Bots can bypass the Captcha

Project: CAPTCHA
Version: 7.x-1.0-beta2
Component: User interface
Category: support request
Priority: normal
Assigned: Unassigned
Status: postponed (maintainer needs more info)

Issue Summary

I have a simple user registration form on my website, and every day I have at least two or three bot users (like "taylor7i123", with a fake name in the profile and an e-mail at the "123.com" domain) who bypass the Captcha and register "themselves".

How is it possible?

Does Captcha really work?

konrad

Comments

#1

Category: bug report » support request

What challenge are you using? Math captcha or Image CAPTCHA?

related reading:
#519314: Spam bot getting through?
#1191774: Captcha module has been cracked!
#1135682: Drupal sites using Captcha are vulnerable...

#2

I use the Image Captcha.

#3

With what settings? How many characters? Can you provide a screenshot?

Do you have an idea of how many attempts/attacks you get on this CAPTCHA? Do you have the option "Log wrong responses" enabled on the CAPTCHA settings page?

#4

Image captcha with 5 characters, letters and numbers. Here is a screenshot.

I just enabled "Log wrong responses" to see how many attempts there are.

Attachment: captcha_azb.png (95.13 KB)

#5

Status: active » postponed (maintainer needs more info)

Konrad_m, try adding some noise to your captcha configuration, also, what did you find out after enabling the log wrong response?

#6

Not so many attempts in the log files: only two were blocked at this time.

#7

I've been watching the spambots activity closely on my site, and based on my observations here I'd say they definitely can solve the image Captcha sometimes. Certainly with the default settings (5 characters with very little noise or distortion), I was getting 2 or 3 per day solving the captcha. Many of the attempts that were blocked by Captcha were only off by one similar character - e.g., an 'i' instead of a '1' or a '6' instead of a 'b', etc.

I have been slowly increasing the captcha difficulty by adding distortion and noise and increasing the length of the captcha string. If I had time, it would be very interesting to adjust these independently and see which is the most effective. Currently, with a 6 character captcha and low-med distortion and noise, bots able to bypass the Captcha have been reduced to 1 every couple days. However, based on some trials I've done with human beings, this is nearing the limit for a human to solve successfully - even with these relatively low settings, people are finding it hard and making mistakes solving the Captcha.

The problem seems to be vastly improved image-processing and text recognition by the bots coupled with sheer volume - our site gets a failed registration request nearly every minute. Although the majority of these are rejected by other anti-bot measures, the Captcha module blocks dozens or hundreds of requests each day. So it is still an indispensable line of defense, but with that volume, it seems some of them have image-captcha algorithms good enough now that some of the Captchas will be solved some of the time.

At this time, it seems, the problem is still manageable - from log inspections, only a small portion of the bots have good image-captcha solving algorithms, the majority don't guess anything close to the right answer. But, there are certainly some bots out there with very good algorithms, and they likely will proliferate as they become more successful. Also, from the log inspections, their algorithms don't need to improve much before they can solve image captchas better than humans. I know this is a much bigger issue than the one raised here, but as developers we need to start asking Now What?
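The log inspection described in #7 (near misses that are off by one confusable glyph versus wild guesses) can be automated. The following is an added example, not code from the CAPTCHA module or from anyone in this thread; the log line format, the IP addresses and the confusable-glyph table are all assumptions constructed for the example.

```python
"""Classify logged CAPTCHA failures into OCR-style near misses vs random guesses.

Constructed log format (an assumption, not the CAPTCHA module's real log format):
    <timestamp> ip=<addr> expected=<answer> got=<response>
"""
import re
from collections import Counter

# Glyph pairs an OCR engine typically confuses; i/1 and 6/b are the ones seen in #7.
CONFUSABLE = {frozenset(p) for p in ("i1", "l1", "6b", "0o", "5s", "2z", "8b", "9g")}

LOG_RE = re.compile(r"ip=(?P<ip>\S+) expected=(?P<exp>\S+) got=(?P<got>\S+)")


def is_near_miss(expected: str, got: str) -> bool:
    """True when the response differs in exactly one position by a confusable glyph
    (or only by letter case), i.e. what a decent but imperfect OCR solver produces."""
    if len(expected) != len(got):
        return False
    diffs = [(a, b) for a, b in zip(expected, got) if a != b]
    if len(diffs) != 1:
        return False
    a, b = (c.lower() for c in diffs[0])
    return a == b or frozenset((a, b)) in CONFUSABLE


def classify(lines):
    """Return {ip: Counter} with 'solved', 'near_miss' and 'random' outcomes."""
    stats = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a CAPTCHA response line in the constructed format
        exp, got, ip = m["exp"], m["got"], m["ip"]
        if exp.lower() == got.lower():
            kind = "solved"
        elif is_near_miss(exp, got):
            kind = "near_miss"
        else:
            kind = "random"
        stats.setdefault(ip, Counter())[kind] += 1
    return stats


def suspected_ocr_bots(stats, min_failures=3, ratio=0.5):
    """IPs whose failures are mostly near misses: likely running a real solver,
    so worth watching even though the CAPTCHA is still blocking them."""
    out = []
    for ip, c in stats.items():
        failures = c["near_miss"] + c["random"]
        if failures >= min_failures and c["near_miss"] / failures >= ratio:
            out.append(ip)
    return sorted(out)


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2012-05-01T10:00:01 ip=198.51.100.7 expected=k3x9b got=k3x96",
    "2012-05-01T10:00:40 ip=198.51.100.7 expected=p1wq4 got=piwq4",
    "2012-05-01T10:01:12 ip=198.51.100.7 expected=d7m0h got=d7moh",
    "2012-05-01T10:02:00 ip=198.51.100.7 expected=a6tr2 got=a6tr2",
    "2012-05-01T10:03:33 ip=203.0.113.9 expected=z8fq1 got=aaaaa",
    "2012-05-01T10:04:10 ip=203.0.113.9 expected=h2vn5 got=qqq",
    "2012-05-01T10:05:51 ip=203.0.113.9 expected=r4kc7 got=1234567",
]
```

Run `classify(SAMPLE_LOG)` and `suspected_ocr_bots(...)` over your own exported "Log wrong responses" entries (after adapting `LOG_RE` to the real format) to see which sources are guessing and which are nearly reading the image.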

#8

Hmmmm... on more considered thought, I jumped the gun in blaming bots for solving the captcha - I'd guess I've got an attacker who is using human solvers - makes sense with the patterns I'm seeing.
http://en.wikipedia.org/wiki/CAPTCHA#Human_solvers

Then again, bots were resoundingly defeating image captchas at least 5 years ago...
http://www.pcmag.com/article2/0,2817,2209782,00.asp

damn them all!