| 9:52 pm on Mar 4, 2009 (gmt 0)|
don't know if this is the problem but you have an HTML error just before the captcha image is called:
see the two <tr> tags? The first one should be a closing tag: </tr>
| 3:53 pm on Mar 5, 2009 (gmt 0)|
I fixed the </tr> and it still doesn't work.
| 5:14 pm on Mar 5, 2009 (gmt 0)|
1. Open an SSH window to your domain. Know where your error logs are.
2. From a browser, enter example.com/cgi-bin/captcha.cgi
3. Immediately issue this command (with correct path) in the SSH window.
The problem obviously lies in the captcha script, maybe it's just that you shouldn't have your images in cgi-bin . . . the error log should help.
You probably don't want to hear this, but you would be better off putting your energy into fixing the mailer script to stop spam as captchas are pretty easily beaten . . .
| 2:53 pm on Mar 6, 2009 (gmt 0)|
I have no idea what an SSH window is. I"m on a Mac. Is there a tool on DNSstuff that will do this?
| 4:44 pm on Mar 6, 2009 (gmt 0)|
SSH is a command line connection to your server. Do you have access to error logs on your server, maybe in the domain control panel? If you do, get on to the error log view (in one tab, if it's browser-based) and emulate the above. Call the captcha script and refresh the error log page, look at the last few lines.
| 7:05 pm on Mar 6, 2009 (gmt 0)|
|You probably don't want to hear this, but you would be better off putting your energy into fixing the mailer script to stop spam as captchas are pretty easily beaten . . . |
How are they "easily" beaten? I know they can be beaten, but easily is not the way I would describe it. Is there something new out there that can easily and accurately convert a captcha to text?
| 3:21 am on Mar 7, 2009 (gmt 0)|
I can't tell you "how", because then I'd have to kill you. :-) Seriously, I can't tell you because I don't know how they do it. I really don't care how they do it.
When I say "pretty easily" I mean it appears to be pretty easy for those that know how. I've never gone down that road of research, but I've seen the effect - looked like they got past it "pretty easily" to me . . .
I've run a few vBulletin boards for a few years now. Captchas on, on all of them (and in retrospect, I might as well turn them off . . . ) As soon as one goes live, it's like these guys are just looking for new vBulletin installs to hack - and they get right by the captcha. You might think it's a manual input, but the data they submit is consistent with a lot of spam attacks on forms. You know the type - varying IP addresses, real words pulled from a dictionary but when strung together make very little sense, a regular pattern of attempts as if it's a 'bot process.
They hit them hard for a few weeks, but the other tools in place make them lose interest and they give up. Specifically, a simple trivia challenge that I change every couple weeks seems to be the most discouraging.
| 5:55 am on Mar 7, 2009 (gmt 0)|
Its hard to imagine someone wanting to crack the captchas of an unimportant website, but for sites like google, it is a problem.
Its not easy to crack captchas although it is possible. A captcha cracking program that gets it right 50% is very good. But pattern recognition (as in OCR) is not always the first point of entry to captcha cracking.
I also suspect that the vBulletin attacks are probably not captcha cracking, but exploitation of vulnerabilities in the vBulletin software.
Anyway, getting off topic and maybe not fair to the OP to take the thread off on a tangent.
| 6:03 am on Mar 7, 2009 (gmt 0)|
the vBulletin forum has a number of reports of the captcha images being cracked. Seems versions earlier than 3.5 need upgrading to reduce the problem.
| 4:41 pm on Mar 7, 2009 (gmt 0)|
Nah, the upgrades didn't change anything. What did stop them was the trivia question on registration.
My initial comment compels Lorel to address the root issue rather than try to road-block it at the front end. I suggest this for two reasons:
- Your users will hate you for a captcha. They seem to despise them, and this is another barrier for them.
- If you are getting problems with spam, there are a myriad of ways to stop them server-side. There are many threads here on this very topic.
Other than the vBulletin example, in which I use captcha only because it's built in and because it's not my software (and I don't want to tweak it because my tweaks get overwritten with every "update"), I've never had to use a captchka (fingers crossed.) I've managed to stop all spam attempts on all my client sites, and boy they do try (I log all input.) No user action required, and it's not all that difficult using stringent input filtering.