#1 2009-06-29 10:42:27

JAcky
Member
Registered: 2009-06-09
Posts: 26

[BETA-RELEASE] Anti SPAM bot CAPTCHA v2

EDIT: If you are using this then you might want to check out this new thread: http://fluxbb.org/forums/viewtopic.php?pid=39217


Hello,

some of you may have seen my previous CAPTCHA mod for FluxBB/PunBB here:
http://www.network-technologies.org/Pro … mod_fluxbb

The new system works very similarly to the old one, but it does not store questions in a text file; it uses a database table instead. This makes adding/removing questions and answers very easy. It is also independent of FluxBB and can be used to protect any form on a website with a CAPTCHA, and it even has the ability to act as a bot trap.
Here is a screenshot of the management screen for FluxBB:
[Screenshot: FluxBB CAPTCHA management UI]

The other major change is that an abusing user or bot will be added to the .htaccess file. Before blocking the IP, the script will retrieve the whois information for the user's IP and match it against a whitelist rule. This will prevent good bots like Google, Yahoo and the like from being blocked. If the user's IP is not on the whitelist, it will be added to the .htaccess file. This will block access to the entire domain, preventing further abuse.
Users may remove their own IP from the blocklist in case of "accidental abuse" or dynamic IP which was previously assigned to a bot.

The system is brand new and I have only tested it on my own two servers so I am posting here to see if people are willing to test the new CAPTCHA system.
Possible problems might be a conflict with existing rules in .htaccess or problems with getting the whois information.

You can find the current guide at the URL below. The guide is very long and not very user friendly but I will clean it up today.
http://www.network-technologies.org/Pro … _bot_trap/

Requirements:
- FluxBB version 1.4 BETA or 1.2.21
- Apache Webserver, only tested with Apache 2.2.x
- PHP5 and ONLY PHP5, don't think about running this with PHP4!!!
- MySQL (tested with 5.1.35) or PostgreSQL (tested with 8.3.7)
- FluxBB database type can only be mysql, mysqli or pgsql

Last edited by JAcky (2011-03-06 18:50:53)

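
As an added example (not the CAPTCHAv2 plugin's own code), here is how the blocking step described in the post above can be written in PHP so that only a validated IP literal ever reaches .htaccess, the write is locked against concurrent requests, and a client can only remove the address it is actually connecting from. The whitelist ranges, the whois server, the file path and every function name are assumptions; the CIDRs are RFC 5737/3849 documentation prefixes standing in for real crawler ranges, and the unblock entry point is assumed to be reachable by the blocked client. Apache 2.2 is assumed, matching the post's requirements.

```php
<?php
// Added example, not code from the CAPTCHAv2 plugin. Assumes PHP 7.4+, Apache
// 2.2 (where "Deny from" blocks a host under the default "Order Deny,Allow")
// and an .htaccess the web server user may write. Apache 2.4 needs
// "Require not ip" instead; an existing "Order Allow,Deny" block would also
// change how the appended rule is evaluated, which is the conflict the post
// warns about.
declare(strict_types=1);

// Assumed whitelist: documentation prefixes as stand-ins for crawler ranges,
// and substrings matched against the whois text as stand-ins for the
// plugin's whitelist rules.
const WHITELIST_CIDRS = ['192.0.2.0/24', '2001:db8::/32'];
const WHITELIST_WHOIS_TERMS = ['google', 'yahoo', 'microsoft'];
const HTACCESS_PATH = '/var/www/forum/.htaccess';   // assumption

function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $a = inet_pton($ip);
    $b = inet_pton($net);
    if ($a === false || $b === false || strlen($a) !== strlen($b)) return false; // bad input or mixed families
    $full = intdiv((int) $bits, 8);
    $rem = ((int) $bits) % 8;
    if (substr($a, 0, $full) !== substr($b, 0, $full)) return false;
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($a[$full]) & $mask) === (ord($b[$full]) & $mask);
}

// Minimal RFC 3912 whois query. Network access is assumed; returns '' on
// failure so the caller can decide whether to fail open or closed.
function whoisLookup(string $ip, string $server = 'whois.arin.net'): string
{
    $sock = @fsockopen($server, 43, $errno, $errstr, 3);
    if ($sock === false) return '';
    stream_set_timeout($sock, 3);      // a slow whois server must not stall the request handler
    fwrite($sock, $ip . "\r\n");
    $text = stream_get_contents($sock);
    fclose($sock);
    return $text === false ? '' : $text;
}

function isWhitelisted(string $ip, string $whoisText): bool
{
    foreach (WHITELIST_CIDRS as $cidr) {
        if (ipInCidr($ip, $cidr)) return true;
    }
    foreach (WHITELIST_WHOIS_TERMS as $term) {
        if (stripos($whoisText, $term) !== false) return true;
    }
    return false;
}

// Appends "Deny from <ip>" unless the IP is whitelisted or already listed.
// Returns true only when a rule was actually written.
function blockIp(string $ip, string $whoisText, string $path = HTACCESS_PATH): bool
{
    // Only a validated IP literal may ever reach .htaccess; a spoofed
    // X-Forwarded-For value could otherwise inject arbitrary directives.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) return false;
    if (isWhitelisted($ip, $whoisText)) return false;
    $rule = "Deny from $ip\n";
    $fh = fopen($path, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) return false;   // serialize concurrent writers
    $written = false;
    if (strpos((string) stream_get_contents($fh), $rule) === false) {
        fseek($fh, 0, SEEK_END);
        $written = fwrite($fh, $rule) !== false;
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $written;
}

// Self-service removal: only the address the client is really connecting from
// (REMOTE_ADDR, which Apache takes from the TCP connection) may be removed,
// never an IP supplied in a form field.
function unblockOwnIp(string $remoteAddr, string $path = HTACCESS_PATH): bool
{
    if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) return false;
    $fh = fopen($path, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) return false;
    $lines = preg_split('/\R/', (string) stream_get_contents($fh));
    $kept = array_values(array_filter($lines, fn($l) => trim($l) !== "Deny from $remoteAddr"));
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, implode("\n", $kept));
    flock($fh, LOCK_UN);
    fclose($fh);
    return count($kept) !== count($lines);
}
```

In a request handler the call would be `blockIp($_SERVER['REMOTE_ADDR'], whoisLookup($_SERVER['REMOTE_ADDR']))` and, on the unblock page, `unblockOwnIp($_SERVER['REMOTE_ADDR'])`. Two choices are deliberate: a failed whois lookup yields an empty string, so the decision whether to block anyway is left to the caller rather than silently blocking a crawler; and the file is read under the same exclusive lock used for writing, so two abusers hitting the form at once cannot produce a torn or duplicated rule.
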
#2 2009-06-29 20:54:19

JAcky
Member
Registered: 2009-06-09
Posts: 26

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

First I would like to thank the testers and their kind emails, I am glad the new mod/plugin/protection works well for you all.

But now I need to apologize because I did not update the installation page, sorry..... I have been working on adding IP management to the administrative interface, so I hope you will forgive me :)

I will update the manual tomorrow, promised.

Here is a screenshot; it is now possible to add/delete IPs and export and import IPs. So it will be possible to create and share an IP database of good bots to speed up lookups. This will be released as v0.7 tomorrow.
[Screenshot: CAPTCHA management UI with IP list]

#3 2009-06-29 21:18:14

MattF
Member
From: South Yorkshire, England
Registered: 2008-05-06
Posts: 1,233
Website

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

That looks impressive. :)


Screw the chavs and God save the Queen!

#4 2009-07-02 06:56:16

barlos
Member
Registered: 2009-07-02
Posts: 10

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

I am very much looking forward to this ^_^

#5 2009-07-02 07:05:05

JAcky
Member
Registered: 2009-06-09
Posts: 26

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

I have been writing a lot of documentation but have not updated the guide because I decided to write an installer script which will create the separate config file this CAPTCHA implementation requires. So a little longer and it will be easy to use AND easy to install....

Last edited by JAcky (2009-07-03 14:25:58)

#6 2009-07-03 14:25:36

JAcky
Member
Registered: 2009-06-09
Posts: 26

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

OK CAPTCHAv2 0.7 is out, the plugin now comes with a setup script which generates the config.php file for you.
It also fixes a missing " in register.php for FluxBB 1.2.21

This looks pretty good now so I will continue to write documentation.

CAPTCHAv2 FluxBB mod/plugin
http://www.network-technologies.org/Pro … _bot_trap/

Other CAPTCHAv2 guides will be added here
http://www.network-technologies.org/Pro … /CAPTCHAv2

#7 2009-07-18 00:26:25

xSDMx
Member
Registered: 2008-06-24
Posts: 129

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

Couldn't a bot be easily made to read the text off of the page, and run it in a calculator? Or, couldn't someone crack the entire user generated list manually and feed it to their bot?

#8 2009-07-18 00:42:09

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,139
Website

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

xSDMx wrote:

Couldn't a bot be easily made to read the text off of the page, and run it in a calculator?

Yes, if all of the questions were math problems phrased in a similar format (i.e. solve for X) you might be able to write something to do it.

xSDMx wrote:

Or, couldn't someone crack the entire user generated list manually and feed it to their bot?

Yes, if the list is small enough.

That's not what this mod is for, however.

This modification stops general spam attacks aimed at FluxBB forums or at forms in general. It requires the person registering to answer a question that a computer, stumbling upon the page, could not answer. A bot that targets a specific site (and thus can afford to have a full list of answers) or a user registering manually could bypass this protection. That doesn't take away from the fact that it does cut down on a specific type of spam.

Spam is a complex issue and there is no panacea for it. This modification solves the issue of mass-spamming but does not protect against a targeted attack; a CAPTCHA would protect (somewhat) against mass-spamming and targeted attacks, with the downside that as a specific system becomes more used, it will be more likely to be attacked; restrictions on links in signatures, posts, etc would discourage targeted attacks (since there's no reason to target your site if the link won't go through) but do nothing to stop mass-spamming (since mass-spammers care about the quantity of their efforts, not the quality).

#9 2009-07-18 00:50:15

xSDMx
Member
Registered: 2008-06-24
Posts: 129

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

True enough - I guess spam should indeed be taken on a case by case basis.

#10 2009-07-19 20:19:21

JAcky
Member
Registered: 2009-06-09
Posts: 26

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

Smartys is correct, using one system everywhere is never a good idea. I get more and more reports from users that Re-CAPTCHA has become useless.
The more people use any given system, the more incentive a SPAM bot writer has to write a bot to break the CAPTCHA. And even when the 100% SPAM bot protection CAPTCHA is created, it will simply be circumvented by cheap labor.
There was an article on Slashdot a few months ago about companies in 3rd World Countries offering "a guaranteed CAPTCHA breaking service". They have humans sitting at the computer doing nothing but answering CAPTCHA challenges so your bot can keep on working.
It works something like this: bot hits your page, detects CAPTCHA => sends CAPTCHA to company ABC, employee answers CAPTCHA => answer is sent back to the bot, which can now subscribe/submit/SPAM.
Prices for breaking CAPTCHAs are about $0.008 to $0.005 per image in packs of 1000 to 100000 images. As you can see, there is no perfect system.

As far as questions go, yes, the question "What does 1+1 equal to?" is useless, but the question
"Please remove the letters X and Y from the following word: cXaYXpiXXtalYisXm" is pretty good right now. The advantage of CAPTCHAv2 is that you create the questions and answers, so unlike the randomly generated implementations, which always expect a 6 to 8 letter input, CAPTCHAv2's answer can vary from a single word to a full sentence.

I have created a few pages explaining CAPTCHAv2 in greater detail and how to use it as a bot trap. You can find the guides here:
http://www.network-technologies.org/tiny.php?id=1

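
As an added example that is not part of the post above or of CAPTCHAv2, here is the server-side half of a hand-written question/answer challenge of the kind JAcky describes: the question is chosen server-side and remembered only in the session, the answer is normalized before comparison so that capitalization and stray spaces do not lock out humans, and a question is consumed after one attempt so a bot cannot keep guessing at the same one. The table stand-in, the session key and the function names are assumptions; the questions are constructed for the example, with the first one taken from the post.

```php
<?php
// Added example, not CAPTCHAv2's code. Assumes PHP 7.4+. The constant array
// stands in for the plugin's question table (assumed name `captcha_questions`):
// id => question text and accepted answers. Stored answers are already in the
// normalized form that normalizeAnswer() produces for user input.
declare(strict_types=1);

const QUESTIONS = [
    1 => ['q' => 'Please remove the letters X and Y from the following word: cXaYXpiXXtalYisXm',
          'a' => ['capitalism']],
    2 => ['q' => 'Type the fourth word of this sentence.',
          'a' => ['word']],
    3 => ['q' => 'Which colour do you get when you mix blue and yellow? Answer with one word.',
          'a' => ['green']],
];

// Lowercase, trim, collapse runs of whitespace and drop trailing punctuation,
// so "Capitalism." and " capitalism " both match the stored answer. Uses
// strtolower, so non-ASCII answers would need mb_strtolower instead.
function normalizeAnswer(string $answer): string
{
    $s = strtolower(trim($answer));
    $s = (string) preg_replace('/\s+/u', ' ', $s);
    return rtrim($s, '.!?');
}

// Picks a question server-side and records only its id in the session, so the
// client never sees the id and cannot pick the easiest question itself.
function issueQuestion(array &$session): string
{
    $ids = array_keys(QUESTIONS);
    $id = $ids[random_int(0, count($ids) - 1)];
    $session['captcha_qid'] = $id;
    return QUESTIONS[$id]['q'];
}

// One attempt per issued question: the id is cleared before the comparison,
// so a wrong answer forces a fresh random question rather than a retry, and a
// bot cannot enumerate answers against one known question.
function checkAnswer(array &$session, string $answer): bool
{
    $id = $session['captcha_qid'] ?? null;
    unset($session['captcha_qid']);
    if ($id === null || !isset(QUESTIONS[$id])) return false;
    $given = normalizeAnswer($answer);
    foreach (QUESTIONS[$id]['a'] as $accepted) {
        if (hash_equals($accepted, $given)) return true;   // length-safe, no early exit
    }
    return false;
}

// Usage (constructed): in a real request $_SESSION plays the role of $session.
$session = [];
$shown = issueQuestion($session);                    // render $shown inside the form
$session = ['captcha_qid' => 1];                     // as if question 1 had been issued
$first = checkAnswer($session, ' Capitalism. ');     // normalized, matches
$second = checkAnswer($session, 'capitalism');       // question already consumed
```

In the usage lines the first check succeeds and the second fails, because the issued question is consumed by the first attempt whatever its outcome. The attack Smartys describes still applies: a bot built for one site, carrying the whole question/answer list, passes this check, so the value of the scheme lies in the list being private, site-specific and changed when it leaks.
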
#11 2009-12-14 14:27:19

sagar
Member
From: USA
Registered: 2008-07-26
Posts: 49

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

Will this work with 1.4beta?


cheers...sagar

#12 2009-12-14 14:39:54

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,728
Website

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

JAcky wrote:

Requirements:
- FluxBB version 1.4 BETA or 1.2.21


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

#13 2009-12-14 14:52:02

sagar
Member
From: USA
Registered: 2008-07-26
Posts: 49

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

Thank you, somehow I missed that :D


cheers...sagar

#14 2009-12-16 00:47:43

twohawks
Member
From: Stateline, NV USA
Registered: 2008-05-11
Posts: 135

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

Question: what's your opinion on the potential effectiveness of using a time delay in combination with some of these methods?
I.e., say you set up a delay for the captcha/question/etc. before it will appear to the user.
And maybe once you pass one, you wait on the next page until the next one prompts you... kind of thing.
You explain to the human being to wait, and why, etc.

It occurred to me because after, say, defeating a bot, the site potentially gets forwarded off to a human being. It seems they get paid per item, and isn't there a time figured in to how it is worth their while? I.e..... if it takes longer than, say, X.X mins... wouldn't they dump it and move on?

I could imagine that, as an honest registering person, I would be fairly unconcerned with having to wait a bit as I jump through some hoops.


TwoHawks
Love is the Function.
No Form is the Tool.

#15 2009-12-17 10:03:05

JAcky
Member
Registered: 2009-06-09
Posts: 26

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

twohawks wrote:

Question: what's your opinion on the potential effectiveness of using a time delay in combination with some of these methods?
I.e., say you set up a delay for the captcha/question/etc. before it will appear to the user.
And maybe once you pass one, you wait on the next page until the next one prompts you... kind of thing.
You explain to the human being to wait, and why, etc.

AFAIK the problem with a time delay is that it is either implemented on the server, in the PHP script, or on the client side by using JavaScript. If you know of another way, let me know and I'll consider it.

Delaying the execution in the PHP script opens the door for a DoS attack since the PHP script will pause, consuming resources while sitting idle.
Imagine 10000 connections attempting to open the CAPTCHA script. Without a delay the script would execute in a fraction of a second.
With a 2 second delay you could have thousands of scripts stuck in an idle loop, each one consuming server resources until the server runs out of resources and goes boom.

IMHO, implementing this in JavaScript is as pointless as any other JavaScript protection method, like disabling submit buttons, since JavaScript can be easily turned off.

CAPTCHAv2 can delay a bot attempting to brute force the captcha by writing the IP to the .htaccess file which will prevent the bot from breaking into the forum.

Last edited by JAcky (2009-12-17 10:03:41)

#16 2009-12-17 21:21:09

twohawks
Member
From: Stateline, NV USA
Registered: 2008-05-11
Posts: 135

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

Interesting, JAcky.

Would the same problem be true for implementing a PHP page redirection (-method) with a delay?

Hmmm... and, what about using a Flash thingy...
- make it so the visitor must click on it to "make it go",
- then it has to play out before you get to the prompting material (for filling out) -- whether directly or via a 'buried' page redirection.
- it would also thus require the user enables Flash, which I abhor in most cases, but maybe there is a benefit with this (for handling bots?)

I am not the expert in these things, so I have no under-the-hood clue how these ideas may weigh in.


TwoHawks
Love is the Function.
No Form is the Tool.

#17 2010-01-19 13:24:32

JAcky
Member
Registered: 2009-06-09
Posts: 26

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

twohawks wrote:

Interesting, JAcky.
* Would the same problem be true for implementing a PHP page redirection (-method) with a delay?
.....
* Hmmm... and, what about using a flash thingy...

If you handle the redirect like this:
1) User enters via index.php and is prompted for a CAPTCHA
2) index.php will send the CAPTCHA answer to delay.php
3) delay.php will pause execution for 2 seconds before passing the provided info to validate.php AND sends a token to validate.php, so it can verify that it was not called directly.

The problem with this approach is that someone can easily take down the webserver by calling http://localhost.local/delay.php a few thousand times a second. Since each run of delay.php will stay in memory for over 2 seconds it can be used to consume all available memory until the server goes boom. This will be really quick if executed from multiple computers and multiple Internet connections .... think WinNuke :)

Flash is nice for playing videos but even there it is lacking. IMHO, using flash in webdesign is like writing a website so it will only work with IE.

#18 2010-02-20 14:37:06

JAcky
Member
Registered: 2009-06-09
Posts: 26

Re: [BETA-RELEASE] Anti SPAM bot CAPTCHA v2

twohawks wrote:

Interesting, JAcky.

Would the same problem be true for implementing a php page redirection (-method)  with a delay?

I just had an idea while reading a book. it is so simple .... duhhhh

1) record the timestamp when the user clicks on Submit
2) Implement the delay client-side via HTML meta or JavaScript
3) Compare the timestamp to the delay value on the landing page.
4a) timestamp + delay matches, user is OK
4b) does not match, user cheated

This can be handled in a couple of lines of code so it will not add any major load to the server.

I have a few things on my plate ATM but I will try to test this soon.

A 1 sec delay should not bother most users and if it is implemented in JavaScript it might weed out a lot of bots right there.

sorry for not using spellcheck, I don't think that my N900 has that feature yet :)

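
As an added example (not CAPTCHAv2's code) tying together posts #15, #17 and #18: the server-side sleep is shown only as the anti-pattern those posts warn about, and the timestamp check from post #18 is done with an HMAC-signed token, so the server never waits and the client cannot back-date the timestamp it was given. The secret, the delay values, the field name and all function names are assumptions. One deliberate difference from the post's flow: the token is issued when the form is rendered rather than at the first click, which is the same comparison applied one step earlier.

```php
<?php
// Added example, not code from CAPTCHAv2. Assumes PHP 7.4+.
declare(strict_types=1);

const FORM_SECRET = 'replace-with-32-random-bytes-from-config';   // assumption
const MIN_DELAY_SECONDS = 2;      // reject answers that arrive sooner than this
const MAX_AGE_SECONDS = 1800;     // ... or later than this (stale or replayed token)

// The approach post #17 warns about: every request parks a PHP worker for two
// seconds, so a few thousand concurrent requests exhaust the pool. Never called.
function delayPhpAntiPattern(): void
{
    sleep(2);
}

// Embedded in the form as a hidden field when the page is rendered. The HMAC
// binds the issue time, so a client cannot submit a token that claims an
// earlier timestamp than the server actually issued.
function issueFormToken(?int $now = null): string
{
    $issued = $now ?? time();
    $nonce = bin2hex(random_bytes(8));
    $payload = $issued . '.' . $nonce;
    return $payload . '.' . hash_hmac('sha256', $payload, FORM_SECRET);
}

// Returns 'ok', 'too_fast', 'expired' or 'invalid'. Nothing sleeps: the elapsed
// time is computed from the token, so the check costs one HMAC per request.
function checkFormToken(string $token, ?int $now = null): string
{
    $now = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 3) return 'invalid';
    [$issued, $nonce, $mac] = $parts;
    if (!ctype_digit($issued) || !ctype_xdigit($nonce) || strlen($nonce) !== 16) return 'invalid';
    $expected = hash_hmac('sha256', $issued . '.' . $nonce, FORM_SECRET);
    if (!hash_equals($expected, $mac)) return 'invalid';   // constant-time compare
    $elapsed = $now - (int) $issued;
    if ($elapsed < MIN_DELAY_SECONDS) return 'too_fast';
    if ($elapsed > MAX_AGE_SECONDS) return 'expired';
    return 'ok';
}

// Rendering helper: the hidden token plus the client-side delay from post #18
// (a disabled submit button that JavaScript enables after MIN_DELAY_SECONDS).
// A bot that ignores the script still fails the server-side check above.
function renderFormFields(): string
{
    $token = htmlspecialchars(issueFormToken(), ENT_QUOTES, 'UTF-8');
    $ms = MIN_DELAY_SECONDS * 1000;
    return '<input type="hidden" name="form_token" value="' . $token . '">' . "\n"
         . '<button type="submit" id="submit" disabled>Register</button>' . "\n"
         . '<script>setTimeout(function(){document.getElementById("submit").disabled=false;},' . $ms . ');</script>';
}

// Usage (constructed times): issue at render time, check on submit.
$token = issueFormToken(1000000);
$verdictEarly = checkFormToken($token, 1000001);                       // submitted after 1 s
$verdictLater = checkFormToken($token, 1000003);                       // submitted after 3 s
$verdictForged = checkFormToken('999990.' . substr($token, 8), 1000003); // back-dated timestamp
```

In the usage lines the early submission is reported as too_fast, the later one as ok, and the back-dated token as invalid because its MAC no longer matches. The nonce is not tracked, so a token can be replayed until MAX_AGE_SECONDS passes; recording used nonces in the plugin's database table makes each token single-use. As JAcky notes, a bot that simply waits out the delay passes this check; it filters speed, not intent, and belongs in front of the question/answer challenge rather than in place of it.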