I have a simple user registration form on my website and everyday I have at least two or three bot-users (like "taylor7i123" with fake name in the profile and with an e-mail at "123.com" domain) who bypass the Captcha and registered "themselves".

How is it possible ?

Does Captcha really work ?

konrad

CommentFileSizeAuthor
#4 captcha_azb.png95.13 KBkonrad_m

Comments

soxofaan’s picture

Category: bug » support
konrad_m’s picture

I use the Image Captcha.

soxofaan’s picture

With what settings? How many characters? can you provide a screen shot?

do you have an idea of how many attempts/attacks you get on this CAPTCHA? Do you have the option "Log wrong responses" enabled on the CAPTCHA settings page?

konrad_m’s picture

StatusFileSize
new95.13 KB

Image captcha with 5 characters, letters and numbers. Here is a screenshot.

I just enabled the "log wrong response" to see how many attempts.

wundo’s picture

Status: Active » Postponed (maintainer needs more info)

Konrad_m, try adding some noise to your captcha configuration, also, what did you find out after enabling the log wrong response?

konrad_m’s picture

Not so much atttempt in the log files: only two at this time were blocked.

jfall’s picture

I've been watching the spambots activity closely on my site, and based on my observations here I'd say they definitely can solve the image Captcha sometimes. Certainly with the default settings (5 characters with very little noise or distortion), I was getting 2 or 3 per day solving the captcha. Many of the attempts that were blocked by Captcha were only off by one similar character - e.g., an 'i' instead of a '1' or a '6' instead of a 'b', etc.

I have been slowly increasing the captcha difficulty by adding distortion and noise and increasing the length of the captcha string. If I had time, it would be very interesting to adjust these independently and see which is the most effective. Currently, with a 6 character captcha and low-med distortion and noise, bots able to bypass the Captcha have been reduced to 1 every couple days. However, based on some trials I've done with human beings, this is nearing the limit for a human to solve successfully - even with these relatively low settings, people are finding it hard and making mistakes solving the Captcha.

The problem seems to be vastly improved image-processing and text recognition by the bots coupled with shear volume - our site gets a failed registration request nearly every minute. Although the majority of these are rejected by other anti-bot measures, the Captcha module blocks dozens or hundreds of requests each day. So still an indispensable line of defense, but with that volume, it seems some of them have image-captcha algorithms good enough now that some of the Captchas will be solved some of the time.

At this time, it seems, the problem is still manageable - from log inspections, only a small portion of the bots have good image-captcha solving algorithms, the majority don't guess anything close to the right answer. But, there are certainly some bots out there with very good algorithms, and they likely will proliferate as they become more successful. Also, from the log inspections, their algorithms don't need to improve much before they can solve image captchas better than humans. I know this is a much bigger issue than the one raised here, but as developers we need to start asking Now What?

jfall’s picture

Hmmmm... on more considered thought, I jumped the gun in blaming bots for solving the captcha - I'd guess I've got an attacker who is using human solvers - makes sense with the patterns I'm seeing.
http://en.wikipedia.org/wiki/CAPTCHA#Human_solvers

Then again, bots were resoundingly defeating image captchas at least 5 years ago..
http://www.pcmag.com/article2/0,2817,2209782,00.asp

damn them all!

tomfriedel’s picture

I've had about 20 fake signups every day for at least three years on BirdPhotos.com. When I let one in, I get 50,000 forum messages posted in one day. I've basically had to shut down user signups (I request an email before validating anyone). I just updated to latest CAPTCHA and drupal 6.x. I am stuck on 6.x because I integrate with Gallery2. I would be open to totally redoing the site,but can not find a image gallery with the features of Gallery2 + Drupal 6.x. Reading this thread, it seems that CAPTCHA has already been beaten by the bots, so what is there to do?

hass’s picture

Try reCaptcha... It is the safest one available as of today with best usability.

UncleScotty’s picture

In terms of the CAPTCHA technology being "at all" effective, I had a recent experience where I was writing to a regional government councilor and the mailto form in which I completed my message had a CAPTCHA verification code element at the bottom of the page.
(see the form here: https://niagararegion.ca/mailto.aspx?email=andrew.petrowski&name=Andrew+...)

I accidentally hit a "rogue" key, possibly even the ENTER key, on my laptop before finishing my message and my page flashed and went to a new page with the text "Thank you...Your message has been sent", etc etc.....or words to that effect.

I KNEW I hadn't completed the CAPTCHA routine and was curious how the message could have "gone" without my completing the "test". I emailed AND phoned the government office to explain to the Communications Co-ordinator what had happened and here's the answer I got:

"Based on our conversation last week, here’s some information that will hopefully help explain what happened:

· All HTML forms allow a user to hit enter to submit by default. For example, when you login to any type of application, you can typically hit enter or the button -- whatever is easier for the end user.

· The primary purpose of the CAPTCHA was set up to deter robots, but at the same time we wanted to make it simple for humans. Therefore, the form itself detects if you are a human or robot based on how you interact with the form. Since you spent time on the page it detected you as a human, and allowed the form to submit without being typed in."
------------------------------------------------------

Does that make any sense to you folks? Seems bizarre to me that "time spent" would allow passage.....but, what do I know?!?!

chris matthews’s picture

Version: 7.x-1.0-beta2 » 7.x-1.x-dev

Version change only

anybody’s picture

Status: Postponed (maintainer needs more info) » Closed (works as designed)