xoops forums

tedsmith

Home away from home
Posted on: 2011/10/7 7:38
Posts: 1151
Since: 2004/6/2 1
#1

How are spammers bypassing the CAPTCHA?

Hi

I was having spammers ruin my site using XOOPS 2.4.4, so I upgraded to 2.5.3 the other day so that I had some CAPTCHA options to ensure only humans registered.

However, the spammers are still getting through! If you look at my 'Recent Members' block on my site (www.lost-doggies.com) for 7/10/11, I think all of them are spammed accounts added since two days ago when I added CAPTCHA.

How are they getting past it, and how can I stop them? They surely aren't manually registering, and I don't really want to have to approve registrations myself because I am often away for a few days at a time and I don't want genuine members to have to wait to upload their lost dog reports.

Dante7237

Friend of XOOPS
Posted on: 2011/10/7 14:17
Posts: 288
Since: 2008/5/28
#2

Re: How are spammers bypassing the CAPTCHA?

They may very well be manually registering. Most CAPTCHAs have been broken by software means as well.

There is no ultimate protection other than vigilance.
The more I know, the more I know that I really didn't wanna know.

timgno

Module Developer
Posted on: 2011/10/7 14:42
Posts: 1504
Since: 2007/6/21
#3

Re: How are spammers bypassing the CAPTCHA?

Which version of Profile do you have?

You can try to disable the first step to save and enter a mandatory field in the second step.

trabis

Core Developer
Posted on: 2011/10/7 18:49
Posts: 2269
Since: 2006/9/1 1
#4

Re: How are spammers bypassing the CAPTCHA?

If your server has the cURL PHP extension, you can enable 'stopforumspam' in Protector preferences. It will filter 90% of the spammers that break CAPTCHAs.

You can also add extra protection by checking whether the user (spammer) accessed register.php directly (without clicking on the register link).
You can edit profile/preloads/core.php and add this extra method:
function eventCoreHeaderStart($args)
{
    // Remember clients that arrived without a Referer header
    // (typical of bots posting directly to register.php).
    if (empty($_SERVER['HTTP_REFERER'])) {
        $_SESSION['noref'] = true;
    }

    // Only act on a form submission that looks like a registration
    // coming from a client previously seen without a Referer.
    if ($_SERVER['REQUEST_METHOD'] != 'POST') return true;
    if (!isset($_SESSION['noref'])) return true;
    if (!isset($_POST['email'])) return true;

    // Discard the submitted data so the registration cannot complete.
    $_POST = array();
    return true;
}


This code will empty $_POST when direct access is detected, and the spammer will not be able to commit any data. This approach will filter 90% of the remaining 10%. You may still get spammer accounts, but they will probably be created by real users.
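As an added example (not code from this thread or from XOOPS), the same "no Referer, then POST to register.php" rule can be run over the web server's access log to confirm whether the spam accounts really are arriving by direct post before changing the site. The script below parses combined-format log lines and uses the client IP as a stand-in for the PHP session; the log lines, IP addresses and the www.example.com referer are constructed for the example.

```python
import re

# Apache/nginx "combined" log format, which includes the Referer field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not a real server log.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Oct/2011:07:30:01 +0100] "GET /register.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Oct/2011:07:30:02 +0100] "POST /register.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2011:07:31:10 +0100] "GET / HTTP/1.1" 200 9000 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2011:07:31:40 +0100] "GET /register.php HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2011:07:32:30 +0100] "POST /register.php HTTP/1.1" 302 0 "http://www.example.com/register.php" "Mozilla/5.0"
192.0.2.55 - - [07/Oct/2011:07:33:00 +0100] "POST /register.php HTTP/1.1" 200 2048 "-" "python-requests/0.8"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match.
    An absent Referer is logged as "-" and normalised to the empty string here."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    if rec['referer'] == '-':
        rec['referer'] = ''
    return rec


def flag_direct_registrations(log_text, register_path='/register.php'):
    """Return (ip, timestamp) for every POST to register_path made by a client
    that, on this or an earlier request, arrived without a Referer.

    This mirrors the preload logic from the post: an empty Referer sets a
    per-client flag (here keyed by IP instead of the PHP session), and a
    later POST to the registration page from a flagged client is suspect."""
    noref_clients = set()
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['referer'] == '':
            noref_clients.add(rec['ip'])      # like $_SESSION['noref'] = true
        if rec['method'] != 'POST':
            continue
        if rec['path'].split('?', 1)[0] != register_path:
            continue
        if rec['ip'] in noref_clients:
            flagged.append((rec['ip'], rec['ts']))
    return flagged


if __name__ == '__main__':
    for ip, ts in flag_direct_registrations(SAMPLE_LOG):
        print(f'{ts}  direct registration POST from {ip}')
```

Two of the three registration POSTs are flagged: the client that fetched register.php with no Referer and the one that posted without ever loading a page. The third client followed the normal link path and is left alone. Keep in mind that the Referer header is set by the client and is stripped by some browsers and privacy tools, so an empty value is a signal, not proof; a real member without a Referer will also be flagged, and in the PHP preload above will have their registration silently dropped.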