MyBB Community Forums

Full Version: user-friendly captcha!
They say it's a free world, but I'm not sure. Can I grant myself the right to say that the captcha image verification is nothing but a mere sadistic way of humiliating those who wish to register in a forum? Not the concept itself but the way it displays with everything distorted: shadows, squares, lines, slanted characters, etc., without even a Redraw button for those who find the captcha unreadable. What is all that for? (I have read almost everything on the web about the wisdom of using them, but I'm not yet convinced.)

Why shouldn't they be as simple as this one:

[Image: dotted.jpg]

OR just as plain as this one:

[Image: plain.jpg]

Or as straight as this one:
[Image: straight.jpg]

What is really funny is that sometimes they are case sensitive and sometimes they are not.

I have made some modifications to the captcha.php and uploaded one single ttf font to the captcha_fonts directory. Still hoping to make it as simple as possible.

Also still hoping to find a single convincing viewpoint on this issue.


Regards
Making it any less obfuscated is the equivalent to turning it off and opening the gateway to a flood of spam bots.

I've written scripts that can break the last two easily, and even the first one, but it's a tad harder.
maatty Wrote:What is really funny is that sometimes they are case sensitive and sometimes they are not.

They're not case sensitive and I have the code to prove it.
Tikitiki Wrote:Making it any less obfuscated is the equivalent to turning it off and opening the gateway to a flood of spam bots.

I've written scripts that can break the last two easily, and even the first one, but it's a tad harder.

Just a quick question: does the spambot read the image and identify the numbers/letters? If so, I can only imagine the images getting harder to read than straightforward.
rcpalace Wrote:
Tikitiki Wrote:Making it any less obfuscated is the equivalent to turning it off and opening the gateway to a flood of spam bots.

I've written scripts that can break the last two easily, and even the first one, but it's a tad harder.

Just a quick question: does the spambot read the image and identify the numbers/letters? If so, I can only imagine the images getting harder to read than straightforward.

In a manner of speaking, yes. A CAPTCHA program emulates the AI of the "eye" the best it can.
Alright...let me school you.

botmaster.net/more1/ (do not direct link from here copy and paste in new window)

That's a program called XRumer which can be used to massively spam forums, blogs, and other sites. It circumvents things like Captcha. It's important for webmasters to have all options of spam protection available. Without it spammers will use automated programs and wreak havoc on your site. I have yet to see a phpBB site where the memberlist wasn't 90% pure spam signups just to get their www link on the memberlist page.

If you notice, MyBB isn't listed among the forums the XRumer program can attack. Not saying it can't, but for now I believe MyBB is too small for them to care. God help us when they and the other spammers figure out MyBB is widely used.

And here is a black-hatter describing how captcha breaking is done.

Quote:You can break CAPTCHA. Not easily. But you can do it. The issue is that there's so many out there right now. Some web sites use a basic system that's just a list of numbers, where the numbers are not QUITE black, and the background is not QUITE white. For that, it's a simple deal to break it. Take a look at the RGB values for each pixel. The lightest 50% are turned to FFFFFF, and the darkest 50% are turned to 000000. Suddenly one layer of ambiguation is gone. From there, you can try to either match the font, and attempt to set various sizes against the modified image, or use the other method detailed below.
Morphing letters make it harder, but each letter must still bear some resemblance to the real letters.
For example, let's say with the morphed letters, you CAN separate the letters. The first letter, in reality, is a "g". Your program starts with the full alphabet. You then check the height of the letter. Approx 50% down the letter, there is a break (the opening for the tail of the "g"). That fact alone can eliminate almost every letter as a possibility. It could be an "s", "g", or "j"/"J".

So that's a good reason to use hard to read fonts, overlapping letters, and colorful backgrounds.

If you are asking yourself why I know about all these black-hat methods...it's to keep ahead of them.
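The pipeline the quoted black-hatter describes (threshold the "not quite black on not quite white" image, split it into letters, then match each letter against the font or eliminate candidates by shape) is small enough to show end to end. The block below is an added example written for this thread; it is not code from the thread, from MyBB's captcha.php, or from XRumer. The 5x7 bitmap font, the noise levels and the sample strings are all constructed here. One deliberate change from the quote: a fixed "darkest 50% becomes black" split only works when half the pixels are ink, which is never true of a captcha on a mostly white background, so the example uses Otsu's histogram threshold instead. It also shows why Tikitiki's "any less obfuscated is the same as turning it off" and labrocca's "overlapping letters" points hold: with clean, separated glyphs the blank-column split recovers every letter, and as soon as the glyphs touch (`gap=0`) the same segmentation collapses them into one blob.

```python
import random

# Constructed 5x7 bitmap font (assumption: the captcha uses a font we can
# reproduce; '#' is ink, '.' is background). Not the thread's code.
FONT = {
    "A": [".###.", "#...#", "#...#", "#####", "#...#", "#...#", "#...#"],
    "C": [".####", "#....", "#....", "#....", "#....", "#....", ".####"],
    "H": ["#...#", "#...#", "#...#", "#####", "#...#", "#...#", "#...#"],
    "O": [".###.", "#...#", "#...#", "#...#", "#...#", "#...#", ".###."],
    "T": ["#####", "..#..", "..#..", "..#..", "..#..", "..#..", "..#.."],
}
TEMPLATES = {ch: [[1 if p == "#" else 0 for p in row] for row in art]
             for ch, art in FONT.items()}


def render(text, rng, margin=2, gap=2):
    """Constructed sample captcha: 'not quite black' ink (10..50) on a
    'not quite white' background (205..245), as rows of grey levels."""
    height = 7 + 2 * margin
    width = 2 * margin + 5 * len(text) + gap * (len(text) - 1)
    img = [[225 + rng.randint(-20, 20) for _ in range(width)] for _ in range(height)]
    x = margin
    for ch in text:
        for r, row in enumerate(FONT[ch]):
            for c, p in enumerate(row):
                if p == "#":
                    img[margin + r][x + c] = 30 + rng.randint(-20, 20)
        x += 5 + gap
    return img


def sample(text, seed=7, gap=2):
    """Deterministic sample image for the usage below and the tests."""
    return render(text, random.Random(seed), gap=gap)


def otsu_threshold(img):
    """Grey level that best separates two intensity clusters. The quoted
    'darkest 50% -> black' rule assumes half the pixels are ink; Otsu's
    method reads the split off the histogram instead."""
    hist = [0] * 256
    for row in img:
        for v in row:
            hist[v] += 1
    total = sum(hist)
    sum_all = sum(i * hist[i] for i in range(256))
    w_b = sum_b = 0
    best_t, best_var = 0, -1.0
    for t in range(256):
        w_b += hist[t]
        w_f = total - w_b
        if w_b == 0:
            continue
        if w_f == 0:
            break
        sum_b += t * hist[t]
        m_b, m_f = sum_b / w_b, (sum_all - sum_b) / w_f
        var_between = w_b * w_f * (m_b - m_f) ** 2
        if var_between > best_var:
            best_var, best_t = var_between, t
    return best_t


def binarize(img):
    """Layer one of the attack: collapse the image to ink (1) / paper (0)."""
    t = otsu_threshold(img)
    return [[1 if v <= t else 0 for v in row] for row in img]


def segment_glyphs(bits):
    """Layer two: split on blank columns, crop each run to its bounding box.
    This is exactly the step that touching or overlapping letters defeat."""
    h, w = len(bits), len(bits[0])
    inked = [any(bits[r][c] for r in range(h)) for c in range(w)]
    glyphs, c = [], 0
    while c < w:
        if not inked[c]:
            c += 1
            continue
        start = c
        while c < w and inked[c]:
            c += 1
        cols = range(start, c)
        rows = [r for r in range(h) if any(bits[r][cc] for cc in cols)]
        glyphs.append([[bits[r][cc] for cc in cols] for r in range(rows[0], rows[-1] + 1)])
    return glyphs


def ink_runs(glyph, frac):
    """Structural feature from the quote: number of ink runs crossing the
    row at `frac` of the glyph height (0.5 = 'approx 50% down')."""
    row = glyph[int(frac * (len(glyph) - 1))]
    return sum(1 for i, v in enumerate(row) if v and (i == 0 or not row[i - 1]))


def hamming(a, b):
    """Differing cells between two bitmaps, padding the smaller with paper."""
    h, w = max(len(a), len(b)), max(len(a[0]), len(b[0]))
    def at(g, r, c):
        return g[r][c] if r < len(g) and c < len(g[0]) else 0
    return sum(at(a, r, c) != at(b, r, c) for r in range(h) for c in range(w))


def match_glyph(glyph, templates=TEMPLATES):
    """Layer three: 'match the font' by nearest template."""
    return min(templates, key=lambda ch: hamming(glyph, templates[ch]))


def solve(img):
    return "".join(match_glyph(g) for g in segment_glyphs(binarize(img)))


if __name__ == "__main__":
    print(solve(sample("CAT")))
    print(len(segment_glyphs(binarize(sample("CAT", gap=0)))))
```

With `gap=2` the three letters come back as "CAT"; with `gap=0` the inked columns run together and `segment_glyphs` returns a single blob, which is the cheap win overlapping letters buy a defender. Real captcha breakers replace the blank-column split with connected-component analysis and the template match with a trained classifier, but the shape of the attack is the same, which is why a captcha that is merely "less distorted" is not a weaker captcha but effectively none.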
What great information you provided, labrocca. We hope we are still safe from these people.
I'm just curious: isn't there any law to stop them?
Tikitiki Wrote:Making it any less obfuscated is the equivalent to turning it off and opening the gateway to a flood of spam bots.
But my dear I was thinking of the poor innocent users and how to make it easier for them. The question is: will spam bots still have access to the forum when admin activation is required? Or, do you mean that it is only necessary in the case of instant activation?
Just need a clarification of this point. Thanks in advance.

Tikitiki Wrote:They're not case sensitive and I have the code to prove it.
I trust your knowledge. Maybe they are just inconsistent in my case, for some reason.

labrocca Wrote:That's a program called XRumer which can be used to massive spam forums, blogs, and other sites.
Oh my God, that XRumer is really frightening! I could never have imagined that the human mind could harbor so much evil. Who on earth would use it and what for? What will they benefit from posting "up to 10000 messages all looking different but with similar contextual meaning and the user-defined hyperlinks in them"?
So, it is not just a question of the captcha, is it? What else, in your opinion, should one consider to protect his or her forum?
Thanks a lot for your highly informative post.

Regards
Email or Admin activation.
Quote:So, it is not just a question of the captcha, is it? What else, in your opinion, should one consider to protect his or her forum?

If your site has a spam or spambot problem I would suggest Akismet. Tikitiki made a great plugin using it for MyBB. It basically checks posts from new members for certain spam text like "viagra". Akismet was originally developed for WordPress to help combat comment spam, but there is an API to use it for other programs.

And yes..Xrumer scared the shit outta me when I found it too. I was like WTF! OMG!

Quote:Email or Admin activation.

Email activation is a good thing but it's not protection from spam. It's just nice to have members with legit working email for their subscriptions and to prevent a lot of bounces. Admin activation is ok but it deters members from participating because they have to wait around for an admin to activate them.