Dynamic CAPTCHAs

Nao

  • Dadman with a boy
  • Posts: 16,061
Dynamic CAPTCHAs
« on May 6th, 2011, 07:31 PM »
Feature: Dynamic CAPTCHAs
Developer: Arantor
Target: users, admins
Status: 100% (complete; by its nature, more captchas will be added in the future as needed.)
Comment:

A captcha is a script that shows an image with usually some text in it, and asks you to confirm what the image says. It's a relatively effective measure taken against spam bots, but it only works as long as bots aren't updated to be able to decrypt the captcha. For that reason, new captchas need to be used as soon as one is found to be ineffective against non-human spam.
Wedge gets around this by implementing a more robust captcha system. It's built as a plug-in system that allows you to write your own captchas, or simply drop in new captchas written by others. One captcha = one file in the captcha folder. As simple as that. Wedge includes 10 new captchas, some of which use animated GIFs built dynamically.

Re: Dynamic CAPTCHAs
« Reply #1, on May 27th, 2011, 04:54 AM »
Not sure if this is the correct place, but.... :whistle:

While discussing the nightmare of trying to block spammers via IP once IPv6 is in full swing, I happened to think of this.

One way of stopping spam bots would be to let them ban themselves. No anti-spam database required.
All it would take is a javascript timer (with random wait times) on the registration page. The submit url could be seen by bots, thus they would fill in the info, crack the CAPTCHA and hit the submit url before the timer ran out. At which time they would be instantly banned/rejected.
This could also be added to the "New Member" group, which will catch any that do get past the registration page.

The main key here is, slowing down the time bots can join and post, without causing to much frustration/irritation for humans.
Using CAPTCHA is an annoyance. But waiting a few seconds for a submit/post button to become active... not so much.

Of course they can just figure out what the maximum wait time is and set the bot accordingly. But, if the max time is say 30 seconds... and they have a list of 50K sites to spam.....  :hmm:

Anyway, it was just a thought.

Re: Dynamic CAPTCHAs
« Reply #2, on May 27th, 2011, 08:22 AM »
Wedge's CAPTCHA is very easy to read. I have failed a lot of SMF CAPTCHAs, even those set to medium complexity, and for Wedge? Zero! Make of that what you will.

Re: Dynamic CAPTCHAs
« Reply #3, on May 27th, 2011, 09:24 AM »
Yeah, slowing them down doesn't make too much difference in the real world of things, actually - all it means is the difference between 1,000 and a couple of hundred spam messages - either way it's still a royal pain to deal with.

What is needed is more defence in depth; SMF (and to a lesser degree Wedge) are mostly hard-shell solutions, rather than defences that sit beyond just registration.

Re: Dynamic CAPTCHAs
« Reply #4, on May 27th, 2011, 10:56 AM »
We could however set a delay to a couple of seconds. I suppose some bots could fill in a form and crack the captcha instantly, while a human definitely can't...

Re: Dynamic CAPTCHAs
« Reply #5, on May 27th, 2011, 11:37 AM »
That's the thing though, most bots these days are actually getting smart enough that they know not to hit it straight away...

Re: Dynamic CAPTCHAs
« Reply #6, on May 27th, 2011, 04:31 PM »
From the bots hitting my traps, the majority will login, and post within 1 to 5 seconds. (the record is 8 join,posts a second)
But generally, humans cannot/don't login and post a 2600+ character message within 3 seconds.
Quote
Yeah, slowing them down doesn't make too much difference in the real world of things, actually - all it means is the difference between 1,000 and a couple of hundred spam messages - either way it's still a royal pain to deal with.
Slowing them down is only part of it. The other part of the variable timer thing is that they will hit the submit/post url before a human could.

Checking my traps logs I'd say the max time a bot will stay on a forum is 10 seconds. Seems the average is around 5, with 1 page hit per second. (roughly)

Re: Dynamic CAPTCHAs
« Reply #7, on May 27th, 2011, 04:48 PM »
Did you set the flood control in Admin > Posts and Topics > Post Settings? That would mitigate (not solve) posters posting more than once so quickly.

As for posting a 2600 character message within 3 seconds, what happens if I already prepared my message in another editor and simply copy/paste it?

Note that as soon as the bot authors realise what's going on, they will simply alter the code to pause, or set it to not come back quite so often. It still doesn't really solve the problem :(

Re: Dynamic CAPTCHAs
« Reply #8, on May 28th, 2011, 12:24 AM »
Quote from Arantor on May 27th, 2011, 04:48 PM
Did you set the flood control in Admin > Posts and Topics > Post Settings? That would mitigate (not solve) posters posting more than once so quickly.
One my good forums it's set. On the traps.. they have free reign. (as far as that goes)
Quote
As for posting a 2600 character message within 3 seconds, what happens if I already prepared my message in another editor and simply copy/paste it?
Once a person is a member.... well really, it wouldn't make any difference. The "Post" button would be grayed out until x seconds have passed. Once they have made xx number of posts, the timer or speed would not be a factor. Plus even if you did C&P a message, you couldn't submit until the timer ran out. Unless it was a bot.
Quote
Note that as soon as the bot authors realise what's going on, they will simply alter the code to pause, or set it to not come back quite so often. It still doesn't really solve the problem :(
This would be true, IF every forum was using the same timer. Also, it would be very rare that a spammer would slow his posting down to once every 30 seconds.
Going from 100 every 5 seconds to 100 every 30 seconds is a big deal when you have a list of 50K+ forums and 100 adds to blast.

Even if they set it not to come back as often, they would still have to wait xx seconds after hitting the new message page before submitting the post.

Look at from a humans point...
You hit the register page, the "Submit" button is grayed out with a timer counting down. It runs out and you join.
You go to post a message, same thing, the button is grayed out yada yada.. After x amount of posts, the timer is gone and you can post away.

Now,
From a spam bots point...
It hits the register page, it doesn't see the timer, but the url to submit. (Like it normally does)
It fills out the info, hits submit.. busted, rejected. xrumer shows a fail for that forum. (some will then remove the url others are to dumb)
IF it gets past the registration page, chances are, it will get nailed on the first post. Which will cause them to be suspended awaiting admin/mod approval, deletion or whatever. :)

A timer on the registration page is in use by some forums, and seems to work very well, from what I heard.
But keep in mind, a timer would not be common like CAPTCHA is, and therefore spammers are not going to bother adjusting the posting speed for just a few hundred forums. There are millions more they can post to. And I really don't think the authors would spend the time coding a parser either. At least not until it becomes as popular as CAPTCHA. But by then, we'll have something else to trow in their way. hehehe!

Please don't get me wrong! I'm defiantly NOT saying it's an end all be all solution! It's faaaar from that.
But, it is something that doesn't require checking internal or external anti-spam databases, keeping it updated, adding stuff to the htaccess etc...

Re: Dynamic CAPTCHAs
« Reply #9, on May 28th, 2011, 12:47 AM »
Quote
You hit the register page, the "Submit" button is grayed out with a timer counting down. It runs out and you join.
You go to post a message, same thing, the button is grayed out yada yada.. After x amount of posts, the timer is gone and you can post away.
Waste of time. All it does is actually inhibit genuine users, especially users who run with JS disabled (either because of security concerns, or simply they're using a screen reader).

That, and the fact that if you're relying on the browser to enforce something securely like that, you can take it out. Consider it: even on the user side, a significant minority have access to development tools either out of the box of with minimal effort (Firefox has Firebug, Chrome/Safari have the dev tools, Opera has Dragonfly) that can happily override this sort of thing.

A *human* spammer might see the form and be stopped by it, but a bot certainly won't be, it won't even see it.
Quote
It fills out the info, hits submit.. busted, rejected. xrumer shows a fail for that forum. (some will then remove the url others are to dumb)
So you implement that. And let's say for the sake of argument that we add this by default and that we become popular, at least that can be mentioned in the same sentence as other free forums without the phrase "unlike phpBB or MyBB" in there. As soon as it becomes even remotely commonplace, xrumer's devs will adapt.
Quote
But keep in mind, a timer would not be common like CAPTCHA is, and therefore spammers are not going to bother adjusting the posting speed for just a few hundred forums.
Yes, but if it proves successful it will be adopted by other systems. The security is, at best, through relative obscurity, not because it's actually secure by design.
Quote
But, it is something that doesn't require checking internal or external anti-spam databases, keeping it updated, adding stuff to the htaccess etc...
Adopt that mindset and you already lose the battle. It is an arms race, you must be vigilant and the only way to win in the long run is to be sufficiently unique that you're not worth the effort in breaking. Being adaptive means you are always mutating the methodology that has to be beaten.

You cannot create a single system that stands up long-term against malicious types, but you can make it harder; the CAPTCHA in Wedge is an order of magnitude better than SMF's - it's more readable whilst being deliberately difficult for bots. It's far from invulnerable, but it requires much more effort to do something with because instead of presenting multiple variations of a theme like the existing systems do, it presents multiple distinct styles, with inherited variations of those - you won't even guarantee that the next CAPTCHA you get will be in the same style as before...


I get what you're saying, but honestly, it is a mechanism that will cause more hassles than it will solve to implement. I've seen it done before, and it makes little or no difference in the long run.

Re: Dynamic CAPTCHAs
« Reply #10, on May 28th, 2011, 05:41 PM »
Quote
So you implement that. And let's say for the sake of argument that we add this by default and that we become popular, at least that can be mentioned in the same sentence as other free forums without the phrase "unlike phpBB or MyBB" in there. As soon as it becomes even remotely commonplace, xrumer's devs will adapt.
That is very true!
And the more "optional" security measures that are end user configurable the better. Doesn't mater if they are all used at once or only one, every one of them have to be detected and cracked. There comes a point when the cost of bypassing verses posting speed/processor load makes it a waste of time.
Take for example xrumers re-CAPTCHA auto solve feature. It puts a load on the processor slowing down posting to the point that some suggest not using it and using an external solving service, or just manually solve it.
I feel Wedges CAPTCHA will be the same way.  :niark:

But you are absolutely correct in being unique and changing. You have to be!!
Anyway, I'll stop pestering you! LOL!

Re: Dynamic CAPTCHAs
« Reply #11, on May 31st, 2011, 11:44 AM »
Anyway one thing is sure:
Quote
Anyone that fills out the registration form in 1 second is a bot. Period. No ifs, ands, or buts.
Of course they can change xrunner (or whatever similar program they use to spam) to adapt to that, but I don't think they will, because the main point in using this kind of spam programs is to register and post in thousands of forums as fast as possible.

They may find a lot easier to move to forums where they don't need to wait every time they register a new user to fill the registration form at "human" speed.

Anyway I don't like too much to talk about these things in public and would prefer to keep these conversations in our private places. The less ideas we give the enemy the better.  :eheh:

Re: Dynamic CAPTCHAs
« Reply #12, on May 31st, 2011, 12:11 PM »
They will if Wedge becomes popular, especially if it becomes popular in a way that makes it predictable.

That said, we can actually get a bit more creative there ;)

Re: Dynamic CAPTCHAs
« Reply #13, on February 27th, 2013, 11:48 PM »
Not to be up an old subject here, but I have used Keycaptcha on every site I have had and I never had a problem with spammers. Probably due to the fact you have to deal with images not numbers and letters and questions. Something like this would be great instead of your run of the mill captchas every other software uses.

Re: Dynamic CAPTCHAs
« Reply #14, on February 27th, 2013, 11:52 PM »
Firstly, other software has KeyCAPTCHA built in. Secondly, I don't like involving third parties in anything. Thirdly, it's so nice to feel like my work is appreciated.

Re: Dynamic CAPTCHAs
« Reply #15, on February 28th, 2013, 12:01 AM »
Quote from Arantor on February 27th, 2013, 11:52 PM
Firstly, other software has KeyCAPTCHA built in. Secondly, I don't like involving third parties in anything. Thirdly, it's so nice to feel like my work is appreciated.
Understandable and I agree about 3rd party software.I was just suggesting something along that line since I know it works to stop spammers.Your work is also appreciated , don't let anyone tell you it's not :P