View Post
    I think if that were the case, they'd be doing that.
    They are doing that. Hackers break captchas, hack into websites etc etc mainly to gain bragging rights and notoriety among their peers on the Internet.

    Just because a captcha on a particular site is technically weak doesn't mean it will necessarily be broken by a hacker. A hacker is much more likely to try to break a captcha of a high profile site which would give them much more kudos amongst his/her peers. Over at sitepoint registrations bypassing the captcha is a much bigger problem and the mods there are cleaning up after the spammers on a daily basis.
    Last edited by tirna; 02-08-2011 at 05:05 PM.

  14. #14
    Join Date
    May 2004
    Location
    Manhattan NY
    Posts
    6,028
    I'm talking about bot registrations. When the HV doesn't work, we get 'em.

  15. #15
    Join Date
    Mar 2010
    Posts
    2,803
    So am I. Why take the time to build a bot to break into a low profile site?

    All I am saying is that a question/answer type captcha is weak and much easier to break for the reasons I posted earlier.
