WebmasterWorld / Webmaster General Forum

vBulletin Issues Warning that reCAPTCHA Cracked
Brett_Tabke (msg:4251669), 5:47 am on Jan 11, 2011 (gmt 0)

It has become apparent from our customers and customers of other BB Systems that there is a targeted effort being made to spam forums world-wide. Unfortunately as part of that effort it appears that ReCaptcha may have been cracked as per this page:
[vbulletin.com...]

Despite denials from Google, a security researcher continues to assert that the Search King’s reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers.

Researcher Jonathan Wilkins published a paper recently that included an analysis of reCAPTCHA’s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.
[allspammedup.com...]

Unlike most CAPTCHA systems, Google’s uses images with two words. That’s because Google uses reCAPTCHA for two purposes. Like other CAPTCHA systems, it’s designed to frustrate spammers, but it’s also incorporated into Google’s efforts to digitize books. When a word in a book scan can’t be recognized by Google’s OCR software, it’s sent to the reCAPTCHA pool. So when a person enters a reCAPTCHA phrase into a form, Google can discover what its OCR program couldn’t, without having to hire human editors to review scanning results.

MWpro (msg:4251675), 6:19 am on Jan 11, 2011 (gmt 0)

As a webmaster, I see why this is bad. As a surfer, it's great. I can't stand anything to do with CAPTCHA codes. We need a new solution to the spam problem that doesn't involve harassing visitors to repeatedly attempt to enter some hard-to-read code.

Vamm (msg:4251679), 6:38 am on Jan 11, 2011 (gmt 0)

Modern OCR most likely beats the average user in character recognition. As long as they want people to be able to read the CAPTCHA, it is unlikely a bot's success rate will drop.

piatkow (msg:4251719), 9:52 am on Jan 11, 2011 (gmt 0)

I know that I am finding CAPTCHAs increasingly difficult to read. I just wish I knew what the solution was.

jecasc (msg:4251726), 10:29 am on Jan 11, 2011 (gmt 0)

I don't use captchas on any of my websites. Instead I create random field names. So instead of:

username
password
email

the fieldnames are
<input type="text" name="434k35h7s9d79753535">
<input type="text" name="37849sgd7g7573576tg">
<input type="text" name="353bdfgrgtdfgdfgdfg">

and if you reload, the fieldname will change again:

dfe3553535ddfsdsfsd
jfkldsjfkdjsdfjfsdf
fddfgdfgdf464646666

So far I don't have any problems with bots. However I guess this only works because nobody else is using this solution. Of course password managers don't work either, because the fieldnames change every time the website is loaded. Personally I find Captchas annoying, and nowadays I have to request a new captcha two or three times before one appears that I can read.

[edited by: jecasc at 10:36 am (utc) on Jan 11, 2011]

Status_203 (msg:4251727), 10:33 am on Jan 11, 2011 (gmt 0)

Among other techniques, I use random (well... encrypted with a random salt) field names as well. Makes it more difficult to tell which fields are the dummies that shouldn't be filled in by dummies :>

Be aware that there is a trade-off however. It breaks auto form filling.
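The rotating field names jecasc describes and the honeypot "dummy" fields Status_203 mentions, combined into one server-side scheme as an added example (not code from either poster or from any forum software). It assumes a Python form handler that receives POST data as a dict; the field set, the single fixed nonce field name and the HMAC derivation are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed example, not jecasc's or Status_203's code. The key is generated
# here for the demo; a real deployment loads one persistent key from config.
SECRET_KEY = secrets.token_bytes(32)
REAL_FIELDS = ("username", "password", "email")
# Honeypot fields, hidden from humans with CSS; only a fill-everything bot touches them.
DUMMY_FIELDS = ("website", "phone")
NONCE_FIELD = "f"  # the one fixed name: carries the per-page nonce back to the server


def field_name(logical: str, nonce: str) -> str:
    """Opaque per-page field name derived with a keyed HMAC.

    Keying by a server secret means the name mapping never has to be stored
    per visitor, and without the key a real field is indistinguishable from a dummy."""
    mac = hmac.new(SECRET_KEY, f"{nonce}:{logical}".encode(), hashlib.sha256)
    return "f" + mac.hexdigest()[:19]


def render_form(nonce: Optional[str] = None) -> Tuple[str, str]:
    """Return (html, nonce). Names and field order change on every reload."""
    nonce = nonce or secrets.token_hex(8)
    names = {logical: field_name(logical, nonce) for logical in REAL_FIELDS + DUMMY_FIELDS}
    lines = [f'<input type="hidden" name="{NONCE_FIELD}" value="{nonce}">']
    # Order by opaque name so position does not reveal which fields are dummies.
    for logical in sorted(names, key=names.get):
        hide = ' style="display:none" tabindex="-1" autocomplete="off"' if logical in DUMMY_FIELDS else ""
        lines.append(f'<input type="text" name="{names[logical]}"{hide}>')
    return "\n".join(lines), nonce


def decode_submission(post: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map submitted opaque names back to logical names.

    Returns None (reject silently) when the nonce is missing, which is what a
    bot posting to a hard-coded field list produces, or when a honeypot is filled."""
    nonce = post.get(NONCE_FIELD)
    if not nonce:
        return None
    if any(post.get(field_name(d, nonce), "") for d in DUMMY_FIELDS):
        return None
    return {logical: post.get(field_name(logical, nonce), "") for logical in REAL_FIELDS}
```

Labels are omitted for brevity; as Status_203 notes, the trade-off is that browser autofill and password managers no longer recognise the fields.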

iThink (msg:4251733), 11:06 am on Jan 11, 2011 (gmt 0)

Spam is bad but recaptcha is a greater nuisance. Just wish that a spam prevention technique that is a lesser evil than recaptcha existed.

[edited by: iThink at 11:09 am (utc) on Jan 11, 2011]

blend27 (msg:4251742), 11:39 am on Jan 11, 2011 (gmt 0)

and if you reload, the fieldname will change again

Add those fields to the DOM via external JS and there will be no need to CAPTCHA anything.

hugh (msg:4251780), 12:34 pm on Jan 11, 2011 (gmt 0)

I suggest looking at mods which make use of the StopForumSpam blacklists or writing your own to use their API. They're pretty effective. Plain English questions and the picture captcha developed by Microsoft also work well...

londrum (msg:4251819), 1:28 pm on Jan 11, 2011 (gmt 0)

I've found that stopping people posting links (or anything containing http, www, url) in their first couple of posts works well.

If a member is new, and they include a phrase like that, then just block it at source -- and don't up their post count either. That way even if the bot comes back and posts again, every subsequent post will be rejected too.

frontpage (msg:4251830), 1:49 pm on Jan 11, 2011 (gmt 0)

Google's response to this story:

Google counters that Wilkins' test targeted an old form of reCAPTCHA from 2008 that’s been changed. “[T]his study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” a Google spokesperson told The Register. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”

Brett_Tabke (msg:4251841), 2:04 pm on Jan 11, 2011 (gmt 0)

link frontpage?

Wilkins acknowledged that his initial tests were on an older version of reCAPTCHA, but since that time, he has conducted tests on the new images produced by the system and found them to be even weaker than the older ones. In one of his original tests on the system, his success rate was five in 200. When that test was run on the new reCAPTCHA, the rate was 23 in 100.

One weakness of CAPTCHA schemes, though, is that they use words that can be found in a dictionary. This makes it easier for machines to crack the phrases because they have something to compare them to for errors.

In addition, reCAPTCHA uses a “one-off” system. That means a letter in a word can be incorrect, and it will still be accepted by the system.
So if the reCAPTCHA phrase contains the word “meat” and a Webster enters “peat,” his or her response will still be interpreted as a valid one.

Rosalind (msg:4251876), 3:09 pm on Jan 11, 2011 (gmt 0)

So far I don't have any problems with bots. However I guess this only works because nobody else is using this solution.

I'm inclined to agree, and I think that's always going to be the problem. For most websites, a mass solution is what's going to be used: either a solution for a single website with a large audience, or something that the vast majority of non-technical webmasters are going to want to adopt.

I haven't had trouble with bots for years, since I implemented my system. It's only slightly unusual. Once you make the effort to create something that other people aren't using you're no longer worth the spammers' time to crack. But people are fundamentally lazy, so we'll never reach an ideal situation where all webmasters use a slightly different bot-beating system that they've thought up themselves.

Samanthatouch (msg:4251886), 3:24 pm on Jan 11, 2011 (gmt 0)

I have a popular VBulletin forum using recaptcha. It has worked great for a long time but for about a week I've been manually approving accounts and getting hundreds of spam registrations a day from xrumer bots (they have 'man' entered in the Biography field).
I waited to see if Google had a quick fix but today, I am switching it over to something else at least for now.

WesleyC (msg:4251896), 3:33 pm on Jan 11, 2011 (gmt 0)

Not trying to toot my own horn or anything like that (and since this is an internal link I hope the admins don't mind), but this may be legitimately useful to any of you exploring alternatives to CAPTCHAs. I posted the CAPTCHA-less solution I use fairly recently on this very forum. While not perfect, it does a pretty darned good job wherever I've used it in the past, mostly in low-traffic or moderate-traffic sites that got a large number of spam submissions.

Spamblocking without a CAPTCHA [webmasterworld.com]

Hawkgirl (msg:4251931), 3:59 pm on Jan 11, 2011 (gmt 0)

I suggest looking mods which make use of the StopForumSpam blacklists or writting your own to use their API. They're pretty effective.

Not recently. I had to disable a StopForumSpam mod on my forum because it stopped working. Tons of bots were registering and the IPs and usernames were not in their database.

I switched to a random Q&A to keep the bots out - the only spammers who have gotten in was a guy with two accounts who dropped a tag-team "question" and "answer (with link)".

This whole thing is so annoying, really. Such a waste of our time. I wonder if anyone has been able to estimate the payoff these guys are getting with their infiltration into forums. Logically the payoff has to be high enough for them to keep it up; but I just wonder how worth it it is.

Swanny007 (msg:4251947), 4:23 pm on Jan 11, 2011 (gmt 0)

It really was only a matter of time until ReCaptcha was cracked.

I've noticed an increase in spam in the last week or so. I'm not using ReCaptcha at the moment (because Google bought them out); I was using a similar "code" antispam mod.

I now do the Q&A and that seems to have helped immensely. I put a question or two in there and it rotates between them, which is great.

I think ultimately a solution similar to how Akismet works on blocking comment spam in WordPress would be ideal. I guess StopForumSpam is supposed to work in a similar fashion. Having one authority that manages spam registrations all over the web in theory should be accurate and help. Between a solution like that and a Q&A question, that should cover 99.99% of spam sign-ups.

smallcompany (msg:4251950), 4:26 pm on Jan 11, 2011 (gmt 0)

I'm new to running a forum, and recently I saw an increase in spammy registrations. I switched from reCAPTCHA to question/answer. I'm not sure how well this will hold them back.

Alcoholico (msg:4251983), 5:29 pm on Jan 11, 2011 (gmt 0)

One size does not fit all. When Google bought recaptcha I was forced to write my own captcha code to get rid of their spyware, never looked back and could not be happier, zero automated spam so far.

seoArt (msg:4252026), 7:01 pm on Jan 11, 2011 (gmt 0)

I run a popular vbulletin forum, and reCaptcha definitely stopped working months ago. We switched over to Vbulletin's questions and answers and created our own custom questions, and that improved things significantly.

We also added the akismet check to the first one or two posts by a user, and that has helped catch a good bit of spam as well. So far we've only had one or two false positives, and their posts got approved within a day or two.

We've gone from deleting 5-10 spammers per day to less than five per week, and because of the akismet plugin, most of the time the spam never gets seen publicly.

rollinj (msg:4252038), 7:22 pm on Jan 11, 2011 (gmt 0)

Even if they created an "unbeatable" captcha... I could "beat" it by hiring some foreign labor for a tenth of a penny per correct captcha. Literally.

wheel (msg:4252084), 8:35 pm on Jan 11, 2011 (gmt 0)

Not recently. I had to disable a StopForumSpam mod on my forum

It's not your forum. It's Brett's.

Just sayin'.

:)

frontpage (msg:4252092), 9:01 pm on Jan 11, 2011 (gmt 0)

Link?

[theregister.co.uk...]

hugh (msg:4252098), 9:13 pm on Jan 11, 2011 (gmt 0)

Not recently. I had to disable a StopForumSpam mod on my forum because it stopped working. Tons of bots were registering and the IPs and usernames were not in their database.

I switched to a random Q&A to keep the bots out - the only spammers who have gotten in was a guy with two accounts who dropped a tag-team "question" and "answer (with link)".

A mix of plain English questions, StopForumSpam, Akismet and human moderation works very well for me...

Vamm (msg:4252114), 9:46 pm on Jan 11, 2011 (gmt 0)

The problem with "plain English questions" is that it is fairly easy to create a database of them, with automated handling for variations. Similar to CAPTCHAs, the questions would then have to become complex enough so that Joe User will have difficulty answering them. The whole thing is like an arms race.

youfoundjake (msg:4252156), 12:20 am on Jan 12, 2011 (gmt 0)

When a word in a book scan can’t be recognized by Google’s OCR software, it’s sent to the reCAPTCHA pool. So when a person enters a reCAPTCHA phrase into a form, Google can discover what its OCR program couldn’t, without having to hire human editors to review scanning results.

Hey, if Google's OCR software can't read it, and we type it in during the verification process, how can the challenge be compared to the response?

Jonathan (msg:4252163), 12:40 am on Jan 12, 2011 (gmt 0)

The more difficult it is to register, the fewer registrations you'll get.

On our forum with 1.3 million posts, we don't use captchas, or even email verification upon registration. Just a simple Q&A.

When we uncover organized corporate stealth marketing campaigns (as opposed to random viagra spammers), we find photos of the executives on the board of directors of the parent company behind the campaign, and, with a simple software tool, we allow people to make comics of them, and then email the comics to the executives, in a sort of "reverse" marketing campaign. They love that.

As rollinj mentioned, paid crowdsourcing makes captchas almost irrelevant, and there is plenty of spammer-for-hire work on Mechanical Turk. See: [behind-the-enemy-lines.blogspot.com...]

oddsod (msg:4252172), 1:26 am on Jan 12, 2011 (gmt 0)

youfoundjake, each suspect word is run against multiple human users. I guess the first few will get through with any nonsense they type :)
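A constructed model of the two-word scheme as the article Brett quotes and oddsod describe it: one known "control" word checked with the "one-off" tolerance, and one unknown "suspect" word settled by agreement among several solvers. It is an added example, not reCAPTCHA's code; the word list, the edit-distance rule and the vote threshold are assumptions, and it shows both why the first few answers for an unreadable word cannot be checked and how far a one-letter allowance widens what the control check accepts.

```python
from collections import Counter
from typing import Dict, Iterable, List

# Constructed model of the two-word scheme as the thread describes it: a
# "control" word with a known answer gates the form, and a "suspect" word the
# OCR could not read is resolved by agreement among solvers. Added example,
# not reCAPTCHA's implementation.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def control_accepts(expected: str, typed: str, tolerance: int = 1) -> bool:
    """The 'one-off' rule: a response within `tolerance` edits of the control word passes."""
    return edit_distance(expected.lower(), typed.lower()) <= tolerance

def near_misses(expected: str, dictionary: Iterable[str], tolerance: int = 1) -> List[str]:
    """Other dictionary words the tolerant check would also accept for `expected`:
    a dictionary word plus a one-letter allowance lets several wrong answers pass."""
    return sorted(w for w in dictionary if w != expected and control_accepts(expected, w, tolerance))

class SuspectWordPool:
    """Unknown words are settled by `needed` agreeing answers, so a solver's
    answer for the suspect word is never checked at submission time; only the
    control word decides whether the form goes through (oddsod's point)."""

    def __init__(self, needed: int = 3):
        self.needed = needed
        self.votes: Dict[str, Counter] = {}
        self.resolved: Dict[str, str] = {}

    def submit(self, image_id: str, control: str, typed_control: str, typed_suspect: str) -> bool:
        if not control_accepts(control, typed_control):
            return False  # failed the control word; the suspect answer is discarded too
        if image_id not in self.resolved:
            tally = self.votes.setdefault(image_id, Counter())
            tally[typed_suspect.strip().lower()] += 1
            word, count = tally.most_common(1)[0]
            if count >= self.needed:
                self.resolved[image_id] = word
        return True
```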

chewy (msg:4252174), 1:36 am on Jan 12, 2011 (gmt 0)

There has to be a clever and inexpensive way to resolve this silly cat/mouse style arms-race!

Very useful:

[webmasterworld.com...]

lorax (msg:4252181), 2:11 am on Jan 12, 2011 (gmt 0)

Well this is rather disconcerting. What should a vBulletin user do about it - what can we do about it?
