Spam prevention
-
This is a captcha I encountered on a web site’s contact form:
Other than it always claiming the answer is wrong, regardless of the calculation it posts, I was a bit curious as to its effectiveness against bots, so I decided to run that screenshot through OCR:
(3+3)-0= 6 Correct captcha is required
-
Obviously the correct answer was +6.
-
What if the answer is
(3+3)-0=
just like the old captchas where you had to read and write a word?
-
@jbert said in Spam prevention:
What if the answer is
(3+3)-0=
just like the old captchas where you had to read and write a word?
This is a smarter CAPTCHA obviously. Any old robot can OCR the image (proof given above); it's the humans that read and comprehend it to be a request to evaluate a mathematical expression that's the key here!
-
@tsaukpaetra
No, no, it's 12 (base 4)
-
No robot has been able to solve my unbreakable captcha.
Simply remove the server-side handler for the form. Boom, no more spam ever.
-
Possibly the greatest feature about this captcha is that it appears to do its checking in Javascript. When I turned that off, the site submitted the form just fine* with no complaints about me not providing the correct answer to the captcha. So a bot doesn’t even need to do OCR: any bot that doesn’t do Javascript can spam them all it likes.
* That’s to say: on my first attempt, I didn’t enter an email address, and the SMTP server that the PHP talks to refused to send the message, meaning it got processed by the serverside script without a hitch. Providing a bogus email address got rid of the mailserver error too.
-
@jbert said in Spam prevention:
What if the answer is
(3+3)-0=
just like the old captchas where you had to read and write a word?
It includes an additional instruction that appears when the text field has the focus, but even providing the answer that it actually asks for doesn’t work:
All the calculations it presents you with, are in the form of (a + b) - c, by the way.
-
@gurth 4 + 3 - 1 = 6
Or am I missing something making me the WTF?
-
@blakeyrat I believe @Gurth was this time trying to literally do what it says, i.e. "Enter sum of the digits".
-
@jbert Oh I get it now.
-
@jbert said in Spam prevention:
@blakeyrat I believe @Gurth was this time trying to literally do what it says, i.e. "Enter sum of the digits".
Hit the nail on the head :)
I thought: “Maybe the person who made this is the kind of programmer who would hang out at a place like TDWTF, who takes everything literally — so perhaps the instructions actually tell the user to ignore the operators and just calculate the sum of the digits.” But no, that doesn’t seem to work either.
-
@gurth What if you enter the sum of the digits being added together, ignoring the one being subtracted entirely?
-
@erufael The original captcha was 3+3-0 though and 6 didn't work.
-
@jbert said in Spam prevention:
@erufael The original captcha was 3+3-0 though and 6 didn't work.
Maybe it's 3. There's 3 digits.
-
Maybe
"3" + "3" - "0" = 33
? JS typing can get you.
-
I’ve just been looking through the Javascript behind the site to try and figure out how it checks the captcha, but the stuff it does and/or the way it does it are way over my head :( Anyone else want to give it a try, go to http://www.belkits.com and click the Contact link at the top of the page.
-
@gurth said in Spam prevention:
I’ve just been looking through the Javascript behind the site to try and figure out how it checks the captcha, but the stuff it does and/or the way it does it are way over my head :( Anyone else want to give it a try, go to http://www.belkits.com and click the Contact link at the top of the page.
It's done server side unfortunately. Good way to avoid those pesky messages from customers if your form doesn't work though...
-
@cursorkeys I notice the captcha image is at a static link of http://www.dominotest.be/belkits/includes/captcha/captcha-image.php and changes every time you request it. What do you reckon the chances are that the captcha is different when the server validates it to what it was when the client requested it?
-
@cursorkeys said in Spam prevention:
It's done server side unfortunately. Good way to avoid those pesky messages from customers if your form doesn't work though...
Then why does the form submit and pass the message onto an SMTP server if you disable Javascript?
-
@gurth said in Spam prevention:
Then why does the form submit and pass the message onto an SMTP server if you disable Javascript?
Because it's done server-side but uses AJAX to do it?
To guess the obvious answer.
-
@onyx said in Spam prevention:
I suspect this means they got the message I sent them through the form, which was to tell them their captcha was broken and prevents the form from being sent unless you disable Javascript.
-
@blakeyrat said in Spam prevention:
@gurth said in Spam prevention:
Then why does the form submit and pass the message onto an SMTP server if you disable Javascript?
Because it's done server-side but uses AJAX to do it?
To guess the obvious answer.
Possibly, but in the message I sent, I didn’t answer the captcha at all. On my first attempt all I did was enter a message text, leaving all the other fields blank. That caused the SMTP error I mentioned, so for the second try all I did was add a fake email address. That appeared to go through, or at least, didn’t cause the SMTP error.
-
@gurth said in Spam prevention:
@cursorkeys said in Spam prevention:
It's done server side unfortunately. Good way to avoid those pesky messages from customers if your form doesn't work though...
Then why does the form submit and pass the message onto an SMTP server if you disable Javascript?
Ok, should have been more precise. The answer is:
@blakeyrat said in Spam prevention:
Because it's done server-side but uses AJAX to do it?
To guess the obvious answer.
The Captcha is generated via a call to a server-side function with a client-generated seed:
'http://www.dominotest.be/belkits/includes/captcha/captcha-image.php?x=' + Math.random()
There is a jQuery form validator that checks your Captcha submission on key-up and when you hit submit (with JS enabled) with:
'http://www.dominotest.be/belkits/includes/captcha/captcha-processing.php'
If you disable JS then it's just going to submit the form when you press the button, but either the server-side submit validation is failing or, alternatively, it doesn't have any server-side submit validation and it's just broken there as well.
Edit:
@gurth said in Spam prevention:
all I did was add a fake email address. That appeared to go through, or at least, didn’t cause the SMTP error.
That'd be option two then, they don't validate the form again after submit.
-
I'll get right on that thennnnn