<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Times New Roman, Times, serif">Good thinking, Jamie. I
hope you can find something else unique besides the Firefox
versions that Tor is built on. While it's certainly true that the
bad guys like the anonymity that Tor provides, there are also
legitimate reasons why people might want anonymity. And I don't
think any of us would want to lock out of our websites all users
who are browsing with the same version of Firefox that the bad
guys are using.<br>
<br>
Let us know if you find any other characteristics unique to the
bogus registrants.<br>
</font>
<blockquote><font face="Times New Roman, Times, serif">Mark
Rosenthal</font><br>
<font face="Times New Roman, Times, serif"><a class="moz-txt-link-abbreviated" href="mailto:mbr@arlsoft.com">mbr@arlsoft.com</a></font><br>
<font face="Times New Roman, Times, serif"></font></blockquote>
<div class="moz-cite-prefix">On 4/5/14 12:48 PM, Jamie Holly wrote:<br>
</div>
<blockquote cite="mid:534033F8.8010501@earthlink.net" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">One thing I have done is a simple
module to capture all the $_POST and $_SERVER variables, along
with the new $user object and log them on a user registration
submit. Just did it to a simple text file located in a directory
that isn't in the web root. That gives a lot of good information
to look through and determine certain signatures of spammers.
One of the big ones is the presence of Firefox 24, 17 or 8.
Those are Firefox versions that Tor is built on, and spammers
seem to love Tor. <br>
<br>
It seems tedious, but actually it's kind of fun, making you feel
like you're playing detective. <br>
<br>
<pre class="moz-signature" cols="72">Jamie Holly
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://hollyit.net">http://hollyit.net</a></pre>
On 4/5/2014 12:30 PM, MBR wrote:<br>
</div>
<blockquote cite="mid:53402FA9.2090008@arlsoft.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<font face="Times New Roman, Times, serif">It's been reported
that the bad guys have set up CAPTCHA-breaking networks that
distribute the CAPTCHA to people in third-world countries who
get paid a small amount for each CAPTCHA they solve. It's
looking like CAPTCHA is no longer effective.<br>
<br>
I had to solve this problem for a site that was getting hit by
about 15 bogus account-registrations per hour, even though
CAPTCHA was enabled. The most effective approach I know of at
present is to install a module that does reverse-CAPTCHA -
i.e. instead of asking the human to prove he's human, it
tricks the malware that's trying to pretend to be a human into
demonstrating behavior that proves it's just a dumb piece of
software. It does this by adding additional <input> tags
to every <form> and making them invisible with CSS. A
human won't fill in these fields because they won't be
displayed. But software that's just parsing HTML will find
these fields and fill them in, thus allowing the code on your
server to distinguish between responses from humans and
responses from machines.<br>
<br>
Among the modules that implement this approach are Honeypot,
Botcha, and Spamicide. I tried Botcha, but I ran into
installation problems. I didn't try Spamicide because it had
a critical bug report claiming that the installation erased
the default/files directory. Honeypot installed without
problems and instantly cut the rate of bogus registrations
dramatically. It didn't cut it all the way to 0 as I'd hoped
it would, but the rate dropped from about 15/hr. to about
3/day.<br>
</font>
<blockquote><font face="Times New Roman, Times, serif">Mark
Rosenthal</font><br>
<font face="Times New Roman, Times, serif"><a
moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:mbr@arlsoft.com">mbr@arlsoft.com</a></font><font
face="Times New Roman, Times, serif"> </font><br>
</blockquote>
<div class="moz-cite-prefix">On 4/5/14 8:51 AM, Walt Daniels
wrote:<br>
</div>
<blockquote
cite="mid:CALZ-9dX5ANepeMJ=ND_hoEK4dYfrAm13awv7G6M_RaXO0xFSqw@mail.gmail.com"
type="cite">
<div dir="ltr">I get them to, but it is not mollom's fault.
They are actually registering and typing the captcha just
like a legitimate user. In our case they even have to use a
legitimate email as they cannot do anything more than an
anonymous user until the verify their email. I don't see any
pattern I could apply to the user names that would
distinguish them from our valid users who have some pretty
weird usernames. You could find or right a module that
enforced using "real names", i.e. John Doe. But I even got
some like that that turn out to be spammers.</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Sat, Apr 5, 2014 at 8:13 AM,
Linda Romey <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:lromey@gmail.com" target="_blank">lromey@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I am having the same issue. Have you
contacted Mollom? That's on my to-do list. I'm not
sure of the value of the monthly fee if I still have
to continually monitor my site and delete spam
accounts manually.</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Sat, Apr 5, 2014 at
8:09 AM, James Rome <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:jamesrome@gmail.com"
target="_blank">jamesrome@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"> I have Mollom
installed, but yet a handful of account
applications<br>
escape their captcha/analysis each day. The
problem is that the only<br>
obviously wrong field is the username, which
is not listed as a field in<br>
the Mollom configuration. I get names such as:
qropspension_5362<br>
<br>
Is there any other way to get rid of these
would-be spammers?<br>
<span><font color="#888888"><br>
--<br>
James A. Rome<br>
<br>
<a moz-do-not-send="true"
href="http://jamesrome.net"
target="_blank">http://jamesrome.net</a><br>
<br>
--<br>
[ Drupal support list | <a
moz-do-not-send="true"
href="http://lists.drupal.org/"
target="_blank">http://lists.drupal.org/</a>
]<br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
</div>
<br>
--<br>
[ Drupal support list | <a moz-do-not-send="true"
href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a>
]<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>