  1. #1
    Regular Coder tpeck's Avatar

    spam not being filtered by captcha

    I have devised some forms for a client and the forms work well.

    But the captcha idea I used to prevent spam is starting to allow autospam through.

    The php code is in quite a few places on the web and I show it below:

    PHP Code:
    <?php
    session_start();

    // Build a 5-character random string of lowercase letters (a-z) and keep it
    // in the session; the form handler later compares the typed answer to it.
    $string = '';

    for ($i = 0; $i < 5; $i++) {
        $string .= chr(rand(97, 122));
    }

    $_SESSION['random_number'] = $string;

    $dir = 'fonts/';

    $image = imagecreatetruecolor(165, 50);

    // random number 1 or 2: pick one of two fonts
    $num = rand(1, 2);
    if ($num == 1) {
        $font = "Capture it 2.ttf"; // font style
    } else {
        $font = "Molot.otf"; // font style
    }

    // random number 1 or 2: pick one of two text colours
    $num2 = rand(1, 2);
    if ($num2 == 1) {
        $color = imagecolorallocate($image, 113, 193, 217); // color
    } else {
        $color = imagecolorallocate($image, 163, 197, 82); // color
    }

    $white = imagecolorallocate($image, 255, 255, 255); // background color white
    imagefilledrectangle($image, 0, 0, 399, 99, $white);

    // imagettftext(image, size, angle, x, y, color, fontfile, text)
    imagettftext($image, 30, 0, 10, 40, $color, $dir . $font, $_SESSION['random_number']);

    header("Content-type: image/png");
    imagepng($image);
    ?>
    My question is, how can I prevent this kind of thing getting through?

    Strata Plan No.: 66453
    Strata Street Address: zykeIUAygiHAbAbb
    Strata Suburb: dQNMIcTCzQYKsNOIg
    Property Age:
    How many Lots?: 26788
    Type of Complex:
    Additional Facilities: (none selected)
    Other Facilities?: KwpahoqdtjXiCIv
    I am not asking for a rewrite (!), but what sort of methods work these days?
    Last edited by tpeck; 06-13-2013 at 02:27 PM.
    The difference between genius and stupidity is that genius has its limits. (Albert Einstein)

  • #2
    Senior Coder
    You can't rely on captcha these days - it's useless.

    Instead you're better off using a Question and Answer challenge or random form field names that are then matched up to those in the session.

    If you want to be really sneaky, you can send the person an email telling them that their message is being held in a database table. In order to send it back they need to reply with a completely blank email - no subject, no text in the message. Spam bots programmed to reply to email addresses will naturally see this honey pot and reply with junk which you can filter out (though you'll need to use piping or a custom server to do this).
    My helpful sig is on vacation trying to lose some weight. It got a bit fat and caused a few problems but it will be back at some point!
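One way to implement the "random form field names matched up in the session" idea from the post above. This is an added example, not code from the thread or from any poster; it assumes PHP 7.1 or later (for `random_bytes` and nullable return types), a contact form with the logical fields `name`, `email` and `message`, and the session key `field_map`, all of which are made up for the example.

```php
<?php
// Added example: per-session random field names. A bot that posts the field
// names it scraped earlier (or guessed) never matches the current session's map.
session_start();

const FORM_FIELDS = ['name', 'email', 'message']; // logical names (assumed)

// Generate a fresh, unguessable input name for every logical field and
// remember the mapping in the session so the POST can be translated back.
function issue_field_names(array $logical): array
{
    $map = [];
    foreach ($logical as $field) {
        $map[$field] = 'f_' . bin2hex(random_bytes(8)); // e.g. f_3a9c1e...
    }
    $_SESSION['field_map'] = $map;
    return $map;
}

// Translate a POST body back to logical names. Returns null when the mapping
// is missing (no session cookie => the form was never fetched) or when any
// expected random name is absent from the submission.
function read_submission(array $post): ?array
{
    if (empty($_SESSION['field_map'])) {
        return null;
    }
    $map = $_SESSION['field_map'];
    unset($_SESSION['field_map']); // one-shot: replaying the old names fails

    $out = [];
    foreach ($map as $logical => $random) {
        if (!isset($post[$random])) {
            return null; // submission does not use this session's names
        }
        $out[$logical] = $post[$random];
    }
    return $out;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $data = read_submission($_POST);
    if ($data === null) {
        http_response_code(400);
        exit('Form expired or invalid, please reload the page and try again.');
    }
    // ... validate $data['email'] etc. and send the mail here ...
    exit('Thanks, your message has been sent.');
}

$names = issue_field_names(FORM_FIELDS);
?>
<form method="post">
  <input type="text" name="<?= htmlspecialchars($names['name']) ?>" placeholder="Name">
  <input type="text" name="<?= htmlspecialchars($names['email']) ?>" placeholder="Email">
  <textarea name="<?= htmlspecialchars($names['message']) ?>" placeholder="Message"></textarea>
  <button type="submit">Send</button>
</form>
```

The mapping is consumed on the first POST, so a double submit (or a reload of the result page) is rejected as well, which is the same property DrDOS wanted from his own captcha later in the thread.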

  • #3
    Senior Coder CFMaBiSmAd's Avatar
    Does your code that checks if the submitted value matches the value in the session also check that the values are not empty? Because empty == empty.

    If a bot doesn't support sessions, the session variable won't exist at all, and if the submitted value is empty, your logic could be comparing an empty value with an empty value and allowing the submission. Testing that one or both of the values being compared is not empty will require that whoever/whatever is submitting the data also supports passing the session id.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
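The "empty == empty" problem described above, shown as a weak check next to a hardened one. This is an added example, not code from the thread; it assumes the form posts the typed text in a field named `captcha` (an assumed name) and that the image script from the first post has stored the expected string in `$_SESSION['random_number']`. It needs PHP 7 or later for the `??` operator.

```php
<?php
// Added example: verifying the answer to the image generated by the first post.
session_start();

// Weak version, for comparison only. If the bot never fetched the image there
// is no session value, and an empty POST field gives '' == '' => true.
function captcha_ok_weak(?string $submitted): bool
{
    $expected = $_SESSION['random_number'] ?? '';
    return $submitted == $expected;
}

// Hardened version: both sides must be non-empty, the answer is single-use,
// the input is restricted to what the image can contain, and the comparison
// is exact and timing-safe.
function captcha_ok(?string $submitted): bool
{
    $expected = $_SESSION['random_number'] ?? null;
    unset($_SESSION['random_number']); // consumed even on failure: next try needs a new image

    if ($expected === null || $expected === '' || $submitted === null || $submitted === '') {
        return false; // this is the case the post above describes
    }

    // The image script draws 5 lowercase letters a-z; accept case-insensitive
    // input of exactly that shape and nothing else.
    $submitted = strtolower(trim($submitted));
    if (!preg_match('/^[a-z]{5}$/', $submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!captcha_ok($_POST['captcha'] ?? null)) {
        http_response_code(400);
        exit('CAPTCHA check failed, please reload the form and try again.');
    }
    // ... process the real form fields here ...
    exit('Thanks, your message has been sent.');
}
```

Unsetting the session value before the comparison matters: if it were left in place, one image could be solved once and then replayed for any number of submissions in the same session.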

  • #4
    New Coder
    Quote Originally Posted by tangoforce View Post
    Instead you're better off using a Question and Answer challenge or random form field names that are then matched up to those in the session.
    I have seen Question and Answer challenges on other boards being defeated. These bots can come up with the answer in no time; that is why homemade Captchas are worthless, heck, even Re-Captcha isn't the greatest. It's only going to get worse.
    True courage is about knowing not when to take a life, but when to spare one. PDO Login Tutorial

  • #5
    Senior Coder
    Quote Originally Posted by Strider64 View Post
    I have seen Question and Answer challenges on other boards being defeated. These bots can come up with the answer in no time, that is why homemade Captcha are worthless, heck even Re-Captcha isn't the greatest. It's only going to get worse.
    I wrote my own captcha code because I didn't like the way the ones I've seen worked or looked, but thanks to tangoforce I know that even it has weaknesses. I wrote it largely to prevent the message from being resubmitted when someone refreshes the page; it works for that, but a clever bot might still be able to defeat it. I don't understand why the people who write these scripts just can't get it right. So I'm going to add it to my to-do list, and maybe I can get one that defeats bots.
    Welcome to http://www.myphotowizard.net

    where you can edit images, make a photo calendar, add text to images, and do much more.


    When you know what you're doing it's called Engineering, when you don't know, it's called Research and Development. And you can always charge more for Research and Development.

  • #6
    Senior Coder
    Quote Originally Posted by Strider64 View Post
    I have seen Question and Answer challenges on other boards being defeated. These bots can come up with the answer in no time
    True but it reduces the odds of success. As for reCaptcha, please don't get me started on that heap of junk. The damn thing is unreadable most of the time.

    Quote Originally Posted by DrDOS View Post
    I wrote my own captcha code because I didn't like the way the ones I've seen worked or looked, but thanks to tangoforce I know that even it has weaknesses.I wrote it largely to prevent the message from being resubmitted when someone refreshes the page, it works for that, but a clever bot might still be able to defeat it. I don't understand why the people who write these scripts just can't get it right.
    It's not so much that they can't get it right, it's more that the bot masters have techniques for filtering out colours (eg going into monochrome) and, with a few more tricks and then a pass through OCR software, they can read the captcha image directly. That's not something that the captcha authors can easily overcome.

  • #7
    Master Coder felgall's Avatar
    Quote Originally Posted by tangoforce View Post
    You can't rely on captcha these days - it's useless.
    CAPTCHA isn't useless. It will always distinguish between people and bots. If it doesn't then it isn't a CAPTCHA.

    The best CAPTCHAs I have found are ones that use timing differences between how quickly a bot can do something and how much longer a real person takes.

    Quote Originally Posted by tangoforce View Post
    As for reCaptcha, please don't get me started on that heap of junk. The damn thing is unreadable most of the time.
    Of course one of the two words is unreadable. The whole point of that script is to get the opinions of lots of people on what that part of the scanned part of a book says so that they can finish creating a digital version of the book. Its use as a CAPTCHA is a far lower priority than finding out what everyone thinks the unreadable word says so they can finish converting that book. For its main purpose of getting lots of opinions to help convert books it works very well and definitely is a long way from being a piece of junk.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #8
    Senior Coder
    This is what mine looks like, and it does stop people from repeating messages by reloading the page.


  • #9
    Senior Coder
    Quote Originally Posted by felgall View Post
    CAPTCHA isn't useless. It will always distinguish between people and bots.
    You are wrong felgall. Captchas are not perfect and are easily cracked by many bots.

    Quote Originally Posted by felgall View Post
    The best CAPTCHAs I have found are ones that use timing differences between how quickly a bot can do something and how much longer a real person takes.
    So when I'm filling out a form and someone knocks on my front door and I come back 40 - 50 seconds later and hit submit, I'm going to be treated as a bot right? - You call that the best? I'd call it ridiculously stupid.

    Sorry felgall but you're not correct here.

  • #10
    Senior Coder
    Quote Originally Posted by DrDOS View Post
    This is what mine looks like, and it does stop people from repeating messages by reloading the page.
    Yes it will stop repeats by reloading but it doesn't mean it will stop a bot using OCR from submitting it.

    What you could do is break it up - say 10 numbers and randomly every Xth digit switch between a text number and an image number. You could end up with 4 numbers comprised of text and 6 made of images - all between each other. While I'm sure some bots may be smart enough to crack this I suspect they will be few and the chances of them visiting your site.. Call it in an iframe or dynamically via ajax so that the html source doesn't even contain this and you make life a bit more complex still.

  • #11
    Master Coder felgall's Avatar
    Quote Originally Posted by tangoforce View Post
    Captchas are not perfect and are easily cracked by many bots.
    If it can be cracked by bots then it is no longer a CAPTCHA. The definition of a CAPTCHA is anything that can distinguish between people and bots.

    As I said before the most effective ones I have seen time how long it has taken to fill out the form and discard any that have been filled out more quickly than a fast typist could fill out the form. Bots fill out the form faster than that and so are all discarded. Of course if a fast typist were to copy/paste values into all of the fields then it would be possible that they might be mistaken for a bot but a simple response asking the person to wait a while before trying to submit the form again should take care of that.

    I do agree that the images that sites sometimes display that is supposed to work as a CAPTCHA are now mostly ineffective. The best CAPTCHAs are completely invisible to anyone filling out the form.



    Quote Originally Posted by tangoforce View Post
    So when I'm filling out a form and someone knocks on my front door and I come back 40 - 50 seconds later and hit submit, I'm going to be treated as a bot right?
    No. Any delays in you submitting the form make it less likely you'd be treated as a bot.

    Anyway I am stating this from personal experience. Anywhere that I have implemented code to discard any submissions that have been made too quickly (eg. discarding all submissions made within 5 seconds of the page being accessed) has had zero bots successfully submitting the form. Since it takes at least that long for a person to read the form to see what they need to enter, I doubt that there is anyone who can successfully fill out and submit any of the forms in under 5 seconds. Even if they do, they simply get an error message come up on the form that asks them to wait 10 seconds and then try submitting their form again. The hidden field on the forms that indicates that they submitted too fast the first time and so had to try again has rarely been set in any of the responses that have got through - those are presumably people who had their values for all the fields in the form memorised by their browser and who therefore presumably had their browser fill out the form for them.
    Last edited by felgall; 06-13-2013 at 10:52 PM.
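A server-side version of the timing check felgall describes (discard anything submitted within 5 seconds of the form being issued, ask the person to wait 10 seconds, and carry a hidden "had to retry" flag for later inspection). This is an added example, not felgall's code or anything from the thread; the session key `form_issued_at`, the hidden field name `retried` and the single `message` field are assumptions, and it needs PHP 7 or later.

```php
<?php
// Added example: reject submissions that arrive faster than a person could
// have read the form. Long delays are never penalised, only short ones.
session_start();

const MIN_FILL_SECONDS = 5;   // threshold from the thread
const RETRY_WAIT_SECONDS = 10; // wait the user is asked for, from the thread

// Called whenever the form is rendered: remember when it was handed out.
function stamp_form(int $now): void
{
    $_SESSION['form_issued_at'] = $now;
}

// Returns 'ok', 'too_fast' or 'no_session'.
function check_timing(int $now): string
{
    if (!isset($_SESSION['form_issued_at'])) {
        return 'no_session'; // POSTed without ever fetching the form, or no cookie support
    }
    $elapsed = $now - (int) $_SESSION['form_issued_at'];
    return $elapsed < MIN_FILL_SECONDS ? 'too_fast' : 'ok';
}

$retried = 0;
$notice = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    switch (check_timing(time())) {
        case 'no_session':
            http_response_code(400);
            exit('Session missing, please reload the form and try again.');
        case 'too_fast':
            // Re-issue the form with the retry flag set; the flag shows in the
            // logs how often a real person trips the limit (rarely, per the post).
            stamp_form(time());
            $retried = 1;
            $notice = 'Please wait ' . RETRY_WAIT_SECONDS . ' seconds and then submit the form again.';
            break;
        default:
            $wasRetry = (($_POST['retried'] ?? '0') === '1');
            error_log('contact form accepted, retried=' . ($wasRetry ? 1 : 0));
            // ... validate the other fields and send the mail here ...
            exit('Thanks, your message has been sent.');
    }
} else {
    stamp_form(time());
}
?>
<form method="post">
  <?php if ($notice !== ''): ?><p><?= htmlspecialchars($notice) ?></p><?php endif; ?>
  <input type="hidden" name="retried" value="<?= $retried ?>">
  <!-- keep what the person typed so a "too fast" retry costs them nothing -->
  <textarea name="message"><?= htmlspecialchars($_POST['message'] ?? '') ?></textarea>
  <button type="submit">Send</button>
</form>
```

Because the timestamp lives in the session rather than in a hidden field, a bot cannot simply post an old timestamp along with the form; it has to fetch the page, keep the cookie and actually wait.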

  • #12
    Regular Coder tpeck's Avatar
    Mmm. I didn't realise CAPTCHA was so full of holes. I did a bit of research last night (5 or 6 hours) and, yes, the methods suggested above seem to be the best candidates.

    The site I am responsible for is not gigantic, so I've settled for a simple non-JS solution:

    Code:
    <div style="visibility:hidden">
    <input name="email2" type="text" size="45" id="email2" />
    </div>
    PHP Code:
    // Honeypot: a real visitor never sees this field, so anything in it came from a bot.
    $email2 = isset($_POST["email2"]) ? stripslashes($_POST["email2"]) : '';
    if (!empty($email2)) {
        header("location: pretend_that_email_sent.php");
        exit();
    }

    It won't be perfect, but should help. Anyone disagree?

