
vBulletin Issues Warning that reCAPTCHA Cracked

5:47 am on Jan 11, 2011 (gmt 0)

Administrator from US 

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 21, 1999
posts:38047
votes: 11


It has become apparent from our customers and customers of other BB Systems that there is a targeted effort being made to spam forums world-wide. Unfortunately as part of that effort it appears that ReCaptcha may have been cracked as per this page:
[vbulletin.com...]



Despite denials from Google, a security researcher continues to assert that the Search King’s reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers.

Researcher Jonathan Wilkins published a paper recently that included an analysis of reCAPTCHA’s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.
[allspammedup.com...]

Unlike most CAPTCHA systems, Google’s uses images with two words. That’s because Google uses reCAPTCHA for two purposes. Like other CAPTCHA systems, it’s designed to frustrate spammers, but it’s also incorporated into Google’s efforts to digitize books. When a word in a book scan can’t be recognized by Google’s OCR software, it’s sent to the reCAPTCHA pool. So when a person enters a reCAPTCHA phrase into a form, Google can discover what its OCR program couldn’t, without having to hire human editors to review scanning results.
6:19 am on Jan 11, 2011 (gmt 0)

Preferred Member

10+ Year Member

joined:Dec 29, 2002
posts:533
votes: 0


As a webmaster, I see why this is bad. As a surfer, it's great. I can't stand anything to do with CAPTCHA codes. We need a new solution to the spam problem that doesn't involve harassing visitors to repeatedly attempt to enter some hard-to-read code.
6:38 am on Jan 11, 2011 (gmt 0)

Junior Member

10+ Year Member

joined:Oct 30, 2005
posts:120
votes: 2


Modern OCR most likely beats the average user at character recognition. As long as they want people to be able to read the CAPTCHA, it is unlikely that a bot's success rate will drop.
9:52 am on Jan 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member piatkow is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 5, 2006
posts:3284
votes: 12


I know that I am finding CAPTCHAs increasingly difficult to read. I just wish I knew what the solution was.
10:29 am on Jan 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 8, 2003
posts:1141
votes: 0


I don't use captchas on any of my websites. Instead I create random field names. So instead of:

username
password
email

the field names are
<input type="text" name="434k35h7s9d79753535">
<input type="text" name="37849sgd7g7573576tg">
<input type="text" name="353bdfgrgtdfgdfgdfg">

and if you reload, the field names will change again:

dfe3553535ddfsdsfsd
jfkldsjfkdjsdfjfsdf
fddfgdfgdf464646666

So far I don't have any problems with bots. However, I guess this only works because nobody else is using this solution. Of course password managers don't work either, because the field names change every time the website is loaded. Personally I find captchas annoying, and nowadays I have to request a new captcha two or three times before one appears that I can read.

[edited by: jecasc at 10:36 am (utc) on Jan 11, 2011]
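The rotating-field-name scheme described in the post above, combined with the hidden decoy fields mentioned later in the thread, worked through as an added example. This is not the poster's code: it assumes a server-side secret, a hidden `_n` field that carries a per-request nonce, and that the application keeps a set of already-used nonces. Field names are derived with an HMAC over the nonce and the canonical name, so the server can map a submission back without storing the generated names, and a form that is expired, replayed, posted under guessed names, or has a decoy filled in is rejected.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Canonical field names the application works with. The browser only ever sees
# per-request HMAC-derived names, so they change on every page load.
FIELDS = ("username", "password", "email")
# Constructed decoy fields (hidden via CSS): a real user never fills them in.
HONEYPOTS = ("website", "phone")
NONCE_FIELD = "_n"          # hypothetical hidden field carrying the per-request nonce
NONCE_TTL_SECONDS = 600     # forms older than this are rejected


def field_name(secret: bytes, nonce: str, canonical: str) -> str:
    """Opaque name for one field: HMAC over (nonce, canonical), keyed by a server secret."""
    mac = hmac.new(secret, f"{nonce}:{canonical}".encode(), hashlib.sha256)
    return "f" + mac.hexdigest()[:20]   # leading letter keeps it a valid HTML name


def new_nonce(now: Optional[float] = None) -> str:
    """Issue timestamp plus a random token; the timestamp gives the form an expiry."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{secrets.token_hex(8)}"


def render_form(secret: bytes, nonce: Optional[str] = None) -> dict:
    """Return the nonce and the opaque name for every canonical and decoy field."""
    nonce = nonce or new_nonce()
    names = {c: field_name(secret, nonce, c) for c in FIELDS + HONEYPOTS}
    return {"nonce": nonce, "names": names}


def parse_submission(secret: bytes, posted: dict, used_nonces: set,
                     now: Optional[float] = None) -> Optional[dict]:
    """Map a posted form back to canonical fields.

    Returns None (reject) when the nonce is missing, expired or replayed, when
    a required field is absent under its current name (the bot posted guessed
    or stale names), or when any honeypot carries a value.
    """
    nonce = posted.get(NONCE_FIELD)
    if not nonce:
        return None
    try:
        issued = int(nonce.split(".", 1)[0])
    except ValueError:
        return None
    now = time.time() if now is None else now
    if not 0 <= now - issued <= NONCE_TTL_SECONDS:
        return None
    if nonce in used_nonces:
        return None

    result = {}
    for canonical in FIELDS + HONEYPOTS:
        value = posted.get(field_name(secret, nonce, canonical))
        if canonical in HONEYPOTS:
            if value:                 # decoy was filled in: automated submission
                return None
        elif value is None:           # expected field not present under its current name
            return None
        else:
            result[canonical] = value
    used_nonces.add(nonce)            # single use: a captured form cannot be replayed
    return result


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    form = render_form(secret)
    print("nonce:", form["nonce"])
    for canonical, opaque in form["names"].items():
        print(f'<input type="text" name="{opaque}">  <!-- {canonical} -->')
```

The nonce set needs to live somewhere shared (a database table or cache with the same TTL) if the site runs more than one web process; the in-memory set here is only enough for a single process. As the thread notes, browser autofill and password managers stop working once names rotate, so the scheme is best limited to the registration form rather than the login form.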

10:33 am on Jan 11, 2011 (gmt 0)

Full Member

5+ Year Member

joined:Jan 4, 2007
posts:221
votes: 0


Among other techniques, I use random (well... encrypted with a random salt) field names as well. Makes it more difficult to tell which fields are the dummies that shouldn't be filled in by dummies :>

Be aware that there is a trade-off however. It breaks auto form filling.
11:06 am on Jan 11, 2011 (gmt 0)

Preferred Member

10+ Year Member

joined:Feb 25, 2003
posts:418
votes: 0


Spam is bad, but reCAPTCHA is a greater nuisance. I just wish a spam prevention technique that is a lesser evil than reCAPTCHA existed.

[edited by: iThink at 11:09 am (utc) on Jan 11, 2011]

11:39 am on Jan 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1665
votes: 35


and if you reload, the fieldname will change again


Add those fields to the DOM via external JS and there will be no need to CAPTCHA anything.
12:34 pm on Jan 11, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 10, 2007
posts:145
votes: 0


I suggest looking at mods which make use of the StopForumSpam blacklists, or writing your own to use their API. They're pretty effective. Plain English questions and the picture CAPTCHA developed by Microsoft also work well...
1:28 pm on Jan 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Feb 12, 2006
posts:2492
votes: 22


I've found that stopping people posting links (or anything containing http, www, url) in their first couple of posts works well.

If a member is new, and they include a phrase like that, then just block it at source -- and don't up their post count either. That way, even if the bot comes back and posts again, every subsequent post will be rejected too.
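The new-member link gate described in the post above, as an added example that is not the poster's own code. It assumes a per-member post counter stored by the forum and uses the three markers the post lists (http, www, url); the point of the design is that a rejected post leaves the counter untouched, so an account that only ever posts links never graduates past the gate.

```python
import re
from dataclasses import dataclass

# Markers from the post: http(s) URLs, bare www. hosts and the word "url" (which also
# covers BBCode [url] tags). Case-insensitive so "HTTP://" and "Www." match too.
LINK_PATTERN = re.compile(r"https?://|www\.|\burl\b", re.IGNORECASE)
NEW_MEMBER_POSTS = 2   # accepted posts a member needs before links are allowed


@dataclass
class Member:
    name: str
    post_count: int = 0   # only accepted posts count
    rejected: int = 0     # constructed counter, useful for moderation reports


def contains_link(text: str) -> bool:
    return LINK_PATTERN.search(text) is not None


def submit_post(member: Member, text: str) -> bool:
    """Accept (True) or reject (False) a post.

    A rejection does not raise post_count, so a bot whose every post carries a
    link stays a "new member" and keeps being rejected on every later attempt.
    """
    if member.post_count < NEW_MEMBER_POSTS and contains_link(text):
        member.rejected += 1
        return False
    member.post_count += 1
    return True


if __name__ == "__main__":
    # Constructed sample traffic: one link-dropping bot, one ordinary member.
    bot = Member("spambot")
    for text in ("Buy now http://example.test", "visit www.example.test", "[url=x]click[/url]"):
        print(bot.name, submit_post(bot, text), bot.post_count, bot.rejected)
    human = Member("newuser")
    for text in ("Hello all", "Thanks for the help", "Reference: http://example.test/docs"):
        print(human.name, submit_post(human, text), human.post_count, human.rejected)
```

Because the check is purely lexical, a human whose second post legitimately contains a link gets a rejection; returning an explanatory message ("links are allowed after your first two posts") rather than silently dropping the post keeps that false positive cheap.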
1:49 pm on Jan 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


Google's response to this story:

Google counters that Wilkins test targeted an old form of reCAPTCHA from 2008 that’s been changed. “[T]his study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” a Google spokesperson told The Register. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”
2:04 pm on Jan 11, 2011 (gmt 0)

Administrator from US 

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 21, 1999
posts:38047
votes: 11


link frontpage?

Wilkins acknowledged that his initial tests were on an older version of reCAPTCHA, but since that time, he has conducted tests on the new images produced by the system and found them to be even weaker than the older ones. In one of his original tests on the system, his success rate was five in 200. When that test was run on the new reCAPTCHA, the rate was 23 in 100.


One weakness of CAPTCHA schemes, though, is that they use words that can be found in a dictionary. This makes it easier for machines to crack the phrases because they have something to compare them to for errors.

In addition, reCAPTCHA uses a “one-off” system. That means a letter in a word can be incorrect, and it will still be accepted by the system.
So if the reCAPTCHA phrase contains the word “meat” and a Webster enters “peat,” his or her response will still be interpreted as a valid one.
3:09 pm on Jan 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 16, 2003
posts:992
votes: 0


So far I don't have any problems with bots. However I guess this only works because nobody else is using this solution.

I'm inclined to agree, and I think that's always going to be the problem. For most websites, a mass solution is what's going to be used: either a solution for a single website with a large audience, or something that the vast majority of non-technical webmasters are going to want to adopt.

I haven't had trouble with bots for years, since I implemented my system. It's only slightly unusual. Once you make the effort to create something that other people aren't using you're no longer worth the spammers' time to crack. But people are fundamentally lazy, so we'll never reach an ideal situation where all webmasters use a slightly different bot-beating system that they've thought up themselves.
3:24 pm on Jan 11, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:June 4, 2009
posts:42
votes: 0


I have a popular vBulletin forum using reCAPTCHA. It has worked great for a long time, but for about a week I've been manually approving accounts and getting hundreds of spam registrations a day from xrumer bots (they have 'man' entered in the Biography field).
I waited to see if Google had a quick fix but today, I am switching it over to something else at least for now.
3:33 pm on Jan 11, 2011 (gmt 0)

Full Member

5+ Year Member

joined:July 13, 2007
posts:235
votes: 0


Not trying to toot my own horn or anything like that (and since this is an internal link I hope the admins don't mind), but this may be legitimately useful to any of you exploring alternatives to CAPTCHAs. I posted the CAPTCHA-less solution I use fairly recently on this very forum. While not perfect, it does a pretty darned good job wherever I've used it in the past, mostly in low-traffic or moderate-traffic sites that got a large number of spam submissions.

Spamblocking without a CAPTCHA [webmasterworld.com]
3:59 pm on Jan 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 20, 2002
posts:1716
votes: 0


I suggest looking mods which make use of the StopForumSpam blacklists or writting your own to use their API. They're pretty effective.


Not recently. I had to disable a StopForumSpam mod on my forum because it stopped working. Tons of bots were registering and the IPs and usernames were not in their database.

I switched to a random Q&A to keep the bots out - the only spammers who have gotten in was a guy with two accounts who dropped a tag-team "question" and "answer (with link)".

This whole thing is so annoying, really. Such a waste of our time. I wonder if anyone has been able to estimate the payoff these guys are getting with their infiltration into forums. Logically the payoff has to be high enough for them to keep it up; but I just wonder how worth it it is.
4:23 pm on Jan 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:May 31, 2006
posts:1207
votes: 7


It really was only a matter of time until ReCaptcha was cracked.

I've noticed an increase in spam in the last week or so. I'm not using ReCaptcha at the moment (because Google bought them out), I was using a similar "code" antispam mod.

I now do the Q&A and that seems to have helped immensely. I put a question or two in there and it rotates between them, which is great.

I think ultimately a solution similar to how Akismet works on blocking comment spam in WordPress would be ideal. I guess StopForumSpam is supposed to work in a similar fashion. Having one authority that manages spam registrations all over the web in theory should be accurate and help. Between a solution like that and a Q&A question, that should cover 99.99% of spam sign-ups.
4:26 pm on Jan 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 2, 2006
posts:2112
votes: 2


I'm new to running a forum, and recently I saw an increase in spammy registrations. I switched from reCAPTCHA to question/answer. I'm not sure how well this will hold them back.
5:29 pm on Jan 11, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:Nov 14, 2006
posts:172
votes: 0


One size does not fit all. When Google bought reCAPTCHA I was forced to write my own captcha code to get rid of their spyware. I never looked back and could not be happier: zero automated spam so far.
7:01 pm on Jan 11, 2011 (gmt 0)

Junior Member

10+ Year Member

joined:June 18, 2003
posts:161
votes: 0


I run a popular vbulletin forum, and reCaptcha definitely stopped working months ago. We switched over to Vbulletin's questions and answers and created our own custom questions, and that improved things significantly.

We also added the akismet check to the first one or two posts by a user, and that has helped catch a good bit of spam as well. So far we've only had one or two false positives, and their posts got approved within a day or two.

We've gone from deleting 5-10 spammers per day to less than five per week, and because of the akismet plugin, most of the time the spam never gets seen publicly.
7:22 pm on Jan 11, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:May 8, 2006
posts: 144
votes: 0


Even if they created an "unbeatable" captcha... I could "beat" it by hiring some foreign labor for a tenth of a penny per correct captcha. Literally.
8:35 pm on Jan 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts:5063
votes: 11


Not recently. I had to disable a StopForumSpam mod on my forum

It's not your forum. It's Brett's.

Just sayin'.

:)
9:01 pm on Jan 11, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 23, 2002
posts:659
votes: 0


Link?


[theregister.co.uk...]
9:13 pm on Jan 11, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 10, 2007
posts:145
votes: 0


Not recently. I had to disable a StopForumSpam mod on my forum because it stopped working. Tons of bots were registering and the IPs and usernames were not in their database.

I switched to a random Q&A to keep the bots out - the only spammers who have gotten in was a guy with two accounts who dropped a tag-team "question" and "answer (with link)".


A mix of plain English questions, StopForumSpam, Akismet and human moderation works very well for me...
9:46 pm on Jan 11, 2011 (gmt 0)

Junior Member

10+ Year Member

joined:Oct 30, 2005
posts:120
votes: 2


The problem with "plain English questions" is that it is fairly easy to create a database of them, with automated handling for variations. Similar to CAPTCHAs, the questions would then have to become complex enough that Joe User will have difficulty answering them. The whole thing is like an arms race.
12:20 am on Jan 12, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Apr 28, 2006
posts:1043
votes: 1


When a word in a book scan can’t be recognized by Google’s OCR software, it’s sent to the reCAPTCHA pool. So when a person enters a reCAPTCHA phrase into a form, Google can discover what its OCR program couldn’t, without having to hire human editors to review scanning results.

Hey, if Google's OCR software can't read it, and we type it in during the verification process, how can the challenge be compared to the response?
12:40 am on Jan 12, 2011 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 28, 2004
posts:45
votes: 0


The more difficult it is to register, the fewer registrations you'll get.

On our forum with 1.3 million posts, we don't use captchas, or even email verification upon registration. Just a simple Q&A.

When we uncover organized corporate stealth marketing campaigns (as opposed to random viagra spammers), we find photos of the executives on the board of directors of the parent company behind the campaign, and, with a simple software tool, we allow people to make comics of them, and then email the comics to the executives, in a sort of "reverse" marketing campaign. They love that.

As rollinj mentioned, paid crowdsourcing makes captchas almost irrelevant, and there is plenty of spammer-for-hire work on Mechanical Turk. See: [behind-the-enemy-lines.blogspot.com...]
1:26 am on Jan 12, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 21, 2005
posts:2259
votes: 0


youfoundjake, each suspect word is run against multiple human users. I guess the first few will get through with any nonsense they type :)
1:36 am on Jan 12, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 7, 2003
posts: 1048
votes: 0


there has to be a clever and inexpensive way to resolve this silly cat/mouse style arms-race!

very useful:

[webmasterworld.com...]
2:11 am on Jan 12, 2011 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


Well this is rather disconcerting. What should a vBulletin user do about it - what can we do about it?