Capcha or daily captcha?

[dolph]

Hi, I've seen that some site, especially directories, use daily captha (the same code all day long). Is this safe, or should I go for the normal one? Also, is there a good captcha class around?

[imvain2]

By far the best captcha is no captcha.

There are better, more efficient and visitor friendly ways of accomplishing the same thing.

[Smeagol]

I agree with your first statement imvain2, but would you care to enlighten us newbies as to what better, more efficient and user freindly ways you refer too.

[imvain2]

sorry.

One of my favorite ways is to simply add a text field and with css hide that field. Always leave that field empty then in your server code look to see if that field is empty or not. If it is not empty, that means some sort of program has filled in that field.

Another way that I commonly use is a simple question answer system. Where you ask a simple question that is common sense or very basic. Things like how many legs does a common cat have, or what is 1+5 or what color is a white house. These are things that seem stupid to a human, but are very difficult for a program to parse then answer.

Another method that I add on top of them is simply look for the below codes, because I don't expect anyone to provide these within my contact/login/create account forms. If anyone is giving links or bbcode, they should email them to me. So I display a note to the screen simply stating that the system has determined the message that you are entering in to contain spam. I have noticed that 99% of all my form spam included one of these codes.

Code:

[url
<a

[Smeagol]

Thanks for sharing imvain2. Us newbies really appreciate it.

[DaveSawers]

Quote:

Originally Posted by imvain2

Another method that I add on top of them is simply look for the below codes, because I don't expect anyone to provide these within my contact/login/create account forms...

All input to all form fields should be rigorously checked to ensure that the contents contain only the sort of things you are expecting and will accept. This is to prevent SQL injection and other attacks.

[imvain2]

Quote:

Originally Posted by DaveSawers

All input to all form fields should be rigorously checked to ensure that the contents contain only the sort of things you are expecting and will accept. This is to prevent SQL injection and other attacks.

You are correct, I run all form fields through a function that removes and cleans up the code.

But this was specifically for anti spam methods.

[deepsand]

Quote:

Originally Posted by imvain2

By far the best captcha is no captcha.

There are better, more efficient and visitor friendly ways of accomplishing the same thing.

Well, unless you are going to have the visitor interact with a human, which visitors will most definitely not consider to be either efficient or user friendly, you are stuck with using a machine; which, by definition is CAPTCHA.

What actually puts off users are those CAPTCHA systems which require that they correctly identify and type a string of visually distorted character images. There are other CAPTCHA systems which are both easier and quicker for the user to negotiate, and more secure.

Such methods entail having the user perform a simple mental task, such as performing basic arithmetic, or identifying that image or text which does/does not share an easily identifiable trait with another image or group of images. The former can be optionally strengthened by having the question displayed as an image, rather than as text.

[dolph]

the reason I asked my question is that I am using 123ContactForm for my "contact us" forms. I did not enable any Captcha, but I got overwhelmed with spam. So I am thinking about enabling some of their Captcha options, but I don't know what to choose.

[innominds]

I don't recommend using daily captha.
I don't think it serves the purpose even in directories.

[MrGamm]

Most of the Captchas out there are way too difficult for someone to decipher. (I have left some websites and probably never returned because they were just too difficult)

I mean the actual visitors to your website, not the spammers.

Make your own... (Or at least make it easy)

I would rather have people actually get into the website and have to deal with one or two pieces of spam, instead of alienating half of the world with cryptic visual puzzles...

[deepsand]

Quote:

Originally Posted by MrGamm

I would rather have people actually get into the website and have to deal with one or two pieces of spam, instead of alienating half of the world with cryptic visual puzzles...

Spam is not the only problem; transactional sites need to ensure as best possible that an human is initiating the transaction.

What specific measures would you recommend for each type of site, transactional and non-transactional?

[MrGamm]

Quote:

Originally Posted by deepsand

Spam is not the only problem; transactional sites need to ensure as best possible that an human is initiating the transaction.

What specific measures would you recommend for each type of site, transactional and non-transactional?

Well Deepsand... Anything which is not trivial... such as transferring money or making a purchase...

PCI compliance... SSL... Ip logging... Geographic Logging... password strength checks... and even perhaps an extra layer of custom encryption... denying roaming... cookies... serializing forms... non-shared server space... notifications to the registrant of all happenings... throttle protection and logging... security breach announcements which go to the vendors rather than the public on discovery (at least enough time to get patches out) ... Hey... I know... maybe vendors should offer awards for finding software vulnerabilities? I mean how many people (really) are going to give up a nice tasty secret for free?

You're never going to get past the keystroke recorders... or the guys who take tiny stabs at random accounts... but... that's a start right?

I mean... I am amazed at what passwords you can attach to a web service account... I've even guessed a password after visiting someones myspace page... Maybe if everyone started with the easy stuff we could avoid bio-metrics, rfid's and the like...

I remember seeing one service which promised to call you... and ask you in person if you would like to initiate a large transaction... maybe a phone call before your account is drained of a few thousand would be nice?

I'm going to go and log into my friends paypal account now with the password "mypass" and make a large purchase... Hmmmnnn....

Looks like a few hundred thousand are thinking the same...

http://www.bing.com/search?q=my+payp...acked&filt=all

Paypal, the Safer, Easier way to lose your money...

[deepsand]

Quote:

Originally Posted by MrGamm

Well Deepsand... Anything which is not trivial... such as transferring money or making a purchase...

PCI compliance... SSL... Ip logging... Geographic Logging... password strength checks... and even perhaps an extra layer of custom encryption... denying roaming... cookies... serializing forms... non-shared server space... notifications to the registrant of all happenings... throttle protection and logging... security breach announcements which go to the vendors rather than the public on discovery (at least enough time to get patches out)

Apparently you are unaware of spinners; these are robots which rapidly complete legitimate transactions - some may violate a site's ToS, but that is of no material consequence with respect to blocking the transaction - in a manner that defeats even the usual CAPTCHA methods.

Spinners are commonly employed where a finite quantity of a particular commodity, one that has both sufficient value and an established secondary market, so as to make resale profitable, such as tickets for entertainment events, is publicly sold on-line. Spinners can establish completely new accounts, and place an order, in a fraction of the time required for a human with a pre-existing account to complete a transaction.

None of what you have here mentioned serve to determine whether or not the user is human, and will thus not deter spinners.

I have above noted several alternative CAPTCHA techniques that are both user friendly and, if properly designed and implemented, quite robust in the face of spinners.

[MrGamm]

Quote:

Originally Posted by deepsand

Apparently you are unaware of spinners; these are robots which rapidly complete legitimate transactions - some may violate a site's ToS, but that is of no material consequence with respect to blocking the transaction - in a manner that defeats even the usual CAPTCHA methods.

Spinners are commonly employed where a finite quantity of a particular commodity, one that has both sufficient value and an established secondary market, so as to make resale profitable, such as tickets for entertainment events, is publicly sold on-line. Spinners can establish completely new accounts, and place an order, in a fraction of the time required for a human with a pre-existing account to complete a transaction.

None of what you have here mentioned serve to determine whether or not the user is human, and will thus not deter spinners.

I have above noted several alternative CAPTCHA techniques that are both user friendly and, if properly designed and implemented, quite robust in the face of spinners.

I am not sure if I understand "spinners"... in the marketing world that refers to taking an article and reworking the content with different verbs and nouns, ect...

Completely Automated Public Turing test to tell Computers and Humans Apart.

I always thought any sort of visual test was the only thing you were going to get away with... I mean there are the math questions which are a simplified captcha... but it's still a captcha... having a website speak the captcha is no different... (not everybody has speakers, believe it or not)

The truth is Deep... there are websites which employ humans to pass the captchas all day long... "Work from home... solve a Captcha"

By your definition of a spinner... everything which I have mentioned works towards ensuring that a transaction is indeed being made by a single "account" or "user"... everything I have mentioned works to prevent somebody spamming the website with illegitimate orders...

Throttle protection... Ip logging... (they work hand in hand...)
Validating passwords against registered accounts... (It's not my problem if you want to bypass proper registration... why reserve tickets to people without credit cards, downpayments, ect...)

How exactly is one with a single credit card going to reserve or buy up all the tickets for a single event?

[deepsand]

Quote:

Originally Posted by MrGamm

IBy your definition of a spinner... everything which I have mentioned works towards ensuring that a transaction is indeed being made by a single "account" or "user"... everything I have mentioned works to prevent somebody spamming the website with illegitimate orders

To the contrary, none of the measures mentioned by you serve to distinguish between human and machine.

And, the issue is not "spamming" the site with "illegitimate" orders, but rather that of gaining an unfair advantage by using a spinner to place real orders, orders that are legitimate outside of the fact that the method employed violates a ToS.

1. PCI compliance - irrelevant; deals with post-transactional security of card data
2. SSL - irrelevant; deals with security of communication
3. Ip logging - untenable; human buyers can legitimately be anywhere; machines can give the appearance of being at any desired logical location
4. Geographic Logging - same as above
5. password strength checks - spinners establish legitimate new accounts, choosing their own passwords
6. an extra layer of custom encryption - irrelevant; see no. 2
7. denying roaming - untenable; see no. 3
8. cookies - irrelevant
9. serializing forms - irrelevant
10. non-shared server space - irrelevant
11. notifications to the registrant of all happenings - ineffective; the "registrant" is the spinner
12. throttle protection - ineffective; spinners automatically adjust their throughput rate to defeat such
13. logging - ineffective; is reactive, rather than proactive

[MrGamm]

Deep...

PCI compliance is a security standard to prevent people breaking into a system... whether they are breaking into a system for a cross site scripting attack to harvest legitimate user accounts or simply to reserve all those tickets you want...

I think this is where my coversations with you end... permanently... thanks for the insights...

I hear the Dungeons and Dragons convention is coming to your town... best reserve your ticket...

Okay you've upset me...

2. Is not irrelevant... I am not passing my credit card info across the web... whether I pass it across the web via a machine... or whether I pass it as a human being... it doesn't f'ng matter...
3. Then lets throw away all the paper trails all around the world. I think it would be a great way to beef up security.
4. Same as above. Look into things like Address Verification... Be my guest to go straight to Visa and tell them what they are doing is irrelevant...
5. Maybe you'll be able to block a few humans from making poor passwords which allow spinners to crack weak accounts...
6. See above...
7. It is perfectly a good practice to deny access to somebody else if they break an connection with the server and resume different client, or from a different network...
8. If you don't pass along the cookie... it's not you... even moreso over ssl...
9. Completely relevant... it prevents spammers from highjacking a form and throttling it...
10. Completely relevant... don't share space with insecure websites...
11. Then protect your own system from allowing a single registrant from registering all the tickets...
12. ENTIRELY EFFECTIVE... if a single registrant is throttling your machine with orders... it doesn't matter how much they let up... you're still preventing them from continuing..
13. I agree... I don't think logging serves any purpose at all... I think we should return to the honor system... this will surely prevent spinners from doing their work as we simply ask people if they really did register all 6,000 tickets at 5:00pm through 5:15pm...

Deep... I don't really think you have a right to be so asinine... but you obviously do... so please do not poison the web with what you think... do some research and try applying yourself...

IN the end... if your willing to allow someone register 5,000 tickets with 5,000 anonymous accounts without accepting any form of payment... then what good is the system to begin with?

Why bother? I say all the power to the spinners... either that... or make it first come first serve event... anything else doesn't make any sense at all... if your going to give something away for free... then deal with it...

[deepsand]

You've completely ignored what spinners are. They are not malicious applications designed to perform illegitimate actions; rather, they are applications designed to emulate a human user, but at a rate faster than humanly possible, so as to effect many legitimate transactions in the same amount of time required for a human to effect a single one.

Of all of the countermeasures you name, the only one which might serve to distinguish between human and machine is that dealing with the matter of speed; and, as noted, spinners can be, and have been, designed to both determine the threshold speed at which they can operate without their being detected and their session terminated, as well as varying their throughput rate so as to better avoid detection.

Regarding PCI, and its definition within the context of transactions as here under discussion, see http://en.wikipedia.org/wiki/PCI_DSS.

As for Dungeons & Dragons, I leave such for your own amusement.

Good luck with your attitude.

[MrGamm]

Deep... I've ignored what you've said because your lost in some sort of theoretical world...

Everything you've said about security is in use and it works... what you think is wrong... these things work...

If you have a nihilist view about security... then I really could care less about your "monster who is reserving all your tickets"

There is no point speaking with you...

[deepsand]

Do you really not understand what I've said? Or, are you simply being argumentative?

Try very carefully re-reading what I've said re. spinners.

They are applications specifically designed to emulate human activity, for the purpose of effecting legitimate transactions, and in a manner that is detectable, by definition, only by the use of CAPTCHA.

[MrGamm]

Yes... I understand... there are captcha solvers... whether that be humans or machines is entirely irrelevant to your ticket reservation process...

No matter what you do to try and prevent people from reserving too many tickets, you are missing the obvious... they are not verifying who the person is through payment. You make it sound like if I had 5,000 facebook friends who were willing to lend a free hand manually reserving free tickets that it wouldn't make a difference because it's the machines who are working against you rather than the policies and procedures of the ticket master...

This does not mean all of the items mentioned so far are not excellent security measures to prevent a system being compromised or used in ways in which it was not intended to be used, because they are.

Hey... if your giving away the service for free... does it really matter if it's a "human" using it or not? I think that's rather unfair to the machines...

I just don't think your paying attention... http://www.solona.net/wordpress/tag/captcha-solving

[deepsand]

No, you do not understand.

Each transaction is effected using a legitimate credit/debit/T&E card; all of the usual credentials required for succesfully executing a card based transaction are presented and verified. The only difference is that a human did not perform any of the data entry functions directly related to the transaction. And, it is not feasible that transactions should be paused pending a human attempting to contact the would be buyer.

Absent human verification, CAPTCHA is, by definition, the only other means of attempting to identify spinners.

Despite your portrayal to the contrary, the use of spinners is not confined to the on-line purchase of tickets; such was, as stated, but a common example. Another current use is with bidding systems, such as eBay and PPC programs, such as AdWords.

Finally, I've yet to see your suggestions re. suitable forms of CAPTCHA that might be used in both transactional and non-transactional environments.

[MrGamm]

Quote:

No, you do not understand.

Each transaction is effected using a legitimate credit/debit/T&E card; all of the usual credentials required for succesfully executing a card based transaction are presented and verified. The only difference is that a human did not perform any of the data entry functions directly related to the transaction.

Well Deep... I would say each transaction was legitimate.

You are crazy...

But you know what... You are right... I suggest you get on the horn with the ticket master and demand people pay in person... sign their names with a quill... that sort of thing...

Maybe we can put an end to chargebacks...

I've got a real problem for you... I have two checks which will bounce if I go and cash them... a human signed them... what can I do to put an end to humans signing bad checks... do you think there are any machines out there which could help me?

I know... Maybe you could insist to the ticket master that only one credit card owner in each city be allowed one ticket to ensure that too many people in the same city don't buy up all of your tickets? Oh wait... that wouldn't work for you because obviously a real smart spinner would just steal credit cards from various cities, at least 5,000 different cities to buy up all your tickets... Do I have the way you see it correct now?

Let's just hope when the Ticket Master goes with the Quill pen signature method that the spinners don't bring mexicans up from over the border to reserve all your tickets in advance...

Quote:

Finally, I've yet to see your suggestions re. suitable forms of CAPTCHA that might be used in both transactional and non-transactional environments.

There is no suitable captcha system to prevent crime... there never will be... I never said there was one... I simply gave my run down of good security practices...

I have yet to see anything come from you which is actually relevant to the real world. I don't think you live in it...

As for Adsense... people clicking on ads all day... that your own damn fault for buying advertisements and not paying attention to your return on investment...

[deepsand]

Quote:

Originally Posted by MrGamm

Well Deep... I would say each transaction was legitimate.

That is not for you to say. Your scope of authority in such matters is limited to that(those) site(s) which you are the owner of.

Quote:

Originally Posted by MrGamm

You are crazy...

Quote:

Originally Posted by MrGamm

But you know what... You are right... I suggest you get on the horn with the ticket master and demand people pay in person... sign their names with a quill... that sort of thing...

Maybe we can put an end to chargebacks...

I've got a real problem for you... I have two checks which will bounce if I go and cash them... a human signed them... what can I do to put an end to humans signing bad checks... do you think there are any machines out there which could help me?

I know... Maybe you could insist to the ticket master that only one credit card owner in each city be allowed one ticket to ensure that too many people in the same city don't buy up all of your tickets? Oh wait... that wouldn't work for you because obviously a real smart spinner would just steal credit cards from various cities, at least 5,000 different cities to buy up all your tickets... Do I have the way you see it correct now?

Nope; you're not even close.

Quote:

Originally Posted by MrGamm

There is no suitable captcha system to prevent crime

Crime? The only one talking about "crime" is you.

Quote:

Originally Posted by MrGamm

As for Adsense... people clicking on ads all day... that your own damn fault for buying advertisements and not paying attention to your return on investment...

Non sequitur, assumes facts not in evidence, irrelevant to subject at hand.

Quote:

Originally Posted by MrGamm

I have yet to see anything come from you which is actually relevant to the real world. I don't think you live in it...

This from the man with the tin foil hat?

[MrGamm]

Coming from the man who thinks the machines are out to buy up all his tickets without any human intervention...

Tell me deep... what's the average credit score of your autonomous warrior robot army?

[deepsand]

Quote:

Originally Posted by MrGamm

Coming from the man who thinks the machines are out to buy up all his tickets without any human intervention...

Wrong again.

This from one who knows that there are humans willing and able to use machines to gain an unfair advantage, to "game" the system.

Quote:

Originally Posted by MrGamm

... what's the average credit score of your autonomous warrior robot army?

If you understood the issue, you'd know that such is irrelevant.

[MrGamm]

Deep I understand the issue... you have decided that machines are gaming the system...

I've already told you it's the system itself... it's the policies which are the problem... either that of you just think the world is against you with a robot army...

It's not the machines...

[deepsand]

In your unsubstantiated opinion.

[dontmindme]

Do you have some stats for comparison? I've heard about the empty text field trick, but how much does that reduce your spam in comparison to regular captcha?

Quote:

Originally Posted by imvain2

sorry.

One of my favorite ways is to simply add a text field and with css hide that field. Always leave that field empty then in your server code look to see if that field is empty or not. If it is not empty, that means some sort of program has filled in that field.

Another way that I commonly use is a simple question answer system. Where you ask a simple question that is common sense or very basic. Things like how many legs does a common cat have, or what is 1+5 or what color is a white house. These are things that seem stupid to a human, but are very difficult for a program to parse then answer.

Another method that I add on top of them is simply look for the below codes, because I don't expect anyone to provide these within my contact/login/create account forms. If anyone is giving links or bbcode, they should email them to me. So I display a note to the screen simply stating that the system has determined the message that you are entering in to contain spam. I have noticed that 99% of all my form spam included one of these codes.