  1. #1 SitePoint Enthusiast (PWS) | Join Date: Apr 2003 | Location: London | Posts: 39

    CAPTCHA No longer effective..

    Hi, I'm using the google Captcha api/system on my site.. It's definitely working, I can't send a contact message to myself without typing in the scrambled phrases. But yet I'm getting about 10 emails a day lately from spammers using this form. Have spammers gotten more sophisticated lately? Is anyone else experiencing this?
    Chuck
    --------------------------
    Add Poker Tables to your Website
    http://www.PlugInPoker.com

  2. #2 Force Flow (Barefoot on the Moon!) | Join Date: Jul 2003 | Location: Northeastern USA | Posts: 4,606

    Quote (originally posted by PWS):
    > Have spammers gotten more sophisticated lately?
    Yes. There are ways to scan and interpret CAPTCHAs. The reCAPTCHA service is actually one of the easier ones to read.

    You can try including a blank "honeypot" input field in your form. The idea is that spammers will fill this field, but real people won't. So when the form is submitted, you check to make sure it's empty.

    If messages from the form you are protecting with CAPTCHA are sent to an email account, I would recommend filtering them through a gmail account. Their spam filter is pretty good at filtering that stuff out.
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  3. #3 SitePoint Enthusiast (PWS) | Join Date: Apr 2003 | Location: London | Posts: 39

    That's too bad, I saw a site with a new type of captcha using puzzle pieces you assemble. Maybe I'll try that one if I can find a free API somewhere. Unfortunately I can't use spam protection, since each lead can potentially be a 5 figure sale and I don't get many leads; I can't afford to miss a single one. I'd rather wade through 50 spams a day than risk that. However an effective human validation system would solve all my problems. Thanks for the info!
    Chuck
    --------------------------
    Add Poker Tables to your Website
    http://www.PlugInPoker.com

  4. #4 felgall (Programming Since 1978) | Join Date: Sep 2005 | Location: Sydney, NSW, Australia | Posts: 16,807

    Quote (originally posted by PWS):
    > Unfortunately I can't use spam protection, since each lead can potentially be a 5 figure sale and I don't get many leads, I can't afford to miss a single one.
    You do realise that any CAPTCHA also blocks a small percentage of real people from being able to use the form as well. The more effective it is at blocking bots the more real people it potentially blocks. Just as with any form of spam protection a CAPTCHA has some false positives - so if not missing a lead is that important to you then why are you using that spam protection aka CAPTCHA?
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  5. #5 SitePoint Enthusiast (PWS) | Join Date: Apr 2003 | Location: London | Posts: 39

    Not sure I understand how the captcha would fail... if they get the code wrong my page says it's wrong and they have to keep trying until it lets their email go through and says 'Email sent' etc. The script doesn't just silently fail and lead the user to believe it was sent..

    Or am I missing something?
    Chuck
    --------------------------
    Add Poker Tables to your Website
    http://www.PlugInPoker.com

  6. #6 dklynn (Certified Ethical Hacker) | Join Date: Feb 2002 | Location: Auckland | Posts: 14,650

    Chuck,

    What you're missing is that some people have problems with various types of CAPTCHA images, spoken words, text, etc. They will leave in frustration if CAPTCHA slows them too much.

    What Stephen often recommends is a timer which would differentiate an automated form-bot from a human ... but it will pass human spammers just like your current CAPTCHA is apparently doing.

    Nothing's perfect but you just have to weigh the cost-aggravation (to you)-aggravation (to site visitors) to determine which method is best for you.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  7. #7 felgall (Programming Since 1978) | Join Date: Sep 2005 | Location: Sydney, NSW, Australia | Posts: 16,807

    Quote (originally posted by PWS):
    > Not sure I understand how the captcha would fail... if they get the code wrong my page says it's wrong and they have to keep trying until it lets their email go through and says 'Email sent' etc. The script doesn't just silently fail and lead the user to believe it was sent..
    >
    > Or am I missing something?
    Some people are blind and so can't see a visual captcha. Some people are deaf and so can't hear an audio captcha. Some people have mental disabilities that would prevent them from being able to correctly answer a simple question type captcha. Usability studies have shown that about 70% or so of web users are disabled in some way that affects their ability to interact with some ways of doing things on the web.

    If the particular captcha you are using relies on a particular ability that people have and computers do not then those people whose disability is that they don't have that particular ability can not be distinguished from a bot using that captcha. Some captchas try to partly get around this by presenting the captcha two ways so that a person would have to be disabled in both ways in order to not be able to use one of the two. That's why some visual captchas have the ability to play a sound file of the captcha content - that way both deaf and blind people will be able to use the captcha just as long as they are not both deaf and blind.

    Do you really want to aggravate someone looking to spend a five figure amount who is colour blind and who therefore has failed to distinguish the characters in your captcha several times already and who therefore decides to go to some other site and let them have the money instead?

    Ideally you want to use a captcha that clearly distinguishes based on some difference between people and bots that applies to all people and all bots. Unfortunately there is no such captcha. As David said, the closest to that non existent captcha that I have found so far is the time that it takes people to fill out the form - bots can type a lot quicker than people. Where that type of captcha may run into problems is if people copy and paste content - you'd have to try to work out the appropriate points in the process to time between to take things like that into account.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  8. #8 PicnicTutorials (EricWatson, SitePoint Wizard) | Join Date: Dec 2007 | Location: Carlsbad, California, United States | Posts: 3,656

    I doubt Helen Keller is bringing him 5 figures. The recaptcha is probably the most accessible one there is. It has audio for the deaf and can refresh another image. On my recent site I just said screw it to the forms. And just obfuscated my email. That's all 99% of users want anyway - to simply email you.

  9. #9 PicnicTutorials (EricWatson, SitePoint Wizard) | Join Date: Dec 2007 | Location: Carlsbad, California, United States | Posts: 3,656

    Additionally I'm a large supporter of the random 5 + 2 question. I hate trying to read those captcha images. I would never subject my users to the likes of those. If a bot could do math then a bot could read. So if they are equal in regards to spam protection why not provide a simple question to your user. Of course that does not account for the deaf, but if others really cared then they would make an audible plugin for simple math.

  10. #10 felgall (Programming Since 1978) | Join Date: Sep 2005 | Location: Sydney, NSW, Australia | Posts: 16,807

    Quote (originally posted by EricWatson):
    > Additionally I'm a large supporter of the random 5 + 2 question.
    Which doesn't help those with a mental disability so that they don't know how to add numbers together - there are some people like that who are perfectly average in every other way. Of course with a financial transaction they are probably best being blocked as well as the bots.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  11. #11 PicnicTutorials (EricWatson, SitePoint Wizard) | Join Date: Dec 2007 | Location: Carlsbad, California, United States | Posts: 3,656

    I see your point. But realistically if a user can't solve a simple math problem then most likely they can't make out those horrible captchas either. So they are equal again.

    If you have specific information you need to gather then yes a form is more appropriate. But if you're only providing a way for them to send you an email then I think email obfuscation is better and easier for all involved. At the very least easier. http://www.websitecodetutorials.com/...n-tutorial.php

  12. #12 SitePoint Enthusiast (PWS) | Join Date: Apr 2003 | Location: London | Posts: 39

    Eric I like your point about users just wanting to email, because I'm the same way. If I see a contact form I'm looking around for an actual email address I can use. I do have an image of an email address on my contact page, so maybe I can emphasize that better as an option. Maybe get rid of the captcha form altogether..

    What technique are you using to obfuscate your email? I would think a spammer's robot could reassemble it just as easily as a browser could for display?
    Chuck
    --------------------------
    Add Poker Tables to your Website
    http://www.PlugInPoker.com

  13. #13 PicnicTutorials (EricWatson, SitePoint Wizard) | Join Date: Dec 2007 | Location: Carlsbad, California, United States | Posts: 3,656

    Quote (originally posted by PWS):
    > Eric I like your point about users just wanting to email, because I'm the same way. If I see a contact form I'm looking around for an actual email address I can use. I do have an image of an email address on my contact page, so maybe I can emphasize that better as an option. Maybe get rid of the captcha form altogether..
    >
    > What technique are you using to obfuscate your email? I would think a spammer's robot could reassemble it just as easily as a browser could for display?
    Image of an email is no good either. You have to assume a user can't remember your email by looking at it. And they can't copy it. So they have to go back and forth between windows entering the email. I gave this considerable thought and google time. These 3 ways are the best I could find. Option one being my preferred way. I have this implemented on 2 of my sites each getting 15,000 visitors monthly and no spam at all. Aside from the human ones that are offering me seo services. I DON'T WANT YOUR SERVICES. YOU'RE A DYING BREED. GIVE UP ALREADY.

  14. #14 SitePoint Enthusiast (PWS) | Join Date: Apr 2003 | Location: London | Posts: 39

    I read your solution #1.. That seems to address the problem of email address scrapers, but the spam bots are actually using my own form; they aren't just stealing my email. So your solution hides the email but what if their technology just clicks on the link and sends an email through just as though a live person were using the browser?

    Quote (originally posted by EricWatson):
    > Image of an email is no good either. You have to assume a user can't remember your email by looking at it. And they can't copy it. So they have to go back and forth between windows entering the email. I gave this considerable thought and google time. These 3 ways are the best I could find. Option one being my preferred way. I have this implemented on 2 of my sites each getting 15,000 visitors monthly and no spam at all. Aside from the human ones that are offering me seo services. I DON'T WANT YOUR SERVICES. YOU'RE A DYING BREED. GIVE UP ALREADY.
    Chuck
    --------------------------
    Add Poker Tables to your Website
    http://www.PlugInPoker.com

  15. #15 PicnicTutorials (EricWatson, SitePoint Wizard) | Join Date: Dec 2007 | Location: Carlsbad, California, United States | Posts: 3,656

    Quote (originally posted by PWS):
    > I read your solution #1.. That seems to address the problem of email address scrapers, but the spam bots are actually using my own form; they aren't just stealing my email. So your solution hides the email but what if their technology just clicks on the link and sends an email through just as though a live person were using the browser?
    Bots don't click. They only read. So if they can't read it they can't use it.

  16. #16 SitePoint Enthusiast (PWS) | Join Date: Apr 2003 | Location: London | Posts: 39

    In my case on my contact page (http://www.justforfunsoftware.com/contact.asp) it's actually submitting my contact form with spam in the comments.. I get about 15 a day now. There is no email address visible at any time in the HTML, it's just a form post. So these bots are filling out their spam in my comments area and then submitting (as well as foiling the captcha). If they can do that then there must be other crawlers going around and automatically clicking on every LINKTO anchor tag? Well, you did mention the solution has worked for you for years, so I'll give it a try. What I'm using now is useless. This is the type of email I'm getting from my form (removed part of their URL):

    NAME: fake coach purses
    EMAIL: kjdfkjkebkjwbkww52@gmail.com
    LANGUAGE:
    COMMENTS: Your Site Is Great!, http://www.{REMOVING THIS}/profile/92211 First fake coach purses, 8[,

    Quote (originally posted by EricWatson):
    > Bots don't click. They only read. So if they can't read it they can't use it.
    Chuck
    --------------------------
    Add Poker Tables to your Website
    http://www.PlugInPoker.com

  17. #17 PicnicTutorials (EricWatson, SitePoint Wizard) | Join Date: Dec 2007 | Location: Carlsbad, California, United States | Posts: 3,656

    I don't know for sure but I believe bots can only hijack (and use it to spam others) a poorly secured form. Not an email address. So even if they are able to read your address they won't use your mail to spam others only you. Tell me if I'm wrong?

  18. #18 SitePoint Enthusiast (PWS) | Join Date: Apr 2003 | Location: London | Posts: 39

    Interesting article on captcha's ineffectiveness: http://www.karlgroves.com/2013/02/09...aking-captcha/

    I am just going to add a question/answer system, can't do any worse than recaptcha. It was working 100% of the time with zero spams for the past year, then just a couple weeks ago I started getting 20+ per day. So it's rubbish now.
    Chuck
    --------------------------
    Add Poker Tables to your Website
    http://www.PlugInPoker.com

  19. #19 felgall (Programming Since 1978) | Join Date: Sep 2005 | Location: Sydney, NSW, Australia | Posts: 16,807

    Quote (originally posted by EricWatson):
    > I don't know for sure but I believe bots can only hijack (and use it to spam others) a poorly secured form. Not an email address. So even if they are able to read your address they won't use your mail to spam others only you. Tell me if I'm wrong?
    There is nothing to prevent bots filling out forms with their garbage and having that email go to the address that the form is set up to send to. The bot can't use the form to send to anyone other than that email address because it doesn't have access to the email address at all. The bot doesn't know the address it is sending to just that the form goes to an email address that does exist. So with a properly coded form that adds the email address after the form is submitted the only person who gets spammed is the owner of that address.

    The purpose of introducing a CAPTCHA is to try to separate the legitimate emails going to that address from the spam ones. As only one form and one email address are involved there are several places where the CAPTCHA can be applied - to the form when it is first filled out, on the mail server where the mail is sent to, on your computer where you receive the emails. If there is an obvious difference between what legitimate emails and spam emails contain then testing for that difference would be the least obtrusive CAPTCHA.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">
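felgall's closing point above, that testing for an obvious difference between legitimate and spam submissions is the least obtrusive check, can be done server-side before a CAPTCHA is ever shown. The following is an added example, not code from this thread or from any of the linked tutorials. It scores a submission on the signals visible in the spam sample Chuck pasted in post #16: a URL in the comments, content-free flattery, a product keyword where a person's name should be, an empty language field and a machine-looking mailbox name. The two sample submissions, the signal weights and the threshold of 3 are constructed for the example (the spam sample uses a placeholder domain, as the quoted one did) and should be tuned against your own mailbox.

```python
import re

# Constructed sample submissions. The first mirrors the shape of the spam post
# quoted earlier in the thread (the URL is a placeholder, as it was there).
SPAM_SAMPLE = {
    "name": "fake coach purses",
    "email": "kjdfkjkebkjwbkww52@gmail.com",
    "language": "",
    "comments": "Your Site Is Great!, http://www.example.invalid/profile/92211 "
                "First fake coach purses, 8[,",
}
LEGIT_SAMPLE = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "language": "English",
    "comments": "Hi, we'd like a quote for adding poker tables to our club site. "
                "Could you call me next week?",
}

# One match per link, so "http://www.x" counts once rather than twice.
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)
# Content-free praise is a common opener in automated submissions.
FLATTERY_RE = re.compile(r"\b(your site is great|great site|nice site)\b", re.IGNORECASE)


def spam_score(sub):
    """Score one submission; returns (score, reasons). Higher means more spam-like."""
    score, reasons = 0, []
    name = sub.get("name", "").strip()
    comments = sub.get("comments", "")
    local_part = sub.get("email", "").split("@")[0]

    n_urls = len(URL_RE.findall(comments))
    if n_urls:
        score += 2 * n_urls
        reasons.append(f"{n_urls} url(s) in comments")
    if FLATTERY_RE.search(comments):
        score += 1
        reasons.append("generic flattery")
    # A "name" that reappears inside the comments is usually a keyword, not a person.
    if name and name.lower() in comments.lower():
        score += 2
        reasons.append("name repeated in comments")
    # A field a visitor on the site would normally fill but a bot skips.
    if not sub.get("language", "").strip():
        score += 1
        reasons.append("language field empty")
    # Long mailbox name ending in digits with no separators: typical of throwaway accounts.
    if (len(local_part) >= 12 and re.search(r"\d{2,}$", local_part)
            and not re.search(r"[._-]", local_part)):
        score += 1
        reasons.append("machine-looking mailbox name")
    return score, reasons


def is_spam(sub, threshold=3):
    """Decide without blocking the visitor: a flagged message can be routed to a
    'probable spam' folder rather than refused, so a real lead is never lost."""
    return spam_score(sub)[0] >= threshold


if __name__ == "__main__":
    for label, sub in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, spam_score(sub), "->", "spam" if is_spam(sub) else "ok")
```

Because the check only labels the message, it fits Chuck's constraint that no lead may be lost: everything still arrives, but the scored-as-spam ones land in a separate folder, and the reasons list tells you which signal fired when you review it.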

  20. #20 PicnicTutorials (EricWatson, SitePoint Wizard) | Join Date: Dec 2007 | Location: Carlsbad, California, United States | Posts: 3,656

    Quote (originally posted by felgall):
    > There is nothing to prevent bots filling out forms with their garbage and having that email go to the address that the form is set up to send to. The bot can't use the form to send to anyone other than that email address because it doesn't have access to the email address at all. The bot doesn't know the address it is sending to just that the form goes to an email address that does exist. So with a properly coded form that adds the email address after the form is submitted the only person who gets spammed is the owner of that address.
    >
    > The purpose of introducing a CAPTCHA is to try to separate the legitimate emails going to that address from the spam ones. As only one form and one email address are involved there are several places where the CAPTCHA can be applied - to the form when it is first filled out, on the mail server where the mail is sent to, on your computer where you receive the emails. If there is an obvious difference between what legitimate emails and spam emails contain then testing for that difference would be the least obtrusive CAPTCHA.
    http://www.softswot.com/form-hijacking.php

    What is Form Hijacking?

    "Form Hijacking is the exploitation of vulnerable web forms to send unauthorized email. It is used predominately to send spam emails and uses the server on which the form is hosted to deliver the spam emails. This effectively makes the domain and server that processes the form the spam source allowing the real spam originator to remain anonymous. This can have serious consequences for the hijacked domain including blacklisting of the domain.

    Automated robot scripts crawl the internet looking for web forms, following web page links from site to site. When they identify a web form they test the form processing script to see if it is vulnerable to hijacking. The hijacking robot script attempts to send the form processing script a character combination that will corrupt the headers of the form delivery email, this is known as email injection. These headers are basically the email delivery instructions. They can include To: From: Subject: BCC: and a range of other information applied in delivering the email. If the headers can be corrupted it is possible to set these values and the body of the email. This enables a hijacker to send an email with any subject, with any message, including any attachment, to any email address (usually as a BCC) and it is sent by the hijacked server."

  21. #21 PicnicTutorials (EricWatson, SitePoint Wizard) | Join Date: Dec 2007 | Location: Carlsbad, California, United States | Posts: 3,656

    @PWS

    If you want to implement a captcha here is an easy one I helped put together http://www.websitecodetutorials.com/...hp-captcha.php

    If you want to do a honeypot here is a simple one http://www.websitecodetutorials.com/...p-honeypot.php

    Otherwise you have the obfuscated email way or felgall has a script that will watch the amount of time to fill out the form. If it's done in a robot amount of time like 2 seconds the form is stopped.
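The honeypot field Force Flow suggested in post #2, the fill-time check felgall describes in post #7 and the summary of both just above can be combined into one server-side check. This is an added example, not felgall's script and not code from the linked tutorials. It assumes the form carries two hidden fields: `website`, the honeypot that the stylesheet hides and a human never fills, and `form_token`, an HMAC-signed timestamp issued when the page is rendered, so a bot cannot simply post a made-up render time. The 5-second minimum and 6-hour maximum are assumptions to tune; as felgall notes, a person pasting a prepared message can be fast, so a timer failure is better treated as a reason to hold the message for review than to drop it.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for the example: the key is generated once on the server and kept
# out of the page; the field names match the hidden inputs in the form.
SECRET_KEY = secrets.token_bytes(32)
HONEYPOT_FIELD = "website"     # hidden by CSS; a real visitor never sees or fills it
MIN_FILL_SECONDS = 5           # faster than this is treated as automated
MAX_FILL_SECONDS = 6 * 3600    # older tokens are stale (a saved copy of the form)


def issue_form_token(now=None):
    """Called when the form is rendered: returns the value of the hidden form_token field."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def _verify_token(token):
    """Return the render time the token carries, or None if it is missing or forged."""
    try:
        ts, mac = token.split(".", 1)
        rendered_at = int(ts)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return rendered_at


def check_submission(form, now=None):
    """Return (accepted, reason) for a dict of POSTed fields."""
    now = now if now is not None else time.time()
    # Honeypot: a human cannot fill a field they cannot see.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field was filled"
    # Timer: the render time comes from our own signed token, not from the client.
    rendered_at = _verify_token(form.get("form_token", ""))
    if rendered_at is None:
        return False, "missing or forged form token"
    elapsed = now - rendered_at
    if elapsed < MIN_FILL_SECONDS:
        return False, f"filled in {elapsed:.0f}s, faster than a human"
    if elapsed > MAX_FILL_SECONDS:
        return False, "form token expired"
    return True, "ok"


if __name__ == "__main__":
    token = issue_form_token(now=1000)
    for label, form, when in (
        ("bot, 2 seconds", {"form_token": token, "website": ""}, 1002),
        ("human, 45 seconds", {"form_token": token, "website": ""}, 1045),
        ("bot, honeypot filled", {"form_token": token, "website": "http://spam.invalid"}, 1045),
        ("bot, forged token", {"form_token": "1000.deadbeef", "website": ""}, 1045),
    ):
        print(label, "->", check_submission(form, now=when))
```

Neither check asks the visitor to do anything, which is the point felgall and dklynn made about CAPTCHAs excluding real people: the honeypot and the token cost a blind or deaf visitor nothing. Both are still defeated by a human spammer typing at normal speed, so they belong in front of, not instead of, a content check on what arrives.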

  22. #22 felgall (Programming Since 1978) | Join Date: Sep 2005 | Location: Sydney, NSW, Australia | Posts: 16,807

    Quote (originally posted by EricWatson):
    > What is Form Hijacking?
    But if the form is sending an email to a single destination address that is added after the form is submitted then the headers are constructed entirely on the server with no field in the form having any access. Therefore form hijacking is irrelevant in this situation. No fields would exist within the form that could be used to carry out hijacking.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">
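To make the form-hijacking description Eric quoted in post #20 and felgall's reply concrete, here is an added example in Python; it is not code from this thread, from the softswot article or from the linked tutorials. `build_headers_naive` has the vulnerable shape the article describes, with visitor-supplied fields dropped straight into the header block, so a value that carries its own line break becomes a second header. `build_headers_safe` does what felgall describes: the destination is fixed on the server and never read from the form, the visitor's address goes into Reply-To rather than From, and any field containing a carriage return, line feed or NUL is refused, since a line break is the only way a field value can turn into a header. The addresses and the probe value are constructed for the example.

```python
import re

# Fixed on the server; the form never carries or chooses the destination.
DESTINATION = "owner@example.invalid"
SENDER = "contact-form@example.invalid"   # an address the mail server may send as
LINEBREAK_RE = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """Raised when a form field tries to smuggle in an extra header line."""


def count_header_lines(header_block):
    """Number of non-empty header lines in a CRLF-separated block."""
    return len([line for line in header_block.split("\r\n") if line])


def build_headers_naive(form):
    """Vulnerable shape: visitor fields concatenated straight into the header block.
    Shown only to make the quoted description of 'email injection' visible on the wire."""
    return (f"To: {DESTINATION}\r\n"
            f"From: {form['email']}\r\n"
            f"Subject: {form['subject']}\r\n")


def injected_fields(form):
    """Names of fields carrying CR, LF or NUL: the signature of a hijacking probe.
    Worth logging, since it tells you whether the form is being tested."""
    return [name for name, value in form.items()
            if isinstance(value, str) and LINEBREAK_RE.search(value)]


def build_headers_safe(form):
    """Hardened version: refuse line breaks, keep the destination and sender fixed,
    and carry the visitor's address in Reply-To so the site's own mail identity is used."""
    bad = injected_fields(form)
    if bad:
        raise HeaderInjection(f"line breaks in field(s): {', '.join(bad)}")
    return (f"To: {DESTINATION}\r\n"
            f"From: {SENDER}\r\n"
            f"Reply-To: {form['email']}\r\n"
            f"Subject: {form['subject'][:200]}\r\n")


# Constructed probe of the kind the quoted article describes: a subject line that
# carries its own line break and an extra header. Addresses are placeholders.
PROBE = {"email": "visitor@example.invalid",
         "subject": "hello\r\nBcc: victim1@example.invalid, victim2@example.invalid"}
CLEAN = {"email": "visitor@example.invalid",
         "subject": "Question about poker tables"}


if __name__ == "__main__":
    print("naive, probe :", count_header_lines(build_headers_naive(PROBE)), "header lines")
    print("naive, clean :", count_header_lines(build_headers_naive(CLEAN)), "header lines")
    print("probe fields :", injected_fields(PROBE))
    try:
        build_headers_safe(PROBE)
    except HeaderInjection as exc:
        print("safe, probe  : refused,", exc)
    print("safe, clean  :", count_header_lines(build_headers_safe(CLEAN)), "header lines")
```

With the destination fixed and line breaks refused, the worst a bot can do through the form is exactly what felgall says: send junk to the one address it cannot see. A mail library that builds headers for you will usually refuse embedded line breaks as well, but the explicit check is what lets you log the attempt rather than just fail on it.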

  23. #23 PicnicTutorials (EricWatson, SitePoint Wizard) | Join Date: Dec 2007 | Location: Carlsbad, California, United States | Posts: 3,656

    Quote (originally posted by felgall):
    > But if the form is sending an email to a single destination address that is added after the form is submitted then the headers are constructed entirely on the server with no field in the form having any access. Therefore form hijacking is irrelevant in this situation. No fields would exist within the form that could be used to carry out hijacking.
    Huh. So how would he/you know if the spambot is sending a spam message just to him or him and 100 others? I'm not being facetious, I really don't know.

