Closed (works as designed)
Project:
CAPTCHA
Version:
7.x-1.x-dev
Component:
User interface
Priority:
Normal
Category:
Support request
Assigned:
Unassigned
Reporter:
Created:
26 Jun 2012 at 16:02 UTC
Updated:
21 Nov 2022 at 15:07 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #1
soxofaan commentedWhat challenge are you using? Math captcha or Image CAPTCHA?
related reading:
#519314: Spam bot getting through?
#1191774: Captcha module has been cracked!
#1135682: Drupal sites using Captcha are vulnerable...
Comment #2
konrad_m commentedI use the Image Captcha.
Comment #3
soxofaan commentedWith what settings? How many characters? can you provide a screen shot?
do you have an idea of how many attempts/attacks you get on this CAPTCHA? Do you have the option "Log wrong responses" enabled on the CAPTCHA settings page?
Comment #4
konrad_m commentedImage captcha with 5 characters, letters and numbers. Here is a screenshot.
I just enabled the "log wrong response" to see how many attempts.
Comment #5
wundo commentedKonrad_m, try adding some noise to your captcha configuration, also, what did you find out after enabling the log wrong response?
Comment #6
konrad_m commentedNot so much atttempt in the log files: only two at this time were blocked.
Comment #7
jfall commentedI've been watching the spambots activity closely on my site, and based on my observations here I'd say they definitely can solve the image Captcha sometimes. Certainly with the default settings (5 characters with very little noise or distortion), I was getting 2 or 3 per day solving the captcha. Many of the attempts that were blocked by Captcha were only off by one similar character - e.g., an 'i' instead of a '1' or a '6' instead of a 'b', etc.
I have been slowly increasing the captcha difficulty by adding distortion and noise and increasing the length of the captcha string. If I had time, it would be very interesting to adjust these independently and see which is the most effective. Currently, with a 6 character captcha and low-med distortion and noise, bots able to bypass the Captcha have been reduced to 1 every couple days. However, based on some trials I've done with human beings, this is nearing the limit for a human to solve successfully - even with these relatively low settings, people are finding it hard and making mistakes solving the Captcha.
The problem seems to be vastly improved image-processing and text recognition by the bots coupled with shear volume - our site gets a failed registration request nearly every minute. Although the majority of these are rejected by other anti-bot measures, the Captcha module blocks dozens or hundreds of requests each day. So still an indispensable line of defense, but with that volume, it seems some of them have image-captcha algorithms good enough now that some of the Captchas will be solved some of the time.
At this time, it seems, the problem is still manageable - from log inspections, only a small portion of the bots have good image-captcha solving algorithms, the majority don't guess anything close to the right answer. But, there are certainly some bots out there with very good algorithms, and they likely will proliferate as they become more successful. Also, from the log inspections, their algorithms don't need to improve much before they can solve image captchas better than humans. I know this is a much bigger issue than the one raised here, but as developers we need to start asking Now What?
Comment #8
jfall commentedHmmmm... on more considered thought, I jumped the gun in blaming bots for solving the captcha - I'd guess I've got an attacker who is using human solvers - makes sense with the patterns I'm seeing.
http://en.wikipedia.org/wiki/CAPTCHA#Human_solvers
Then again, bots were resoundingly defeating image captchas at least 5 years ago..
http://www.pcmag.com/article2/0,2817,2209782,00.asp
damn them all!
Comment #9
tomfriedel commentedI've had about 20 fake signups every day for at least three years on BirdPhotos.com. When I let one in, I get 50,000 forum messages posted in one day. I've basically had to shut down user signups (I request an email before validating anyone). I just updated to latest CAPTCHA and drupal 6.x. I am stuck on 6.x because I integrate with Gallery2. I would be open to totally redoing the site,but can not find a image gallery with the features of Gallery2 + Drupal 6.x. Reading this thread, it seems that CAPTCHA has already been beaten by the bots, so what is there to do?
Comment #10
hass commentedTry reCaptcha... It is the safest one available as of today with best usability.
Comment #11
UncleScotty commentedIn terms of the CAPTCHA technology being "at all" effective, I had a recent experience where I was writing to a regional government councilor and the mailto form in which I completed my message had a CAPTCHA verification code element at the bottom of the page.
(see the form here: https://niagararegion.ca/mailto.aspx?email=andrew.petrowski&name=Andrew+...)
I accidentally hit a "rogue" key, possibly even the ENTER key, on my laptop before finishing my message and my page flashed and went to a new page with the text "Thank you...Your message has been sent", etc etc.....or words to that effect.
I KNEW I hadn't completed the CAPTCHA routine and was curious how the message could have "gone" without my completing the "test". I emailed AND phoned the government office to explain to the Communications Co-ordinator what had happened and here's the answer I got:
"Based on our conversation last week, here’s some information that will hopefully help explain what happened:
· All HTML forms allow a user to hit enter to submit by default. For example, when you login to any type of application, you can typically hit enter or the button -- whatever is easier for the end user.
· The primary purpose of the CAPTCHA was set up to deter robots, but at the same time we wanted to make it simple for humans. Therefore, the form itself detects if you are a human or robot based on how you interact with the form. Since you spent time on the page it detected you as a human, and allowed the form to submit without being typed in."
------------------------------------------------------
Does that make any sense to you folks? Seems bizarre to me that "time spent" would allow passage.....but, what do I know?!?!
Comment #12
chris matthews commentedVersion change only
Comment #13
anybody