  1. #1
    Regular Coder ArcticFox's Avatar
    Join Date
    Jan 2004
    Location
    Vostok Station, AQ
    Posts
    602
    Thanks
    35
    Thanked 3 Times in 3 Posts

    Are you deaf or just blind?

    http://www.basestationzero.com/IPB2....ct=Reg&CODE=00 - Check the [] box and click [Register] to get to the page I'm talking about.


    I'm having problems with spambots getting past the numerical image recognition test on my registration page. I can usually tell if the registration is a bot or human by just looking at the username, but sometimes I have to look up the user profile to figure it out.

    I get an email when a registration is complete. They must have a valid email to continue, and that's what keeps the bots from posting. What I'd like is a way to keep the bots from completing registration, thus, keeping me from receiving a useless email.

    My last idea was to have a FORM SELECT. The visitor has to select a choice showing that they've read the rules -> bots always select the first option. Any other option selected is a different issue. I wanted to code JS on that so if the correct option is not selected, the submit button would not be active, or would attempt to close/crash the browser window (no whining, this is a bot we're crashing), but I haven't yet.

    My newest idea involves "Voice Image Verification". What I'm wanting to do on this is remove the image completely and just have the visitor play the soundfile for the security code confirmation. But now I'm wondering... who's blind vs who's deaf?

    Good idea? Bad idea? Why?
    Last edited by ArcticFox; 09-30-2006 at 09:32 PM.
    <div> - putting your mind in a box since 1997

  • #2
    Regular Coder
    Join Date
    Sep 2006
    Location
    Vermont, USA
    Posts
    154
    Thanks
    0
    Thanked 6 Times in 6 Posts
    You've got some pretty smart bots visiting your site. Captcha is in for a rude awakening....just kidding....there has to be some way to bypass your security code confirmation or you're leaking it somewhere.

    My suggestion is to look at the full process of signing up. I have a hard time considering there is a bot reading your captcha image.
    Active PHP/MySQL application developer available for immediate work.
    syosoft.com mavieo.com - Remote Web Site Administration Suite - Reseller Ready

  • #3
    Senior Coder
    Join Date
    Dec 2004
    Location
    Essex, UK
    Posts
    2,636
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Is that md5 or something the code is stored in (eg. 0d2a842aafe035ea1ce689c744c0228e.wav)?

    A bot may be able to read that and look up the value based on the hash (it knows it's 6 digits so the rainbow tables wouldn't be _that_ big). Just an idea but probably not the right one... :/

  • #4
    Regular Coder ArcticFox's Avatar
    Join Date
    Jan 2004
    Location
    Vostok Station, AQ
    Posts
    602
    Thanks
    35
    Thanked 3 Times in 3 Posts


    I've been looking through the codes all day with no idea how a bot would get through, or on a way to read the image via the html.

    This has been a problem on other IPB forums, yet no one seems to know how the bots get through.

    I'm now thinking of coding a JS to pass on the value of the image URL as well as what is entered in the textarea to see what the bots are entering. Maybe there's some chance that there's a "master code" to bypass the verifications...?


    -----------------------

    The bots were getting in before I put the soundfile codes in. An example of what I see:


    Code:
    804542
    Image:
    26eb5f6602649e52dc562721784ad80b
    Soundfile:
    26eb5f6602649e52dc562721784ad80b.wav



    Code:
    276735
    Image:
    a6d8fc9e994a8aaed952e6a1447c9c7c
    Soundfile:
    a6d8fc9e994a8aaed952e6a1447c9c7c.wav





    I'm sure there's some sort of math equation that would decode this...
    Last edited by ArcticFox; 09-30-2006 at 09:34 PM.
    <div> - putting your mind in a box since 1997

  • #5
    Regular Coder ArcticFox's Avatar
    Join Date
    Jan 2004
    Location
    Vostok Station, AQ
    Posts
    602
    Thanks
    35
    Thanked 3 Times in 3 Posts
    And I just found this site:

    http://www.myownbot.com/about.htm

    • Can this program bypass captcha?
    Yes, in special ways. MyBot automatically attempts to bypass it. If MyBot fails it allows the user to view and type in the code to continue!

    And now that I'm looking into it more, I see that these bots aren't showing up on any of my trackers. That might say something.
    Last edited by ArcticFox; 09-30-2006 at 09:17 PM.
    <div> - putting your mind in a box since 1997

  • #6
    Regular Coder
    Join Date
    Sep 2006
    Location
    Vermont, USA
    Posts
    154
    Thanks
    0
    Thanked 6 Times in 6 Posts
    Wonder what the percentage is of the bot actually being able to read the image...that would be some rather advanced image parsing. I would think it could be easily fooled by using a gradient overlay on the letters/numbers as the only way I can think of how someone would code a captcha bypass would be to read the image data pixel by pixel and try to trace the letters by matching/like colors and then correlate that with the alphabet...very tricky stuff.

    However, a program that halts and lets the operator type the image in makes a weeee bit more sense than full automation. It still allows the operator to concentrate 99% of their time on startrak so I'm sure they don't mind too much.

    Not sure how to thwart it other than changing your registration process. You could dump all reg data in a holding tank (temp database) using something to the effect of base64_encode(serialize($_POST)) (after it's been error checked of course) and then once the link in the email is clicked to verify it, you copy that temp data into the live user db, send yourself an email, and remove the temp record.

    It's creative - and it would solve your problem....but only if creating this workaround isn't a big problem of its own.

    Good luck.
    Active PHP/MySQL application developer available for immediate work.
    syosoft.com mavieo.com - Remote Web Site Administration Suite - Reseller Ready
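
The holding-table flow from post #6, as an added example that is not part of the thread and not IPB's code (Node.js rather than PHP; the in-memory maps and function names are assumptions standing in for the temp and live databases and the admin e-mail). The admin is notified only after the e-mailed link is used, and unverified rows expire.

```javascript
const crypto = require('node:crypto');

const pending = new Map();  // sha256(token) -> { data, expires }
const users = new Map();    // live user table (stand-in for the real DB)
const adminInbox = [];      // stand-in for the admin notification e-mail
const TTL_MS = 24 * 60 * 60 * 1000;

const digest = (token) => crypto.createHash('sha256').update(token).digest('hex');

// Step 1: validated form data goes to the holding table, not the user table.
// Returns the token to embed in the verification link; no admin mail yet.
function holdRegistration(data, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  // Store only a hash of the token, so a leaked holding table cannot be
  // used to confirm accounts. JSON instead of serialize(): plain data only.
  pending.set(digest(token), { data: JSON.stringify(data), expires: now + TTL_MS });
  return token;
}

// Step 2: the e-mailed link is clicked. Promote, notify, delete the temp row.
function confirmRegistration(token, now = Date.now()) {
  const key = digest(String(token));
  const row = pending.get(key);
  if (!row) return false;
  pending.delete(key);                 // single use, even if expired
  if (now > row.expires) return false;
  const data = JSON.parse(row.data);
  users.set(data.username, data);
  adminInbox.push(`New verified member: ${data.username}`);
  return true;
}

// Housekeeping: unverified rows age out instead of piling up.
function purgeExpired(now = Date.now()) {
  let removed = 0;
  for (const [key, row] of pending) {
    if (now > row.expires) { pending.delete(key); removed++; }
  }
  return removed;
}
```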

  • #7
    Senior Coder
    Join Date
    Dec 2004
    Location
    Essex, UK
    Posts
    2,636
    Thanks
    0
    Thanked 0 Times in 0 Posts
    It's kind-of odd without knowing how the numbers are hashed. eg. 26eb5f6602649e52dc562721784ad80b is not the MD5 hash of 804542. It could be salted but I'm not sure how salting works really...

    If this is a known problem with IPB then my suggestion would just be to wait for a new release or install any security patches which are available.
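
The concern raised in posts #3 and #7, as an added example that is not part of the thread and not IPB's code (Node.js rather than PHP): if a public file name were a plain unsalted MD5 of the six-digit code, an audit sweep of all 1,000,000 candidates recovers the code, whereas a random name mapped to the code server-side reveals nothing. The thread does not establish how IPB derives its names; the scheme, function names and the code value used here are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Weak scheme (hypothetical): public file name = MD5 of the 6-digit code.
function weakName(code) {
  return crypto.createHash('md5').update(code).digest('hex');
}

// Audit check: can the code be recovered from the name alone?
// Only 1,000,000 candidates exist, so a full sweep is quick.
function recoverFromName(name) {
  for (let i = 0; i < 1_000_000; i++) {
    const guess = String(i).padStart(6, '0');
    if (weakName(guess) === name) return guess;
  }
  return null;
}

// Hardened scheme: the name is random and the code lives only server-side.
const challenges = new Map(); // id -> { code, expires }

function issueChallenge(now = Date.now()) {
  const id = crypto.randomBytes(16).toString('hex');
  const code = String(crypto.randomInt(0, 1_000_000)).padStart(6, '0');
  challenges.set(id, { code, expires: now + 10 * 60 * 1000 });
  return { id, code }; // code is returned here only to render the image/sound
}

// Single use: the entry is deleted on the first attempt, right or wrong.
function checkAnswer(id, answer, now = Date.now()) {
  const entry = challenges.get(id);
  challenges.delete(id);
  if (!entry || now > entry.expires) return false;
  const a = Buffer.from(String(answer));
  const b = Buffer.from(entry.code);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```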

  • #8
    Regular Coder
    Join Date
    Jun 2002
    Posts
    138
    Thanks
    0
    Thanked 0 Times in 0 Posts
    IF bots are reading your images then it's pretty useless..
    Bots have one problem which can be used to save oneself..
    Bots mostly check the Tick Boxes..fill fields whatever they find..on that page..

    This is what you can do.. Insert a Check BOX with a RED BOLD text like this


    * Warning! Check this box ONLY if you want to cancel registration process OR Check this box ONLY if you want to Reset the whole form

    Humans won't check the Box... BUT bots will DO because they know how to check the box but they don't know what to check and what not to check.. so the form won't submit and No registrations No email..
    Move on....

  • #9
    New Coder
    Join Date
    Aug 2006
    Posts
    97
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Why would you be blind visiting a site?.... but anyway instead of that.. (not sure because I haven't got this far) how about having an image of an object and having the user type in what it is (like car / boat)

  • #10
    Senior Coder
    Join Date
    Dec 2004
    Location
    Essex, UK
    Posts
    2,636
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by haveacigar View Post
    Why would you be blind visiting a site?.... but anyway instead of that.. (not sure because I haven't got this far) how about having an image of an object and having the user type in what it is (like car / boat)
    Valid point!

    CAPTCHA does have a program which does something similar; although whether or not it could be implemented into IPB, I'm not too sure.

  • #11
    Regular Coder ArcticFox's Avatar
    Join Date
    Jan 2004
    Location
    Vostok Station, AQ
    Posts
    602
    Thanks
    35
    Thanked 3 Times in 3 Posts


    Quote Originally Posted by kab_184 View Post
    IF bots are reading your images then it's pretty useless..
    Bots have one problem which can be used to save oneself..
    Bots mostly check the Tick Boxes..fill fields whatever they find..on that page..
    That's the idea I had with the select menu:

    Code:
    Have you read the Guidelines & Rules, please select:
    1) No, I'm a spambot and can't read.
    2) I can't remember.
    3) Possible, maybe... Probably not.
    4) Yes I did!
    The bot always selects the first one. What I tried to do (but failed) was create a javascript code that only enables the submit button if the fourth option is chosen. But I could not get it to work...


    I have since removed the image altogether and just left the soundfile. I usually get 1-2 bots registering per day, but since yesterday I've had none get through.
    <div> - putting your mind in a box since 1997
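
The decoy checkbox from post #8 and the rules select from post #11, checked where the form is received, as an added example that is not part of the thread and not IPB's code (Node.js; the field names `cancel_registration`, `rules_read` and `username` are assumptions). A client that posts the form directly never runs the page's script, so the decision is made on the submitted values.

```javascript
// Field names are hypothetical; "4" is the "Yes I did!" option from post #11.
const RULES_ACCEPTED = '4';

// Classify a submitted registration form. `form` is the parsed POST body.
// Runs on the server: a bot that posts directly never executes page script,
// so a disabled submit button alone would not stop it.
function screenRegistration(form) {
  const reasons = [];
  // Decoy checkbox from post #8: browsers omit unchecked checkboxes,
  // so the mere presence of the field means it was ticked.
  if (Object.prototype.hasOwnProperty.call(form, 'cancel_registration')) {
    reasons.push('decoy checkbox ticked');
  }
  // Select from post #11: anything except option 4 is rejected, including
  // a missing field or a value that was never offered.
  if (form.rules_read !== RULES_ACCEPTED) {
    reasons.push(form.rules_read === '1' ? 'default option left selected'
                                          : 'rules not acknowledged');
  }
  return { accept: reasons.length === 0, reasons };
}

// Reject quietly: log for the admin, send no e-mail, reveal no reason.
function handleRegistration(form, log = []) {
  const verdict = screenRegistration(form);
  if (!verdict.accept) {
    log.push({ username: String(form.username || ''), reasons: verdict.reasons });
    return { status: 400, body: 'Registration could not be completed.' };
  }
  return { status: 200, body: 'Check your e-mail to finish registering.' };
}
```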

  • #12
    Senior Coder
    Join Date
    Dec 2004
    Location
    Essex, UK
    Posts
    2,636
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by ArcticFox View Post
    I have since removed the image altogether and just left the soundfile. I usually get 1-2 bots registering per day, but since yesterday I've had none get through.
    That's good... but I wouldn't like to guess at what percentage of people do not have sound on their computer...

  • #13
    New Coder Grobulous's Avatar
    Join Date
    Sep 2006
    Location
    Earth...
    Posts
    63
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I may be interrupting this discussion, but...

    I've been having the same problem on my forums (www.sabukudo.com/phpBB2/memberlist.php). Except I'm getting to think that they are actually real live humans. A few have just been random letters and numbers, the rest have similarly formatted usernames, like (first initial or first name)(underscore or hyphen)(last initial or last name). For location, all of them say USA, so that leads me to suspect that if it is a person doing this, they're foreign. And their websites link to obscure prescription drugs on the same website. I've been getting like 5 to 10 a day for the last few weeks, and I have to constantly delete them. I just hate them so much.

    I am using phpBB. So far I haven't found a way to prevent them. If they aren't bots, there may not be. I don't know.
    Release your mighty juices of creativity... SabuKudo.com!

  • #14
    Regular Coder
    Join Date
    Jun 2002
    Posts
    138
    Thanks
    0
    Thanked 0 Times in 0 Posts
    There is another workaround without pain ...Just split the location of the Code and the place where you put it..

    Print the Security Code in Bold at the Top of the registration Page. And at the end of form ask user "Enter the security Code printed on the Top of this page"

    I don't think hearing sound is a good idea..some might be behind firewall..some won't have speakers..issues issues.. stick to text pattern
    Move on....

