
CAPTCHA - Really need some help

Posted: Tue Jan 31, 2006 10:15 pm
by Groone
Hey, I'm new here - found the site just surfing the other day and saw a great community of programmers that I wanted to be a part of. Lots to learn from you people. Anyhow, sorry for my first post being one of a problem but it is.

I have been working on CAPTCHA and I just can't seem to block a spammer that is hitting a guestbook that I made. The guestbook is at http://www.groonesworld.com/gbook/index.php?act=add

The spammer is posting things like

"Just wanted to say that the site has really grown from strength to strength."
"I must confuses your site is really cool!!! Great site, great idea, just all round great work, everyone."
"One sentence. The site is awesome. Just great Keep it up and up!!! An excellent website indeed!"
"http://h1.ripway.com/loans/mobile-home-loan.html mobile home loan http://h1.ripway.com/loans/home-loan.html [url=h"
"Nice site! Color scheme no bad... Add spam protect and be happy ! Random code =763"

I end the CAPTCHA image session, I have grids in the image, I have random marks on the image, I have the letters and numbers turning. I use mt_rand and then I run them through md5 with a substr. I am to the point of thinking this is an actual person typing this stuff in...

I have tried to capture the real IP but have failed. This guy puts on a message like every hour... I don't want him/her to stop because I want to figure out how to stop him/her. I guess I could store the messages in the db and release them as I see fit; sucks to have to do that. I was also thinking maybe a challenge question of some sort.

Anyone got any ideas?

Thanks!

Posted: Wed Feb 01, 2006 3:31 am
by Jenk
Whilst CAPTCHAs are not foolproof, often the fault is not the quality of the image, but a fault in the logic.

Please post your code (remember to edit any sensitive info!) and I, and I am sure others, will try to assist as best we can from there :)

Welcome to DN :)

Here it is

Posted: Wed Feb 01, 2006 6:14 am
by Groone
Here is the captcha code I am using.


<?php
session_start();

// Build a $length-character code. Each character is one hex digit taken from
// the MD5 of a random number, so the alphabet is 0-9 and a-f.
function strrand($length)
{
    $str = "";

    while (strlen($str) < $length) {
        // mt_rand() seeds itself; reseeding from microtime() on every
        // iteration (as the original did) only narrows the seed to about a
        // million possible values, so that call has been dropped.
        $random = mt_rand(48, 122);
        $random = md5($random);
        $str .= substr($random, 17, 1);
    }

    return $str;
}

// Store the code in the session so the form handler can check it later.
$text = $_SESSION['string'] = strrand(5);

header("Content-type: image/png");

// Base image supplied by the poster (black.png).
$im = imagecreatefrompng("black.png");

$color = imagecolorallocate($im, 255, 255, 255);

$font = 'WALSHESO.TTF';
$fontsize = 25;

// Draw each character separately with its own angle and baseline position.
imagettftext($im, $fontsize, 25, 10, 29, $color, $font, substr($text, 0, 1));
imagettftext($im, $fontsize, 2, 20, 24, $color, $font, substr($text, 1, 1));
imagettftext($im, $fontsize, 15, 40, 29, $color, $font, substr($text, 2, 1));
imagettftext($im, $fontsize, 45, 70, 24, $color, $font, substr($text, 3, 1));
imagettftext($im, $fontsize, 3, 80, 29, $color, $font, substr($text, 4, 1));

imagepng($im);
imagedestroy($im);

?>
I decided to use md5 to get my characters because I learned that when the spammer places "Random Number=765" or "Magic Number=563" or something like that on the entry it is a way for them to find the random seed. By randomizing it and then placing each character through MD5 there is an extra bit of randomness I suppose. The length of my code is 5 characters so they have to do abcdef1234567890 which is a heck of a lot of numbers to sequence.

Okay, to accept the security code I use the following


// Strip special characters from the submitted code before comparing it.
$mySecretCode = htmlspecialchars($_REQUEST['code']);

if ($mySecretCode != $_SESSION['string']) {
    die("<center><STRONG>Security code does not match image code.</STRONG></center>");
}

// Clear the code once it has been used.
$_SESSION['string'] = "";
$mySecretCode = "";
First I make sure there are no special characters coming in from the form to break my challenge. If the challenge does not match, the program dies, and if it does match, the session is destroyed and the variable cleansed.

Now, after adding this last font, I didn't get any more entries into the guestbook. The font is easy enough to read, but I can imagine it would be heck on an OCR program.
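An added example, not Groone's code, that measures what the strrand() above can actually produce and shows a generator built on random_int() instead of reseeding mt_rand(). It reproduces the original's character-selection step for every value mt_rand(48, 122) can return, then draws from a fixed alphabet of its own; CAPTCHA_ALPHABET, originalAlphabet() and strrandSecure() are names chosen for this example.

```php
<?php
// Added example: not code from the original post. It inspects the alphabet of
// the poster's strrand() and shows a CSPRNG-based replacement.

// Reproduce the selection step of the original strrand() for every value
// mt_rand(48, 122) can return, to see which symbols can ever appear in a code.
// Each symbol is a hex digit of an MD5 string, so the set is at most 0-9a-f.
function originalAlphabet(): array
{
    $seen = [];
    for ($n = 48; $n <= 122; $n++) {
        $seen[substr(md5((string) $n), 17, 1)] = true;
    }
    ksort($seen);
    return array_keys($seen);
}

// Hardened generator: an explicit alphabet without look-alike glyphs
// (no 0/O, 1/l/I), drawn with random_int(), which is a CSPRNG and needs no
// seeding. This alphabet is an assumption of the example, not the poster's.
const CAPTCHA_ALPHABET = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ';

function strrandSecure(int $length): string
{
    $alphabet = CAPTCHA_ALPHABET;
    $max = strlen($alphabet) - 1;
    $str = '';
    for ($i = 0; $i < $length; $i++) {
        $str .= $alphabet[random_int(0, $max)];
    }
    return $str;
}

$alphabet = originalAlphabet();
printf("original strrand() can emit %d distinct symbols: %s\n",
    count($alphabet), implode('', $alphabet));
printf("keyspace for 5 characters: %s (original) vs %s (32-symbol alphabet)\n",
    number_format(count($alphabet) ** 5), number_format(32 ** 5));
printf("sample hardened code: %s\n", strrandSecure(5));
```

The point of the first function is that passing a number through md5() does not add randomness; it only maps mt_rand's output onto a small set of hex digits, so the keyspace is that set raised to the code length. The second function shows the usual shape of a generator: pick the alphabet deliberately, and let the platform's CSPRNG choose from it.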

Posted: Wed Feb 01, 2006 6:50 am
by Jenk
From what I can see, there may be a fault with your logic in the 'unsetting' of your $_SESSION['string'] variable.

Instead of:


<?php $_SESSION['string'] = ""; ?>
use:


<?php unset($_SESSION['string']); ?>
And in your if challenge, to avoid a notice error use:


<?php

if ((isset($_SESSION['string'])) && ($_SESSION['string'] == $mySecretCode)) {
 //etc..

?>
The reason for this is the user (or spam bot..) will only need to attempt a login once (which will most likely fail) and then after that, they no longer need to revalidate.. as they won't need to submit a code at all, as the code is now blank. (The spam bot/user will simply avoid running the image script to regen a new code, and can then submit the rest of the information, including the session id to allow them access to the blog/comments :))

HTH :)
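The flaw Jenk describes and the corrected check, as an added example that is not part of either poster's code. It keeps the original session key $_SESSION['string'] and request field code; the function names, the constant-time comparison and the case-insensitive match are choices made for this example.

```php
<?php
// Added example: not code from the thread. Shows why a blanked session value
// lets an empty submission through, and a check that cannot be passed that way.
session_start();

// The original comparison, reduced to its decision: true means die().
function originalCheckRejects(string $sessionValue, string $supplied): bool
{
    return $supplied != $sessionValue;
}

// Hardened check. Takes the session array by reference so the code can be
// removed as soon as it has been read: a code is single use whether the
// guess was right or wrong, so a failed guess cannot be retried against the
// same value and a successful one cannot be replayed with the same session.
function verifyCaptcha(array &$session, array $request): bool
{
    $expected = isset($session['string']) ? (string) $session['string'] : '';
    unset($session['string']);

    $supplied = isset($request['code']) ? (string) $request['code'] : '';

    // A missing or blank expected value is a failure, never a free pass.
    if ($expected === '' || $supplied === '') {
        return false;
    }

    // Case-insensitive (the image is harder to read than to type) and
    // constant-time, so response timing does not leak how many characters
    // matched. Escaping for HTML belongs at output, not here.
    return hash_equals(strtoupper($expected), strtoupper($supplied));
}

// Constructed demonstration: after the original code set the session value to
// "", a request with no code at all satisfied the loose comparison.
$staleSession = ['string' => ''];
$emptyRequest = [];
$originalAccepts = !originalCheckRejects($staleSession['string'], $emptyRequest['code'] ?? '');
$hardenedAccepts = verifyCaptcha($staleSession, $emptyRequest);
printf("blank session value: original accepts=%s, hardened accepts=%s\n",
    $originalAccepts ? 'yes' : 'no', $hardenedAccepts ? 'yes' : 'no');

// Normal use in the form handler.
if (!verifyCaptcha($_SESSION, $_REQUEST)) {
    die("<center><strong>Security code does not match image code.</strong></center>");
}
```

Running the demonstration prints that the original check accepts the blank-session case and the hardened one does not. Because verifyCaptcha() unsets the value before deciding, the image script has to be requested again for every attempt, which is exactly the step the post says a bot would otherwise skip.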

Re: CAPTCHA - Really need some help

Posted: Wed Feb 01, 2006 7:44 am
by Roja
Groone wrote:I have been working on CAPTCHA and I just can't seem to block a spammer that is hitting a guestbook that I made.
Captchas are extremely ineffective. They present little challenge to automated software. They inconvenience users, they prevent visually impaired users from using your site, and they also add extra processing time to your site.

A simple solution is to instead put a time-delay moderation around the guestbook. If it's not a shoutbox, there should be little negative impact to adding a delay before the comment is displayed. Check in to moderate a few times a day, and it's all good. No impact to visually impaired users, no increased load on your site, and a minor annoyance for you. When their scripts test to see if they were effective on your site (and weren't), they'll soon stop.

Posted: Wed Feb 01, 2006 8:53 am
by Groone
Thanks Jenk, I appreciate the help. That is a much better means for challenging the response and ensuring it is entered.

Posted: Wed Feb 01, 2006 10:36 am
by Maugrim_The_Reaper
Why not just filter the incoming message for keywords and block those spammed messages? No CAPTCHAs to prevent anyone with sight problems from using your guestbook, and no more spams (or relatively few - they all use similar keywords in their spam for some reason).

I'm with Roja on CAPTCHA use. Better to block spammers alone, not spammers AND people who are visually impaired... I can think of few places where it's really justified - maybe combating certain limited forms of exploits from online bots - but spamming is too predictable to qualify. Most spammers do not vary their attacks - they rely on volume rather than innovation in blog spamming (most blogs these days can easily filter spam with few exceptions).

Posted: Wed Feb 01, 2006 10:49 am
by pilau
Maugrim_The_Reaper wrote:Why not just filter the incoming message for keywords and block those spammed messages?
Because it could prevent "honest" users from posting their own messages.

Posted: Wed Feb 01, 2006 1:11 pm
by Groone
pilau wrote:
Maugrim_The_Reaper wrote:Why not just filter the incoming message for keywords and block those spammed messages?
Because it could prevent "honest" users from posting their own messages.
I agree, I think more "honest" people would be blocked because of keywords than blind people. Since blind folks on the web are such a significantly low population, I'll chance CAPTCHA. Also, my initial post isn't asking if CAPTCHA is a viable solution, I just needed help with it.

Posted: Wed Feb 01, 2006 5:30 pm
by Maugrim_The_Reaper
And I was simply pointing out a viable alternative that did not effectively discriminate against a minority. If CAPTCHA is your goal then fine - the post wasn't intended as off-topic.

Posted: Wed Feb 01, 2006 5:44 pm
by Roja
Groone wrote: I agree, I think more "honest" people would be blocked because of keywords than blind people. Since blind folks on the web are such a significantly low population, I'll chance CAPTCHA. Also, my initial post isn't asking if CAPTCHA is a viable solution, I just needed help with it.
I'm not looking to argue, however, your statement isn't accurate. Your first post specifically said you were looking at alternatives (challenge questions), and the amount of detail made clear you wanted an effective solution to blocking the spammer. You even specifically said that CAPTCHA was not working.

Now, if after discussion, you've decided you just want help on CAPTCHA, cool, don't blame you. However, to claim after the fact that you didn't want what you said you wanted is a little less than honest/fair. :)

As to the "significantly low population" of visually impaired users, it's not nearly as low as you think. I'll give you a hint: one of the posters in this very thread is visually impaired.

But it's worse than that - it excludes real people without visual issues too - people that can't honestly read it because you've made it garbled enough to make it difficult for OCR software. If you don't, there is no real reason to do it - it doesn't stop automated software, which was the goal in the first place.

I've seen *one* situation in the entire history of the net where CAPTCHA was absolutely the right choice: Yahoo's personals. They offer a sound alternative version, and even an email alternative if THAT doesn't work. The garble level is high, but not too high. There, it makes perfect sense, because of sheer volume - even if 10% of the spammers use OCR, it reduced hundreds of thousands of other spams.

You are trying to continue serving hundreds of real users, and shut out ONE spammer. Captcha is a horrible choice for that solution.

You've had multiple suggestions of alternatives: Moderation before go-live, keyword matching, and improvements in your captcha design.

If you read the link I posted earlier however, you'd see that virtually every major captcha system out there can be extremely effectively defeated with software.

Posted: Wed Feb 01, 2006 11:22 pm
by JPlush76
FYI there is a new PECL extension that produces a new "audio captcha" in PHP. You basically pass it a string of text and it outputs a Stephen Hawking type wav form.

http://www.jeremyjohnstone.com/blog/arc ... e-in-pecl/

Audio is pretty easy to read in wav forms, so you'll either have to add background noise or use questions, intelligent wav forms.

Posted: Thu Feb 02, 2006 11:15 am
by Groone
Okay, got the CAPTCHA working fine, thanks for the help everyone. I am opening another thread to discuss another type of challenge that I started thinking about: Alternating Sequential User Input Challenge - ASUIC - and it doesn't have anything to do with graphics.