Don't click here if you agree. I think I've seen the Write "I agree" one before. Click here if you would like us to download a virus to your computer. Ok, I'm getting ridiculous.
From: Jamie Holly hovercrafter@earthlink.net
To: support@drupal.org
Date: 04/08/2014 11:19 AM
Subject: Re: [support] Many false applications for accounts
Sent by: support-bounces@drupal.org
And to the point that even humans have trouble seeing what they are! There's been more than a few sites I decided "screw it" and not register because their captcha was about impossible to read.
But when you think about it, everything else in a registration form can be automated. My guess is a lot of these people have simple plugins they have written for their browsers to fill out the forms, then those paid humans only have to figure out the CAPTCHA. I remember years ago when there were programs out there to bulk register Yahoo accounts. All you had to do was enter the CAPTCHA for each one.
That just got me thinking. Something that might help is something non-captcha that changes. Say a "check here to agree to our terms" checkbox a lot of sites have. What if that got changed around to a few different things:
- Check here to agree
- Check here to not-agree
- Enter "i agree" in the textbox.
If someone is manually registering each account, that would of course not work, but if they are registering once and creating a "template" of the registration for an automation process, then that might work out. To even complicate it more, you could make it to where that area is disabled or hidden until the person actually scrolls to the bottom of the terms.
Like I said, it wouldn't stop them, but it would give them another hoop to jump through and one that wouldn't be that bad on regular users.
Jamie Holly http://hollyit.net
On 4/8/2014 8:03 AM, Philip_Wetzel@nhd.uscourts.gov wrote:
That's true. What I meant is that they have succeeded in teaching computers to hack earlier versions of CAPTCHA. They've had to make the images more and more complicated.
From: Walt Daniels wdlists@gmail.com
To: MBR mbr@arlsoft.com
Cc: "support@drupal.org" support@drupal.org, support-bounces@drupal.org
Date: 04/07/2014 10:10 PM
Subject: Re: [support] Many false applications for accounts
Sent by: support-bounces@drupal.org

Correct! There is no possible fix for hiring real humans to register unless you have an out of bounds way of telling your friends a secret that they can supply when asked. It can't be something that the bad guys can find with an internet search such as the price of gold on Feb 3, 2010. It needs to be something as hard as a hard password. At which point you may as well just register them yourself and let them recover their password to set it to something they know.
On Mon, Apr 7, 2014 at 9:43 PM, MBR mbr@arlsoft.com wrote:

CAPTCHA = "Completely Automated Public Turing test to tell Computers and Humans Apart"

CAPTCHA doesn't necessarily imply sending a distorted image. It's any test that can distinguish between computers and humans. So, if the bad guys are able to hire humans on the cheap, then CAPTCHA has been broken in a way that can't be fixed.

Mark

On 4/7/14 7:28 AM, Philip_Wetzel@nhd.uscourts.gov wrote:

The CAPTCHA code has been broken a number of times and they've re-engineered it. If it's not currently effective, they'll probably come up with a fix. The game goes on.
From: MBR <mbr@arlsoft.com>
To: support@drupal.org, wdlists@gmail.com
Date: 04/05/2014 12:31 PM
Subject: Re: [support] Many false applications for accounts
Sent by: support-bounces@drupal.org

It's been reported that the bad guys have set up CAPTCHA-breaking networks that distribute the CAPTCHA to people in third-world countries who get paid a small amount for each CAPTCHA they solve. It's looking like CAPTCHA is no longer effective.

I had to solve this problem for a site that was getting hit by about 15 bogus account-registrations per hour, even though CAPTCHA was enabled.

The most effective approach I know of at present is to install a module that does reverse-CAPTCHA - i.e. instead of asking the human to prove he's human, it tricks the malware that's trying to pretend to be a human into demonstrating behavior that proves it's just a dumb piece of software. It does this by adding additional <input> tags to every <form> and making them invisible with CSS. A human won't fill in these fields because they won't be displayed. But software that's just parsing HTML will find these fields and fill them in, thus allowing the code on your server to distinguish between responses from humans and responses from machines.

Among the modules that implement this approach are Honeypot, Botcha, and Spamicide. I tried Botcha, but I ran into installation problems. I didn't try Spamicide because it had a critical bug report claiming that the installation erased the default/files directory. Honeypot installed without problems and instantly cut the rate of bogus registrations dramatically. It didn't cut it all the way to 0 as I'd hoped it would, but the rate dropped from about 15/hr. to about 3/day.

Mark Rosenthal
mbr@arlsoft.com

On 4/5/14 8:51 AM, Walt Daniels wrote:

I get them too, but it is not Mollom's fault. They are actually registering and typing the captcha just like a legitimate user. In our case they even have to use a legitimate email as they cannot do anything more than an anonymous user until they verify their email. I don't see any pattern I could apply to the user names that would distinguish them from our valid users who have some pretty weird usernames. You could find or write a module that enforced using "real names", i.e. John Doe. But I even got some like that that turn out to be spammers.

On Sat, Apr 5, 2014 at 8:13 AM, Linda Romey <lromey@gmail.com> wrote:

I am having the same issue. Have you contacted Mollom? That's on my to-do list. I'm not sure of the value of the monthly fee if I still have to continually monitor my site and delete spam accounts manually.

On Sat, Apr 5, 2014 at 8:09 AM, James Rome <jamesrome@gmail.com> wrote:

I have Mollom installed, but yet a handful of account applications escape their captcha/analysis each day. The problem is that the only obviously wrong field is the username, which is not listed as a field in the Mollom configuration. I get names such as:

qropspension_5362

Is there any other way to get rid of these would-be spammers?

--
James A. Rome
http://jamesrome.net

-- [ Drupal support list | http://lists.drupal.org/ ]
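The reverse-CAPTCHA check described in the thread (a decoy `<input>` hidden with CSS, then a server-side test of whether it came back filled in), as an added example that is not part of the original messages and is not code from Honeypot, Botcha or Spamicide. The field name `homepage`, the form markup and the sample POST bodies are assumptions constructed for illustration; flagging a POST that omits the decoy entirely is an added check beyond what the thread describes.

```python
from urllib.parse import parse_qs

HONEYPOT = "homepage"  # hypothetical decoy field name, not taken from any module


def render_form():
    """Registration form with one decoy <input> hidden from humans by CSS."""
    return (
        '<style>.hp-wrap{display:none}</style>\n'
        '<form method="post" action="/user/register">\n'
        '  <input type="text" name="name">\n'
        '  <input type="email" name="mail">\n'
        '  <div class="hp-wrap"><label>Leave this field empty'
        # autocomplete=off keeps browser autofill from tripping the check.
        f'<input type="text" name="{HONEYPOT}" autocomplete="off" tabindex="-1">'
        '</label></div>\n'
        '  <input type="submit" value="Create account">\n'
        '</form>'
    )


def classify(body):
    """Return 'human', 'bot-filled' or 'bot-missing' for a urlencoded POST body."""
    # keep_blank_values=True matters: a browser submits the hidden field as
    # "homepage=", and parse_qs would otherwise drop that key entirely.
    fields = parse_qs(body, keep_blank_values=True)
    if HONEYPOT not in fields:
        # A browser sends every named text input, even when empty. Absence
        # means the POST was not produced by submitting this form.
        return "bot-missing"
    if any(value.strip() for value in fields[HONEYPOT]):
        return "bot-filled"  # something typed into a field no human can see
    return "human"


# Constructed sample submissions (not captured traffic).
SAMPLES = {
    "browser": "name=jdoe&mail=jdoe%40example.org&homepage=",
    "filler": "name=user_a&mail=a%40example.net&homepage=http%3A%2F%2Fexample.com",
    "template": "name=user_b&mail=b%40example.net",
}


def run_samples():
    return {label: classify(body) for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:9} -> {verdict}")
```

A submission classified as `human` only means the decoy was left alone; as the thread notes, a paid person registering through a real browser passes this check.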