#1 Re: Modifications (1.4) » [Plugin] CAPTCHAv2 Image Mod - anti (spam)bot registration - *dev* » 2011-03-09 10:59:24
- JAcky
Well I posted it here because this is how I handled the development of the previous mod for PunBB and FluxBB 1.2.
I have not submitted the mod to your repo because it is not production ready. Also, I will only support MySQL and Postgres and I think the repo page states that a mod needs to support all databases support by FluxBB to be accepted.
#2 Re: Modifications (1.4) » [Plugin] CAPTCHAv2 Image Mod - anti (spam)bot registration - *dev* » 2011-03-08 20:40:22
- JAcky
OK I have addressed most of the concerns above. dev007 comes with a stripped down version of class_captcha which only includes the image generation/validation code (before: 44KB after: 17KB).
I also removed the dependency for class_cache and class_email since they only make sense when used across an entire site but not when only protecting a single page. This removed another 15KB from the package.
I'll have to find a way to reload the image grid when the user goes back / uses the back button but other than that everything appears to be working quite well with FluxBB
#3 Re: Modifications (1.4) » [Plugin] CAPTCHAv2 Image Mod - anti (spam)bot registration - *dev* » 2011-03-06 16:43:52
- JAcky
What is the src attribute of the images of the captcha? .....
The latter. Filenames are stored in the database and if caching is enabled, in the APC cache (do not enable this on shared hosting!!).
The link to the image ("img.php?f=5zmwifyw0ri7sii") is generated randomly. The association between the random link and the actual filename is only stored in $_SESSION.
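The random-link scheme described in the post above, as an added example that is not part of the original post or of CAPTCHAv2's code: the page only ever sees opaque tokens, and img.php resolves them through the session. Function names and session keys are hypothetical, and random_bytes() assumes PHP 7 or later.

```php
<?php
// Added example: opaque per-session image tokens (all names are hypothetical).

/** Issue one random token per image and remember token => filename in the session. */
function captcha_issue_tokens(array &$session, array $filenames, string $answerFile): array
{
    $map = [];
    foreach ($filenames as $file) {
        // 16 bytes from the CSPRNG; the token reveals nothing about the file name.
        $map[bin2hex(random_bytes(16))] = $file;
    }
    $session['captcha_map']    = $map;
    $session['captcha_answer'] = array_search($answerFile, $map, true);
    return array_keys($map);   // only these reach the HTML, as img.php?f=<token>
}

/** img.php side: translate a token back to a file name, or null if it is unknown. */
function captcha_resolve(array $session, string $token)
{
    $file = $session['captcha_map'][$token] ?? null;
    // basename() keeps a bad map entry from pointing outside the image directory.
    return $file === null ? null : basename($file);
}

/** One attempt per challenge: the session entries are cleared on success and on failure. */
function captcha_check(array &$session, string $token): bool
{
    $expected = $session['captcha_answer'] ?? null;
    unset($session['captcha_map'], $session['captcha_answer']);
    return is_string($expected) && hash_equals($expected, $token);
}

// Constructed sample run on the command line; a plain array stands in for $_SESSION.
$session = [];
$tokens  = captcha_issue_tokens($session, ['rose.gif', 'dog.gif', 'car.gif'], 'rose.gif');
$right   = $session['captcha_answer'];

var_dump(captcha_resolve($session, $tokens[1]));  // lookup by issued token
var_dump(captcha_resolve($session, 'rose.gif'));  // a raw file name is not a token
var_dump(captcha_check($session, $tokens[1]));    // wrong tile, consumes the challenge
var_dump(captcha_check($session, $right));        // right tile, but the challenge is gone
```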
#4 Re: Modifications (1.4) » [Plugin] CAPTCHAv2 Image Mod - anti (spam)bot registration - *dev* » 2011-03-06 15:36:23
- JAcky
I just downloaded it, it looks very heavy for a captcha... no offense.
Can you create a readme?
Well there is more to it. CAPTCHAv2 supports IP blocking by writing an offender's IP to the .htaccess file and it can prevent false blocks by checking the whois record.
The basic functions are described in the link below BUT they are not used at the moment because I have not tested them with Flux BB 1.4.4, the new image modification and my new database class with a simpleton (guarantees one db connection per code run, for my code).
http://www.network-technologies.org/Pro … like_this/
and this works very well too
http://www.network-technologies.org/Pro … _bot_trap/
but most of these parts will not be part of the final image protection mod. These are just methods I can remove from the class.
#5 Re: Modifications (1.4) » [Plugin] CAPTCHAv2 Image Mod - anti (spam)bot registration - *dev* » 2011-03-06 14:41:08
- JAcky
Thanks I'll look into the language files.
The reason for my own config.php is because this is a generic protection mechanism not specifically written for FluxBB. The CMS I am currently writing makes use of my classes and supports a fully cached operation.
EDIT: Here is the unofficial demo site: http://www.kaisersoft.net/
#6 Modifications (1.4) » [Plugin] CAPTCHAv2 Image Mod - anti (spam)bot registration - *dev* » 2011-03-06 14:15:12
- JAcky
- Replies: 12
Some of you may know my previous CAPTCHA plugins / modifications for FluxBB.
This time I have updated CAPTCHAv2 to create image based challenges.
The idea is that the script will randomly select tagged images from the database and ask the user to select the correct image.
Each image can hold multiple tags so the same image can be used in a totally different context. The system also ensures that it does not use decoy images with a related tag as not to confuse the user.
(BTW, CAPTCHAv2 can do a lot more than just displaying a few images. It can also block repeated offenders by writing the IP to the .htaccess file and offer a few ways to remove the IP without breaking the file. All advanced functions are not used for this demo but they make the file a bit bigger than it needs to be ATM.)
The current status of this Plugin is "under development". It appears to work fine with FluxBB v1.4.4 but I don't run any forums at the moment so I can not test it properly.
If you are interested you can download the current version below and give it a try. I appreciate any feedback.
Requirements:
* PHP5+ only
* MySQL only (new dev computer. don't have a postgres server setup ... will be added later)
* FluxBB v1.4.4
Download:
http://www.network-technologies.org/Dow … dev007.zip
EDIT: Version dev007
I have created a "slim version" for this release. It only contains the database connection code and the image captcha code. Everything else has been removed.
The only urgent thing to fix now is to make the image grid reload when the user selects the wrong image. ATM a $_SESSION var is cleared so the user can not brute force the solution but since the grid does not reload the user will assume that he/she can try again.
How to update:
Replace register.php and the files in include/ to update from a previous dev release. dev001 and dev002 also need the img.php file updated, img/grfx_select/ directory.
Installation:
1) Extract the archive and copy the directories img, include and plugins into your FluxBB directory. This will not overwrite any files in a standard installation.
2) Log into FluxBB as admin and goto the Administration screen. On the left click on "Manage CAPTCHA" then on "Goto Installer" to open the popup window.
3) The installer should detect all your FluxBB settings. The path to abuse.php does not matter at the moment since the feature is disabled. Click Next to continue.
4) Download the config.php file into the include directory. DO NOT download it into the FluxBB root or you will overwrite your configuration file!!!!
5) Click on "Create Tables" to write the tables and default values to your database. You may close the window when done.
6) Back on the FluxBB admin page, click on "Manage CAPTCHA" again. You should see the administrative interface this time.
7) If you can see the images on the administrative screen everything should be fine and you can copy the register.php file from the forum directory into the FluxBB root. This will overwrite the existing file so please back it up.
Configuration:
1) Click on "Manage Images"
2) You will now see a list of all the images found in /img/grfx_select/
3) This UI is currently very limited so you can only edit one image at a time!!!
Using your own images:
1) Just go out and download any images with the rights to be used the way you want.
2) Store them all in a directory and convert them into 100x100 gif images.
I use http://www.imagemagick.org on Linux:
mogrify -path out/ -thumbnail 100x100 *.png
mogrify -format gif -path out/ -thumbnail 100x100 *.png
3) Copy these gif files into the grfx_select directory
4) Open the management page. The files will be displayed automatically. All you need to do now is tag them
This UI is currently very limited so you can only edit one image at a time!!!
5) Watch out when tagging images. If you forget to tag an animal, or tag something where another image can serve as an answer as well but you don't tag it, then it is likely that your image CAPTCHA can become confusing at times. It will look as if there are multiple correct solutions but only one "true key".
Here is how the selection process works:
1) The class will select a random tag (red rose).
2) It will remove all images which are tagged with the same or a linked word from the selection pool. The "red rose" image should also be tagged with "plant" and "flower" to ensure that similar images are removed.
3) It will now select random decoys which should not be related to anything asked for, a red rose (flower, plant).
That is all I can think of at the moment, ask if you have questions/suggestions/input or output
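The three selection steps above, written out as an added example (not CAPTCHAv2's own code). The filename => tags array and the function names are assumptions; the sample library leaves tulip.gif without the "flower" tag to show the mis-tagging problem from step 5 of "Using your own images". Assumes PHP 7.1 or later.

```php
<?php
// Added example of the three selection steps; data layout and names are assumptions.

/** Fisher-Yates shuffle driven by the CSPRNG so the grid order is not predictable. */
function csprng_shuffle(array $items): array
{
    $items = array_values($items);
    for ($i = count($items) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        list($items[$i], $items[$j]) = [$items[$j], $items[$i]];
    }
    return $items;
}

/**
 * $images maps filename => list of tags. Returns the tag, the answer file and a
 * shuffled grid, or null when the pool cannot supply enough unrelated decoys.
 */
function build_challenge(array $images, int $decoys, ?string $tag = null): ?array
{
    if ($images === []) {
        return null;
    }
    // Step 1: choose the tag to ask for (random unless fixed), then one image carrying it.
    if ($tag === null) {
        $tags = array_values(array_unique(array_merge(...array_values($images))));
        if ($tags === []) {
            return null;
        }
        $tag = $tags[random_int(0, count($tags) - 1)];
    }
    $matching = array_keys(array_filter($images, function ($t) use ($tag) {
        return in_array($tag, $t, true);
    }));
    if ($matching === []) {
        return null;
    }
    $answer = $matching[random_int(0, count($matching) - 1)];

    // Step 2: every tag on the answer image counts as a linked word; any image
    // sharing one of them (the answer included) leaves the decoy pool.
    $linked = $images[$answer];
    $pool = array_keys(array_filter($images, function ($t) use ($linked) {
        return array_intersect($t, $linked) === [];
    }));

    // Step 3: draw the decoys from what is left.
    if (count($pool) < $decoys) {
        return null;
    }
    $picked = array_slice(csprng_shuffle($pool), 0, $decoys);
    return ['tag' => $tag, 'answer' => $answer,
            'grid' => csprng_shuffle(array_merge([$answer], $picked))];
}

// Constructed sample library. tulip.gif is missing the "flower" tag on purpose.
$images = [
    'rose.gif'  => ['red rose', 'flower', 'plant'],
    'daisy.gif' => ['daisy', 'flower', 'plant'],
    'tulip.gif' => ['tulip'],
    'dog.gif'   => ['dog', 'animal'],
    'car.gif'   => ['car', 'vehicle'],
];
print_r(build_challenge($images, 3, 'flower'));
```

Asking for "flower" here removes the second tagged flower from the pool but still draws tulip.gif as a decoy, which is the "multiple correct solutions but only one true key" situation the post warns about.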
#7 Re: Modifications (1.2) » [BETA-RELEASE] Anti SPAM bot CAPTCHA v2 » 2010-02-20 14:37:06
- JAcky
Interesting, JAcky.
Would the same problem be true for implementing a php page redirection (-method) with a delay?
I just had an idea while reading a book. it is so simple .... duhhhh
1) record the timestamp when the user clicks on Submit
2) Implement delay clientside via html meta or javascript
3) Compare timestamp to delay value on the landing page.
4a) timestamp + delay matches, user is ok
4b) does not match, user cheated
This can be handled in a couple of lines of code so it will not add any major load to the server.
I have a few things on my plate ATM but I will try to test this soon.
A 1sec delay should not bother most users and if it is implemented in javascript might weed a lot of bots right there.
sry for not using spellcheck, I don't think that my N900 has that feature yet
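One way to do the timestamp comparison from the post above without the server waiting or storing anything, as an added example that is not from the original post: the timestamp handed to the client is HMAC-signed, which is an assumption the post does not make, and the landing page only does arithmetic on it. Names, the secret and the 1 second / 10 minute limits are hypothetical.

```php
<?php
// Added example: signed submit timestamp checked on the landing page (names hypothetical).

const MIN_DELAY = 1;    // seconds the client-side delay is supposed to take
const MAX_AGE   = 600;  // reject stale tokens so one cannot be replayed forever

/** Called when the form is submitted: returns "timestamp.signature". */
function delay_token_issue(string $secret, int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, $secret);
}

/** Called on the landing page: returns 'ok', 'too_fast', 'expired' or 'forged'. */
function delay_token_check(string $secret, string $token, int $now): string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'forged';
    }
    list($ts, $sig) = $parts;
    // Constant-time compare; a client that edits the timestamp cannot re-sign it.
    if (!hash_equals(hash_hmac('sha256', $ts, $secret), $sig)) {
        return 'forged';
    }
    $elapsed = $now - (int) $ts;
    if ($elapsed < MIN_DELAY) {
        return 'too_fast';
    }
    if ($elapsed > MAX_AGE) {
        return 'expired';
    }
    return 'ok';
}

// Constructed sample run with fixed clock values instead of time().
$secret = 'constructed-demo-secret';
$token  = delay_token_issue($secret, 1000);

echo delay_token_check($secret, $token, 1000), "\n";                      // landed in the same second
echo delay_token_check($secret, $token, 1002), "\n";                      // landed two seconds later
echo delay_token_check($secret, '900.' . substr($token, 5), 1002), "\n";  // timestamp edited by the client
echo delay_token_check($secret, $token, 5000), "\n";                      // old token replayed
```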
#8 Re: Modifications (1.2) » [BETA-RELEASE] Anti SPAM bot CAPTCHA v2 » 2010-01-19 13:24:32
- JAcky
Interesting, JAcky.
* Would the same problem be true for implementing a php page redirection (-method) with a delay?
.....
* Hmmm... and, what about using a flash thingy...
If you handle the redirect like this:
1) User enters via index.php and is prompted for a CAPTCHA
2) index.php will send the CAPTCHA answer to delay.php
3) delay.php will pause execution for 2 seconds before passing the provided info to validate.php AND sends a token to validate.php, so it can verify that it was not called directly.
The problem with this approach is that someone can easily take down the webserver by calling http://localhost.local/delay.php a few thousand times a second. Since each run of delay.php will stay in memory for over 2 seconds it can be used to consume all available memory until the server goes boom. This will be really quick if executed from multiple computers and multiple Internet connections .... think WinNuke
Flash is nice for playing videos but even there it is lacking. IMHO, using flash in webdesign is like writing a website so it will only work with IE.
#9 Re: Modifications (1.2) » [BETA-RELEASE] Anti SPAM bot CAPTCHA v2 » 2009-12-17 10:03:05
- JAcky
Question: what's your opinion on potential effectiveness of using time delay in combination with some of these methods?
I.e., say you set up a delay for the captcha/question/etc before it will appear to the user.
And maybe once you pass one, you wait on the next page until the next one prompts you... kind of thing.
You explain to the human being to wait, and why, etc.
AFAIK the problem with a time delay is that it is either implemented on the server, in the php script, or on the client side by using javascript. If you know of another way, let me know and I'll consider it.
Delaying the execution in the php script opens the door for a DOS attack since the php script will pause, consuming resources while sitting idle.
Imagine 10000 connections attempting to open the CAPTCHA script. Without a delay the script would execute in a fraction of a second.
With a 2 second delay you could have thousands of scripts stuck in an idle loop, each one consuming server resources until the server runs out of resources and goes boom.
IMHO, implementing this in javascript is as pointless as any other javascript protection method, like disabling submit buttons, since javascript can be easily turned off.
CAPTCHAv2 can delay a bot attempting to brute force the captcha by writing the IP to the .htaccess file which will prevent the bot from breaking into the forum.
#10 Re: Modifications (1.2) » [BETA-RELEASE] Anti SPAM bot CAPTCHA v2 » 2009-07-19 20:19:21
- JAcky
Smartys is correct, using one system everywhere is never a good idea. I get more and more reports from users that Re-CAPTCHA has become useless.
The more people use any given system the more incentive a SPAM bot writer has to write a bot to break the CAPTCHA. And even when the 100% SPAM bot protection CAPTCHA is created it will simply be circumvented by cheap labor.
There was an article on Slashdot a few months ago about companies in 3rd World Countries offering "a guaranteed CAPTCHA breaking service". They have humans sitting at the computer doing nothing but answering CAPTCHA challenges so your bot can keep on working.
It works something like this: Bot hits your page, detects captcha => send CAPTCHA to company ABC, employee answers CAPTCHA => answer is sent back to the bot who can now subscribe/submit/SPAM
Prices for breaking CAPTCHAs are about $0.008 to $0.005 per image in packs of 1000 to 100000 images. As you can see, there is no perfect system.
As far as questions goes, yes the question "What does 1+1 equal to?" is useless but the question
"Please remove the letters X and Y from the following word: cXaYXpiXXtalYisXm" is pretty good right now. The advantage of CAPTCHAv2 is that you create the questions and answers, so unlike the randomly generated implementations which always expect a 6 to 8 letter input. CAPTCHAv2's answer can vary from a single word to a full sentence.
I have created a few pages explaining CAPTCHAv2 in greater detail and how to use it as a bot trap. You can find the guides here:
http://www.network-technologies.org/tiny.php?id=1
#11 Re: Modifications (1.2) » Way to detect FluxBB? » 2009-07-05 21:12:31
- JAcky
I still don't see the issue. If you say it's a FluxBB 1.4 download, of course it's incompatible with PunBB 1.3. Why would someone try installing it in the first place?
You place too much faith into users. Why would we need input validation if people do what they are supposed to do?
Anyway, thanks for your reply, I'll add a big fat WARNING to the top of the page.
#12 Re: Modifications (1.2) » [BETA-RELEASE] Anti SPAM bot CAPTCHA v2 » 2009-07-03 14:25:36
- JAcky
OK CAPTCHAv2 0.7 is out, the plugin now comes with a setup script which generates the config.php file for you.
It also fixes a missing " in register.php for FluxBB 1.2.21
This looks pretty good now so I will continue to write documentation.
CAPTCHAv2 FluxBB mod/plugin
http://www.network-technologies.org/Pro … _bot_trap/
Other CAPTCHAv2 guides will be added here
http://www.network-technologies.org/Pro … /CAPTCHAv2
#13 Re: Modifications (1.2) » Way to detect FluxBB? » 2009-07-03 14:19:16
- JAcky
Why does it matter if it works with PunBB as well?
Well it does right now but I don't know what future changes may implement.
Like PunBB 1.3 is not compatible but the config file is in the same place. FluxBB 1.4 on the other hand is compatible so it would be nice to know....
#14 Modifications (1.2) » Way to detect FluxBB? » 2009-07-03 09:29:42
- JAcky
- Replies: 6
Hello,
I am currently writing an installer for my CAPTCHAv2 mod/plugin and I need to process FluxBB's config file but first I need to know for sure that the installed forum really is FluxBB.
Is there a file somewhere I can use to tell if the forum is PunBB or FluxBB?
I found the constant PUN but I guess that it is used by both.
I have considered looking for the string fluxbb.org in footer.php but I am sure some have removed it....
So what is a good way to know?
Thanks.
#15 Re: Modifications (1.2) » [BETA-RELEASE] Anti SPAM bot CAPTCHA v2 » 2009-07-02 07:05:05
- JAcky
I have been writing a lot of documentation but have not updated the guide because I decided to write an installer script which will create the separate config file this CAPTCHA implementation requires. So a little longer and it will be easy to use AND easy to install....
#16 Re: Modifications (1.2) » [BETA-RELEASE] Anti SPAM bot CAPTCHA v2 » 2009-06-29 20:54:19
- JAcky
First I would like to thank the testers and their kind emails, I am glad the new mod/plugin/protection works well for you all.
But now I need to apologize because I did not update the installation page, sorry..... I have been working on adding IP management to the Administrative interface so I hope you will forgive me
I will update the manual tomorrow, promised.
Here is a screenshot, it is now possible to add/delete IPs, export and import IP. So it will be possible to create and share an IP database of good bots to speedup lookups. This will be released as v0.7 tomorrow.
#17 Modifications (1.2) » [BETA-RELEASE] Anti SPAM bot CAPTCHA v2 » 2009-06-29 10:42:27
- JAcky
- Replies: 17
EDIT: If you are using this then you might want to check out this new thread: http://fluxbb.org/forums/viewtopic.php?pid=39217
Hello,
some of you may have seen my previous CAPTCHA mod for FluxBB/PunBB here:
http://www.network-technologies.org/Pro … mod_fluxbb
The new system works very similar to the old but it does not store questions in a text file but uses a database table instead. This makes adding/removing questions and answers very easy. It is also independent of FluxBB and can be used to protect any form on a website with a CAPTCHA and even has the ability to act as a bot trap.
Here is a screenshot of the management screen for FluxBB:
The other major change is that an abusing user or bot will be added to the .htaccess file. Before blocking the IP, the script will retrieve the whois information for the user's IP and match it against a whitelist rule. This will prevent good bots like Google, Yahoo and the like from being blocked. If the user's IP is not on the whitelist it will be added to the .htaccess file. This will block access to the entire domain, preventing further abuse.
Users may remove their own IP from the blocklist in case of "accidental abuse" or dynamic IP which was previously assigned to a bot.
The system is brand new and I have only tested it on my own two servers so I am posting here to see if people are willing to test the new CAPTCHA system.
Possible problems might be a conflict with existing rules in .htaccess or problems with getting the whois information.
You can find the current guide at the URL below. The guide is very long and not very user friendly but I will clean it up today.
http://www.network-technologies.org/Pro … _bot_trap/
Requirements:
- FluxBB version 1.4 BETA or 1.2.21
- Apache Webserver, only tested with Apache 2.2.x
- PHP5 and ONLY PHP5, don't think about running this with PHP4!!!
- MySQL (tested with 5.1.35) or PostgreSQL (tested with 8.3.7)
- FluxBB database type can only be mysql, mysqli or pgsql
#18 General support (1.4) » [BETA-RELEASE] Anti SPAM bot CAPTCHA v2 » 2009-06-28 17:57:22
- JAcky
- Replies: 0
Hello,
since there is no FluxBB v1.4 mod forum yet I am posting this here. I hope that is ok.
I am in the process of creating a question/answer based CAPTCHA system designed to protect any form on a website and can be used as a bot trap. I have been testing this CAPTCHA system on my own servers for a while now and it has been working REALLY good. So I decided it is time to share the new bot protection by creating a mod/plugin for FluxBB 1.4. I will test it with 1.2 in the next few days as well.
After the mod/plugin is installed, the FluxBB registration process will have these additional features:
- Registration protected by Question/Answer based CAPTCHA system, not obfuscated/impossible to read images.
- Deny registration if the CAPTCHA has not been answered incorrectly after X attempts, new question after an invalid answer.
- Add user's IP to .htaccess file and block access to the entire domain (this will be optional soon)
- Allow user to remove own IP from blocklist
- Check whitelist (via whois implementation) to prevent accidental block of good bots
- use internal cache table for quick IP lookups
Requirements:
- FluxBB version 1.4 BETA
- Apache Webserver, only tested with Apache 2.2.x
- PHP5 and ONLY PHP5, don't think about running this with PHP4!!!
- MySQL (tested with 5.1.35) or PostgreSQL (tested with 8.3.7)
- FluxBB database type can only be mysql, mysqli or pgsql
As I mentioned above, this is brand new and has only been tested on two servers!
But if you would like to test this and provide feedback you can find the installation instructions and download here:
http://www.network-technologies.org/Pro … _bot_trap/
Please excuse the poorly worded text above, I have been looking at code, tweaking and fixing minor issues all day. Now my brainpower is gone...
EDIT: Works with FluxBB 1.2 now so I will keep the thread in the mod section updated:
http://fluxbb.org/forums/topic/3051/bet … aptcha-v2/
#19 Modifications (1.2) » [RELEASE] FluxBB question based CAPTCHA » 2009-06-24 22:32:51
- JAcky
- Replies: 1
I have updated my instructions for my question based CAPTCHA system for FluxBB.
The instructions are for version 1.2.21 and 1.4 BETA
Mod Description:
* register.php will ask a simple question which must be answered correctly. Unlike other solutions, my modification will ask randomly selected questions from a question and answer file.
Website:
http://www.network-technologies.org/Pro … mod_fluxbb
P.S. I am still tweaking the next version of my CAPTCHA/Bot trap system which will be able to protect any form on a website.
It will be ready soon
#20 Re: General support (1.2) » tons of spam and porn » 2009-06-10 09:27:50
- JAcky
i had the same problem with a forum i just put up for a new site i've built.... i did what i did with my other 1.2 forum, used the Anti-spam mod from Punres that also worked on pun 1.2
http://www.punres.org/desc.php?pid=503
I wrote that mod, thanks for the referral
I updated the mod yesterday to include the register.php file for PunBB 1.2.21. I am planning to download FluxBB 1.2.21 later today and check if there is a difference between register.php in PunBB 1.2.21 and FluxBB 1.2.21
I uploaded the 1.1 Release here
http://www.punres.org/desc.php?pid=503
and updated my own page with instructions for 1.2.21
http://www.network-technologies.org/Pro … mod_punbb/
