Basic captcha failing

Our site has recently started getting spammed (up to 10 emails a day) via the quick contact form at the bottom of our site at www.idoweddingfilms.co.uk.

I've already integrated a basic captcha which is neat and relevant, and this has always done the job in the past as it's good enough to prevent random bots and crawlers, and nobody would want to put enough effort into abusing it as there's no advantage in doing so.

Anyway we've just been getting random messages along the lines of "Thank God! Somenoe with brains speaks!", "All of these atrciles have saved me a lot of headaches." etc with random emails which I'm guessing we're supposed to be dumb enough to reply to or follow.

Firstly, how is it getting past the captcha? And secondly, based on that, how can I prevent it without going down the bulky and probably needless route of a full-blown third party captcha system?
 
Do you change the word regularly and is it an image or a bit of text? (can't check as I'm on a tablet)

It may be as simple as a spider reading the word if it's text.
 
Only 6? So that means after a minimum of 6 tries they could get it... I'd investigate a better solution, and if it's only 6 then a person could write them down and put them into a spambot and done!
 
a person could write them down and put them into a spambot and done!

I thought the purpose of a spambot was to completely automate spamming. :p


Since I hate those distorted-text captchas so much, I'm experimenting with a simple PHP script that uses a mathematical challenge. Simple addition of two randomly generated numbers. So there's the usual input box, above which is a label with e.g. 1 + 7 = ?

Haven't tested it on a live site yet, but hopefully it will keep out the simpler bots.

Weaknesses? The operands and operators are plain text, so it would be trivial for a bot author to code for if the bot doesn't already have the capability.

Might try hardening the system by using CSS sprites.
 
I thought the purpose of a spambot was to completely automate spamming. :p

Of course it is, but as the site has 6 images it's dead easy, isn't it... say 20 refreshes should do it. These operations are 24/7 and they want/need to get as many people spammed as possible. If I was running a spam business (what a strange thing!) I'd do it like that...
 
Simple addition of two randomly generated numbers. So there's the usual input box, above which is a label with e.g. 1 + 7 = ?

I don't really know too much about web design. Could you implement a question-based system instead of arithmetic questions? For example, what is the capital of England? The user then enters London.

The only problem though is the developer would have to create these questions and individually link them with the correct answers. I could see how it's easier to generate arithmetic questions instead of the above. I really hate captcha.
 
Not many people like captchas, but they are a necessary evil. I've seen some sites with arithmetic-type solutions, a few with quiz types like said above, but as there are a few captcha solutions available that's what the majority use. People are also used to them now...
 
The bots are just doing some basic character recognition on the image you're linking to. It's a very user-friendly font, so it is very simple to pick the letters out of. You can make it more complicated by rotating letters and adding background lines and noise, but a) you'll make it harder for real people to read and b) the bots will probably be able to crack it still anyway. Therein lies the problem of effective captcha.
 
All of the wobbly letter captchas were beaten around the start of this year.

You can actually defeat the bots pretty easily by formatting a different question.

Something simple like, enter the first 4 letters of the word CARROT.

Most of the time they'll see the word and enter the whole thing, and thus fail. They're not clever enough to read what they actually have to do.

Works a treat on forums.
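The arithmetic challenge described earlier in the thread and the "first 4 letters of CARROT" instruction above have the same server-side shape, so here is one added example covering both (my own code, not any poster's, and in Python rather than the PHP script mentioned). It assumes a dict-like server session: the expected answer lives only in the session, never in a hidden form field, and each challenge is answerable once and expires.

```python
import hmac
import random
import time

CHALLENGE_TTL = 600  # seconds a challenge stays answerable

# Constructed word list for the "first N letters of WORD" challenge.
WORDS = ["CARROT", "PLANET", "WEDDING", "CAMERA"]


def new_challenge(session: dict, rng=None, now=time.time) -> str:
    """Pick a challenge at random, store only the expected answer
    server-side, and return the prompt to render next to the input box."""
    rng = rng or random.SystemRandom()
    if rng.random() < 0.5:
        a, b = rng.randint(1, 9), rng.randint(1, 9)
        prompt, answer = f"{a} + {b} = ?", str(a + b)
    else:
        word = rng.choice(WORDS)
        n = rng.randint(2, len(word) - 2)
        prompt = f"Enter the first {n} letters of the word {word}"
        answer = word[:n]
    session["captcha"] = {"answer": answer.upper(), "issued": now()}
    return prompt


def check_answer(session: dict, submitted: str, now=time.time) -> bool:
    """Verify a submission exactly once. The stored answer is removed on
    every attempt, right or wrong, so a bot cannot keep guessing the small
    answer space against the same challenge; stale challenges are rejected."""
    pending = session.pop("captcha", None)
    if pending is None:
        return False
    if now() - pending["issued"] > CHALLENGE_TTL:
        return False
    return hmac.compare_digest(pending["answer"], submitted.strip().upper())
```

Call `new_challenge` when rendering the form and `check_answer` when handling the POST, rendering a fresh challenge on failure.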
 
I've been using reCaptcha for a while. Used to be really good, but the spam has been immense of late. Google were denying it had been cracked. Some had attributed the spam to cheap Chinese labour employed to register accounts, though I'd be surprised if that were really true in the case of my blog.

As the others have suggested, a custom one might be worth a shot, and is often more usable than a captcha anyway.
 
Was just an example... but as said above by many, captchas are a pain but sometimes a necessary evil. I also use Cloudflare along with lulzsec!!!
 
Only 6? So that means after a minimum of 6 tries they could get it... I'd investigate a better solution, and if it's only 6 then a person could write them down and put them into a spambot and done!

Yes, because there's no advantage to cracking/abusing the system unlike say a Gmail or forum registration.

It's worth mentioning that I've since changed the captcha images and it seems to have done the trick.
 