Chinese Spams pass through ReCaptcha system


Franck

Sep 8, 2010, 3:07:46 AM
to reCAPTCHA, franck....@decisionnews.com
Hello,

We've set up reCaptcha system on our website, but we still get spam
from Chinese IP addresses on our comment form (example of IP
address: 59.58.112.229),
(example of our website URL:
http://www.nutraingredients-usa.com/Research/Grapefruit-extract-shows-anti-diabetes-potential?nocount).

It seems that the captcha has been correctly resolved by this person.
Is there any fix to apply in order to prevent that type of spam?

We ask ourselves if it's possible to change the default challenge
timeout?
It seems that it's been set up to 18000 by default and we want to
change it to 120 seconds maximum?!


Thanks in advance for your help.

P JH

Sep 8, 2010, 4:50:14 AM
to reca...@googlegroups.com
On Wed, Sep 8, 2010 at 8:07 AM, Franck <franck....@gmail.com> wrote:
> It seems that the captcha has been correctly resolved by this person.
> Is there any fix to apply in order to prevent that type of spam?

reCAPTCHA (or indeed any CAPTCHA) cannot, by itself, prevent humans
from solving them correctly and posting spam. CAPTCHAs should be
considered *part* of the solution to preventing spam, not the *only*
possible solution.

It's like complaining that the lock on your front door doesn't stop
burglars from breaking your kitchen window to get into your house -
locks aren't the only thing you can use to stop burglars.

> We ask ourselves if it's possible to change the default challenge
> timeout?
> It seems that it's been set up to 18000 by default and we want to
> change it to 120 seconds maximum?!

No - that is not configurable.

--
PJH

Franck

Sep 8, 2010, 5:10:39 AM
to reCAPTCHA, Franck Leprette
First of all, thanks for your answer.

It could be interesting to allow users to change the timeout challenge
setting.
If a challenge is only available for 2 minutes instead of 5 hours, it
would be harder for spammers to "crack" it.


What kind of solutions can be added to recaptcha in order to prevent
such spam messages?



On Sep 8, 10:50 am, P JH <pauljherr...@gmail.com> wrote:

P JH

Sep 8, 2010, 5:15:15 AM
to reca...@googlegroups.com
On Wed, Sep 8, 2010 at 10:10 AM, Franck <franck....@gmail.com> wrote:
> What kind of solutions can be added to recaptcha in order to prevent
> such spam messages?

Moderation of new messages.

Preventing the same user entering more than one message per unit of time.

Peer review whereby other visitors can mark messages as spam (either
for review by moderators, or by some scoring system where messages
with a certain 'spam score' get hidden.)

Bad-behavior <http://www.bad-behavior.ioerror.us/> (though this won't
stop humans, it's a useful adjunct to captchas)

I'm sure there are other things that can be done - those are just the
few I could think of off the top of my head.

--
PJH

Mark Ketchum

Sep 18, 2010, 4:08:40 PM
to reCAPTCHA
Another option, roughly equivalent to revising the time-out on the
reCaptcha, is to put a time-out on the whole form using a hash field
(that would also provide some CSRF protection which is another spammer
tactic).

Some web-app frameworks (e.g. Zend) provide such in their form class.

On Sep 8, 2:15 am, P JH <pauljherr...@gmail.com> wrote:
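
Added example, not part of the thread and not taken from Zend or any other framework: one way to build the form-level time-out with a hash field suggested in the last post, as an HMAC over the visitor's session ID and the issue time, checked on submit against the 120-second limit asked for earlier. The function names, the `SECRET_KEY` handling and the token layout are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a server-side secret; generated here only so the demo runs.
SECRET_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 120  # form lifetime requested in the thread


def _sign(session_id: str, issued_at: int) -> str:
    """HMAC-SHA256 over the session ID and the issue time."""
    msg = f"{session_id}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id: str, now: Optional[float] = None) -> str:
    """Value for a hidden form field, laid out as '<issued_at>.<hmac>'."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_sign(session_id, issued_at)}"


def verify_form_token(token: str, session_id: str,
                      now: Optional[float] = None,
                      max_age: int = MAX_AGE_SECONDS) -> str:
    """Return 'ok', 'malformed', 'bad-signature' or 'expired'."""
    now = time.time() if now is None else now
    ts, sep, mac = token.partition(".")
    if not sep or not (ts.isascii() and ts.isdigit()) or len(mac) != 64:
        return "malformed"
    issued_at = int(ts)
    expected = _sign(session_id, issued_at)
    # Constant-time comparison. A failure here covers an edited timestamp
    # and a token copied from another visitor's session (the CSRF case).
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-signature"
    # Reject forms older than max_age and timestamps from the future.
    if issued_at > now or now - issued_at > max_age:
        return "expired"
    return "ok"
```

A token stays valid for repeated submissions inside the window; rejecting replays needs a server-side record of tokens already used.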