
Geeklog Forums

CAPTCHA Cracked, Now Getting 50 Spam User Submissions Per Hour


mystral-kk

Site Admin
Admin
Registered: 03/19/06
Posts: 100
Location:Japan
Quote by: ::Ben

Thank you for the reCaptcha plugin. I got 2 questions:

1. How to enable the reCaptcha on a custom registration page?
2. Is it possible to move the reCaptcha from the top to the bottom of the form?

Ben



Question 1. Add the lines below to the CUSTOM_userForm() function after you create the Template object (e.g. just after "$user_templates->set_file('memberdetail', 'memberdetail.thtml');")




if (is_callable('plugin_templatesetvars_recaptcha')) {
    plugin_templatesetvars_recaptcha('registration', $user_templates);
}
 


Question 2. reCAPTCHA, like other CAPTCHAs, should be displayed where you write the {captcha} template variable in the template file. With the Modern Curve theme, {captcha} is written at line 22 (users/registration.thtml) before the buttons and reCAPTCHA is displayed there.


-- mystral-kk, "Every cloud has a silver lining."

mystral-kk

Site Admin
Admin
Registered: 03/19/06
Posts: 100
Location:Japan

Ben, I forgot to say that you have to put the {captcha} template variable in your "path_layout/custom/memberdetail.thtml" file. You can put it anywhere between the <form> and </form> tags.


-- mystral-kk, "Every cloud has a silver lining."

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1468
Location:Canada
Hi mystral-kk,

I notice that reCAPTCHA is not working for the forum (it doesn't display the reCAPTCHA at all). I am looking into this right now (the forum worked fine for the regular CAPTCHA plugin).

reCAPTCHA works for Registration and comment posting and I am now getting only a fraction of new spammy users.
One of the Geeklog Core Developers.

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1468
Location:Canada
Okay,

I figured out the issue with the forum. It doesn't work with recaptcha because the forum looks for specific functions from the captcha plugin before it sets the template variable. I have updated createtopic.php of the latest forum version to work with both plugins. For those who want it, email me and I will send it to you (this fix will be included in the next version of the forum).

Also mystral-kk, I see what Ben was talking about with the recaptcha appearing at the top of the forum. This happens in the forum unless you update the HTML of the submissionform_main.thtml file of the forum. The reason this happens is that some themes and plugins are set up in a way where the captcha is added to the table row. The captcha plugin handled this by having separate template files for each captcha type (i.e. registration, forum, article, etc.) and it had the table row information in the corresponding template file. This works fine unless you have a multi-theme site or if the Geeklog theme has been updated to use something other than table rows (like Modern Curve).

With recaptcha it inserts a div only (plus the captcha stuff in the div). This is fine in a lot of cases except when you need to add some extra CSS to place the recaptcha if it is enabled. For example, the forum still uses tables. I had to hardcode the extra table row into the template file and it will appear whether the recaptcha plugin is turned on or off. I also had to add an extra div around the captcha template variable so I could float it to the right. A partial fix to the extra div issue is to have the recaptcha plugin insert its own div with a class based on the type. This way in the CSS file of each Geeklog theme/plugin you could add your own styling for the recaptcha plugin based on the type (forum, registration, article, etc.)

What do you think?

Tom



One of the Geeklog Core Developers.

::Ben

Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
I'm testing a new version of the captcha plugin on geeklog.fr and have noticed no spam for 24H. You can see it in action on the registration page or on the contact page.

I will clean the code and make a new release on Monday.

Ben

PS: Nothing is unbreakable... just a matter of time.
I'm available to customise your themes or plugins for your Geeklog CMS

mystral-kk

Site Admin
Admin
Registered: 03/19/06
Posts: 100
Location:Japan
Quote by: Laugh

Okay,

I figured out the issue with the forum. It doesn't work with recaptcha because the forum looks for specific functions from the captcha plugin before it sets the template variable. I have updated createtopic.php of the latest forum version to work with both plugins. For those who want it, email me and I will send it to you (this fix will be included in the next version of the forum).

Also mystral-kk, I see what Ben was talking about with the recaptcha appearing at the top of the forum. This happens in the forum unless you update the HTML of the submissionform_main.thtml file of the forum. The reason this happens is that some themes and plugins are set up in a way where the captcha is added to the table row. The captcha plugin handled this by having separate template files for each captcha type (i.e. registration, forum, article, etc.) and it had the table row information in the corresponding template file. This works fine unless you have a multi-theme site or if the Geeklog theme has been updated to use something other than table rows (like Modern Curve).

With recaptcha it inserts a div only (plus the captcha stuff in the div). This is fine in a lot of cases except when you need to add some extra CSS to place the recaptcha if it is enabled. For example, the forum still uses tables. I had to hardcode the extra table row into the template file and it will appear whether the recaptcha plugin is turned on or off. I also had to add an extra div around the captcha template variable so I could float it to the right. A partial fix to the extra div issue is to have the recaptcha plugin insert its own div with a class based on the type. This way in the CSS file of each Geeklog theme/plugin you could add your own styling for the recaptcha plugin based on the type (forum, registration, article, etc.)

What do you think?



As you know, I made the reCAPTCHA plugin in haste, so I didn't test it thoroughly with all item types. I just read functions.inc of the CAPTCHA plugin and learned how it works. Anyway, I think it would be better to change the template file of the Forum plugin (maybe submissionform_main.thtml?), because it is costly to deal with this issue on the CAPTCHA's side every time a new CAPTCHA plugin is created.



-- mystral-kk, "Every cloud has a silver lining."

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1468
Location:Canada
Quote by: ::Ben

I'm testing a new version of the captcha plugin on geeklog.fr and have noticed no spam for 24H. You can see it in action on the registration page or on the contact page.

I will clean the code and make a new release on Monday.

Ben

PS: Nothing is unbreakable... just a matter of time.




How true. I like the idea Ben. In the plugin is it possible to have captcha, or the slider, or both to display? It would be nice to have all these combined into one plugin and then the user can select which options he wants to use.
One of the Geeklog Core Developers.

mystral-kk

Site Admin
Admin
Registered: 03/19/06
Posts: 100
Location:Japan

It would be ideal to change Ben's CAPTCHA plugin into one like the Spam-X plugin in that it is a meta plugin, extensible by sub modules so that the user can choose how to provide a CAPTCHA from static images, dynamic images, external service like reCAPTCHA, and so on.


-- mystral-kk, "Every cloud has a silver lining."

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1468
Location:Canada
Quote by: mystral-kk

As you know, I made the reCAPTCHA plugin in haste, so I didn't test it thoroughly with all item types. I just read functions.inc of the CAPTCHA plugin and learned how it works. Anyway, I think it would be better to change the template file of the Forum plugin (maybe submissionform_main.thtml?), because it is costly to deal with this issue on the CAPTCHA's side every time a new CAPTCHA plugin is created.




I updated submissionform_main.thtml to make it work. I also emailed you my updates to the recaptcha plugin. The update adds a div to make styling a little easier.
One of the Geeklog Core Developers.

Jeff Rivett

Anonymous
I switched to the ReCAPTCHA plugin and it works perfectly for me. No spammer registration attempts are getting past ReCAPTCHA.

I left the CAPTCHA plugin enabled, and that doesn't seem to be a problem. Also it makes it easy to check the captcha log, which shows this for every attempt since I switched to ReCAPTCHA:
"Detected an attempt to bypass CAPTCHA (no session id) in registration"

Maybe that's a clue as to a possible weakness in the CAPTCHA plugin?

Anyway, thanks!

mystral-kk

Site Admin
Admin
Registered: 03/19/06
Posts: 100
Location:Japan
Quote by: Laugh


I updated submissionform_main.thtml to make it work. I also emailed you my updates to the recaptcha plugin. The update adds a div to make styling a little easier.



Thanks, Tom. Based on your improvements, I made v1.0.1 and submitted it to geeklog.net.



-- mystral-kk, "Every cloud has a silver lining."

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1468
Location:Canada
Quote by: Anonymous

I switched to the ReCAPTCHA plugin and it works perfectly for me. No spammer registration attempts are getting past ReCAPTCHA.

I left the CAPTCHA plugin enabled, and that doesn't seem to be a problem. Also it makes it easy to check the captcha log, which shows this for every attempt since I switched to ReCAPTCHA:
"Detected an attempt to bypass CAPTCHA (no session id) in registration"

Maybe that's a clue as to a possible weakness in the CAPTCHA plugin?

Anyway, thanks!



Geeklog 2.1.0 comes with its own log viewer (which is long overdue). The reCAPTCHA and CAPTCHA plugins work internally pretty much the same way. I think the spammers just figured out how to read the CAPTCHA images we use. I still get spammers getting through reCAPTCHA but a lot fewer than before. I have seen some reports on the net that reCAPTCHA lets through up to 17% of the spammers. That is a fairly high number which I don't currently see on my sites. reCAPTCHA's positive feature is that it is maintained by Google and that they can update it as spammers figure things out. This is also its negative feature since most spammers will be targeting reCAPTCHA.

I like Ben's slider idea in his updated CAPTCHA plugin.

Ben, I notice it locks the submit button. Does this work with plugins that use CAPTCHA as well? Can we use a combination of the CAPTCHA and the slider?

Here is a feature request. Make it easy to add in new CAPTCHA-like security measures by just adding a class to the captcha directory (sort of like how SPAM-X works). If possible also make it easy to have them work in combination with each other.

Another request would be to add some sort of configurable speed control. For example, for the CAPTCHA entry to work there must be x number of seconds between displaying the form and submitting. Most spam bots probably submit the form in a second or 2, whereas it will take a user a while to fill out a form before submitting it.



One of the Geeklog Core Developers.

::Ben

Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
Does this work with plugins that use CAPTCHA as well?

Yes. The contact page uses the contact plugin. I think that images for captcha are no longer a good solution. A speed limit can be a nice feature. For the available version, like in the next, I use a simple hidden blank field... Powerful. Not one spam in 48H.
Sorry, but I will have no time to make more improvements before the release tomorrow.

Ben
I'm available to customise your themes or plugins for your Geeklog CMS
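
The two measures discussed in the posts above, a minimum delay between showing the form and submitting it and a hidden field that must stay blank, sketched in PHP as an added example (not code from the CAPTCHA or reCAPTCHA plugins). The function names, the `form_token` and `website` field names and the secret are assumptions made for the illustration.

```php
<?php
// Added illustration; every name here (antispam_*, form_token, website) is hypothetical.
const ANTISPAM_MIN_SECONDS = 5;     // faster than this is treated as a bot
const ANTISPAM_MAX_SECONDS = 3600;  // older tokens must be re-issued

// Called when the form is rendered: returns "timestamp:hmac" for a hidden field.
function antispam_issue_token(string $secret, int $now): string {
    return $now . ':' . hash_hmac('sha256', (string) $now, $secret);
}

// Called on submit: returns '' when the post looks human, else a reason to log.
function antispam_check(array $post, string $secret, int $now): string {
    // Honeypot: a field hidden with CSS that real users never fill in.
    if (($post['website'] ?? '') !== '') {
        return 'honeypot field filled';
    }
    $parts = explode(':', (string) ($post['form_token'] ?? ''), 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'missing or malformed token';
    }
    [$issued, $mac] = $parts;
    // The MAC stops a bot from simply back-dating the timestamp itself.
    if (!hash_equals(hash_hmac('sha256', $issued, $secret), $mac)) {
        return 'token signature mismatch';
    }
    $elapsed = $now - (int) $issued;
    if ($elapsed < ANTISPAM_MIN_SECONDS) {
        return "submitted too fast ({$elapsed}s)";
    }
    if ($elapsed > ANTISPAM_MAX_SECONDS) {
        return 'token expired';
    }
    return '';
}

// Constructed sample data: a form rendered at t=1000 with a made-up secret.
$secret = 'constructed-example-secret';
$token  = antispam_issue_token($secret, 1000);
$cases  = [
    'human after 40s' => [['form_token' => $token, 'website' => ''], 1040],
    'bot after 1s'    => [['form_token' => $token, 'website' => ''], 1001],
    'bot fills trap'  => [['form_token' => $token, 'website' => 'http://x.example'], 1040],
    'forged time'     => [['form_token' => '1:' . str_repeat('0', 64), 'website' => ''], 1040],
];
foreach ($cases as $label => [$post, $now]) {
    $reason = antispam_check($post, $secret, $now);
    echo $label, ': ', $reason === '' ? 'accepted' : "rejected ($reason)", "\n";
}
```

A token stays valid until it expires, so a deployment would also tie it to the visitor's session or record used tokens.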

Laugh

Site Admin
Admin
Registered: 09/27/05
Posts: 1468
Location:Canada
Hey Ben,

I tried out your new release today and had the slider working for the registration and forum but it wasn't working for the comments. I slid the slider on the comment edit form and hit submit but it just returned the comment edit form again and didn't submit it for moderation.

I am not sure why it is not working...

Tom
One of the Geeklog Core Developers.

Jeff Rivett

Anonymous
Quote by: Anonymous

I left the CAPTCHA plugin enabled, and that doesn't seem to be a problem.


I was wrong about that. Leaving CAPTCHA enabled alongside ReCAPTCHA causes ReCAPTCHA to fail and produces the log error "You have attempted to bypass the CAPTCHA processing at this site...". I disabled CAPTCHA and now ReCAPTCHA works fine. I check the logs using the Monitor 1.1 plugin (https://www.geeklog.net/article.php/2013062908235210). But spammer registrations are still not getting through, which is a relief.

masodo

Forum User
Chatty
Registered: 11/13/12
Posts: 35
Location:Indiana US
I just installed CAPTCHA plugin 3.5.2 by ::Ben from Geeklog.fr.

Nice work ::Ben - thank you for taking prompt action against this latest wave of attacks by getting this updated plugin up and running.

I auto installed it with no problems - replacing the previous version of Captcha (3.1 I think) on Geeklog 1.8.1 on BlogDogIt.com

I like the slider concept and look forward to offering this cutting edge solution to BlogDogIt users.

I was going to just switch from Static Images to the GD Lib option - which seemed to shut them down for the hour or so it was configured - so I came here looking for an explanation as to what the "GD Lib" option even IS... but after finding this discussion I decided to jump on this "Squint-Free" solution.

I also posted a little something about this on BlogDogIt.com: Not Yer Pappy's Capcha

Fingers crossed...

winnerdk

Forum User
Full Member
Registered: 04/24/05
Posts: 339
Location:Panama City, Republic of Panama
OK guys, I just installed the reCaptcha plugin and spam user submissions dropped to zero.

Now I see Ben has updated and released a new version of Captcha.

I'm running GL 1.7.1sr1 on this website. Will this new release of Captcha work on my site?

And please don't bother lecturing me on the importance of upgrading. Every time I go down that path it turns into a few days of terror...

Don (OP)

::Ben

Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
Captcha uses the scripts class, so the minimum is Geeklog 1.8.0

Ben
I'm available to customise your themes or plugins for your Geeklog CMS

JoJmoto

Anonymous
I did not build my site and have no real idea how to install the new Captcha. I have obtained about 1000 new "Users" over the last week and a half. Is there someone who can contact me and walk me through what I need to do to fix this issue?

My Site is www.Southeastmx.com

I think it was built using PHP or something... sorry, I just run the place, didn't know I would have to take lessons in website building.

My email address is Southeastmx@live.com

::Ben

Forum User
Full Member
Registered: 01/14/05
Posts: 1569
Location:la rochelle, France
JoJmoto, I can install the new version of the captcha plugin if your site is powered by Geeklog 1.8.0 or higher, or switch to the reCaptcha plugin (Geeklog 1.5.0 or higher). Please contact me in private.

Thanks,

Ben
I'm available to customise your themes or plugins for your Geeklog CMS