WordPress spam - II. Types of spam.
Wednesday, February 13th, 2008
I know 3 types of spam in WordPress, and speculate about one more:
* comment spam
* trackback (or pingback) spam
* registration spam
* plugin spam
This blog is retired.
Good job! You’ve built a great web site that’s going to attract a lot of visitors. But before you start counting all of that money you plan to make, take a moment to meet Mr. FUD.
Yep, good old Fear, Uncertainty, and Doubt is about to step into your life if you’re thinking about adding a CAPTCHA gateway to your registration or message forms. Here are two reasons why:
I always wondered why the support forums of phpBB and PHP-Nuke are free of spam. Yes, there are a number of moderators, but bots work faster than people and they are never tired. Recently I stumbled upon the “don’t spam here” list of XRumer (the best spam bot) and realized it all:
The industry-leading spam bots don’t spam the developers’ forums! That’s why the developers don’t know that the spam problem is so important to users. That’s why the developers don’t improve the spam protection.
I’ve looked through the black (hmm… white?) list and decided to highlight some sites:
The post “Evil Idea: Make money from spammers!” has raised a number of comments. The intermediate verdict is: “A bad idea if put into practice, not a bad idea in theory”. Probably I know the first step to refactor the idea. Let’s try this way:
Evil spammers and renegade programmers aren’t who you think they are. Sure, both types of Internet abusers can trace their origins back to random individuals who weren’t commercially organized and whose actions didn’t really cause a huge ripple effect across the ‘Net. But all of that has changed.
Today’s virus attacks are written by professional software developers who charge fees to buyers who want to release their own spam, virus or Trojan horse attack. Developers sell plug-and-play “instant virus outbreaks” and root kits that can be purchased and downloaded online. Organized crime cartels from around the world have sunk their claws into the Internet and they’re making billions of dollars per year running their spam networks and phishing sites.
In my last post I told you about some BB anti-spam protection schemes out there that rely upon third-party spam reports to build a list of known spammers who frequent the forum community and blogosphere. I also wrote about why this method of protecting your site from spam wasn’t as good an idea as it seemed from a technical point of view. Today I want to tell you about a few legal issues you may face if you choose to utilize a blacklist.
One of the biggest legal obstacles is that UK webmasters are subject to fines and penalties if they transmit sensitive user data to any organisation that is not subject to the UK Data Protection Act.
Wouldn’t it be great if you could get access to an automatically maintained list of forum spammers and simply check each new member against it before you allowed someone to register or create a new post? Well you kind of can do that, to some extent, but you may not want to. Here’s why…
Many people, including me, believe that security by obscurity gives a false sense of security. Any security tool must be available in source code, even to bad guys. But Advanced Textual Confirmation (ATC) is encoded. Why?
It’s all about the business. If I deliver the tool as is, some “alternatively smart” programmer can copy/paste the code in a few minutes and start selling the clone. This is my worry: “alternatively smart” programmers.
To satisfy those who are against security by obscurity, I’m disclosing the ATC internals in this post. Warning: to understand the text in full, you have to be a web programmer.
True Story:
I became so irritated from using phpBB2 Advanced Visual Confirmation, which ended up causing me more trouble than it was worth, that I finally did something about it.
After thinking that I had wrapped a spammer-proof wall of security around my forum, I discovered that spammers were having an easier time decrypting my captcha images than my authorized members were. In fact, I often ended up having to manually register new users who I thought weren’t smart enough to decipher the image that was sitting right there in front of their face. It was only after I tried (and failed) to register one particular user 5 times that the truth hit me:
When it comes to default captcha decoding skills: Computers win, humans lose.
Just stumbled upon the article “Using AI to beat CAPTCHA and post comment spam”. There are a number of projects related to breaking CAPTCHAs and a number of articles on the topic, but this article strikes me most, because of: