In the last couple of weeks (April 22, 2011) I have noticed a lot of comment form spamming on my Drupal websites that use the Captcha module. Is there a patch available to block automated submissions that use this module?

Details - The title is always the same: "Interesting information about activation"
The body of the comment is always the same: "I think this board is the proper place to ask you about the activation proccess. My link is not working properly, do you know why it is happening?"
The link included, always follows the same format: [your domain]/?#### (13 hex digits + one number, 27 characters total)

This is a widespread attack ... Google for "Interesting information about activation" to find 28,000+ Drupal sites that have fallen prey to this.

Has anyone else encountered this? I have my suspicions that this may be a core issue rather than a Captcha issue - I'll continue my research.

My site: Captcha-6.x-2.4; Drupal core: 6.20

Comments

Heine

Vulnerable to what exactly? Leaving comments?

VBranston

Reply to Heine's query.
Vulnerable to form spamming by bots, I'm reasonably sure the comment form is not the only form being hit by this. Isn't CAPTCHA supposed to help prevent the vulnerability to spamming by bots?

wundo

Status: Active » Postponed (maintainer needs more info)

Yes, CAPTCHA prevents sites from being spammed, but depending on how you configured CAPTCHA you may not be adding the challenges to the proper form, or your challenge is not strong enough for the spambot that is spamming you. Could you please provide us with more information about your Drupal installation?

jonathan1055

I've just discovered that one of my sites has been hit by this. I had 1400+ spam posts to new forum topics and comments from mid-April. Prior to that, captcha was excluding all spam and the forums were totally clean. The site is not moderated so I was only alerted to it by my hosting company's automated e-mail saying my monthly bandwidth was 80% used. Normally I only hit 20%. Many of the comments were 'Interesting information about activation' but also a huge number in the Russian alphabet and many others with a subject of just one word - a string of around 14 to 20 random letters.

I do not know how the automated spam bot got past captcha - I've just tested it with an anonymous user and it is working fine, so there must have been some loophole which was not discovered before. I'm on D6.20 and captcha 6.x-2.4 with Image Captcha. I will help if I can. I've closed my board to new submissions and am getting rather bored of deleting 100 nodes at a time, even though I'm using the excellent Content Management Filter (CMF) module. Are there any other reports of this problem?

Jonathan

jonathan1055

Forgot to say that it could possibly be linked to upgrading from Captcha 2.3 to 2.4. I'm not saying that it is definitely linked, but I upgraded to 2.4 around the middle of April (my FTP software has 14/04/2011 against the folder).

Google for "Interesting information about activation" to find 28,000+ Drupal sites ...

Google now returns 2.9 million hits for this exact phrase! (using advanced search)

anewman1980

I was recently surprised to have a big user registration attack from Russia, despite using Captcha and having it enabled on the registration form. Luckily I had the admin approval required setting on. I also use the logintoboggan module so I am not sure if that could be responsible too? This is on Drupal 7.

Looking through the millions of Google search results, it seems PhpBB and Smf have received similar posts. The last part of the URL appears to be random as I have seen it entered into signatures too. The aim of these posts is unclear - one would assume posting the link is of some benefit to the hacker after users follow it, but I can't see anything that is obvious. The only thing I can think of is kudos from the high number of Google search hits for the term. The posts generally seem to invite confused responses highlighting that they must have already activated.

jonathan1055

That's useful info. I'm not using logintoboggan, and mine were all forum posts and comments, as I have user registration closed and only create users via admin.

What I would have liked to see from my dblog is whether any posted attempts were blocked by captcha during this period (which would imply that someone has found a way to trick captcha) or whether every spam attempt was allowed through, which implies a bigger fault with the captcha upgrade. However, due to the huge volume of spam posts each with a record in the log, the data for earlier days had already been cleared down.

I took a look at the differences in all files from 2.3 to 2.4 but, having not looked at this module's code before, it was impossible for me to spot any potential problem. There was quite a bit of work, and even a db field name change, which had to be replicated in the object throughout the code.
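The question above (were any posts blocked by CAPTCHA during the attack, or did everything sail through?) can be answered from the dblog table before it is cleared down. Here is an added example, not code from the thread or the captcha module, that classifies exported watchdog rows per day. The rows are constructed sample data; the watchdog type "CAPTCHA" for logged wrong responses and the "Comment: added %subject." message from Drupal 6 core are assumptions to check against your own log.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Subject the thread reports as the attack signature.
SPAM_SUBJECT = "Interesting information about activation"

# Constructed watchdog rows as (timestamp, type, message). Assumed formats:
# captcha logs blocked posts under type "CAPTCHA" (when "log wrong responses"
# is on); comment.module logs "Comment: added <subject>." under type "content".
SAMPLE_ROWS = [
    (1302652800 + 100, "content", "Comment: added Great post, thanks."),
    (1302652800 + 200, "CAPTCHA", "comment_form post blocked by CAPTCHA module"),
    (1302652800 + 300, "content", "Comment: added Question about hosting."),
    # 2011-04-20: spam signature posted, nothing blocked at all
    (1303257600 + 100, "content", "Comment: added " + SPAM_SUBJECT + "."),
    (1303257600 + 200, "content", "Comment: added " + SPAM_SUBJECT + "."),
    (1303257600 + 300, "content", "Comment: added " + SPAM_SUBJECT + "."),
    (1303257600 + 400, "content", "Comment: added Thanks for the tip."),
    # 2011-04-21: spam signature posted, but some attempts were blocked
    (1303344000 + 100, "CAPTCHA", "comment_form post blocked by CAPTCHA module"),
    (1303344000 + 200, "content", "Comment: added " + SPAM_SUBJECT + "."),
    (1303344000 + 300, "CAPTCHA", "comment_form post blocked by CAPTCHA module"),
    (1303344000 + 400, "content", "Comment: added " + SPAM_SUBJECT + "."),
]


def verdict(counts):
    """Interpret one day's counters.

    clean    - no spam-signature comments were added
    bypassed - spam got in and nothing was blocked: the challenge was never
               enforced (points at the form/upgrade, not at bot cleverness)
    tricked  - spam got in while other attempts were blocked: the challenge
               ran but was being solved or guessed
    """
    if counts["spam_signature"] == 0:
        return "clean"
    if counts["blocked"] == 0:
        return "bypassed"
    return "tricked"


def daily_summary(rows):
    """Return {YYYY-MM-DD: {added, spam_signature, blocked, verdict}}."""
    days = defaultdict(lambda: {"added": 0, "spam_signature": 0, "blocked": 0})
    for ts, wtype, message in rows:
        day = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
        if wtype == "CAPTCHA":
            days[day]["blocked"] += 1
        elif wtype == "content" and message.startswith("Comment: added "):
            days[day]["added"] += 1
            if SPAM_SUBJECT in message:
                days[day]["spam_signature"] += 1
    for counts in days.values():
        counts["verdict"] = verdict(counts)
    return dict(days)
```

Run it against a dump of your own watchdog table (timestamp, type, message columns) rather than the constructed rows; a day that comes back "bypassed" is the one to line up against the 2.3 to 2.4 upgrade date.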

hles

Hey guys,

Just to mention that two of my websites have just been hit by spam during two days, even though they use the captcha module. Fortunately, they were not "heavily" spammed (50 comments and/or mails sent via the contact form in 2-3 days) and comment approval was activated.

Some info:
Drupal 6.22, Captcha 2.4, Math challenge.

I'm no expert in captchas, but would a challenge displaying "2 + 3" as an image instead of text make it more difficult for spam bots to bypass the challenge?

soxofaan

Status: Postponed (maintainer needs more info) » Closed (duplicate)

duplicates/related reading:
#519314: Spam bot getting through?
#1191774: Captcha module has been cracked!

@hles: the math CAPTCHA is a very basic/simple challenge (and should be considered more as an example implementation or debug/fallback option, not intended for production). If you just take random guesses (possible values are between 1 and 20), you already have a success rate of 5%. Obfuscating the challenge in an image will not help against this attack.

soxofaan