
Captcha cracked?

Started by ff, November 22, 2008, 08:29:34 AM


ff

Last night 120 spam entries from one IP were entered at 120 pictures.
Captcha is on, but they're posted.

Am I the only one or is captcha (v. 3.0 cracked)?

Joachim Müller

We can't tell for sure, since you haven't provided a link to your gallery.

Anyway, bots appear to be able to overcome captcha, although that's a resources-intensive process that's probably not being used on a coppermine-driven gallery yet. Here's part of a conversation led on a dev-only board:
Quote from: Hein Traag on February 27, 2008, 03:50:52 PM
I just finished reading this : http://blogs.iss.net/archive/CAPTCHA.html.

Since 1.5 offers captcha as an option under the comments settings in config I thought of coppermine when reading that article. And since the big fish in the pond such as mickeysoft and gmail also got their captcha method hacked. Do the more code skilled devs see any problem arising with using captcha in cpg?

Should we be looking for another way for users to safeguard comment posting or is it safe to continue using captcha?

Cheers
Hein
Quote from: Joachim Müller on February 27, 2008, 05:26:18 PM
It was only a question of time until spammers were able to defeat captcha imo - I have anticipated that they would be able to compromise captchas sooner or later. The key in the article you referred to is this sentence:
Quote
Personally, I don't think it's really worth strengthening the algorithms used to create more complex CAPTCHA's – instead, just deploy them as a small "speed-bump" to stop the script-kiddies and their unsophisticated automated attack tools. CAPTCHA's aren't the right tool for stopping today's commercially minded attackers.
This being said, consider captchas not as a method that will stop spamming once and for all - it will just slow down the number of spam attacks by keeping the script kiddies away (at least for a while).
That's why I have introduced comment moderation as well into cpg1.5.x. We might even consider adding the akismet mod into the core. Not because those methods will deliver the final blow to spammers - I agree with the author of the article that this fight has already been lost, but because it will allow our end users to achieve less spam comments.
Bottom line: captcha is not dead (yet), but it's certainly a valid idea to consider other technologies of spam prevention than captcha.

ff

Quote from: Joachim Müller on November 22, 2008, 10:10:14 AM
We can't tell for sure, since you haven't provided a link to your gallery.

Whoops http://www.xarno.nl/fotoalbum/ ;)

Quote
Anyway, bots appear to be able to overcome captcha, although that's a resources-intensive process that's probably not being used on a coppermine-driven gallery yet. Here's part of a conversation led on a dev-only board:
This being said, consider captchas not as a method that will stop spamming once and for all - it will just slow down the number of spam attacks by keeping the script kiddies away (at least for a while).
That's why I have introduced comment moderation as well into cpg1.5.x. We might even consider adding the akismet mod into the core. Not because those methods will deliver the final blow to spammers - I agree with the author of the article that this fight has already been lost, but because it will allow our end users to achieve less spam comments.
Bottom line: captcha is not dead (yet), but it's certainly a valid idea to consider other technologies of spam prevention than captcha.


Thanks :D

Joachim Müller

I strongly doubt that a spammer used the techniques to break captcha on your gallery. No offense, but your page is not relevant enough in search engine indexes (page rank 0) to be a valuable target for spammers to burn resources.

ff

Quote from: Joachim Müller on November 22, 2008, 10:41:41 AM
I strongly doubt that a spammer used the techniques to break captcha on your gallery. No offense, but your page is not relevant enough in search engine indexes (page rank 0) to be a valuable target for spammers to burn resources.

That's what I thought :)
Just a baby/toddlers album.

Last week I received one message with the same content.
But last night there were 120 of those at 120 different images.
"wedding dresses wedding gowns bridal gowns lace front wigswedding invitationslace wigs full lace wigs cheap wedding invitations"

If they'd spammed our marriage album with this content I could understand it ;)

Maybe a testcase :D

ff

(just google for this phrase and you'll find some more invested sites :( )
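
Added example, not part of the original thread and not Coppermine code: one way to hold a burst like the one reported above (the same text from one IP on many pictures in one night) for moderation, independent of whether the captcha was solved. The record fields, thresholds, IP addresses and sample comments are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

def normalize(body):
    """Lower-case and collapse whitespace so trivially varied copies still match."""
    return re.sub(r"\s+", " ", body.lower()).strip()

def flag_bursts(comments, window=timedelta(hours=12), min_pictures=5):
    """Return ids of comments in a burst: the same text from one IP posted on
    at least min_pictures distinct pictures within the time window."""
    groups = defaultdict(list)
    for c in comments:
        groups[(c["ip"], normalize(c["body"]))].append(c)
    flagged = set()
    for group in groups.values():
        group.sort(key=lambda c: c["time"])
        start = 0
        for end in range(len(group)):
            # Slide the left edge forward until the span fits inside the window.
            while group[end]["time"] - group[start]["time"] > window:
                start += 1
            span = group[start:end + 1]
            if len({c["pic"] for c in span}) >= min_pictures:
                flagged.update(c["id"] for c in span)
    return sorted(flagged)

def sample_comments():
    """Constructed data modelled on the report: one earlier copy a week before,
    120 copies on 120 pictures in one night, plus two ordinary comments."""
    spam = "cheap wedding   invitations"  # constructed sample text
    night = datetime(2008, 11, 21, 23, 0)
    rows = [{"id": 1, "ip": "192.0.2.10", "pic": 7,
             "time": night - timedelta(days=7), "body": spam}]
    rows += [{"id": 100 + i, "ip": "192.0.2.10", "pic": i,
              "time": night + timedelta(minutes=i), "body": spam}
             for i in range(120)]
    rows += [{"id": 500 + i, "ip": "198.51.100.4", "pic": 3 + i,
              "time": night, "body": "Cute photo!"} for i in range(2)]
    return rows

if __name__ == "__main__":
    held = flag_bursts(sample_comments())
    print(len(held), "comments held for moderation")
```

The single copy from a week earlier falls below the burst threshold, so it would still depend on comment moderation or a content filter such as the akismet mod mentioned in the thread.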