1
limecity
SPAM attack
  • 2007/6/25 17:55

  • limecity

  • Friend of XOOPS

  • Posts: 1602

  • Since: 2003/7/6 0


How in the world did I get spam through the contact module which has the captcha feature.

Is this a security bug or something?
hhttp://www.mounthiking.com
all your hiking gears and gadgets


2
sato-san
Re: SPAM attack
  • 2007/6/25 18:12

  • sato-san

  • Quite a regular

  • Posts: 224

  • Since: 2005/7/1 1


You can take the liaise or formulaire modules from here.

3
vaughan
Re: SPAM attack
  • 2007/6/25 18:31

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


i've been saying for quite a while that all the hype about captcha is just that: "hype".

captcha is practically useless at stopping bots, and we have to figure out other methods of prevention.

many bots are now using OCR (Optical character recognition) to crack captcha images etc, and other bots use other methods in order to get past it (nothing related to a security issue in xoops), it's just simply a means of automatic/manual user intervention on the bot's programming.

4
instantzero
Re: SPAM attack

Quote:

vaughan wrote:
(nothing related to a security issue in xoops)

WRONG !
It's possible to post comments on almost anything.

Have a look to what Protector is doing.

5
vaughan
Re: SPAM attack
  • 2007/6/25 19:08

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


right & wrong herve. yes it's a cliche.

but wouldn't matter if the core was secure enough and comments weren't allowed from anonymous or whatever.

i said it's not because of a XOOPS security issue, because it makes no difference due to the fact that CAPTCHA is practically to the point of being useless, and can't be relied on to protect your sites from BOTS anymore.

6
Dave_L
Re: SPAM attack
  • 2007/6/25 19:09

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:
captcha is practically useless at stopping bots, and we have to figure out other methods of prevention.


I disagree.

On a couple of (non-XOOPS) sites, we were getting a moderate amount of "bot spam". I implemented a simple CAPTCHA. It consists of a four-digit number displayed as an image. I didn't even bother to distort the characters in the image. That stopped 100% of the spam.

Granted, my sites are not high-traffic, and maybe the sophisticated bots don't visit them. But in my case, the CAPTCHA served its purpose very well.

-----

In response to limecity, more information is needed. Are you talking about an isolated spam that could have been posted by a real person?

I'm not familiar with how this particular CAPTCHA works. Perhaps it has a weakness.

7
vaughan
Re: SPAM attack
  • 2007/6/25 19:25

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


well yes to a point it can help with the less sophisticated bots. but look where we are now, and then look 6 months down the line when the sophisticated bots will be even more on the increase.

we have to start thinking ahead of ourselves and develop for the future, and whilst captcha is ok in some respects, it will only get worse down the line. By worse I mean that using user-intervention methods will start to become more a hindrence and nuisance to humans than the bots. we need some methods of prevention that works in the background and doesn't reduce usability for the user.

user-agent checking, IP checking (bots change IP & user-agent frequently) so a setting to dis-allow changing of IP address during registration would also help eliminate some bots. some bots bypass the registration form completely and use CURL as a method of input.

well 1 method of preventing those bots, could be to issue a string variable to the PHP SESSION and also the $_POST form. then compare the strings on submission. of course if the bot is using curl then the $_POST string would be empty because the form hasn't been called. so then we can assume some kind of automatic registration is being used. if a user registers, they will use the form, so both PHP SESSION string & $_POST string would be equal, hence we at least then know that the form is being used.

hidden fields in the form that a human can't fill in can help with some bots too.

also set a session time for registration. it is impossible for a human to fill out the registration form in under 10 seconds. so if the form is submitted within that time, then we know a human didn't do it.

but overall we want to do this with as little disruption to human usability as possible.

8
Dave_L
Re: SPAM attack
  • 2007/6/25 19:39

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


I agree that CAPTCHA's are not the ultimate tool, although I still think they're useful.

The "SESSION/POST" method you describe is already implemented in the XoopsSecurity class, and can be enabled by setting the fifth parameter in the XoopsForm constructor to "true". This feature is available in both 2.0.16 and 2.2.5-RC2. At least, I think that feature does the same thing you describe.

9
instantzero
Re: SPAM attack

Quote:

vaughan wrote:
right & wrong herve. yes it's a cliche.

but wouldn't matter if the core was secure enough and comments weren't allowed from anonymous or whatever.

i said it's not because of a XOOPS security issue, because it makes no difference due to the fact that CAPTCHA is practically to the point of being useless, and can't be relied on to protect your sites from BOTS anymore.


Bots (or not bots) are not the problem.
My clients have as much spam from bots than from humans.

The first problem is that many modules that use the XOOPS comments have a problem with comments (see the last correction I have made in News 1.54 in comment_new.php) but there are also some problems in the Core.

On some websites, some modules are receiving spams whereas there's no articles or no posts !

So there is a problem in the Core.
That's also why I was talking of Protector.

Concerning the CAPTCHA, like Dave, I had a reduce of 100% when I installed a CAPTACHA like this one :
http://xoops.instant-zero.com/modules/liaise/?form_id=2

CAPTCHA are not always useful, not because of the way they are acting but because of their implementation.
I invite you to read and try this CAPTCHA :
http://www.puremango.co.uk/cm_php_captcha_script_113.php

From the website :
Quote:

it also focuses on the security of the implementation. A lot of CAPTCHAs are relatively secure against OCR attacks, but fail to account for other attacks, such as session re-use.


The main problem with such CAPTCHA, that's their accessibility.
There are some new CAPTCHAs, I saw one where you have some short and simple riddles like "How much 5-2".
This will run for a limited time but at least, it's accessible.

10
vaughan
Re: SPAM attack
  • 2007/6/25 19:56

  • vaughan

  • Friend of XOOPS

  • Posts: 680

  • Since: 2005/11/26


Quote:

Dave_L wrote:
I agree that CAPTCHA's are not the ultimate tool, although I still think they're useful.

The "SESSION/POST" method you describe is already implemented in the XoopsSecurity class, and can be enabled by setting the fifth parameter in the XoopsForm constructor to "true". This feature is available in both 2.0.16 and 2.2.5-RC2. At least, I think that feature does the same thing you describe.


yes, i must admit i never delved into the xoopssecurity class that much, but just had a quick glance through it & it seems to do as I described.

if (!$GLOBALS['xoopsSecurity']->check()) {
        echo 
implode(''$GLOBALS['xoopsSecurity']->getErrors());
        exit();
    }


above in registerform.php should be doing that job.


oh, maybe captcha or something on the activation screen might hinder some too. click the activation link in the email, then it takes you to the your account has been activated page, what if we add captcha or something there too before the activation is completed.. bots aren't programmed to look for captchas on that page because the account activated page is never a form that needs user input.. might be an idea.

Login

Who's Online

307 user(s) are online (251 user(s) are browsing Support Forums)


Members: 0


Guests: 307


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits