My site is frequently comment spammed by bots. So I installed captcha validation to stop it. When I enable anonymous access to TextImage, captcha, and comments the spambot manages to post comments regardless. However, these comments are with no subject and no content at all. I've included screenshots of the log, a detailed log as well as actual comments. I've also included raw HTTP access logs. Apatche is responding with a HTTP Code 302 when it should be HTTP Code 403.

I'm using the latest drupal 4.7.4 with the stable release versions of Captcha and TextImage.

CommentFileSizeAuthor
captcha_probs.zip300.54 KByousif

Comments

poorhouse’s picture

poorhouse commented

Just to say, you're not alone. Captcha seems to have done wonders in blocking the thousands of spammy comments with links in etc. but now and then maybe up to 100 comments with no content get in.

For those using the spam module they get caught by that anyway, but I can't work out myself how they even get that far! I am using the maths question captcha if it makes a difference. Sorry I can't be any actual help though, I am baffled at present myself.

TheWhippinpost’s picture

TheWhippinpost commented

The problem with open source themes - particularly popular ones - is the footprint they leave; things like class and/or ID values are often enough to sniff-out worthy targets.

... and if I were a bot-maker looking for a good source of Drupal-based sites, why I'd just send them right along here first!

ksoonson’s picture

ksoonson commented

Sorry that this is not a solution for you but I wanted to say that you are not alone.

I also get spammed even though I upgraded to the latest stable version of captcha/textimage...etc.

wundo’s picture

wundo commented
Status: Active » Closed (fixed)
daveatkins’s picture

daveatkins commented
Version: 4.7.x-1.x-dev » 5.x-3.1
Component: Code » Image Captcha (image_captcha)
Category: bug » support
Priority: Critical » Normal

The spammers have gotten through captcha, but I also have the spam module installed and it correctly identifies the comments as spam (based on logs)...but the comments are still published. I think I have it configured somewhere so that captcha overrides spam. How can I set it so that in order for a comment to post it must 1) pass captcha AND 2) pass spam?

Here is what I see in the spam logs:

spam_content_filter: 40% probability of being spam for comment "rental"

I cannot find where to set the probability threshold and/or how to best have captcha and spam working together.

soxofaan’s picture

soxofaan commented

First: it's not because spam is posted to your site that "spammer have gotten through CAPTCHA". CAPTCHA is a tool to block spam bots, it can't stop human spam posters. And depending on what type of challenge you use, it's even possible for bots with a random guess to get though from time to time.

Second: CAPTCHA does not interact with the spam module directly, there is no built-in overriding or something from the point of view of the CAPTCHA module. It's been a while I used the spam module, so I don't know if and how that one interacts with the CAPTCHA module.

In any case: if the CAPTCHA module receives a wrong answer, it will block the form submission (with the standard Drupal function form_set_error()), if the answer is correct, it will do nothing and other modules, like the spam module should be able to do their job.

So in principle, you should be able to achieve "in order for a comment to post it must 1) pass captcha AND 2) pass spam"
but I don't know the spam module enough for full advise

I think you should also try your luck with the spam module developers.

(or check out this webservice based combination of spam-filtering and CAPTCHA: http://mollom.com/ )