[support] Many false applications for accounts

Philip_Wetzel at nhd.uscourts.gov
Tue Apr 8 12:03:14 UTC 2014


That's true.  What I meant is that they have succeeded in teaching computers
to hack earlier versions of CAPTCHA.  They've had to make the images more and
more complicated.



From:	Walt Daniels <wdlists at gmail.com>
To:	MBR <mbr at arlsoft.com>,
Cc:	"support at drupal.org" <support at drupal.org>,
            support-bounces at drupal.org
Date:	04/07/2014 10:10 PM
Subject:	Re: [support] Many false applications for accounts
Sent by:	support-bounces at drupal.org



Correct! There is no possible fix for hiring real humans to register unless
you have an out of bounds way of telling your friends a secret that they
can supply when asked. It can't be something that the bad guys can find
with an internet search such as the price of gold on Feb 3, 2010. It needs
to be something as hard as a hard password. At which point you may as well
just register them yourself and let them recover their password to set it
to something they know.


On Mon, Apr 7, 2014 at 9:43 PM, MBR <mbr at arlsoft.com> wrote:
  CAPTCHA = "Completely Automated Public Turing test to tell Computers and
  Humans Apart"

  CAPTCHA doesn't necessarily imply sending a distorted image.  It's any
  test that can distinguish between computers and humans.  So, if the bad
  guys are able to hire humans on the cheap, then CAPTCHA has been broken
  in a way that can't be fixed.
        Mark
  On 4/7/14 7:28 AM, Philip_Wetzel at nhd.uscourts.gov wrote:
        The CAPTCHA code has been broken a number of times and they've
        re-engineered it.    If it's not currently effective, they'll
        probably come up with a fix.  The game goes on.



        From:		 MBR <mbr at arlsoft.com>
        To:		 support at drupal.org, wdlists at gmail.com,
        Date:		 04/05/2014 12:31 PM
        Subject:		 Re: [support] Many false applications for accounts
        Sent by:		 support-bounces at drupal.org



        It's been reported that the bad guys have set up CAPTCHA-breaking
        networks that distribute the CAPTCHA to people in third-world
        countries who get paid a small amount for each CAPTCHA they solve.
        It's looking like CAPTCHA is no longer effective.

        I had to solve this problem for a site that was getting hit by about
        15 bogus account-registrations per hour, even though CAPTCHA was
        enabled. The most effective approach I know of at present is to
        install a module that does reverse-CAPTCHA - i.e. instead of asking
        the human to prove he's human, it tricks the malware that's trying
        to pretend to be a human into demonstrating behavior that proves
        it's just a dumb piece of software. It does this by adding
        additional <input> tags to every <form> and making them invisible
        with CSS.  A human won't fill in these fields because they won't be
        displayed. But software that's just parsing HTML will find these
        fields and fill them in, thus allowing the code on your server to
        distinguish between responses from humans and responses from
        machines.

        Among the modules that implement this approach are Honeypot, Botcha,
        and Spamicide. I tried Botcha, but I ran into installation problems.
        I didn't try Spamicide because it had a critical bug report claiming
        that the installation erased the default/files directory.  Honeypot
        installed without problems and instantly cut the rate of bogus
        registrations dramatically.  It didn't cut it all the way to 0 as
        I'd hoped it would, but the rate dropped from about 15/hr. to about
        3/day.
              Mark Rosenthal
              mbr at arlsoft.com
        On 4/5/14 8:51 AM, Walt Daniels wrote:
              I get them too, but it is not Mollom's fault. They are actually
              registering and typing the captcha just like a legitimate user.
              In our case they even have to use a legitimate email as they
              cannot do anything more than an anonymous user until they
              verify their email. I don't see any pattern I could apply to
              the user names that would distinguish them from our valid users
              who have some pretty weird usernames. You could find or write a
              module that enforced using "real names", i.e. John Doe. But I
              even got some like that that turn out to be spammers.


              On Sat, Apr 5, 2014 at 8:13 AM, Linda Romey <lromey at gmail.com> wrote:
                I am having the same issue. Have you contacted Mollom? That's
                on my to-do list. I'm not sure of the value of the monthly fee
                if I still have to continually monitor my site and delete spam
                accounts manually.


                On Sat, Apr 5, 2014 at 8:09 AM, James Rome <jamesrome at gmail.com> wrote:
                 I have Mollom installed, but yet a handful of account
                 applications escape their captcha/analysis each day. The
                 problem is that the only obviously wrong field is the
                 username, which is not listed as a field in the Mollom
                 configuration. I get names such as: qropspension_5362

                 Is there any other way to get rid of these would-be spammers?

                 --
                 James A. Rome

                 http://jamesrome.net

                 --
                 [ Drupal support list | http://lists.drupal.org/ ]





--
[ Drupal support list | http://lists.drupal.org/ ]
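
The hidden-field ("reverse-CAPTCHA") check described in the quoted 04/05/2014 message, as an added Python example; it is not code from the thread or from the Honeypot, Botcha or Spamicide modules. The decoy field name, the form, the `/register` action and `classify()` are hypothetical, and treating a missing decoy field as "suspect" is this example's own choice.

```python
from html import escape
from html.parser import HTMLParser

HONEYPOT_FIELD = "homepage_url"   # hypothetical decoy name that looks like a real field
REAL_FIELDS = ("name", "mail")    # hypothetical visible registration fields

def render_form():
    """Registration form with one decoy <input> that CSS hides from people."""
    rows = [f'<label>{escape(f)} <input type="text" name="{escape(f)}"></label>'
            for f in REAL_FIELDS]
    rows.append('<div class="hp-wrap" aria-hidden="true">'
                f'<input type="text" name="{HONEYPOT_FIELD}" tabindex="-1" '
                'autocomplete="off"></div>')
    return ('<style>.hp-wrap{display:none}</style>'
            '<form method="post" action="/register">' + "".join(rows) + '</form>')

class InputNames(HTMLParser):
    """Lists input names as seen by software that parses HTML but ignores CSS."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        name = dict(attrs).get("name")
        if tag == "input" and name:
            self.names.append(name)

def classify(post):
    """Server-side check on the submitted fields: 'human', 'bot' or 'suspect'."""
    if HONEYPOT_FIELD not in post:
        # A browser submits empty text inputs too, so a request without the
        # decoy was not built by rendering this form.
        return "suspect"
    if post[HONEYPOT_FIELD].strip():
        return "bot"      # a value arrived in a field no person could see
    return "human"

def demo():
    parser = InputNames()
    parser.feed(render_form())
    # Constructed sample submissions (not real traffic).
    fills_every_input = {n: "qropspension_5362" for n in parser.names}
    browser_user = {"name": "jrome", "mail": "j@example.org", HONEYPOT_FIELD: ""}
    hand_built_post = {"name": "a", "mail": "b@example.org"}
    return [classify(p) for p in (fills_every_input, browser_user, hand_built_post)]

if __name__ == "__main__":
    print(demo())
```

The check only separates software from people, so a registration typed by a paid human passes it, which matches the residual rate reported in the thread.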


