CAPTCHA - Really need some help
-
Groone
- Forum Newbie
- Posts: 13
- Joined: Mon Jan 30, 2006 6:30 am
- Location: Mobile, Alabama USA
CAPTCHA - Really need some help
Hey, I'm new here - found the site just surfing the other day and saw a great community of programmers that I wanted to be a part of. Lots to learn from you people. Anyhow, sorry for my first post being one of a problem but it is.
I have been working on CAPTCHA and I just can't seem to block a spammer that is hitting a guestbook that I made. The guestbook is at http://www.groonesworld.com/gbook/index.php?act=add
The spammer is posting things like
"Just wanted to say that the site has really grown from strength to strength."
"I must confuses your site is really cool!!! Great site, great idea, just all round great work, everyone."
"One sentence. The site is awesome. Just great Keep it up and up!!! An excellent website indeed!"
"http://h1.ripway.com/loans/mobile-home-loan.html mobile home loan http://h1.ripway.com/loans/home-loan.html [url=h"
"Nice site! Color scheme no bad... Add spam protect and be happy ! Random code =763"
I end the CAPTCHA image session, I have grids in the image, I have random marks on the image, I have the letters and numbers turning. I use mt_rand and then I run them through md5 with a substr. I am to the point of thinking this is an actual person typing this stuff in...
I have tried to capture the real IP but have failed. This guy puts on a message like every hour... I don't want him/her to stop because I want to figure out how to stop him/her. I guess I could store the messages in the db and release as I see fit, sucks to have to do that. I was also thinking maybe a challenge question of some sort.
Anyone got any ideas?
Thanks!
-
Groone
- Forum Newbie
- Posts: 13
- Joined: Mon Jan 30, 2006 6:30 am
- Location: Mobile, Alabama USA
Here it is
Here is the captcha code I am using.
I decided to use md5 to get my characters because I learned that when the spammer places "Random Number=765" or "Magic Number=563" or something like that on the entry it is a way for them to find the random seed. By randomizing it and then placing each character through MD5 there is an extra bit of randomness I suppose. The length of my code is 5 characters so they have to do abcdef1234567890 which is a heck of a lot of numbers to sequence.
Code:
<?php
session_start();

// Build a $length-character code. Each character is one hex digit taken out
// of the md5 of a random number, so the alphabet is 0-9 and a-f.
function strrand($length)
{
    $str = "";
    while (strlen($str) < $length) {
        mt_srand((double)microtime() * 1000000); // reseed from the clock on every pass
        $random = mt_rand(48, 122);
        $random = md5($random);
        $str .= substr($random, 17, 1);          // one hex digit of the 32-character hash
    }
    return $str;
}

// Store the code in the session and draw it over a black background image.
$text = $_SESSION['string'] = strrand(5);
header("Content-type: image/png");
$im = imagecreatefrompng("black.png");
$color = imagecolorallocate($im, 255, 255, 255);
$font = 'WALSHESO.TTF';
$fontsize = 25;
// Each character gets its own angle, x position and baseline.
imagettftext($im, $fontsize, 25, 10, 29, $color, $font, substr($text, 0, 1));
imagettftext($im, $fontsize, 2, 20, 24, $color, $font, substr($text, 1, 1));
imagettftext($im, $fontsize, 15, 40, 29, $color, $font, substr($text, 2, 1));
imagettftext($im, $fontsize, 45, 70, 24, $color, $font, substr($text, 3, 1));
imagettftext($im, $fontsize, 3, 80, 29, $color, $font, substr($text, 4, 1));
imagepng($im);
imagedestroy($im);
?>
Okay, to accept the security code I use the following
First I make sure there are no special characters coming in the form to break my challenge. If the challenge does not match the program dies, and if it does match, the session is destroyed and the variable cleansed.
Code:
<?php
session_start();
// Strip special characters from the submitted code and compare it with the
// code the image script stored in the session.
$mySecretCode = htmlspecialchars($_REQUEST['code']);
if ($mySecretCode != $_SESSION['string']) {
    die("<center><STRONG>Security code does not match image code.</STRONG></center>");
}
// Clear the stored code once it has been used.
$_SESSION['string'] = "";
$mySecretCode = "";
?>
Now after adding this last font, I didn't get any more entries into the guestbook. The font is easy enough to read, but I can imagine it would be heck on an OCR program.
From what I can see, there may be a fault with your logic in the 'unsetting' of your $_SESSION['string'] variable.
Instead of:
Code:
<?php $_SESSION['string'] = ""; ?>
use:
Code:
<?php unset($_SESSION['string']); ?>
And in your if challenge, to avoid a notice error use:
Code:
<?php
if ((isset($_SESSION['string'])) && ($_SESSION['string'] == $mySecretCode)) {
    // etc..
}
?>
The reason for this is the user (or spam bot..) will only need to attempt a login once (which will most likely fail) and then after that, they no longer need to revalidate.. as they won't need to submit a code at all, as the code is now blank. (The spam bot/user will simply avoid running the image script to regen a new code, and can then submit the rest of the information, including the session id to allow them access to the blog/comments.)
HTH
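The two posts above (Groone's check and the reply's unset()/isset() fix) can be put side by side in one runnable script. This is an added example, not code from the thread: the session is modelled as a plain array so the logic can be exercised from the command line with `php check.php`, and the hardened version assumes PHP 5.6 or later for hash_equals(). All code values are constructed.

```php
<?php
// Added example (not code from the thread). The session is passed in as an
// array so this runs from the CLI; in a real handler call session_start()
// and pass $_SESSION.

// Groone's check, reproduced only for comparison.
function original_check(array &$session, $submitted)
{
    $code = htmlspecialchars($submitted);
    // Loose comparison: "" != null is false, so a visitor who never loaded the
    // image (nothing stored in the session) gets through with an empty code.
    $stored = isset($session['string']) ? $session['string'] : null;
    if ($code != $stored) {
        return false;
    }
    $session['string'] = "";   // "" stays in the session and matches "" next time
    return true;
}

// Hardened check: the challenge must exist, it is consumed whether or not the
// answer is right (one attempt per image), and it is compared strictly and in
// constant time. The raw input is compared; escaping belongs to output, not here.
function hardened_check(array &$session, $submitted)
{
    if (!isset($session['string']) || !is_string($submitted)) {
        return false;          // no image requested, or code[]=x array trick
    }
    $expected = $session['string'];
    unset($session['string']); // consume first: a wrong guess also burns the image
    if ($expected === '') {
        return false;
    }
    // hash_equals (PHP 5.6+) avoids timing leaks and the type juggling of ==.
    return hash_equals($expected, $submitted);
}

// Constructed scenarios, each run against both checks.
function demo()
{
    $results = array();

    // 1. Submission with an empty code from a session that never fetched the image.
    $s = array();
    $results['orig_no_image_empty'] = original_check($s, '');
    $s = array();
    $results['hard_no_image_empty'] = hardened_check($s, '');

    // 2. One correct solve, then a second post with an empty code in the same session.
    $s = array('string' => 'a7c2f');
    original_check($s, 'a7c2f');
    $results['orig_replay_empty'] = original_check($s, '');
    $s = array('string' => 'a7c2f');
    hardened_check($s, 'a7c2f');
    $results['hard_replay_empty'] = hardened_check($s, '');

    // 3. A wrong guess followed by the right one on the same image.
    $s = array('string' => 'a7c2f');
    original_check($s, 'zzzzz');
    $results['orig_retry_same_image'] = original_check($s, 'a7c2f');
    $s = array('string' => 'a7c2f');
    hardened_check($s, 'zzzzz');
    $results['hard_retry_same_image'] = hardened_check($s, 'a7c2f');

    return $results;
}

foreach (demo() as $case => $ok) {
    printf("%-24s %s\n", $case, $ok ? 'ACCEPTED' : 'rejected');
}
```

Scenarios 1 and 2 are the cases the reply describes: the original check accepts an empty code both when the image was never requested and after one successful solve, while the hardened check rejects both. Scenario 3 shows a design choice rather than a bug: because the hardened check unsets the stored code before comparing, a wrong guess invalidates that image and the visitor has to load a fresh one, which is what stops a script from cycling guesses against a single session.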
Re: CAPTCHA - Really need some help
Groone wrote:I have been working on CAPTCHA and I just can't seem to block a spammer that is hitting a guestbook that I made.
Captchas are extremely ineffective. They present little challenge to automated software. They inconvenience users, they prevent visually impaired users from using your site, and they also add extra processing time to your site.
A simple solution is to instead put a time-delay moderation around the guestbook. If it's not a shoutbox, there should be little negative impact to adding a delay before the comment is displayed. Check in to moderate a few times a day, and it's all good. No impact to visually impaired users, no increased load on your site, and a minor annoyance for you. When their scripts test to see if they were effective on your site (and weren't), they'll soon stop.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Why not just filter the incoming message for keywords and block those spammed messages? No CAPTCHAs to prevent anyone with sight problems from using your guestbook, and no more spams (or relatively few - they all use similar keywords in their spam for some reason).
I'm with Roja on CAPTCHA use. Better to block spammers alone, not spammers AND people who are visually impaired... I can think of few places where it's really justified - maybe combating certain limited forms of exploits from online bots - but spamming is too predictable to qualify. Most spammers do not vary their attacks - they rely on volume rather than innovation in blog spamming (most blogs these days can easily filter spam with few exceptions).
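One way to do the keyword filtering suggested here, combined with Roja's moderation idea (flagged entries are held for review instead of being dropped), as an added example that is not code from the thread. The word list and thresholds are constructed assumptions; the two spam samples are the ones quoted in the first post and the third entry is a made-up ordinary visitor.

```php
<?php
// Added example (not code from the thread): score a guestbook entry on link
// count and a word list, and route it to the moderation queue when the score
// crosses a threshold. Keywords and thresholds are assumptions to tune.

function spam_score($message, array $keywords, $maxLinks = 1)
{
    $score = 0;
    $text  = strtolower($message);

    // Every link beyond the allowance counts; guestbook comments rarely need any.
    $links = preg_match_all('~https?://|www\.|\[url~i', $message, $m);
    if ($links > $maxLinks) {
        $score += $links - $maxLinks;
    }

    // Word-list hits. \b stops "loan" matching inside longer words like "loanword".
    foreach ($keywords as $word) {
        if (preg_match('~\b' . preg_quote($word, '~') . '\b~', $text)) {
            $score += 1;
        }
    }

    // The "Random code =763" style tag the thread reports on spam entries.
    if (preg_match('~\b(random|magic)\s+(code|number)\s*=\s*\d+~', $text)) {
        $score += 2;
    }
    return $score;
}

// Hold for moderation rather than silently discard, so a false positive is recoverable.
function classify($message, array $keywords, $threshold = 2)
{
    return spam_score($message, $keywords) >= $threshold ? 'hold' : 'publish';
}

$keywords = array('loan', 'mortgage', 'casino', 'viagra', 'spam protect');

// Constructed sample entries: two mirror what the thread quotes, one is a normal visitor.
$samples = array(
    'http://h1.ripway.com/loans/mobile-home-loan.html mobile home loan http://h1.ripway.com/loans/home-loan.html [url=h',
    'Nice site! Color scheme no bad... Add spam protect and be happy ! Random code =763',
    'Great pictures of Mobile, thanks for putting these up.',
);

foreach ($samples as $entry) {
    printf("%-8s (score %d) %s\n", classify($entry, $keywords),
           spam_score($entry, $keywords), substr($entry, 0, 50));
}
```

The first sample scores on two extra links plus the word "loan", the second on "spam protect" plus the random-code tag, and the plain visitor scores zero; with the default threshold the first two are held and the third is published. Keeping held entries in the database for review addresses the worry raised later in the thread that a word list blocks honest posters: a wrongly held message is released by the moderator instead of being lost.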
-
Groone
- Forum Newbie
- Posts: 13
- Joined: Mon Jan 30, 2006 6:30 am
- Location: Mobile, Alabama USA
Maugrim_The_Reaper wrote:Why not just filter the incoming message for keywords and block those spammed messages?
pilau wrote:Because it could prevent from "honest" users posting their own messages.
I agree, I think more "honest" people would be blocked because of keywords than blind people. Since blind folks on the web are such a significantly low population, I'll chance CAPTCHA. Also, my initial post isn't asking if CAPTCHA is a viable solution, I just needed help with it.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Groone wrote:I agree, I think more "honest" people would be blocked because of keywords than blind people. Since blind folks on the web are such a significantly low population, I'll chance CAPTCHA. Also, my initial post isn't asking if CAPTCHA is a viable solution, I just needed help with it.
I'm not looking to argue, however, your statement isn't accurate. Your first post specifically said you were looking at alternatives (challenge questions), and the amount of detail made clear you wanted an effective solution to blocking the spammer. You even specifically said that CAPTCHA was not working.
Now, if after discussion, you've decided you just want help on CAPTCHA, cool, don't blame you. However, to claim after the fact that you didn't want what you said you wanted is a little less than honest/fair.
As to the "significantly low population" of visually impaired users, it's not nearly as low as you think. I'll give you a hint: One of the posters in this very thread is visually impaired.
But it's worse than that - it excludes real people without visual issues too - people that can't honestly read it because you've made it garbled enough to make it difficult for OCR software. If you don't, there is no real reason to do it - it doesn't stop automated software, which was the goal in the first place.
I've seen *one* situation in the entire history of the net where CAPTCHA was absolutely the right choice. Yahoo's personals. They offer a sound alternative version, and even an email alternative if THAT doesn't work. The garble level is high, but not too high. There, it makes perfect sense, because of sheer volume - even if 10% of the spammers use OCR, it reduced hundreds of thousands of other spams.
You are trying to continue serving hundreds of real users, and shut out ONE spammer. Captcha is a horrible choice for that solution.
You've had multiple suggestions of alternatives: Moderation before go-live, keyword matching, and improvements in your captcha design.
If you read the link I posted earlier however, you'd see that virtually every major captcha system out there can be extremely effectively defeated with software.
-
JPlush76
- Forum Regular
- Posts: 819
- Joined: Thu Aug 01, 2002 5:42 pm
- Location: Los Angeles, CA
fyi there is a new PECL extension that produces a new "audio captcha" in php. You basically pass it a string of text and it outputs a stephen hawking type wav form.
http://www.jeremyjohnstone.com/blog/arc ... e-in-pecl/
audio is pretty easy to read in wav forms so you'll either have to add background noise or use questions, intelligent wav forms.