Author Topic: Captcha cracked?  (Read 5735 times)


ff

Captcha cracked?
« on: November 22, 2008, 08:29:34 am »

Last night 120 spam entries from one IP were entered at 120 pictures.
Captcha is on, but they're posted.

Am I the only one or is captcha (v. 3.0 cracked)?

Joachim Müller

Re: Captcha cracked?
« Reply #1 on: November 22, 2008, 10:10:14 am »

We can't tell for sure, since you haven't provided a link to your gallery.

Anyway, bots appear to be able to overcome captcha, although that's a resource-intensive process that's probably not being used on a coppermine-driven gallery yet. Here's part of a conversation led on a dev-only board:
I just finished reading this: http://blogs.iss.net/archive/CAPTCHA.html.

Since 1.5 offers captcha as an option under the comments settings in config I thought of coppermine when reading that article. And since the big fish in the pond such as mickeysoft and gmail also got their captcha method hacked. Do the more code skilled devs see any problem arising with using captcha in cpg?

Should we be looking for another way for users to safeguard comment posting or is it safe to continue using captcha?

Cheers
Hein
It was only a question of time until spammers were able to defeat captcha imo - I have anticipated that they would be able to compromise captchas sooner or later. The key in the article you referred to is this sentence:
Quote
Personally, I don’t think it’s really worth strengthening the algorithms used to create more complex CAPTCHA’s – instead, just deploy them as a small “speed-bump” to stop the script-kiddies and their unsophisticated automated attack tools. CAPTCHA’s aren’t the right tool for stopping today’s commercially minded attackers.
This being said, consider captchas not as a method that will stop spamming once and for all - it will just slow down the number of spam attacks by keeping the script kiddies away (at least for a while).
That's why I have introduced comment moderation as well into cpg1.5.x. We might even consider adding the akismet mod into the core. Not because those methods will deliver the final blow to spammers - I agree with the author of the article that this fight has already been lost, but because it will allow our end users to achieve fewer spam comments.
Bottom line: captcha is not dead (yet), but it's certainly a valid idea to consider other technologies of spam prevention than captcha.

ff

Re: Captcha cracked?
« Reply #2 on: November 22, 2008, 10:24:42 am »

Quote
We can't tell for sure, since you haven't provided a link to your gallery.

Whoops http://www.xarno.nl/fotoalbum/ ;)

Quote
Anyway, bots appear to be able to overcome captcha, although that's a resource-intensive process that's probably not being used on a coppermine-driven gallery yet. Here's part of a conversation led on a dev-only board: This being said, consider captchas not as a method that will stop spamming once and for all - it will just slow down the number of spam attacks by keeping the script kiddies away (at least for a while).
That's why I have introduced comment moderation as well into cpg1.5.x. We might even consider adding the akismet mod into the core. Not because those methods will deliver the final blow to spammers - I agree with the author of the article that this fight has already been lost, but because it will allow our end users to achieve fewer spam comments.
Bottom line: captcha is not dead (yet), but it's certainly a valid idea to consider other technologies of spam prevention than captcha.


Thanks :D

Joachim Müller

Re: Captcha cracked?
« Reply #3 on: November 22, 2008, 10:41:41 am »

I strongly doubt that a spammer used the techniques to break captcha on your gallery. No offense, but your page is not relevant enough in search engine indexes (page rank 0) to be a valuable target for spammers to burn resources.

ff

Re: Captcha cracked?
« Reply #4 on: November 22, 2008, 05:35:09 pm »

Quote
I strongly doubt that a spammer used the techniques to break captcha on your gallery. No offense, but your page is not relevant enough in search engine indexes (page rank 0) to be a valuable target for spammers to burn resources.

That's what I thought :)
Just a baby/toddlers album.

Last week I received one message with the same content.
But last night there were 120 of those at 120 different images.
"wedding dresses wedding gowns bridal gowns lace front wigswedding invitationslace wigs full lace wigs cheap wedding invitations"

If they'd spammed our marriage album with this content I could understand it ;)

Maybe a testcase :D

ff

Re: Captcha cracked?
« Reply #5 on: November 22, 2008, 05:38:07 pm »

(just google for this phrase and you'll find some more invested sites :( )
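
A check for the pattern reported in this thread (one IP posting the same text on many different pictures in a short time), as an added example that is not part of the original thread or of Coppermine's code. The record layout, thresholds, IP addresses and comment text are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real gallery records: (timestamp, ip, picture_id, body).
T0 = datetime(2008, 11, 21, 23, 0, 0)
SAMPLE = [(T0 + timedelta(seconds=10 * i), "203.0.113.7", i + 1,
           "Wedding dresses wedding gowns" if i % 2 else "wedding dresses  wedding gowns")
          for i in range(120)]
# Same text from one visitor, but spread over six days: should not be flagged.
SAMPLE += [(T0 + timedelta(days=d), "198.51.100.20", 200 + d, "Cute!") for d in range(6)]
# Many comments in a short time, but each one different: should not be flagged.
SAMPLE += [(T0 + timedelta(minutes=m), "192.0.2.55", 300 + m, f"Nice photo {m}") for m in range(8)]


def normalize(body):
    """Lower-case and collapse whitespace so trivially varied copies compare equal."""
    return re.sub(r"\s+", " ", body.lower()).strip()


def find_bursts(comments, window=timedelta(hours=1), min_pictures=5):
    """Return (ip, text, pictures) for each IP that posted the same text on at
    least min_pictures distinct pictures within any span of length window."""
    groups = defaultdict(list)
    for ts, ip, pid, body in comments:
        groups[(ip, normalize(body))].append((ts, pid))
    flagged = []
    for (ip, text), posts in groups.items():
        posts.sort()
        start = best = 0
        for end in range(len(posts)):
            # Slide the window start forward until it spans at most `window`.
            while posts[end][0] - posts[start][0] > window:
                start += 1
            best = max(best, len({pid for _, pid in posts[start:end + 1]}))
        if best >= min_pictures:
            flagged.append((ip, text, best))
    return flagged


if __name__ == "__main__":
    for ip, text, pictures in find_bursts(SAMPLE):
        print(f"hold for moderation: {ip} posted {text!r} on {pictures} pictures")
```

Comments flagged this way can be routed to the moderation queue, so the captcha stays a speed bump and is not the only control.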