[support] Many false applications for accounts
Philip_Wetzel at nhd.uscourts.gov
Philip_Wetzel at nhd.uscourts.gov
Tue Apr 8 12:03:14 UTC 2014
That's true. What I meant is that they have succeeded in teaching
computers to hack
earlier versions of CAPTCHA. They've had to make the images more and more
complicated.
From: Walt Daniels <wdlists at gmail.com>
To: MBR <mbr at arlsoft.com>,
Cc: "support at drupal.org" <support at drupal.org>,
support-bounces at drupal.org
Date: 04/07/2014 10:10 PM
Subject: Re: [support] Many false applications for accounts
Sent by: support-bounces at drupal.org
Correct! There is no possible fix for hiring real humans to register unless
you have an out of bounds way of telling your friends a secret that they
can supply when asked. It can't be something that the bad guys can find
with an internet search such as the price of gold on Feb 3, 2010. It needs
to something as hard as a hard password. At which point you may as well
just register them yourself and let them recover their password to set it
to something they know.
On Mon, Apr 7, 2014 at 9:43 PM, MBR <mbr at arlsoft.com> wrote:
CAPTCHA = "Completely Automated Public Turing test to tell Computers and
Humans Apart"
CAPTCHA doesn't necessarily imply sending a distorted image. It's any
test that can distinguish between computers and humans. So, if the bad
guys are able to hire humans on the cheap, then CAPTCHA has been broken
in a way that can't be fixed.
Mark
On 4/7/14 7:28 AM, Philip_Wetzel at nhd.uscourts.gov wrote:
The CAPTCHA code has been broken a number of times and they've
re-engineered it. If it's not currently effective, they'll
probably come
up
with a fix. The game goes on.
From: MBR <mbr at arlsoft.com>
To: support at drupal.org, wdlists at gmail.com,
Date: 04/05/2014 12:31 PM
Subject: Re: [support] Many false applications for accounts
Sent by: support-bounces at drupal.org
It's been reported that the bad guys have set up CAPTCHA-breaking
networks
that distribute the CAPTCHA to people in third-world countries who
get paid
a small amount for each CAPTCHA they solve. It's looking like
CAPTCHA is no
longer effective.
I had to solve this problem for a site that was getting hit by
about 15
bogus account-registrations per hour, even though CAPTCHA was
enabled. The
most effective approach I know of at present is to install a module
that
does reverse-CAPTCHA - i.e. instead of asking the human to prove
he's
human, it tricks the malware that's trying to pretend to be a human
into
demonstrating behavior that proves it's just a dumb piece of
software. It
does this by adding additional <input> tags to every <form> and
making them
invisible with CSS. A human won't fill in these fields because
they won't
be displayed. But software that's just parsing HTML will find these
fields
and fill them in, thus allowing the code on your server to
distinguish
between responses from humans and responses from machines.
Among the modules that implement this approach are Honeypot,
Botcha, and
Spamicide. I tried Botcha, but I ran into installation problems. I
didn't
try Spamicide because it had a critical bug report claiming that
the
installation erased the default/files directory. Honeypot
installed
without problems and instantly cut the rate of bogus registrations
dramatically. It didn't cut it all the way to 0 as I'd hoped it
would, but
the rate dropped from about 15/hr. to about 3/day.
Mark Rosenthal
mbr at arlsoft.com
On 4/5/14 8:51 AM, Walt Daniels wrote:
I get them to, but it is not mollom's fault. They are
actually
registering and typing the captcha just like a legitimate
user. In
our case they even have to use a legitimate email as they
cannot do
anything more than an anonymous user until the verify their
email. I
don't see any pattern I could apply to the user names that
would
distinguish them from our valid users who have some pretty
weird
usernames. You could find or right a module that enforced
using "real
names", i.e. John Doe. But I even got some like that that
turn out to
be spammers.
On Sat, Apr 5, 2014 at 8:13 AM, Linda Romey
<lromey at gmail.com> wrote:
I am having the same issue. Have you contacted Mollom?
That's on my
to-do list. I'm not sure of the value of the monthly fee if
I still
have to continually monitor my site and delete spam
accounts
manually.
On Sat, Apr 5, 2014 at 8:09 AM, James Rome
<jamesrome at gmail.com>
wrote:
I have Mollom installed, but yet a handful of account
applications
escape their captcha/analysis each day. The problem is
that the
only
obviously wrong field is the username, which is not listed
as a
field in
the Mollom configuration. I get names such as:
qropspension_5362
Is there any other way to get rid of these would-be
spammers?
--
James A. Rome
http://jamesrome.net
--
[ Drupal support list | http://lists.drupal.org/ ]
--
[ Drupal support list | http://lists.drupal.org/ ]
--
[ Drupal support list | http://lists.drupal.org/ ]
--
[ Drupal support list | http://lists.drupal.org/ ]
More information about the support
mailing list