This blog is retired.


MOD Textual Confirmation Rises From Pit of Despair

True Story:

I became so irritated from using phpBB2 Advanced Visual Confirmation, which ended up causing me more trouble than it was worth, that I finally did something about it.

After thinking that I had wrapped a spammer-proof wall of security around my forum, I discovered that spammers were having an easier time decrypting my captcha images than my authorized members were. In fact, I often ended up having to manually register new users who I thought weren’t smart enough to decipher the image that was sitting right there in front of their face. It was only after I tried (and failed) to register one particular user 5 times that the truth hit me:

When it comes to default captcha decoding skills: Computers win, humans lose.

The default phpBB2 captcha is very, very simple. There are no screwed characters, fancy backgrounds, etc. The most basic spambot can plow through this level of protection in milliseconds. Real users stumble.

Here’s how I know…

I’ve collected some good information from you guys and I want to thank everyone who posted. Based upon your input, I recently installed phpBB. I have about 150 users. I’m getting anywhere between 1 - 10 spammer signup attempts per day right now. As part of my experiment, I went into the code of usercp_register.php and added a little mod that logs everyone who attempts to register.

Here’s what I found out…

Although no bot fails to decode the captcha, about 10% of the real users cannot decode the captcha; the most common mistake seems to be entering all lower case when the visual confirmation requires all upper case. I’m inclined to turn off visual verification and probably will soon.

The end result? Captcha continues to be a bad implementation of a good idea. That’s why I created Textual Confirmation.

3 Responses to “MOD Textual Confirmation Rises From Pit of Despair”

  1. jurgen Says:

    Hi! I also run a phpbb. Currently, my way of killing spambots is banning their IP ranges after they’ve posted, but when I read you changed usercp_register.php to log all IPs that attempt to register, I became really, really interested. I would love to know the code you added to the php script, since I’m not really a skilled coder myself, but could use some help in the fight against spambots! Please post it or send me an e-mail.
    Thx!

  2. Sky Says:

    Can anyone explain what happened with the automatic mail to bbspam.com?

    See that part of the mail:

    This message was created automatically by mail delivery software.

    A message that you sent has not yet been delivered to one or more of
    its recipients after 25 hours.

    The message has not yet been delivered to the following addresses:

    host mail.bbspam.com[1.2.3.4]:
    connection to mail exchanger failed with timeout

    Must I change the mail addy - how can I do that?

  3. Oleg Says:

    Here is the explanation:
    http://bbantispam.com/forum/viewtopic.php?t=606