[support] Many false applications for accounts

Jamie Holly hovercrafter at earthlink.net
Tue Apr 8 02:32:10 UTC 2014


BINGO!

Just remember, spam accounts are a problem that even Google, Facebook, 
Yahoo, Hotmail, etc. face. With all that manpower and money, they 
can't stop it, simply because it can't be stopped. Sure, you can make the 
spammers jump through hoops to register, but at the same time 
your regular users are going to have to do the same thing. People 
already balk at having to register, so making it even harder is just 
going to kill off our website.

The only real prevention is coming up with a system to raise flags on 
suspicious account registrations and then have a person actually manage 
them. Outside of that, there isn't much more. That, and making automation 
tools is a lot simpler today. Process a web page and CSS to make sure 
something is hidden or not? That used to require a ton of work a couple 
of years ago. Now you can do it in less than 100 lines of code in 
Node.js and PhantomJS. You can even easily trigger key events in order 
on the form to make it look like a human is typing things in.

It's just become a fact of life and something we all have to learn to 
deal with. I really think the next generation of spam combating modules 
that will provide the best level of defense are going to be more geared 
towards raising warning flags than prevention (3 registrations from the 
same IP in an hour? Require admin authorization on any further ones.), 
because prevention is so easy for these guys to get around now.

Jamie Holly
http://hollyit.net

On 4/7/2014 10:09 PM, Walt Daniels wrote:
> Correct! There is no possible fix for hiring real humans to register 
> unless you have an out-of-band way of telling your friends a secret 
> that they can supply when asked. It can't be something that the bad 
> guys can find with an internet search, such as the price of gold on Feb 
> 3, 2010. It needs to be something as hard as a hard password. At which 
> point you may as well just register them yourself and let them recover 
> their password to set it to something they know.
>
>
> On Mon, Apr 7, 2014 at 9:43 PM, MBR <mbr at arlsoft.com> wrote:
>
>     CAPTCHA = "Completely Automated Public Turing test
>     to tell Computers and Humans Apart"
>
>     CAPTCHA doesn't necessarily imply sending a distorted image.  It's
>     any test that can distinguish between computers and humans.  So,
>     if the bad guys are able to hire humans on the cheap, then CAPTCHA
>     has been broken in a way that can't be fixed.
>
>         Mark
>
>     On 4/7/14 7:28 AM, Philip_Wetzel at nhd.uscourts.gov wrote:
>>     The CAPTCHA code has been broken a number of times and they've
>>     re-engineered it. If it's not currently effective, they'll probably come
>>     up with a fix. The game goes on.
>>
>>
>>
>>     From: MBR <mbr at arlsoft.com>
>>     To: support at drupal.org, wdlists at gmail.com
>>     Date: 04/05/2014 12:31 PM
>>     Subject: Re: [support] Many false applications for accounts
>>     Sent by: support-bounces at drupal.org
>>
>>
>>
>>     It's been reported that the bad guys have set up CAPTCHA-breaking networks
>>     that distribute the CAPTCHA to people in third-world countries who get paid
>>     a small amount for each CAPTCHA they solve. It's looking like CAPTCHA is no
>>     longer effective.
>>
>>     I had to solve this problem for a site that was getting hit by about 15
>>     bogus account-registrations per hour, even though CAPTCHA was enabled. The
>>     most effective approach I know of at present is to install a module that
>>     does reverse-CAPTCHA - i.e. instead of asking the human to prove he's
>>     human, it tricks the malware that's trying to pretend to be a human into
>>     demonstrating behavior that proves it's just a dumb piece of software. It
>>     does this by adding additional <input> tags to every <form> and making them
>>     invisible with CSS.  A human won't fill in these fields because they won't
>>     be displayed. But software that's just parsing HTML will find these fields
>>     and fill them in, thus allowing the code on your server to distinguish
>>     between responses from humans and responses from machines.
>>
>>     Among the modules that implement this approach are Honeypot, Botcha, and
>>     Spamicide. I tried Botcha, but I ran into installation problems.  I didn't
>>     try Spamicide because it had a critical bug report claiming that the
>>     installation erased the default/files directory.  Honeypot installed
>>     without problems and instantly cut the rate of bogus registrations
>>     dramatically.  It didn't cut it all the way to 0 as I'd hoped it would, but
>>     the rate dropped from about 15/hr. to about 3/day.
>>            Mark Rosenthal
>>            mbr at arlsoft.com
>>     On 4/5/14 8:51 AM, Walt Daniels wrote:
>>            I get them too, but it is not Mollom's fault. They are actually
>>            registering and typing the CAPTCHA just like a legitimate user. In
>>            our case they even have to use a legitimate email, as they cannot do
>>            anything more than an anonymous user until they verify their email. I
>>            don't see any pattern I could apply to the user names that would
>>            distinguish them from our valid users, who have some pretty weird
>>            usernames. You could find or write a module that enforced using "real
>>            names", i.e. John Doe. But I even got some like that that turned out to
>>            be spammers.
>>
>>
>>            On Sat, Apr 5, 2014 at 8:13 AM, Linda Romey <lromey at gmail.com> wrote:
>>              I am having the same issue. Have you contacted Mollom? That's on my
>>              to-do list. I'm not sure of the value of the monthly fee if I still
>>              have to continually monitor my site and delete spam accounts
>>              manually.
>>
>>
>>              On Sat, Apr 5, 2014 at 8:09 AM, James Rome <jamesrome at gmail.com>
>>              wrote:
>>               I have Mollom installed, but yet a handful of account applications
>>               escape their captcha/analysis each day. The problem is that the
>>               only obviously wrong field is the username, which is not listed as a
>>               field in the Mollom configuration. I get names such as: qropspension_5362
>>
>>               Is there any other way to get rid of these would-be spammers?
>>
>>               --
>>               James A. Rome
>>
>>               http://jamesrome.net
>>
>>               --
>>               [ Drupal support list |http://lists.drupal.org/  ]
>>
>>
>>
>>
>>
>>
>
>
>
>
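The two defences discussed in this thread, the CSS-hidden honeypot input that only HTML-parsing bots fill in (Mark's reverse-CAPTCHA description) and the "3 registrations from the same IP in an hour" flag for admin review (Jamie's suggestion), as one added example that is not code from the thread or from any Drupal module; the field name, CSS class name and thresholds are assumptions.

```python
import time
from collections import defaultdict, deque

# Added example, not code from the thread or from any Drupal module. It combines
# the two defences discussed: a CSS-hidden honeypot <input> that only
# HTML-parsing bots fill in, and a per-IP counter that flags bursts for admin
# review instead of blocking. Field name, class name and thresholds are assumed.

HONEYPOT_FIELD = "homepage_url"  # assumed decoy name; never shown to a human
RATE_LIMIT = 3                   # attempts per window before flagging
WINDOW_SECONDS = 3600            # "3 registrations from the same IP in an hour"


def honeypot_markup(field_name=HONEYPOT_FIELD):
    """Decoy input for the registration <form>. The 'hp-field' class is assumed
    to be hidden by the site stylesheet (display:none), so browsers never
    render it, while a parser walking the raw HTML still sees a text input."""
    return ('<div class="hp-field"><label>Leave this field empty</label>'
            f'<input type="text" name="{field_name}" value=""></div>')


class RegistrationScreener:
    """Returns 'accept', 'reject' or 'flag' for each registration attempt."""

    def __init__(self, now=time.time):
        self.now = now                     # injectable clock for testing
        self.recent = defaultdict(deque)   # ip -> attempt timestamps in window

    def _attempts_in_window(self, ip, ts):
        q = self.recent[ip]
        while q and ts - q[0] >= WINDOW_SECONDS:
            q.popleft()                    # expire attempts older than the window
        q.append(ts)
        return len(q)

    def screen(self, ip, fields):
        """fields: dict of submitted POST parameters (constructed in tests)."""
        attempts = self._attempts_in_window(ip, self.now())
        # A non-empty honeypot is the bot's own proof that it parsed raw HTML.
        if fields.get(HONEYPOT_FIELD, "").strip():
            return "reject"
        if attempts > RATE_LIMIT:
            return "flag"                  # hold for admin authorization
        return "accept"


if __name__ == "__main__":
    print(honeypot_markup())
    print(RegistrationScreener().screen("198.51.100.7", {HONEYPOT_FIELD: "x"}))
```

Rejected honeypot hits still count toward the per-IP window, so a burst of bot attempts behind a shared NAT puts later registrations from that address in front of an admin rather than silently refusing them.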
