Simple question patch for 4.7?

Reopening, I see no reason to close this.

The intent of this module is to control automated signups only - I have no plans currently for adding posting control. Of course, if anyone can come up with an elegant design for doing this, it would be cool to see it.

Setting to postponed (instead of closed), so that this doesn't get forgotten about.

I've updated the captcha module to support comments and other node types as well as user registrations. I borrowed a bit from Drupal4Blog which supports this already. I also worked on the image to make it more complex and added support for truetype fonts. I have added some ttf font files to the module directory on my host and it uses them randomly.

You can see it in action at my site.
http://www.intraplanar.net/node/51#comment

I am happy to report that I have not had a single instance of blog spam since setting this up and re-enabling anonymous comments.

Attached is the module, instead of a patch since it is quite rewritten. There is still an issue with form validation for nodes (page, blog, etc.) which I haven't been able to track down yet so I'm not setting this issue to "patch" until it is fixed.

I forgot to mention that for the module I posted to work, I had to modify the comment module with patches found in the following issues.

http://drupal.org/node/14710
http://drupal.org/node/14708

Two small issues that I witnessed in my testing.

1) It seems that if caching is enabled then the captcha image, but not its value, is also cached. This is a problem when previewing, since the image does not change. the user then has no idea why Drupal keeps saying "Status: The user verification code you entered is not correct."

Workaround: disable Drupal caching and clear MySQL cache.

2) I may be wrong about this one, but in my experiements, the code also fails if the character are not in all caps. This is a usability problem, since many users will not realize why the code is failing.

Workaround: Add help text asking to make sure the code is in all caps?

1) It seems that if caching is enabled then the captcha image, but not its value, is also cached. This is a problem when previewing, since the image does not change. the user then has no idea why Drupal keeps saying "Status: The user verification code you entered is not correct."

Workaround: disable Drupal caching and clear MySQL cache.

I don't use caching (since it still seems buggy) so I didn't realize this. I'm not familiar with the caching mechanism and using cache_clear_all() in a seemingly strategic place doesn't help. Any tips?

Is Drupal caching the image? I didn't think it could do that.

2) I may be wrong about this one, but in my experiements, the code also fails if the character are not in all caps. This is a usability problem, since many users will not realize why the code is failing.

Workaround: Add help text asking to make sure the code is in all caps?

Yeah. I thought about that. I'll update the help text.

I've been thinking that image based captcha's are not very friendly for visually impaired users. Therefore I've created a new version of captcha that uses a text challenge response instead of an image. This is much simpler to implement and could be just as difficult to circumvent if the wording of the question is varied enough.

This version also fixes the issue I had with validation on node forms. It also fixes the caching issue mentioned before (since there is no longer an image).

Uh, didn't notice I wasn't logged in. #11 and #12 was me.

Caching: This is a client side problem, and has a tradeoff involved. The only true option I can see to force new images to load is to change the filename, which means creating new files. Pinkblob's made modifications to make filenames timestamp dependent, but I'd worried that this will overload the server disk usage if someone presses refresh too fast.

My rewrite does not save the images to disk. They are sent directly to the client and never saved which removes the need for a cron job. Using a different url for the image every time would not be difficult to do to work around the caching issue. I used the no-cache headers so I'd hoped a client-side caching problem would not be an issue.

Usability: Might as well do an ignore-case match. IIRC, I've taken care of confusing 0s with Os already, so it should be pretty friendly after that.

I've considered this. It comes down to a difference between usability and security.

Logic problems: People have suggested "Math Problems", "General Knowledge", "Obvious Questions": The list can go on. Any ways to elegantly do this? Perhaps a parseable/editable text file to store a set of questions in?

I went with math problems as it is the easiest thing to implement. Obvious questions (what color is the sky) are more difficult since you need a question/answer library, which can just as easily be used by the attacker.

Bumping this up to attract attention of core maintainers since it's been a while.

I have found captchas to be overkill. Simple text questions work very well, and do not penalize the blind.

The key is this. You can't provide a library of sample test questions. Each site admin has to make
up their own. So you need a UI where they can add and delete questions. When I was running MT,
I just had all commenters enter my first name as the question. Worked extremely well. Got one or
two comment spams, presumably from manual spammers (which a captcha won't stop) in a year.

If spammers start collecting the questions and answers and distributing them, and you get a
comment spam, just change the question. It's really easy to do. Frankly now that nofollow is here,
doing this level of work to spam blogs seems less and less productive anyway.

The folks who started doing captchas, dreaming of spammers with fancy OCR systems trying to
defeat them were dreaming of a distant future that may never arrive. And you should never do more
than you need to do to make anti-spam work in any event.

Hello bradtem,

how do you implemented this in drupal? I want this what don't know how to do it.

Chris

PS: Would be nice if you drop me a message to spamspamsausagespam@gmx.de if you answer here because I surely forget to look here and I don't know when there is a new answer.

Ok, here is a patch to the comment module, not to the captcha module, which supports asking question s of people who post anonymous comments.

Captchas, as I indicated, are way-overkill. And they don't work for the blind. And they are a pain. Just asking a simple question works fine, if the question is a different one though up by each different drupal administrator. Truth is, I don't think spammers will take the time to try to collect answers and write bots to use them, but if they do, just change the question from time to time.

I use a very simple question (what's my first name) but of course I recommend you think up your own question. As long as the questions follow no pattern, the spammers can't automate figuring them out.

Try this patch and you'll have no more comment spam. You must turn on anonymous comments -- that's the point.

After putting in this patch, go to your comment config page.

I think content and comment captchas are a really good idea.

Answering a small question as alternatively suggested above is another feature altogether.

Have others considered the #6 captcha.patch to be stable w/ 4.6.3?

Thanks again for putting that together.

I can't make much sense of all these revisions.....what I really want to know is - I have a month old install of 4.6.3 and the latest captcha 4.6.x modules downloaded and installed.

Why the heck is there an option in settings for "check during anonymous comments" if it doesn't work (without some crazy patch not in core)?

Can someone explain this?

1. Comment captchas are supported in Drupal HEAD / 4.7, thanks to FormAPI.
2. Content captchas wil have to wait a while.

Just looking for any clarification - will anyone provide a patch for comment.module to work against captcha.module in 4.6.5?

I made a patch for 4.6.5

I've tested this on my installs - it seems to work for me.

Everything should be commented - all I did was re-patch and diff from existing patches for earlier versions of drupal.

--- comment.module.orig	2006-01-25 22:36:39.593183456 -0700
+++ comment.module	2006-01-25 22:50:09.268094160 -0700
@@ -441,6 +441,14 @@
   }
 
   // Validate the comment's body.
+// patch adds captcha module support
+// evilzenscientist 25Jan06
+// based on existing patches
+// comment.module_7.patch http://drupal.org/node/14708 
+//
+// Calls captcha to validate post.
+  module_invoke_all('comment', 'validate', $edit);
+// and back into the main comment code
   if ($edit['comment'] == '') {
     form_set_error('comment', t('The body of your comment is empty.'));
   }
@@ -1419,6 +1427,14 @@
 
   // format selector
   $form .= filter_form('format', $edit['format']);
+// patch adds captcha module support
+// evilzenscientist 25Jan06
+// based on existing patches
+// comment.module_7.patch http://drupal.org/node/14708 
+//
+// Calls captcha to validate post.
+  $form .= implode('', module_invoke_all('comment', 'form', $edit));
+// and back into the main comment code
 
   // preview button:
   $form .= form_hidden('cid', $edit['cid']);

Hi,

I've applied the new approach captcha module from #10. However, there is a bug on validation of the verification answer in the node creation forms.

This code

      // only validate captcha if "Submit" button is used
      if ($_POST['op'] == t('Preview') && (variable_get('captcha_code','') == '' || $node->captcha != variable_get('captcha_code',''))) {

should be changed to

      // only validate captcha if "Submit" button is used
      if ($_POST['op'] == t('Submit') && (variable_get('captcha_code','') == '' || $node->captcha != variable_get('captcha_code',''))) {

Also, there is a problem. If the user uses "Back" and "Forward" buttons of the browser, he can quickly spam the site and makes the captcha process non-sense. :(

Closing since this is supported in cvs version using fapi. Thanks for the patches / workarounds.

Is there any way we could get the simple question patch for ver 4.7? It really helped with spam.