Please change your captcha system

Started by escrowms, May 24, 2013, 12:55:12 PM


escrowms

I'm not sure which one is installed here, but it creates problems for those who have weak eyes like me.

I have to try 5 times to find out the right characters.

I know I can use zoom in the browser or use my glasses, but still I would like to say that this site's current captcha system is very old. You guys should upgrade it to reCAPTCHA or something else.

mashby

Always be a little kinder than necessary.
- James M. Barrie

Arantor

The problem with changing it on this site is that there is not really any alternative we can actually *use* on this site. Btw, it's the same one that's actually in SMF that you can download and use yourself.

ReCAPTCHA is weak and has been broken for some time, and the best method (anti spam questions) can't be used here because it doesn't support multiple languages.

(Oh and it goes away at 10 posts)
Holder of controversial views, all of which my own.


prozacer

I totally agree!
I use "Listen to the letters" every time to post my comment.

kat

Not that it stops the little turdy spamtards, anyway...

It's a bit of a shame that Microsoft beefed-up their security, after Windows 98.

Up until W2000, I could remotely fry people's mobos...

Colin

We should look at the statistics though and see how much it is really doing to prevent spam. If it is degrading the newer users' experience then it should not be deployed.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Burke ♞ Knight

Be that as it may be, stopping even 25% or so of spam bots is better than stopping none.

kat

I'd suggest that if it stops one genuine member from joining and posting, though, it's a 100% failure.

MrPhil

No "hard shell defense" designed to keep bots from signing up is going to be 100% effective, at least not without being more than 0% effective in stopping genuine members from joining (including those with vision problems who can't solve visual puzzles). If you don't want to stop some genuine members, you have to accept that something less than 100% of the spammers will be stopped (super smart bots and human spam farm signups). At that point, the battle has to shift to the automated watching of post content and poster behavior. Suspicious posts need to be held for moderator approval.

dimspace

Posted in another spam thread but relevant here.

Just some followup on this regarding ReCaptcha
==================================
First up, my forum has as first line of defence Bad Behaviour
Then the standard registration defence of SMF captcha
And then we have Stop Forum Spam, which checks emails and IPs against a database and stops more spammers

Generally about 2-3 a day get through the registration and get picked up by stop forum spam and sent to a manual approval queue.

Installed the ReCaptcha mod on monday of this week to see how that compared to smf captcha.

Tuesday 17 spammers made it through registration and got picked up by "stop forum spam"
Wednesday 23
Thursday 19
Friday 26

This morning I logged on, 34 members waiting approval, all indicated as spammers by Stop forum spam

Conclusion: either I have been targeted coincidentally by a huge spamming campaign,
or reCAPTCHA is nowhere near as effective as the built-in SMF captcha

Likely the latter and that they have automated ways of getting around recaptcha

MrPhil

If you look at other discussions about CAPTCHA systems on this forum, you will find many saying that reCAPTCHA is totally broken. Did you turn off Bad Behaviour and Stop Forum Spam, and just run with reCAPTCHA? Or did you only replace SMF CAPTCHA with reCAPTCHA?

Of course, if you've mentioned your forum anywhere, and especially if you've boasted about how good its spam defenses are, it's entirely possible that spammers are attacking you en masse.

dimspace

No, they are turned on. We do get a fair few spam attacks thanks to Twitter. And yes, reCAPTCHA is borked.

Personally I think the SMF captcha is as good as any, when it's not set with loads of noise so it can't be read.

Phoenix_IV

I can't get the audio version to work. Neither with Firefox nor with Opera.

Captchas are okay, but in this one the (small) letters are very often unreadable because of one of the stripes and some letters look very similar.
E.g. I always messed up 'u', 'v' and 'a'. Maybe you can remove those if possible?

Arantor

2.1's is a bit better because all the fonts are changed.

I might see about integrating my custom CAPTCHA in future though.
Holder of controversial views, all of which my own.


Sir Osis of Liver


Hee, hee. This reminds me of a busywork project I tinkered with on/off for a couple of years.  Go here and you'll see it. 

Good news is, it's 100% effective against bots.

Bad news is, it's been a while since I did it, and I no longer have any idea how it works. :P

When in Emor, do as the Snamors.
                              - D. Lister

Arantor

It was 100% effective against bots because it's unique. The readonly text field doesn't prevent bots. They just have to realise there's a CAPTCHA image and to OCR it (which is not even remotely a challenge, there are CAPTCHA solving bots doing neural network learning OCR in JavaScript these days), and populate the text field.

The more widely deployed something is, the more it is worth automating a solution against it.
Holder of controversial views, all of which my own.


Sir Osis of Liver


Well, yes, it helps that it's a one-off. ::)  But if you view source, you'll see that the code is mostly gibberish, and iirc, all the variables are randomized (md5, I think), including the text field that's submitted to the form handler, and the actual verification code.  Everything is hashed, and everything changes each time the pad refreshes, so every reload is unique.  No idea how easy it might be to beat.

When in Emor, do as the Snamors.
                              - D. Lister

Arantor

As a one-off, it's basically invulnerable to automation, because it's a one-off. If it were to be widely deployed it would be very vulnerable very quickly (because a bot can request the page, request the image, decode the image, build the request)... just like it does currently.
Holder of controversial views, all of which my own.


sCali

Quote from: K@ on May 30, 2013, 04:55:47 AM
I'd suggest that if it stops one genuine member from joining and posting, though, it's a 100% failure.
I absolutely agree with that. I had fixed the spam issue by using a random Q&A; it stopped all the automatic registration, and all I had left were manual spammers, which were very easy to boot off.

Kindred

As has already been discussed several HUNDRED times - we can not currently use the questions feature here on simplemachines.org since it does not (yet) support multi-language questions and we have a large international contingent who read limited, if any, English.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

I would note that I am working on multi-language Q&A for 2.1, I've just hit a roadblock with making a decent interface for it ;)
Holder of controversial views, all of which my own.
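
A sketch of the multi-language question-and-answer check discussed in the posts above, as an added example that is not part of any post and is not SMF's code. The question pool, language codes and function names are constructed for illustration.

```python
import secrets
import unicodedata

# Constructed sample pool: language code -> list of (question, accepted answers).
# Real questions should be specific to the forum's own subject matter.
QUESTIONS = {
    "en": [("What colour is a ripe banana?", ["yellow"])],
    "ru": [("Какого цвета спелый банан?", ["жёлтый", "желтый"])],
    "de": [("Welche Farbe hat eine reife Banane?", ["gelb"])],
}
DEFAULT_LANG = "en"


def normalise(text):
    """Fold case, full-width forms and combining marks; trim whitespace."""
    return unicodedata.normalize("NFKC", text).casefold().strip()


def pick_question(lang):
    """Choose a question in the visitor's language, else the default language.

    Returns (lang_used, index, question). Keep lang_used and index in the
    server-side session; only the question text goes into the form.
    """
    lang_used = lang if lang in QUESTIONS else DEFAULT_LANG
    index = secrets.randbelow(len(QUESTIONS[lang_used]))
    return lang_used, index, QUESTIONS[lang_used][index][0]


def check_answer(lang_used, index, submitted):
    """Compare the reply with the accepted answers for the stored question."""
    pool = QUESTIONS.get(lang_used, [])
    if not isinstance(index, int) or not 0 <= index < len(pool):
        return False  # session state missing or tampered with
    accepted = {normalise(a) for a in pool[index][1]}
    return normalise(submitted) in accepted
```

The question is plain text, so a screen reader can read it, and normalising both sides keeps a genuine member from failing on capitalisation, stray spaces or an alternative spelling.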


kat

I wonder if just using numerical figures would do the job?

I realise that they're not, perhaps, 100% language-neutral. But, they'd be more-so than words and fingz, innit?

Arantor

No, it wouldn't.

Two problems. Firstly, bots are smart enough to solve that easily enough. The less smart ones will just throw the question at Google and see what happens. (And Google Calculator will give the answer readily enough)

Secondly, you'd be surprised how people have trouble with this. One forum I know used to have a question of "5 - 8 = ?" and the number of people who didn't realise the answer was -3 and were insistent that the answer was 3 was actually surprising (and sad)
Holder of controversial views, all of which my own.


kat

I meant just displaying numbers, such as "6789 3856".

The reason I wondered, is that some of the download sites, such as ZippyShare and PutLocker seem to use numbers, now.

Those numbers aren't text, though. They're photographs of numbers.

Maybe, something like...

???

Kindred

But what if it's a Russian keyboard that doesn't have Latin letters?

And, I would assume that some systems (Chinese?) use other than Arabic numerals....
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

kat

Maybe what was said about "Language-specifics" could be employed?

You'd need way fewer files, for this, than you would for words, shirley?

(I'm just kinda throwing things around, really). ;)

As I said, I've seen this kinda thing on some sites and it's SOOOO much better than the usual stuff. :)

Kindred

Actually, I think that the concept of supporting questions in multiple languages is the best idea...   we know that questions work - we just need to make them work for sites which support more than a single language

I don't think that image matching is really the way to go, since that would then exclude the visually impaired/blind...
(and, if you have some sort of audio answer, then the spam processors can parse it)

Questions can be read by screen readers, but, if properly phrased, are not answerable by bots.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

Well, that's what reCAPTCHA is doing at the moment, it's offering up an 8-9 digit number with deformation (which it knows) and the house number from a photo from Street View (which it is presumably using for the purposes of identifying numbers, since it knows where the picture was taken and it's using it as crowd sourced geotagging)

But some of those are not a lot better than the CAPTCHA we already have.
Holder of controversial views, all of which my own.


kat

I suspect people have been working on all sorts of ideas, for ages, now.

Pity the bastards that design the bots seem quite clever, innit? :P

Arantor

Cleverness is only one half of the argument. The other is the small factor that it's possible to buy CAPTCHA solving services that will get human solvers to solve 1000 CAPTCHAs for the region of $1. Since most systems are hard-shell only, once you have an account, it's effectively free to spam.

But do note that there are some clever folks on the good side of the fence too ;)
Holder of controversial views, all of which my own.


kat

Ah, yeah. I'd forgotten about the "humans"...

Bugger. :P

mashby

Quote from: Kindred on September 30, 2013, 03:39:21 PM
But what if it's a Russian keyboard that doesn't have Latin letters?

And, I would assume that some systems (Chinese?) use other than Arabic numerals....
Russian keyboard
Chinese keyboard

And actually, this is likely used by the Russians and the Chinese (and us as well).
Always be a little kinder than necessary.
- James M. Barrie

Arantor

There are plenty of layouts that don't conform to QWERTY (Dvorak and AZERTY are the more well known ones) but that's not really the problem here ;)
Holder of controversial views, all of which my own.


Akyhne

Those images are impossible to read. Using letter reading instead.

But since all kinds of captchas with letters are broken, why not do something different? 

Arantor

You mean like the Q&A that's been in 2.0 for years and is improved with multi-language support in 2.1?
Holder of controversial views, all of which my own.


Akyhne


Arantor

Which is good then that I already added additional measures into SMF 2.1 then, isn't it?
Holder of controversial views, all of which my own.


Akyhne


Arantor

I'd rather not. It's a well known fact that spam bots examine the source and attempt to beat our defences, the more attention I call to them, the quicker they're going to defeat them.
Holder of controversial views, all of which my own.


Akyhne

You misunderstand me, I guess. I just want to know if it's a letter verification system or something quite different.

Arantor

You misunderstand me, too. The CAPTCHA hasn't changed (and with very good reasons that I don't feel the need to justify to you), but there are other methods that are encouraged like the Q&A and the other defences.
Holder of controversial views, all of which my own.


falconsonika

Seriously, it creates a lot of problems. I also faced this problem. Please remove this or change it.

Kindred

please read all of the above comments and answers.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
