so are captcha images worthless now?
Dream
Tue 7th Oct '08, 11:22pm
bots on my forum are having a walk on the park with the captcha images. are these worthless nowadays?
I'm setting up those questions/answers if you are curious to know :) it's quite fun making them actually :D
Sn2
Wed 8th Oct '08, 9:40am
I added custom captcha backgrounds and fonts to my forums and removed the default ones and that seemed to stop them.
Floris
Wed 8th Oct '08, 9:51am
See the newly added info in this thread: [vB 3.7] How to Reduce Spam and Registration Bots (http://www.vbulletin.com/forum/showthread.php?t=275800)
Wayne Luke
Wed 8th Oct '08, 10:06am
I believe that Image based Captchas and even Question and Answer Captchas are stopgap measures and as computers get more powerful will have always been easier to crack. For image captchas, you have OCR which gets more and more reliable every day. For Question and Answer, you can build rainbow tables that hold questions and any number of answers assigned to them.
The way to stop spammers in the future will be preventing their message from being heard through intelligent filtering and methods to determine concentrated attacks. This is how it is applied in email systems and how it should be applied in online systems. Using filters like Spam Assassin and those provided by my email client, I hardly ever get spam in my inbox anymore. If I do, I mark it as junk and the filter learns over time. Akismet is like this for forums and blogs but it is still learning. For vBulletin there are also addons that detect bot-like activity and can filter posts based on keyword ratings. These tools are the way forward.
cheat-master30
Wed 8th Oct '08, 10:49am
To be honest, I partly agree but partly disagree. The best spam prevention is simply to use custom measures, because it's easy to crack the default captchas and question and answer sets simply by having premade software and what not. It's a lot harder if you use specific questions related to your site or specific captcha backgrounds simply due to how most bot creators likely won't try and work out a counter to every single measure every single site has used (why waste effort for them on a forum with a custom answer set or a custom captcha background and work out separate stuff for each individual forum when they could aim for the default which is used by a whole lot more forums).
Chousho
Wed 8th Oct '08, 7:52pm
Hmm, the real question would be: will we come to the point where CAPTCHAs no longer do any good. They've been used in such abundance these few years that it would seem odd to sign up for a service without them (ahh, those were the days), so why use an extra step for the user if it does no good?
This is just hypothetical, keep in mind.
Floris
Wed 8th Oct '08, 8:10pm
Yes, just like there was a time where it was not needed at all, and just 'verify email during registration' blocked 99% of the spam.
MRGTB
Wed 8th Oct '08, 8:16pm
Hmm, the real question would be: will we come to the point where CAPTCHAs no longer do any good. They've been used in such abundance these few years that it would seem odd to sign up for a service without them (ahh, those were the days), so why use an extra step for the user if it does no good?
This is just hypothetical, keep in mind.
Seems like that time is very close already
Dream
Thu 9th Oct '08, 1:39am
I think vB should allow the administrator to choose the captcha or question answer input name, so everyone could make a custom one so the bots won't know how to send the info? Not sure if they already have a way to work around that.
Wayne Luke
Thu 9th Oct '08, 2:48am
I think vB should allow the administrator to choose the captcha or question answer input name, so everyone could make a custom one so the bots won't know how to send the info? Not sure if they already have a way to work around that.
This wouldn't solve anything really... it would just read the form and input it. If they need human assistance the program beeps and waits.
Dean C
Thu 9th Oct '08, 3:47am
One of the easiest ways I use to filter spam is use obfuscated Javascript to hide a field after a page has rendered. Bots tend to always still fill it out. Those that fill it out are bots. Easy peasy :)
This is a passive method, which your user shouldn't even notice. You should also combine it with other techniques.
eJM
Thu 9th Oct '08, 6:19am
One of the easiest ways I use to filter spam is use obfuscated Javascript to hide a field after a page has rendered. Bots tend to always still fill it out. Those that fill it out are bots. Easy peasy :)
This is a passive method, which your user shouldn't even notice. You should also combine it with other techniques.
So, are you just about to tell us more about this so others can implement it?
Jim
Dream
Thu 9th Oct '08, 6:55am
now THAT'S irony, what should we do with the owner of this bot?
Dream
Thu 9th Oct '08, 8:53am
someone removed the bot, but it was kinda funny how it spoke about spam being a problem :) hehehe
btw I got my first bot after changing to Q&A, one of those that fill in the profile fields.
I've been the target of spam related to the topic of my forum, so that bot might be some user that was requested input on what to do as Wayne said interested in spamming my kind of forum. These spams have been made in my language, which isn't English, with some bot script out there, I'm guessing the one in the post linked by Floris, which seems to be the most famous one? I'm lucky enough to get 1 spam per day I guess.
Wayne Luke
Thu 9th Oct '08, 10:39am
One of the easiest ways I use to filter spam is use obfuscated Javascript to hide a field after a page has rendered. Bots tend to always still fill it out. Those that fill it out are bots. Easy peasy :)
This is a passive method, which your user shouldn't even notice. You should also combine it with other techniques.
Couldn't you just place it in a <div> with display:none? Why do you need Javascript to hide it?
Dean C
Thu 9th Oct '08, 12:03pm
Couldn't you just place it in a <div> with display:none? Why do you need Javascript to hide it?
Because a bot scrapes the HTML page for <input>'s. It's pretty easy scraping the attributes of an input to check for inline CSS or a class which has a hidden attribute. If you use obfuscated javascript, it presents a problem for the scraper as they can't tell you are hiding it.
Floris
Thu 9th Oct '08, 12:31pm
But a fallback has to be there for browsers who have js turned off, right?
Wayne Luke
Thu 9th Oct '08, 1:17pm
<div class="requiredinfo">
<input type="text" length="25" name="whyjoin">
</div>
Assign value display:none in your external stylesheet.
eJM
Thu 9th Oct '08, 2:29pm
<div class="requiredinfo">
<input type="text" length="25" name="whyjoin">
</div>
Assign value display:none in your external stylesheet.
I'm not sure how this is actually implemented. I think part of what you're saying is to add a class, requiredinfo, to the extra CSS portion of the All Style Options section in AdminCP and assign the value "display:none". It would/could look like this:
.requiredinfo {display:none}
Then add your HTML to the form (registration, new thread, reply, etc.):
<div class="requiredinfo">
<input type="text" length="25" name="whyjoin">
</div>
If the form was a list, it might look like this:
<li class="requiredinfo">
<input type="text" length="25" name="whyjoin">
</li>
What I don't understand (besides whatever I might have misinterpreted above) is how the bot gets rejected.
Thanks for any further information on this.
Jim
Wayne Luke
Thu 9th Oct '08, 3:08pm
Well first there has to be additional code behind the scenes to store that value. Then you moderate new users. If the user has the hidden form field filled out then they are a bot since any normal user would never see it. Could go further with the custom code and moderate only those new users who fill out the field.
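The server-side check described in the post above, as an added example that is not part of the original thread and is not vBulletin code. The field name `whyjoin` comes from the thread; the function names, action labels and sample request bodies are hypothetical.

```javascript
// Added example, not code from the thread or from vBulletin.
// "whyjoin" is the decoy field name used in the thread; the function names,
// action labels and sample request bodies are constructed for illustration.
const HONEYPOT_FIELD = 'whyjoin';

// Classify one registration POST body (application/x-www-form-urlencoded).
function classifyRegistration(rawBody) {
  const values = new URLSearchParams(rawBody).getAll(HONEYPOT_FIELD);

  // A browser submits every named text input, even when it is empty or
  // hidden with display:none, so a request without the field was not
  // produced by submitting the rendered form.
  if (values.length === 0) {
    return { action: 'moderate', reason: 'honeypot field missing' };
  }
  // The form contains the field once; duplicates mean a hand-built request.
  if (values.length > 1) {
    return { action: 'moderate', reason: 'honeypot field repeated' };
  }
  // Whitespace-only input counts as empty.
  if (values[0].trim() !== '') {
    return { action: 'moderate', reason: 'honeypot field filled' };
  }
  return { action: 'accept', reason: 'honeypot field empty' };
}

// Usernames to place in the moderation queue. Flagged sign-ups are held
// for review rather than rejected, because a visitor browsing with CSS or
// JavaScript turned off sees the field and may fill it in.
function moderationQueue(bodies) {
  return bodies
    .filter((body) => classifyRegistration(body).action === 'moderate')
    .map((body) => new URLSearchParams(body).get('username'));
}

// Constructed sample submissions.
const SAMPLE_POSTS = [
  'username=alice&email=alice%40example.test&whyjoin=',
  'username=bot1&email=b1%40example.test&whyjoin=Great+site',
  'username=bot2&email=b2%40example.test',
  'username=bob&email=bob%40example.test&whyjoin=++',
];

console.log(moderationQueue(SAMPLE_POSTS)); // [ 'bot1', 'bot2' ]
```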
eJM
Thu 9th Oct '08, 4:49pm
In other words, this might be better served as a plugin, rather than to edit templates?
Jim
Wayne Luke
Thu 9th Oct '08, 5:05pm
To be effective, yes.
Dean C
Fri 10th Oct '08, 3:31am
In other words, this might be better served as a plugin, rather than to edit templates?
Jim
No it's useless if you put it in a CSS file, as I have said already. Hook into the on page loaded event and do it there and then obfuscate your javascript once you have it working. If a bot can decode captcha, they can certainly check your stylesheets. Obfuscating javascript adds an extra hurdle though :)
eJM
Fri 10th Oct '08, 4:07am
No it's useless if you put it in a CSS file, as I have said already. Hook into the on page loaded event and do it there and then obfuscate your javascript once you have it working. If a bot can decode captcha, they can certainly check your stylesheets. Obfuscating javascript adds an extra hurdle though :)
I do appreciate you trying to help, but I bet I am in the majority when I say, "I have no idea what you just said." It's like a foreign language. Can you break it down in layman's terms, maybe even give us an example?
Jim
Chousho
Fri 10th Oct '08, 4:12am
So how exactly would that work with users who, by default, have CSS and Javascript turned off?
the geek
Fri 10th Oct '08, 5:59am
I really think Dean is on to something very smart because it's a different approach. However nothing is bot proof.
If you hide it with js, couldn't bots only wait for post page load to be completed and then walk through the visible elements to fill those in (supposing that it uses a browser)? If that is the case then regardless of whether it is in CSS or done through js, there will be an eventual way around it as a parent element will eventually be "display: none;". Could you use CSS to absolute the position (or size) of the element way off the visible page? ;)
Dean C
Fri 10th Oct '08, 6:24am
I really think Dean is on to something very smart because it's a different approach. However nothing is bot proof.
If you hide it with js, couldn't bots only wait for post page load to be completed and then walk through the visible elements to fill those in (supposing that it uses a browser)? If that is the case then regardless of whether it is in CSS or done through js, there will be an eventual way around it as a parent element will eventually be "display: none;". Could you use CSS to absolute the position (or size) of the element way off the visible page? ;)
How would a bot programmatically know if an element is visible or not unless they used some special screen rendering technique? All they will see is the input tag in the HTML, they won't know it's invisible as the JS is hiding it :)
the geek
Fri 10th Oct '08, 6:32am
I suppose it depends on how the bot is written. I have written programs with embedded browsers that allow the program to query and manipulate the DOM so little or no human interaction was required. Though it has been a while and I never specifically tried to query visibility of a js hidden element, I am almost 100% sure I could do it with ease. This type of bot design would also allow for easier human intervention if the bot needs help.
Anyhooo, not an expert on bots by any stretch of the imagination, I am just pretty sure it's possible to test the visibility regardless of if it's done via css or js.
Wayne Luke
Fri 10th Oct '08, 9:39am
How would a bot programmatically know if an element is visible or not unless they used some special screen rendering technique? All they will see is the input tag in the HTML, they won't know it's invisible as the JS is hiding it :)
Well you would be manipulating the CSS of elements with the DOM to hide it so it isn't visible. If the bot can read CSS then they can just look at the DOM for each element and know what its display value is. Neither method is really foolproof.
Dream
Sun 12th Oct '08, 5:38pm
See the newly added info in this thread: [vB 3.7] How to Reduce Spam and Registration Bots (http://www.vbulletin.com/forum/showthread.php?t=275800)
Wow I just finished reading that, I didn't know Hotmail/Gmail captcha cracker bots were actually using humans to decode them and make spam accounts.
I highly doubt there's an Indian cracking my forum captcha though. That would be scary...