I'm using captcha 7.x-1.0-beta2+16-dev and Drupal 7.22.

I have seen some log entries lately and in the past of spam bots requesting the same captcha image multiple times in order to get the easiest-to-answer version of the captcha. For example, if I call
http://mysite.com/image_captcha?sid=5&ts=1365221990 multiple times, I will get an image with the same solution but generated multiple times.

It might be better to just return a "304 Not Modified" header in this case to tell client browsers to use what is already in their cache, or to force a new solution to be generated?

Is there maybe some other way to prevent spammers from cherry-picking image captchas?

Thank you very much!

Files:
Comment: #2 | File: 1962962_randomseeding.patch | Size: 1.66 KB | Author: soxofaan
Test result: PASSED: [[SimpleTest]]: [MySQL] 718 pass(es).

Comments

The "get another distortion on reload" behavior was intended as a feature, but as you point out, it mainly lowers the bar for automated CAPTCHA solving and is probably not that useful for legitimate human users.

Detecting re-requesting of the same image is a bit tricky.
First, for the "304 Not Modified" trick, you need the conditional request (containing date information of the previous request). A spam bot can easily circumvent this by not providing a date of the previous request.
Also, allowing only one request for the image to work and failing on subsequent requests is tricky. IIRC, it was implemented in earlier versions like this, but it gave issues in some situations/environments; I remember something about certain browsers requesting the image twice for some reason.

Anyway, a possible alternative approach is always using the same distortion for the same challenge.
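The "same distortion for the same challenge" idea above, as an added example that is not the captcha module's own code: seed the distortion RNG from the challenge plus a site secret, so repeated requests for one image cannot yield a fresh, possibly easier, rendering. The object fields (`csid`, `solution`), the function names and the parameter set are hypothetical; `drupal_get_private_key()` is the Drupal 7 site key and is stood in for by a constructed string here.

```php
<?php
/**
 * Added example, not code from the captcha module. Derive the distortion
 * seed from the challenge so re-requesting image_captcha?sid=...&ts=...
 * reproduces the identical image instead of a new random distortion.
 *
 * Assumptions (hypothetical, not from the issue): $challenge carries the
 * captcha_sessions id as ->csid and the answer as ->solution; $private_key
 * is a per-site secret (on Drupal 7 use drupal_get_private_key()).
 */
function example_distortion_seed($challenge, $private_key) {
  // HMAC over the challenge id and solution with a site secret: the same
  // challenge always maps to the same seed, but a client cannot pick it.
  $mac = hash_hmac('sha256', $challenge->csid . ':' . $challenge->solution, $private_key, TRUE);
  // mt_srand() wants a 32-bit integer; take the first 4 bytes, mask the
  // sign bit so the value is safe on 32-bit PHP builds as well.
  $parts = unpack('N', substr($mac, 0, 4));
  return $parts[1] & 0x7fffffff;
}

function example_seeded_distortion_params($challenge, $private_key) {
  mt_srand(example_distortion_seed($challenge, $private_key));
  // Any distortion parameters drawn from mt_rand() now repeat per challenge.
  $params = array(
    'rotation'   => mt_rand(-15, 15),
    'noise'      => mt_rand(0, 50),
    'wave_phase' => mt_rand(0, 628) / 100,
  );
  // Restore an unpredictable seed so later mt_rand() users in the same
  // request (e.g. the next challenge's solution) are not made deterministic.
  mt_srand();
  return $params;
}

// Constructed sample: one challenge, requested twice, and a second challenge.
$key = 'constructed-site-private-key';
$first  = (object) array('csid' => 5, 'solution' => 'x7kq');
$second = (object) array('csid' => 6, 'solution' => 'p2mz');
$a = example_seeded_distortion_params($first, $key);
$b = example_seeded_distortion_params($first, $key);
$c = example_seeded_distortion_params($second, $key);
echo 'same challenge twice: ', ($a === $b ? 'identical' : 'differs'), "\n";
echo 'different challenge:  ', ($a === $c ? 'identical' : 'differs'), "\n";
```

Because the solution is part of the HMAC input, the seed also changes whenever a new solution is generated for the same session id, so the approach does not lock a session to one image forever.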

Status: Active » Needs review
File: new, 1.66 KB
Test result: PASSED: [[SimpleTest]]: [MySQL] 718 pass(es).

Here is a patch.