ismayil.khayredi...@gmail.com> wrote:
> On 10/15/12 8:26 PM, Ismayil Khayredinov wrote:
>> ...xrumer fakes the email and email validation.
>> How would it fake the email validation without knowing the site secret?
>> Do you just mean they have access to email accounts?
> Not sure how exactly they handle it, but it looks like the email accounts
> are created temporarily for the sake of verification and then shut down. A
> lot of them use gmail accounts, which apparently they can create
> automatically with an averaging captcha bypass rate. Alternatively they
> seem to be using catchall email addresses. So by 'fake' I only mean that
> they somehow get access to the validation link via a bogus email.
>>> 'all' and accidentally passes return value of true, this would completely unarm uservalidationbyemail.
>> Are you thinking maybe this should be an event for safety purposes?
> I think a different hook name would suffice.
>>> 2. Create a hook for 'login', 'user' and check the difference between e.time_created and ue.last_login. If the difference is less than X seconds (usually 15) then the user is a bot. No human can fill out the registration form and validate their email within 15 seconds.
>> I disagree. I often have my e-mail open in the background and can switch
>> to it and click the link right away. I guess I'd say if they validate under
>> 15 seconds, ideally you'd throw another captcha or some click-through in
>> the way, for zippy humans :)
> Hmmm. You are probably right on this one.
> An alternative solution would be to add a hidden input with a timestamp of
> when the registration form was accessed, and compare against it.
>>> 3. Add a field to your registration form with a randomly generated name attribute. The label would read something like 'Are you a bot?' with 'Yes'/'No' options and 'Yes' selected by default. Most hacking scripts à la xrumer won't be able to answer the question correctly.
>> They wouldn't just return the default option value?
> Well, according to forum owners this works quite successfully. Xrumer
> seems to leave the default value on fields it doesn't recognize. I would
> even avoid wrapping the label in <label> tags, so that they can't pick up
> the actual question.
>> Steve
>> --
>> http://community.elgg.org/profile/steve_clay
>> --
>> You received this message because you are subscribed to the Google Groups "Elgg development" group.
>> To post to this group, send email to elgg-development@googlegroups.com
>> To unsubscribe from this group, send email to elgg-development+unsubscribe@googlegroups.com
>> Elgg: http://elgg.org/
>> Remember, bug reports should be filed at http://trac.elgg.org/elgg!
> --
> *Ismayil Khayredinov*
> hypeJunction
> web development and services
> ismayil.khayredi...@gmail.com
> +420 774 693 672
> ismayil.khayredinov
> *"Hope is a state of mind, not of the world. Hope, in this deep and
> powerful sense, is not the same as joy that things are going well, or
> willingness to invest in enterprises that are obviously heading for
> success, but rather an ability to work for something because it is good"* -
> Vaclav Havel
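The two mitigations discussed in the thread, a hidden form-issue timestamp and a honeypot question under a randomly generated field name, as an added example that is not code from the thread or from Elgg. It is framework-agnostic PHP: the timestamp is bound to the field name by an HMAC over a placeholder SITE_SECRET so a client cannot backdate it, and MIN_SECONDS, MAX_SECONDS, issue_form_state, render_honeypot and check_submission are my own names and constructed values.

```php
<?php
// Added example (not from the thread): honeypot field with a random name plus a
// signed form-issue timestamp. SITE_SECRET is a placeholder for the site's secret.
const SITE_SECRET = 'replace-with-the-site-secret';
const MIN_SECONDS = 5;      // constructed threshold: faster than this is treated as a bot
const MAX_SECONDS = 3600;   // tokens older than this are rejected as stale

// Called when the registration form is rendered. The random field name and the
// timestamp are bound together by an HMAC, so neither can be altered client-side.
function issue_form_state(int $now): array {
    $field = 'q_' . bin2hex(random_bytes(8));
    $mac   = hash_hmac('sha256', "$field|$now", SITE_SECRET);
    return ['field' => $field, 'ts' => $now, 'mac' => $mac];
}

// Renders the question with 'yes' preselected. As the thread suggests, no <label>
// element is used, so the question text is not tied to the input for a scraper.
function render_honeypot(array $state): string {
    $f = htmlspecialchars($state['field'], ENT_QUOTES);
    return "Are you a bot? "
         . "<input type=\"radio\" name=\"$f\" value=\"yes\" checked> Yes "
         . "<input type=\"radio\" name=\"$f\" value=\"no\"> No"
         . "<input type=\"hidden\" name=\"_hp_field\" value=\"$f\">"
         . "<input type=\"hidden\" name=\"_hp_ts\" value=\"{$state['ts']}\">"
         . "<input type=\"hidden\" name=\"_hp_mac\" value=\"{$state['mac']}\">";
}

// Called on submission. Returns null when the submission looks human, otherwise
// a short reason string suitable for logging. The MAC is checked first so the
// timing and honeypot checks only ever run on values the server itself issued.
function check_submission(array $post, int $now): ?string {
    $field = $post['_hp_field'] ?? '';
    $ts    = (int)($post['_hp_ts'] ?? 0);
    $mac   = $post['_hp_mac'] ?? '';
    $expected = hash_hmac('sha256', "$field|$ts", SITE_SECRET);
    if (!hash_equals($expected, $mac)) {
        return 'tampered form state';
    }
    $elapsed = $now - $ts;
    if ($elapsed < MIN_SECONDS) return "submitted in {$elapsed}s";
    if ($elapsed > MAX_SECONDS) return 'stale form';
    if (($post[$field] ?? 'yes') !== 'no') return 'honeypot left at default';
    return null;
}

// Constructed demo: a script that leaves defaults and posts at once, then a human.
$state = issue_form_state(1350000000);
$bot   = ['_hp_field' => $state['field'], '_hp_ts' => $state['ts'], '_hp_mac' => $state['mac']];
$human = $bot + [$state['field'] => 'no'];
echo check_submission($bot, 1350000002), "\n";            // bot: submitted in 2s
echo check_submission($human, 1350000040) ?? 'ok', "\n";  // human: ok
```

A rejected submission is a good place to fall back to a captcha rather than a hard block, which addresses the "zippy humans" objection raised above.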