I have Mollom installed, but yet a handful of account applications escape their captcha/analysis each day. The problem is that the only obviously wrong field is the username, which is not listed as a field in the Mollom configuration. I get names such as: qropspension_5362
Is there any other way to get rid of these would-be spammers?
I am having the same issue. Have you contacted Mollom? That's on my to-do list. I'm not sure of the value of the monthly fee if I still have to continually monitor my site and delete spam accounts manually.
On Sat, Apr 5, 2014 at 8:09 AM, James Rome jamesrome@gmail.com wrote:
[...]
-- [ Drupal support list | http://lists.drupal.org/ ]
I get them too, but it is not Mollom's fault. They are actually registering and typing the captcha just like a legitimate user. In our case they even have to use a legitimate email as they cannot do anything more than an anonymous user until they verify their email. I don't see any pattern I could apply to the user names that would distinguish them from our valid users who have some pretty weird usernames. You could find or write a module that enforced using "real names", i.e. John Doe. But I even got some like that that turn out to be spammers.
On Sat, Apr 5, 2014 at 8:13 AM, Linda Romey lromey@gmail.com wrote:
[...]
That's a huge problem that started a couple of years ago. There are some companies out there actually paying people X dollars for registering Y accounts on different sites. One of my clients was getting up to 1,000 registrations a day last year from these people. We finally let some through for a couple of days to post their spam, then checked what all the links were going to. They were different sites, but owned by one company in the UK. The lawyers sent this company a letter and it stopped.
The really sad part about this new tactic is that your options are greatly limited to the point of non-existent on stopping them. Since they are humans doing actual registrations, any attempts to thwart them will also get the regular users trying to sign up. You're left with actual human moderation to combat them.
Globally 2013 saw huge spikes in spamming activity. These people are getting more bold, and that does lead to us having to rethink a strategy to combat them. Here's some possibilities:
- Limit the number of registrations by IP in a given time frame. Either block or require admin authorization on future attempts. This works to an extent, but if people use something like Tor to register, then it doesn't.
- Create moderation displays, showing the first 5 posts and comments from new registrations.
- If you allow new users to post content, force the new post to a draft and email site administration/moderators to approve it. Once they get X approved posts, then they can publish.
- Depending on your site and users, require admin authorization on certain IP's based upon their geographical location (requires GeoIP library or 3rd party API).
No solution is perfect, but I have used a combination of these in the past for clients and they have been very happy with the results. Most options are only doable via custom coding though.
Jamie Holly http://hollyit.net
On 4/5/2014 8:51 AM, Walt Daniels wrote:
[...]
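The first and third items on Jamie's list (per-IP throttling, and holding a new account's first posts as drafts), written out as a small Drupal 7 module. This is an added example, not code from any list participant or from a Drupal project: the module name regguard, the three limits in the defines, and the assumption that a matching regguard.info file exists are all mine. It uses core's flood API for the throttle and hook_node_presave() for the draft rule.

```php
<?php
/**
 * @file
 * regguard.module (hypothetical name): per-IP registration throttling and
 * draft-until-trusted moderation for a Drupal 7 site.
 */

// Assumed limits; tune them to the site's real signup rate.
define('REGGUARD_MAX_PER_IP', 3);      // registrations allowed per IP per window
define('REGGUARD_WINDOW', 3600);       // window length in seconds
define('REGGUARD_TRUSTED_POSTS', 3);   // published posts before a user may self-publish

/**
 * Implements hook_form_FORM_ID_alter() for user_register_form.
 */
function regguard_form_user_register_form_alter(&$form, &$form_state) {
  $form['#validate'][] = 'regguard_register_validate';
  $form['#submit'][] = 'regguard_register_submit';
}

/**
 * Refuses the registration once this client IP has used up its window.
 * Caveat from the thread: shared or rotating egress (Tor, large NATs)
 * defeats an IP limit, so this only blunts bulk signups. Administrators
 * creating accounts from the admin UI are exempt.
 */
function regguard_register_validate($form, &$form_state) {
  if (user_access('administer users')) {
    return;
  }
  $ip = ip_address();
  if (!flood_is_allowed('regguard_register', REGGUARD_MAX_PER_IP, REGGUARD_WINDOW, $ip)) {
    form_set_error('name', t('Too many accounts have recently been created from your network. Please try again later.'));
    watchdog('regguard', 'Registration throttled for %ip.', array('%ip' => $ip), WATCHDOG_NOTICE);
  }
}

/**
 * Counts a successful registration against the IP's window.
 */
function regguard_register_submit($form, &$form_state) {
  flood_register_event('regguard_register', REGGUARD_WINDOW, ip_address());
}

/**
 * Implements hook_node_presave().
 *
 * A brand-new node whose author has fewer than REGGUARD_TRUSTED_POSTS
 * published nodes is saved unpublished and the site mail is notified.
 * Edits to existing nodes (a moderator publishing one) are left alone.
 */
function regguard_node_presave($node) {
  if (!empty($node->nid)) {
    return;
  }
  $author = user_load($node->uid);
  if (!$author || user_access('bypass node access', $author)) {
    return;
  }
  $published = (int) db_query(
    'SELECT COUNT(*) FROM {node} WHERE uid = :uid AND status = :status',
    array(':uid' => $node->uid, ':status' => NODE_PUBLISHED)
  )->fetchField();
  if ($published < REGGUARD_TRUSTED_POSTS) {
    $node->status = NODE_NOT_PUBLISHED;
    drupal_mail('regguard', 'moderate', variable_get('site_mail', ''), language_default(), array('node' => $node));
    drupal_set_message(t('Your post has been saved and will appear once a moderator has approved it.'));
  }
}

/**
 * Implements hook_mail().
 */
function regguard_mail($key, &$message, $params) {
  if ($key == 'moderate') {
    $node = $params['node'];
    $message['subject'] = t('Post awaiting approval: @title', array('@title' => $node->title));
    $message['body'][] = t('A post by user @uid has been held as a draft. Review it on the content overview page.',
      array('@uid' => $node->uid));
  }
}
```

The flood table is keyed on the event name plus the identifier, so the same module can throttle other forms (comments, contact) by registering them under a different name; the presave rule intentionally counts only published nodes, so an account whose drafts are rejected never becomes trusted by volume alone.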
Take a look at the spambot module. This module will check to see if an entered email address is in their database of known spammers and will not let them register if it is.
Ken
On Sat, Apr 5, 2014 at 10:23 AM, Jamie Holly hovercrafter@earthlink.net wrote:
[...]
I've used that before. It helps. About 3 years ago it was catching 75% of them. Now it's down to less than 10%.
Jamie Holly http://hollyit.net
On 4/5/2014 11:12 AM, Ken Robinson wrote:
[...]
At this point, may I suggest a spam prevention module that I wrote? It's called spaces_enforced and as the name implies, I force users to put spaces in usernames. New version also allows you to set your own character and how many of this character should occur in the username.
On 5 Apr 2014 18:22, "Jamie Holly" hovercrafter@earthlink.net wrote:
[...]
https://drupal.org/project/spambot indicates Spambot's maintenance status as "Minimally maintained". Honeypot and Botcha are under active development. I had difficulty installing Botcha but Honeypot installed just fine, and instantly cut the rate of bogus registrations from about 15/hr. to about 3/day.
Mark Rosenthal mbr@arlsoft.com
On 4/5/14 11:12 AM, Ken Robinson wrote:
[...]
It's been reported that the bad guys have set up CAPTCHA-breaking networks that distribute the CAPTCHA to people in third-world countries who get paid a small amount for each CAPTCHA they solve. It's looking like CAPTCHA is no longer effective.
I had to solve this problem for a site that was getting hit by about 15 bogus account-registrations per hour, even though CAPTCHA was enabled. The most effective approach I know of at present is to install a module that does reverse-CAPTCHA - i.e. instead of asking the human to prove he's human, it tricks the malware that's trying to pretend to be a human into demonstrating behavior that proves it's just a dumb piece of software. It does this by adding additional <input> tags to every <form> and making them invisible with CSS. A human won't fill in these fields because they won't be displayed. But software that's just parsing HTML will find these fields and fill them in, thus allowing the code on your server to distinguish between responses from humans and responses from machines.
Among the modules that implement this approach are Honeypot, Botcha, and Spamicide. I tried Botcha, but I ran into installation problems. I didn't try Spamicide because it had a critical bug report claiming that the installation erased the default/files directory. Honeypot installed without problems and instantly cut the rate of bogus registrations dramatically. It didn't cut it all the way to 0 as I'd hoped it would, but the rate dropped from about 15/hr. to about 3/day.
Mark Rosenthal mbr@arlsoft.com
On 4/5/14 8:51 AM, Walt Daniels wrote:
[...]
I'll try honeypot!
I've been making do with the attached script and adding things to .htaccess; it was surprisingly effective (though lately I'm seeing spam from within my own city).
One other thing I forgot to mention about Honeypot - besides implementing reverse-CAPTCHA, it also looks at how long it took from when your server sent the HTML with the <form> and when the response arrived. A lot of the malware out there is too dumb to delay a few seconds, so the malware sends its response faster than a human possibly could.
What's worrisome is that these solutions are only temporary measures. I can easily think of ways around both of these tests if I were writing code for the bad guys. So I expect that their programmers will implement such workarounds in the near future. And at that point we'll have no effective protection.
This is not just a Drupal problem - it affects every website regardless of what technology it's built with. So, please put the word out to any developers you know - we need to be dreaming up innovative ways of distinguishing between software-generated responses and human-generated responses right now so we'll be ready when the current approaches all start failing.
Mark Rosenthal mbr@arlsoft.com
On 4/5/14 12:38 PM, Dan Kegel wrote:
[...]
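The reverse-CAPTCHA technique Mark describes (an input hidden with CSS that a person never fills in) together with the elapsed-time check from his follow-up, written out as a Drupal 7 alteration of the registration form. This is an added example, not the Honeypot module's code or any list participant's: the module name formtrap, the field name website_url and the five-second threshold are assumptions. It hides the trap field with CSS rather than type="hidden", signs the render timestamp with the site's private key so a client cannot backdate it, and logs which test failed without telling the submitter.

```php
<?php
/**
 * @file
 * formtrap.module (hypothetical name): reverse-CAPTCHA and minimum
 * form-fill time for the Drupal 7 registration form.
 */

define('FORMTRAP_MIN_SECONDS', 5);   // assumed: a person needs at least this long

/**
 * Implements hook_form_FORM_ID_alter() for user_register_form.
 */
function formtrap_form_user_register_form_alter(&$form, &$form_state) {
  // The trap: an ordinary-looking text input that CSS moves off screen.
  // A person never sees it; a script filling every <input> it parses does.
  $form['website_url'] = array(
    '#type' => 'textfield',
    '#title' => t('Website'),
    '#default_value' => '',
    '#attributes' => array('autocomplete' => 'off', 'tabindex' => '-1'),
    '#prefix' => '<div class="formtrap-field">',
    '#suffix' => '</div>',
    '#attached' => array(
      'css' => array(
        '.formtrap-field { position: absolute; left: -9999px; }' => array('type' => 'inline'),
      ),
    ),
  );
  // The render time plus an HMAC under the site's private key, so the
  // client cannot submit an older timestamp. #default_value (not #value)
  // makes Drupal read the submitted copy back on POST.
  $form['formtrap_time'] = array(
    '#type' => 'hidden',
    '#default_value' => formtrap_sign(REQUEST_TIME),
  );
  $form['#validate'][] = 'formtrap_validate';
}

/**
 * Returns "<timestamp>|<hmac>" for the given timestamp.
 */
function formtrap_sign($time) {
  $key = drupal_get_private_key() . drupal_get_hash_salt();
  return $time . '|' . drupal_hmac_base64((string) $time, $key);
}

/**
 * Verifies a "<timestamp>|<hmac>" token; returns the timestamp or FALSE.
 */
function formtrap_verify($token) {
  $parts = explode('|', $token, 2);
  if (count($parts) != 2 || !ctype_digit($parts[0])) {
    return FALSE;
  }
  // Recompute rather than trust the submitted MAC.
  return formtrap_sign($parts[0]) === $token ? (int) $parts[0] : FALSE;
}

/**
 * Form validation: both tests must pass.
 */
function formtrap_validate($form, &$form_state) {
  $values = &$form_state['values'];

  // 1. The invisible field must come back empty.
  if (isset($values['website_url']) && $values['website_url'] !== '') {
    formtrap_reject('trap field was filled');
  }

  // 2. The form must have been rendered at least FORMTRAP_MIN_SECONDS ago.
  $rendered = formtrap_verify(isset($values['formtrap_time']) ? $values['formtrap_time'] : '');
  if ($rendered === FALSE) {
    formtrap_reject('timestamp missing or tampered with');
  }
  elseif (REQUEST_TIME - $rendered < FORMTRAP_MIN_SECONDS) {
    formtrap_reject('submitted after ' . (REQUEST_TIME - $rendered) . 's');
  }

  // Keep the helper fields out of the values user_save() would store.
  unset($values['website_url'], $values['formtrap_time']);
}

/**
 * Records the reason for the operator; the submitter only sees a generic error.
 */
function formtrap_reject($reason) {
  watchdog('formtrap', 'Registration rejected (@reason) from %ip.',
    array('@reason' => $reason, '%ip' => ip_address()), WATCHDOG_NOTICE);
  form_set_error('', t('There was a problem with your submission. Please try again.'));
}
```

The watchdog entries are the useful part for the operator: if rejections cluster on one of the two reasons, that tells you which test the current wave of submitters trips on, and a rising number of legitimate users hitting the time check is the signal to raise FORMTRAP_MIN_SECONDS back down.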
One thing I have done is a simple module to capture all the $_POST and $_SERVER variables, along with the new $user object and log them on a user registration submit. Just did it to a simple text file located in a directory that isn't in the web root. That gives a lot of good information to look through and determine certain signatures of spammers. One of the big ones is the presence of Firefox 24, 17 or 8. Those are Firefox versions that Tor is built on, and spammers seem to love Tor.
It seems tedious, but actually it's kind of fun, making you feel like you're playing detective.
Jamie Holly http://hollyit.net
On 4/5/2014 12:30 PM, MBR wrote:
[...]
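The capture Jamie describes, written out as a Drupal 7 hook that appends one JSON line per successful registration to a file outside the web root, plus an offline helper that tallies one request field so clusters stand out. This is an added example, not Jamie's module or any list participant's code: the module name regtrace and the log path are assumptions. It deliberately strips the password and form tokens before writing, keeps only a handful of request headers, and only reports; deciding whether a cluster is spammers or a legitimate group is left to the person reading it.

```php
<?php
/**
 * @file
 * regtrace.module (hypothetical name): writes the request behind every
 * successful registration as one JSON line in a file outside the web root.
 */

// Assumed path; must be outside DOCUMENT_ROOT and writable only by the web server user.
define('REGTRACE_LOG', '/var/log/drupal/registrations.jsonl');

/**
 * Implements hook_user_insert().
 */
function regtrace_user_insert(&$edit, $account, $category) {
  regtrace_write(regtrace_build_record($_POST, $_SERVER, $account));
}

/**
 * Builds the record to log. The password (pass[pass1]/pass[pass2] on the
 * registration form) and the form tokens are dropped first: a file of
 * plaintext passwords is a worse liability than the spam accounts.
 */
function regtrace_build_record(array $post, array $server, $account) {
  foreach (array('pass', 'form_token', 'form_build_id', 'form_id') as $key) {
    unset($post[$key]);
  }
  // Only the request headers that help when looking for clusters.
  $keep = array('REMOTE_ADDR', 'HTTP_X_FORWARDED_FOR', 'HTTP_USER_AGENT',
                'HTTP_ACCEPT_LANGUAGE', 'HTTP_REFERER');
  $env = array_intersect_key($server, array_flip($keep));
  return array(
    'time' => date('c', REQUEST_TIME),
    'uid' => $account->uid,
    'name' => $account->name,
    'mail' => $account->mail,
    'post' => $post,
    'server' => $env,
  );
}

/**
 * Appends one JSON line under an exclusive lock. Returns TRUE on success.
 */
function regtrace_write(array $record) {
  $line = json_encode($record) . "\n";
  $ok = @file_put_contents(REGTRACE_LOG, $line, FILE_APPEND | LOCK_EX);
  if ($ok === FALSE) {
    watchdog('regtrace', 'Could not write to @path.', array('@path' => REGTRACE_LOG), WATCHDOG_ERROR);
    return FALSE;
  }
  return TRUE;
}

/**
 * Offline helper (run from drush or a CLI script): counts how often each
 * value of one logged $_SERVER field appears, most common first, so a
 * repeated user agent, language header or address stands out.
 */
function regtrace_tally($path, $field = 'HTTP_USER_AGENT') {
  $counts = array();
  if (!is_readable($path)) {
    return $counts;
  }
  foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
    $record = json_decode($line, TRUE);
    $value = isset($record['server'][$field]) ? $record['server'][$field] : '(missing)';
    $counts[$value] = isset($counts[$value]) ? $counts[$value] + 1 : 1;
  }
  arsort($counts);
  return $counts;
}
```

Because the log contains e-mail addresses and IP addresses, treat it as personal data: restrict the file mode, rotate it, and keep it out of any directory the web server serves.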
Good thinking, Jamie. I hope you can find something else unique besides the Firefox versions that Tor is built on. While it's certainly true that the bad guys like the anonymity that Tor provides, there are also legitimate reasons why people might want anonymity. And I don't think any of us would want to lock out of our websites all users who are browsing with the same version of Firefox that the bad guys are using.
Let us know if you find any other characteristics unique to the bogus registrants.
Mark Rosenthal mbr@arlsoft.com
On 4/5/14 12:48 PM, Jamie Holly wrote:
One thing I have done is a simple module to capture all the $_POST and $_SERVER variables, along with the new $user object and log them on a user registration submit. Just did it to a simple text file located in a directory that isn't in the web root. That gives a lot of good information to look through and determine certain signatures of spammers. One of the big ones is the presence of Firefox 24, 17 or 8. Those are Firefox versions that Tor is built on, and spammers seem to love Tor.
It seems tedious, but actually it's kind of fun, making you feel like you're playing detective.
Jamie Holly http://hollyit.net On 4/5/2014 12:30 PM, MBR wrote:
It's been reported that the bad guys have set up CAPTCHA-breaking networks that distribute the CAPTCHA to people in third-world countries who get paid a small amount for each CAPTCHA they solve. It's looking like CAPTCHA is no longer effective.
I had to solve this problem for a site that was getting hit by about 15 bogus account-registrations per hour, even though CAPTCHA was enabled. The most effective approach I know of at present is to install a module that does reverse-CAPTCHA - i.e. instead of asking the human to prove he's human, it tricks the malware that's trying to pretend to be a human into demonstrating behavior that proves it's just a dumb piece of software. It does this by adding additional <input> tags to every <form> and making them invisible with CSS. A human won't fill in these fields because they won't be displayed. But software that's just parsing HTML will find these fields and fill them in, thus allowing the code on your server to distinguish between responses from humans and responses from machines.
Among the modules that implement this approach are Honeypot, Botcha, and Spamicide. I tried Botcha, but I ran into installation problems. I didn't try Spamicide because it had a critical bug report claiming that the installation erased the default/files directory. Honeypot installed without problems and instantly cut the rate of bogus registrations dramatically. It didn't cut it all the way to 0 as I'd hoped it would, but the rate dropped from about 15/hr. to about 3/day.
Mark Rosenthal mbr@arlsoft.com
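The two techniques in the message above, Jamie's "log everything on registration submit and look for signatures" module and the hidden-field "reverse CAPTCHA" that Mark describes, sketched as one Drupal 7 module. This is an added example for the thread, not Jamie's module and not the Honeypot module's code; the module name regguard, the log path /var/www/private/registrations.log and the five-second minimum fill time are assumptions.

```php
<?php
/**
 * @file
 * regguard.module: hypothetical Drupal 7 module, written as an added example
 * for this thread (not Jamie's module and not the Honeypot module). On the
 * registration form it (1) adds a CSS-hidden "reverse CAPTCHA" field and a
 * signed serve-time, rejecting submissions that fill the field or arrive too
 * fast, and (2) logs each completed self-registration as one JSON line in a
 * file outside the web root, with credentials redacted, for signature hunting.
 */

// Assumptions: the directory exists, is writable by the web server user and
// is NOT under the document root. Adjust to your layout.
define('REGGUARD_LOG_FILE', '/var/www/private/registrations.log');
// A human needs more than a few seconds to fill in a registration form.
define('REGGUARD_MIN_SECONDS', 5);

/**
 * Implements hook_form_FORM_ID_alter() for user_register_form.
 */
function regguard_form_user_register_form_alter(&$form, &$form_state) {
  // The trap: an ordinary text field with a plausible name that no browser
  // displays. Form fillers that populate every <input> they parse will put
  // something here; a human cannot.
  $form['regguard_website'] = array(
    '#type' => 'textfield',
    '#title' => t('Website'),
    '#default_value' => '',
    '#prefix' => '<div style="display:none !important;">',
    '#suffix' => '</div>',
    '#attributes' => array('autocomplete' => 'off', 'tabindex' => '-1'),
  );
  // Signed serve-time. Use #default_value, not #value: #value would be
  // recomputed when the form is rebuilt on submit and always look fresh.
  $form['regguard_time'] = array(
    '#type' => 'hidden',
    '#default_value' => regguard_sign_time(REQUEST_TIME),
  );
  // A page-cached form would hand every visitor the same timestamp.
  drupal_page_is_cacheable(FALSE);
  $form['#validate'][] = 'regguard_register_validate';
}

/**
 * Returns "<timestamp>|<hmac>", keyed with the site's private key and salt.
 */
function regguard_sign_time($time) {
  $key = drupal_get_private_key() . drupal_get_hash_salt();
  return $time . '|' . drupal_hmac_base64((string) $time, $key);
}

/**
 * Validation handler: reject the two bot signatures described above.
 */
function regguard_register_validate($form, &$form_state) {
  $values = $form_state['values'];
  $reason = '';
  if (!empty($values['regguard_website'])) {
    $reason = 'honeypot field filled';
  }
  else {
    $posted = isset($values['regguard_time']) ? (string) $values['regguard_time'] : '';
    $parts = array_pad(explode('|', $posted, 2), 2, '');
    $time = (int) $parts[0];
    // Recompute and compare; hash_equals() is preferable on PHP >= 5.6.
    if ($parts[0] . '|' . $parts[1] !== regguard_sign_time($time)) {
      $reason = 'timestamp missing or tampered with';
    }
    // Caveat: an old valid token can be replayed; this is a speed bump only.
    elseif (REQUEST_TIME - $time < REGGUARD_MIN_SECONDS) {
      $reason = 'submitted ' . (REQUEST_TIME - $time) . ' s after the form was served';
    }
  }
  if ($reason !== '') {
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    watchdog('regguard', 'Registration rejected (@reason) from %ip, UA %ua',
      array('@reason' => $reason, '%ip' => ip_address(), '%ua' => $ua), WATCHDOG_NOTICE);
    // Generic message on purpose: do not tell the bot which check fired.
    form_set_error('', t('There was a problem with your submission. Please try again.'));
  }
}

/**
 * Implements hook_user_insert().
 *
 * Fires once the account row exists, i.e. only for registrations that passed
 * every validation handler. Accounts created by an administrator are skipped.
 */
function regguard_user_insert(&$edit, $account, $category) {
  if (user_access('administer users')) {
    return;
  }
  $post = $_POST;
  // Never write credentials or form tokens to disk.
  unset($post['pass'], $post['form_token'], $post['form_build_id']);
  $header = function ($name) {
    return isset($_SERVER[$name]) ? $_SERVER[$name] : '';
  };
  $record = array(
    'time' => date('c', REQUEST_TIME),
    'uid' => $account->uid,
    'name' => $account->name,
    'mail' => $account->mail,
    'ip' => ip_address(),
    'user_agent' => $header('HTTP_USER_AGENT'),
    'accept_language' => $header('HTTP_ACCEPT_LANGUAGE'),
    'referer' => $header('HTTP_REFERER'),
    'post' => $post,
  );
  // One JSON object per line: easy to grep and to aggregate by field.
  file_put_contents(REGGUARD_LOG_FILE, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);
}
```

Because each record is a single JSON line, the signature hunting Jamie describes becomes a one-liner on the server, e.g. counting registrations per User-Agent with `jq -r .user_agent /var/www/private/registrations.log | sort | uniq -c | sort -rn`. Two caveats a practitioner should keep in mind: the file holds e-mail addresses and IPs, so treat it as personal data (restrict permissions, rotate and expire it); and the hidden-field check only catches software that fills every input it parses, which is exactly what Jamie points out later in the thread that a headless browser no longer does.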
The CAPTCHA code has been broken a number of times and they've re-engineered it. If it's not currently effective, they'll probably come up with a fix. The game goes on.
From: MBR mbr@arlsoft.com To: support@drupal.org, wdlists@gmail.com, Date: 04/05/2014 12:31 PM Subject: Re: [support] Many false applications for accounts Sent by: support-bounces@drupal.org
CAPTCHA = "Completely Automated Public Turing test to tell Computers and Humans Apart"
CAPTCHA doesn't necessarily imply sending a distorted image. It's any test that can distinguish between computers and humans. So, if the bad guys are able to hire humans on the cheap, then CAPTCHA has been broken in a way that can't be fixed.
Mark
Correct! There is no possible fix for hiring real humans to register unless you have an out of bounds way of telling your friends a secret that they can supply when asked. It can't be something that the bad guys can find with an internet search such as the price of gold on Feb 3, 2010. It needs to be something as hard as a hard password. At which point you may as well just register them yourself and let them recover their password to set it to something they know.
BINGO!
Just remember, spam accounts are a problem that even Google, Facebook, Yahoo, Hotmail, etc. face. With all that manpower and money, they can't stop it, simply because it can't be stopped. Sure you can make the spammers have to jump through hoops to register, but at the same time your regular users are going to have to do the same thing. People already balk at having to register, so making it even harder is just going to kill off our website.
The only real prevention is coming up with a system to raise flags of suspicious account registrations and then have a person actually manage them. Outside of that, there isn't much more. That and making automation tools is a lot simpler today. Process a web page and CSS to make sure something is hidden or not? That used to require a ton of work a couple of years ago. Now you can do it in less than 100 lines of code in Node.js and PhantomJS. You can even easily trigger key events in order on the form to make it look like a human is typing things in.
It's just become a fact of life and something we all have to learn to deal with. I really think the next generation of spam combating modules that will provide the best level of defense are going to be more geared towards raising warning flags than prevention (3 registrations from the same IP in an hour? Require admin authorization on any further ones.), because prevention is so easy for these guys to get around now.
Jamie Holly http://hollyit.net
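The "raise a flag instead of trying to prevent" approach Jamie sketches above (three registrations from one IP within an hour, then require administrator approval for any further ones), written out as an added example on top of Drupal 7's core flood API. It is not code from the thread or from any contributed module; the module name regflag, the variable names and the default of 3 per 3600 seconds are assumptions.

```php
<?php
/**
 * @file
 * regflag.module: hypothetical Drupal 7 module, written as an added example
 * for this thread (not code from the thread or from any contrib module).
 * Instead of blocking registrations outright, it flags bursts: once an IP
 * address has completed the threshold number of registrations inside the
 * window, further accounts from it are created blocked (status 0) and take
 * core's normal "pending administrator approval" path instead of being
 * activated automatically.
 */

// Assumed defaults; override with variable_set('regflag_threshold', ...) etc.
define('REGFLAG_DEFAULT_THRESHOLD', 3);   // accounts ...
define('REGFLAG_DEFAULT_WINDOW', 3600);   // ... per hour, per address

/**
 * Implements hook_form_FORM_ID_alter() for user_register_form.
 */
function regflag_form_user_register_form_alter(&$form, &$form_state) {
  // Our handler must run BEFORE core's user_register_submit(), which copies
  // $form_state['values']['status'] onto the account before saving it.
  if (!isset($form['#submit'])) {
    $form['#submit'] = array();
  }
  array_unshift($form['#submit'], 'regflag_register_submit');
}

/**
 * Submit handler: demote a burst registration to "pending approval".
 */
function regflag_register_submit($form, &$form_state) {
  // Administrators creating accounts are not the problem.
  if (user_access('administer users')) {
    return;
  }
  $threshold = variable_get('regflag_threshold', REGFLAG_DEFAULT_THRESHOLD);
  $window = variable_get('regflag_window', REGFLAG_DEFAULT_WINDOW);

  // The flood API keeps (event, identifier, timestamp) rows in {flood}; the
  // identifier defaults to ip_address(). Behind a reverse proxy, configure
  // $conf['reverse_proxy'] in settings.php, or every visitor shares the
  // proxy's address and the first burst flags everyone.
  if (flood_is_allowed('regflag_register', $threshold, $window)) {
    return;
  }
  // status 0 = blocked. user_register_submit() then skips the automatic
  // login, mails the "pending approval" notice and tells the visitor to wait.
  $form_state['values']['status'] = 0;
  watchdog('regflag',
    'Registration of %name held for review: %ip reached @n registrations within @w seconds.',
    array('%name' => $form_state['values']['name'], '%ip' => ip_address(),
          '@n' => $threshold, '@w' => $window),
    WATCHDOG_WARNING, l(t('review accounts'), 'admin/people'));
}

/**
 * Implements hook_user_insert().
 *
 * Count an address only when an account was really created, so submissions
 * rejected by validation (CAPTCHA, honeypot, ...) do not accumulate against it.
 */
function regflag_user_insert(&$edit, $account, $category) {
  if (user_access('administer users')) {
    return;
  }
  flood_register_event('regflag_register', variable_get('regflag_window', REGFLAG_DEFAULT_WINDOW));
}
```

With the defaults, the first three accounts from an address inside an hour are created normally and the fourth and later ones are held, which is the behaviour Jamie describes; the held accounts show up under admin/people with a watchdog entry pointing at them. The obvious limit is the identifier: a spammer rotating through Tor exit nodes or a proxy pool never trips a per-IP counter, so in practice this is one flag among several (user agent, fill time, honeypot hits) that a person reviews, not a gate on its own.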
That's true. What I meant is that they have succeeded in teaching computers to hack earlier versions of CAPTCHA. They've had to make the images more and more complicated.
And to the point that even humans have trouble seeing what they are! There have been more than a few sites where I decided "screw it" and did not register because their captcha was about impossible to read.
But when you think about it, everything else in a registration form can be automated. My guess is a lot of these people have simple plugins they have written for their browsers to fill out the forms, then those paid humans only have to figure out the CAPTCHA. I remember years ago when there were programs out there to bulk register Yahoo accounts. All you had to do was enter the CAPTCHA for each one.
That just got me thinking. Something that might help is something non-captcha that changes. Say a "check here to agree to our terms" checkbox a lot of sites have. What if that got changed around to a few different things:
- Check here to agree
- Check here to not-agree
- Enter "i agree" in the textbox.
If someone is manually registering each account, that would of course not work, but if they are registering once and creating a "template" of the registration for an automation process, then that might work out. To even complicate it more, you could make it to where that area is disabled or hidden until the person actually scrolls to the bottom of the terms.
Like I said, it wouldn't stop them, but it would give them another hoop to jump through and one that wouldn't be that bad on regular users.
Jamie Holly http://hollyit.net
Don't click here if you agree. I think I've seen the Write "I agree" one before. Click here if you would like us to download a virus to your computer. Ok, I'm getting ridiculous.
From: Jamie Holly hovercrafter@earthlink.net To: support@drupal.org, Date: 04/08/2014 11:19 AM Subject: Re: [support] Many false applications for accounts Sent by: support-bounces@drupal.org
And to the point that even humans have trouble seeing what they are! There's been more than a few sites I decided "screw it" and not register because their captcha was about impossible to read.
But when you think about it, everything else in a registration form can be automated. My guess is a lot of these people have simple plugins they have written for their browsers to fill out the forms, then those paid humans only have to figure out the CAPTCHA. I remember years ago when there were programs out there to bulk register Yahoo accounts. All you had to do was enter the CAPTCHA for each one.
That just got me thinking. Something that might help is something non-captcha that changes. Say a "check here to agree to our terms" checkbox a lot of sites have. What if that got changed around to a few different things:
- Check here to agree - Check here to not-agree - Enter "i agree" in the textbox.
If someone is manually registering each account, that would of course not work, but if they are registering once and creating a "template" of the registration for an automation process, then that might work out. To even complicate it more, you could make it to where that area is disabled or hidden until the person actually scrolls to the bottom of the terms.
Like I said, it wouldn't stop them, but it would give them another hoop to jump through and one that wouldn't be that bad on regular users.
Jamie Holly http://hollyit.net
On 4/8/2014 8:03 AM, Philip_Wetzel@nhd.uscourts.gov wrote:
That's true. What I meant is that they have succeeded in teaching computers to hack earlier versions of CAPTCHA. They've had to make the images more and more complicated.
From: Walt Daniels wdlists@gmail.com To: MBR mbr@arlsoft.com, Cc: "support@drupal.org" support@drupal.org, support-bounces@drupal.org Date: 04/07/2014 10:10 PM Subject: Re: [support] Many false applications for accounts Sent by: support-bounces@drupal.org
Correct! There is no possible fix for hiring real humans to register unless you have an out of bounds way of telling your friends a secret that they can supply when asked. It can't be something that the bad guys can find with an internet search such as the price of gold on Feb 3, 2010. It needs to be something as hard as a hard password. At which point you may as well just register them yourself and let them recover their password to set it to something they know.
On Mon, Apr 7, 2014 at 9:43 PM, MBR mbr@arlsoft.com wrote:
CAPTCHA = "Completely Automated Public Turing test to tell Computers and Humans Apart"
CAPTCHA doesn't necessarily imply sending a distorted image. It's any test that can distinguish between computers and humans. So, if the bad guys are able to hire humans on the cheap, then CAPTCHA has been broken in a way that can't be fixed.
Mark
On 4/7/14 7:28 AM, Philip_Wetzel@nhd.uscourts.gov wrote:
The CAPTCHA code has been broken a number of times and they've re-engineered it. If it's not currently effective, they'll probably come up with a fix. The game goes on.
From: MBR <mbr@arlsoft.com> To: support@drupal.org, wdlists@gmail.com, Date: 04/05/2014 12:31 PM Subject: Re: [support] Many false applications for accounts Sent by: support-bounces@drupal.org
It's been reported that the bad guys have set up CAPTCHA-breaking networks that distribute the CAPTCHA to people in third-world countries who get paid a small amount for each CAPTCHA they solve. It's looking like CAPTCHA is no longer effective.
I had to solve this problem for a site that was getting hit by about 15 bogus account-registrations per hour, even though CAPTCHA was enabled. The most effective approach I know of at present is to install a module that does reverse-CAPTCHA - i.e. instead of asking the human to prove he's human, it tricks the malware that's trying to pretend to be a human into demonstrating behavior that proves it's just a dumb piece of software. It does this by adding additional <input> tags to every <form> and making them invisible with CSS. A human won't fill in these fields because they won't be displayed. But software that's just parsing HTML will find these fields and fill them in, thus allowing the code on your server to distinguish between responses from humans and responses from machines.
Among the modules that implement this approach are Honeypot, Botcha, and Spamicide. I tried Botcha, but I ran into installation problems. I didn't try Spamicide because it had a critical bug report claiming that the installation erased the default/files directory. Honeypot installed without problems and instantly cut the rate of bogus registrations dramatically. It didn't cut it all the way to 0 as I'd hoped it would, but the rate dropped from about 15/hr. to about 3/day.
Mark Rosenthal mbr@arlsoft.com
On 4/5/14 8:51 AM, Walt Daniels wrote:
I get them too, but it is not Mollom's fault. They are actually registering and typing the captcha just like a legitimate user. In our case they even have to use a legitimate email as they cannot do anything more than an anonymous user until they verify their email. I don't see any pattern I could apply to the user names that would distinguish them from our valid users who have some pretty weird usernames. You could find or write a module that enforced using "real names", i.e. John Doe. But I even got some like that that turn out to be spammers.
On Sat, Apr 5, 2014 at 8:13 AM, Linda Romey <lromey@gmail.com> wrote:
I am having the same issue. Have you contacted Mollom? That's on my to-do list. I'm not sure of the value of the monthly fee if I still have to continually monitor my site and delete spam accounts manually.
On Sat, Apr 5, 2014 at 8:09 AM, James Rome <jamesrome@gmail.com> wrote:
I have Mollom installed, but yet a handful of account applications escape their captcha/analysis each day. The problem is that the only obviously wrong field is the username, which is not listed as a field in the Mollom configuration. I get names such as: qropspension_5362
Is there any other way to get rid of these would-be spammers?
-- James A. Rome http://jamesrome.net
-- [ Drupal support list | http://lists.drupal.org/ ]
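The two ideas in the quoted chain above, Jamie's rotating "check here to agree" widget and the hidden-field reverse-CAPTCHA that Mark describes, combined into one server-side registration validator. This is an added example, not code from the thread and not the Honeypot, Botcha or Spamicide modules; the field names, the HMAC-signed form token, the 5-second minimum fill time and the sample submissions are all assumptions made for the demonstration.

```python
"""Layered bot checks for a registration form (added example, not Drupal code):

1. honeypot <input> fields hidden with CSS that a human never fills in,
2. a signed token that records which consent variant was served and when,
   so a form submitted seconds after it was rendered is rejected,
3. a consent widget that rotates between variants, so a bot replaying a
   recorded "template" answer fails when it meets a different variant.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumptions for the demo: a per-site secret and a floor on plausible fill time.
SERVER_SECRET = b"replace-with-a-random-per-site-secret"
MIN_FILL_SECONDS = 5

# Hypothetical field names; in the real form they would be hidden with CSS.
HONEYPOT_FIELDS = ("homepage_url", "fax_number")

# The prompt rotates between these; the server remembers which one it served.
CONSENT_VARIANTS = {
    "agree_check": "Check the box to agree to the terms.",
    "disagree_check": "Check the box ONLY if you do NOT agree to the terms.",
    "agree_text": 'Type "i agree" in the box to accept the terms.',
}


def sign_token(variant: str, issued_at: int) -> str:
    """HMAC over variant and render time so the client cannot alter either."""
    msg = f"{variant}:{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_token(variant: str, issued_at: int) -> str:
    return f"{variant}:{issued_at}:{sign_token(variant, issued_at)}"


def render_form(now: Optional[float] = None) -> dict:
    """Pick a consent variant at random and bind it to the render time."""
    issued_at = int(now if now is not None else time.time())
    variant = secrets.choice(list(CONSENT_VARIANTS))
    return {
        "form_token": issue_form_token(variant, issued_at),
        "consent_prompt": CONSENT_VARIANTS[variant],
        "honeypot_fields": HONEYPOT_FIELDS,
    }


def consent_ok(variant: str, form: Dict[str, str]) -> bool:
    """Check the consent answer against the variant that was actually served."""
    if variant == "agree_check":
        return form.get("consent_box") == "1"
    if variant == "disagree_check":
        return form.get("consent_box", "") == ""  # box must stay unchecked
    if variant == "agree_text":
        return form.get("consent_text", "").strip().lower() == "i agree"
    return False


def validate_registration(form: Dict[str, str],
                          now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a posted form given as field -> value."""
    now = now if now is not None else time.time()

    # 1. Honeypot: a value here means the client filled every <input> it parsed.
    for field in HONEYPOT_FIELDS:
        if form.get(field, "") != "":
            return False, f"honeypot field {field!r} was filled in"

    # 2. Token: must be ours, unmodified, and not freshly minted.
    parts = form.get("form_token", "").split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return False, "missing or malformed form token"
    variant, issued_at, mac = parts[0], int(parts[1]), parts[2]
    if not hmac.compare_digest(mac, sign_token(variant, issued_at)):
        return False, "form token signature mismatch"
    if variant not in CONSENT_VARIANTS:
        return False, "unknown consent variant"
    if now - issued_at < MIN_FILL_SECONDS:
        return False, f"submitted {now - issued_at:.1f}s after render"

    # 3. Consent: a template recorded against one variant fails against another.
    if not consent_ok(variant, form):
        return False, f"consent answer does not match served variant {variant!r}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed submissions, not captured traffic.
    t0 = 1_000_000
    human = {"name": "jdoe", "form_token": issue_form_token("agree_check", t0),
             "consent_box": "1"}
    bot = dict(human, homepage_url="http://example.invalid")
    replay = {"form_token": issue_form_token("disagree_check", t0), "consent_box": "1"}
    for label, sub in (("human", human), ("bot", bot), ("replay", replay)):
        print(label, validate_registration(sub, now=t0 + 30))
```

As the thread points out, none of this stops a paid human who reads the rendered page; it only raises the cost for template-driven form fillers. The fill-time floor must be tuned so fast legitimate users are not rejected, and the signed token on its own does not prevent re-submitting one rendered form many times; a per-session nonce stored server side would.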
On 4/5/14, 8:09 AM, James Rome wrote:
I have Mollom installed, but yet a handful of account applications escape their captcha/analysis each day. The problem is that the only obviously wrong field is the username, which is not listed as a field in the Mollom configuration. I get names such as: qropspension_5362
Is there any other way to get rid of these would-be spammers?
The big problem is that now the spammers are using real people (being paid a pittance) to do the registration.
The automated solutions will do a good job reducing the number, but can not totally eliminate it, and the problem is so big that just reducing it isn't good enough for many cases.
One thing that I use on another site (non-Drupal) is an IP address blocking list, which collects (and blocks) the IP addresses that the spammers are using; it builds the database from a large number of sites. This helps a lot, but isn't perfect, as you may well be one of the first to be hit from a given IP.
The only fool-proof method is to put a human at the end of the chain, to make a final approval process, either at registration or posting (and you still want good filters in front to keep that person from being overloaded, but you need something as smart as a person at the end). I personally prefer the on-posting option, as lots of people may sign up without actually wanting to post, or you can get someone who is a real person, but they totally don't understand your rules for what is a reasonable posting. Now, if your user list is public, and it is possible for members to post links (even if not really links, but just text URLs) in their public lookup, then you may want to have a vetting before they can do that, or you WILL get spammer usernames to post links to their sites that way.