<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">BINGO!<br>
<br>
Just remember, spam accounts is a problem that even Google,
Facebook, Yahoo, Hotmail, etc. even face. Of all that man power
and money, they can't stop it, simply because it can't be stopped.
Sure you can make the spammers have to jump through hoops to
register, but at the same time your regular users are going to
have to do the same thing. People already balk at having to
register, so making it even harder is just going to kill off our
website.<br>
<br>
The only real prevention is coming up with a system to raise flags
of suspicious account registrations and then have a person
actually manage them. Outside of that, there isn't much more. That
and making automation tools is a lot simpler today. Process a web
page and CSS to make sure something is hidden or not? That used to
require a ton of work a couple of years ago. Now you can do it in
less than 100 lines of code in Node.js and PhantomJS. You can even
easily trigger key events in order on the form to make it look
like a human is typing things in. <br>
<br>
It's just become a fact of life and something we all have to learn
to deal with. I really think the next generation of spam combating
modules that will provide the best level of defense are going to
be more geared towards raising warning flags than prevention (3
registrations from the same IP in an hour? Require admin
authorization on any further ones.), because prevention is so easy
for these guys to get around now.<br>
<br>
<pre class="moz-signature" cols="72">Jamie Holly
<a class="moz-txt-link-freetext" href="http://hollyit.net">http://hollyit.net</a></pre>
On 4/7/2014 10:09 PM, Walt Daniels wrote:<br>
</div>
<blockquote
cite="mid:CALZ-9dUQcfv-OoDH3L=AZ08msP4+nXmF9gfvh_O+U5Fm1idOeA@mail.gmail.com"
type="cite">
<div dir="ltr">Correct! There is no possible fix for hiring real
humans to register unless you have an out of bounds way of
telling your friends a secret that they can supply when asked.
It can't be something that the bad guys can find with an
internet search such as the price of gold on Feb 3, 2010. It
needs to something as hard as a hard password. At which point
you may as well just register them yourself and let them recover
their password to set it to something they know.</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Apr 7, 2014 at 9:43 PM, MBR <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:mbr@arlsoft.com" target="_blank">mbr@arlsoft.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <font face="Times
New Roman, Times, serif">CAPTCHA = "<u><b>C</b></u>ompletely
<u><b>A</b></u>utomated <u><b>P</b></u>ublic <u><b>T</b></u>uring
test to tell <u><b>C</b></u>omputers and <u><b>H</b></u>umans
<u><b>A</b></u>part"<br>
<br>
CAPTCHA doesn't necessarily imply sending a distorted
image. It's any test that can distinguish between
computers and humans. So, if the bad guys are able to
hire humans on the cheap, then CAPTCHA has been broken
in a way that can't be fixed.<br>
</font>
<blockquote><font face="Times New Roman, Times, serif">Mark</font><br>
</blockquote>
<div>
<div class="h5"> On 4/7/14 7:28 AM, <a
moz-do-not-send="true"
href="mailto:Philip_Wetzel@nhd.uscourts.gov"
target="_blank">Philip_Wetzel@nhd.uscourts.gov</a>
wrote:<br>
<blockquote type="cite">
<pre>The CAPTCHA code has been broken a number of times and they've
re-engineered it. If it's not currently effective, they'll probably come
up
with a fix. The game goes on.
From: MBR <a moz-do-not-send="true" href="mailto:mbr@arlsoft.com" target="_blank"><mbr@arlsoft.com></a>
To: <a moz-do-not-send="true" href="mailto:support@drupal.org" target="_blank">support@drupal.org</a>, <a moz-do-not-send="true" href="mailto:wdlists@gmail.com" target="_blank">wdlists@gmail.com</a>,
Date: 04/05/2014 12:31 PM
Subject: Re: [support] Many false applications for accounts
Sent by: <a moz-do-not-send="true" href="mailto:support-bounces@drupal.org" target="_blank">support-bounces@drupal.org</a>
It's been reported that the bad guys have set up CAPTCHA-breaking networks
that distribute the CAPTCHA to people in third-world countries who get paid
a small amount for each CAPTCHA they solve. It's looking like CAPTCHA is no
longer effective.
I had to solve this problem for a site that was getting hit by about 15
bogus account-registrations per hour, even though CAPTCHA was enabled. The
most effective approach I know of at present is to install a module that
does reverse-CAPTCHA - i.e. instead of asking the human to prove he's
human, it tricks the malware that's trying to pretend to be a human into
demonstrating behavior that proves it's just a dumb piece of software. It
does this by adding additional <input> tags to every <form> and making them
invisible with CSS. A human won't fill in these fields because they won't
be displayed. But software that's just parsing HTML will find these fields
and fill them in, thus allowing the code on your server to distinguish
between responses from humans and responses from machines.
Among the modules that implement this approach are Honeypot, Botcha, and
Spamicide. I tried Botcha, but I ran into installation problems. I didn't
try Spamicide because it had a critical bug report claiming that the
installation erased the default/files directory. Honeypot installed
without problems and instantly cut the rate of bogus registrations
dramatically. It didn't cut it all the way to 0 as I'd hoped it would, but
the rate dropped from about 15/hr. to about 3/day.
Mark Rosenthal
<a moz-do-not-send="true" href="mailto:mbr@arlsoft.com" target="_blank">mbr@arlsoft.com</a>
On 4/5/14 8:51 AM, Walt Daniels wrote:
I get them to, but it is not mollom's fault. They are actually
registering and typing the captcha just like a legitimate user. In
our case they even have to use a legitimate email as they cannot do
anything more than an anonymous user until the verify their email. I
don't see any pattern I could apply to the user names that would
distinguish them from our valid users who have some pretty weird
usernames. You could find or right a module that enforced using "real
names", i.e. John Doe. But I even got some like that that turn out to
be spammers.
On Sat, Apr 5, 2014 at 8:13 AM, Linda Romey <a moz-do-not-send="true" href="mailto:lromey@gmail.com" target="_blank"><lromey@gmail.com></a> wrote:
I am having the same issue. Have you contacted Mollom? That's on my
to-do list. I'm not sure of the value of the monthly fee if I still
have to continually monitor my site and delete spam accounts
manually.
On Sat, Apr 5, 2014 at 8:09 AM, James Rome <a moz-do-not-send="true" href="mailto:jamesrome@gmail.com" target="_blank"><jamesrome@gmail.com></a>
wrote:
I have Mollom installed, but yet a handful of account applications
escape their captcha/analysis each day. The problem is that the
only
obviously wrong field is the username, which is not listed as a
field in
the Mollom configuration. I get names such as: qropspension_5362
Is there any other way to get rid of these would-be spammers?
--
James A. Rome
<a moz-do-not-send="true" href="http://jamesrome.net" target="_blank">http://jamesrome.net</a>
--
[ Drupal support list | <a moz-do-not-send="true" href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]
--
[ Drupal support list | <a moz-do-not-send="true" href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]
--
[ Drupal support list | <a moz-do-not-send="true" href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]
</pre>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>