Hello,

I'm dealing with a spam problem. We let anonymous users post comments, so we've been recently hit by a spambot that gets in and posts a couple hundred spam comments at a time. I installed the captcha module and (since I'm on 4.6.x) installed the comments patch. It seems to work fine; that is, when I pretend to be an anonymous user, I have to enter the correct code or it won't let me proceed posting. The bot, however, has no problem with the captcha and continues to post anyway.

Is it possible I'm doing something wrong that lets it in, or is this a problem with captcha (i.e. a bot has figured out how to get around it)?

Comments

Cerel’s picture

Captcha is not the ultimate solution against spam.

Sooner or later people will manage to go around it by implementing character recognition technology into their bots.

Go look at those pages to see the progress people are making in defeating some captchas:

So, it's not impossible that the spam bot defeated the Drupal captcha; you may try other solutions (limiting the number of posts during an interval, limiting the number of posts done by an IP during one day, limiting the number of links in the posts).

On a final note, remember that there is no solution 100% reliable.

zwhalen’s picture

Hmm, thanks. I've also heard something about switching around the ids on form fields to nonsense words, supposedly making it harder for some bots to figure out where to put what. It seems like that might work in some (though not necessarily all) situations.

So, in general, would you say that the best approach is to diversify? I also have bad_behaviour running and systematically ban IP addresses that generate spam. Neither is 100% effective, obviously, but I hoped that captcha would make more of a dent on its own.

Zdenda’s picture

I found this approach on Jakub Vrana's site. He uses another submit in his form:

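<?php
// Hidden honeypot submit button: real users never see or click it.
echo "<input type='submit' name='robot' value='Jsem robot' style='display: none;' />\n";
echo "<input type='submit' value='Vložit příspěvek' />\n";
// Bots that send every form field include "robot"; those posts are dropped.
if (!isset($_POST["robot"])) {
    // Bind the posted values as parameters instead of interpolating them into the SQL.
    // $pdo is assumed to be an existing PDO connection.
    $stmt = $pdo->prepare("INSERT INTO diskuse (jmeno, zprava, vytvoreno) VALUES (?, ?, NOW())");
    $stmt->execute(array($_POST["jmeno"], $_POST["zprava"]));
}
?>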

and because robots send all of the form's data, their messages were filtered out.

Translation: jmeno = name; zprava = message; vytvoreno = created; Jsem = I am; Vložit příspěvek = add comment

Cerel’s picture

Interesting indeed, but what happens if the user hits the "enter" key without clicking the button?

What submit is triggered? The first one, or the visible one? It would be nice to check that to make sure users aren't flagged as bots.
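
The layered checks suggested in this thread (a honeypot field, posting limits per IP, a cap on links per post), combined in one function as an added example that is not code from any poster, from Jakub Vrana or from Drupal. It swaps the hidden submit button for a hidden text input, so the result does not depend on which button the Enter key triggers; the field names, thresholds and the shape of `$history` are assumptions.

```php
<?php
// Added example: thresholds, field names and the $history shape are assumptions.
const MAX_POSTS_PER_INTERVAL = 3;    // posts allowed per IP inside INTERVAL_SECONDS
const INTERVAL_SECONDS       = 300;
const MAX_POSTS_PER_DAY      = 20;   // posts allowed per IP in 24 hours
const MAX_LINKS_PER_POST     = 2;

/**
 * Returns null when the comment may be stored, or a short reason for rejecting it.
 * $history is a list of ['ip' => string, 'time' => int] rows for earlier comments.
 */
function comment_reject_reason(array $post, string $ip, array $history, int $now): ?string
{
    // Honeypot: a text input hidden with CSS. People leave it empty;
    // bots that fill in every field do not.
    if (isset($post['website']) && trim((string) $post['website']) !== '') {
        return 'honeypot filled';
    }
    // Cap the number of URLs in the message body.
    $message = isset($post['message']) ? (string) $post['message'] : '';
    if (preg_match_all('~https?://~i', $message) > MAX_LINKS_PER_POST) {
        return 'too many links';
    }
    // Count this IP's earlier comments in the short interval and in the last day.
    $recent = 0;
    $today = 0;
    foreach ($history as $row) {
        if ($row['ip'] !== $ip) {
            continue;
        }
        $age = $now - $row['time'];
        if ($age < INTERVAL_SECONDS) { $recent++; }
        if ($age < 86400) { $today++; }
    }
    if ($recent >= MAX_POSTS_PER_INTERVAL) { return 'posting too fast'; }
    if ($today >= MAX_POSTS_PER_DAY) { return 'daily limit reached'; }
    return null;
}

// Constructed sample data; the addresses come from documentation ranges.
$now = 1000000;
$history = array_fill(0, 3, ['ip' => '203.0.113.7', 'time' => $now - 30]);
$cases = [
    'human'   => [['message' => 'Nice article', 'website' => ''], '198.51.100.4'],
    'bot'     => [['message' => 'hi', 'website' => 'http://spam.example'], '198.51.100.4'],
    'flooder' => [['message' => 'hi again', 'website' => ''], '203.0.113.7'],
];
foreach ($cases as $name => $case) {
    echo $name, ': ', comment_reject_reason($case[0], $case[1], $history, $now) ?? 'accepted', "\n";
}
```
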

dayzman1’s picture

I know I'm digging up an old post, but I think it was an intriguing discussion.

It is an interesting alternative, but I don't think that is a good idea. I think there is a possible risk that other modules will break apart if you play around with the ids etc. Also, changing the ids is nothing but an ad hoc fix. The spam bot can easily detect that you have changed the ids and fix theirs accordingly.

I think what you need is a more sophisticated challenge so that it itself is a computationally harder problem. Only that will be more sustainable.