1
tedsmith
How are spammers bypassing the CAPTCHA?
  • 2011/10/7 7:38

  • tedsmith

  • Home away from home

  • Posts: 1151

  • Since: 2004/6/2 1


Hi

Was having spammers ruin my site using Xoops 2.4.4 so I upgraded to 2.5.3 the other day so that I had some CAPTCHA options to ensure only humans registered.

However, the spammers are still getting through! If you look at my 'Recent Members' block n my site (www.lost-doggies.com) for 7/10/11 I think all of them are spammed accounts added since two days ago when I added CAPTCHA

How are they getting past it and how can I stop them? They surely aren't manually registering, and I don't really want to have approve registrations myself because I am often away for a few days at a time and I don't want genuine members to have to wait to upload their lost dog reports.

2
Dante7237
Re: How are spammers bypassing the CAPTCHA?
  • 2011/10/7 14:17

  • Dante7237

  • Friend of XOOPS

  • Posts: 294

  • Since: 2008/5/28


They may very well be manually registering.. Most captchas have been broken by software means as well.

There is no ultimate protection other than vigilance.
The more I know, the more I know that I really didn't wanna know.

3
timgno
Re: How are spammers bypassing the CAPTCHA?
  • 2011/10/7 14:42

  • timgno

  • Module Developer

  • Posts: 1504

  • Since: 2007/6/21


which version you have a profile?

you can try to disable the first step to save and enter a mandatory field in the second step

4
trabis
Re: How are spammers bypassing the CAPTCHA?
  • 2011/10/7 18:49

  • trabis

  • Core Developer

  • Posts: 2269

  • Since: 2006/9/1 1


If your server has CURL php extension, you can enable 'stopforumspam' in protector preferences. It will filter 90% of the spammers that break captchas.

You can also add extra protection by checking if the user(spammer) accessed register.php directly (without clicking on register link)
You can edit profile/preloads/core.php and add this extra method:
function eventCoreHeaderStart($args)
    {
        if (empty(
$_SERVER['HTTP_REFERER'])) {
           
$_SESSION['noref'] = true;
        }

        if (
$_SERVER['REQUEST_METHOD'] != 'POST') return true;
        if (!isset(
$_SESSION['noref'])) return true;
        if (!isset(
$_POST['email'])) return true;
        
$_POST = array();
    }


This code will empty $_POST when direct access is detected and spammer will not be able to commit any data. This approach will filter 90% of the remaning 10%. You may still get spammer accounts, but they will probably be done by real users.

Login

Who's Online

254 user(s) are online (145 user(s) are browsing Support Forums)


Members: 0


Guests: 254


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits