awwwww, crud, the spambot has cracked reCaptcha!


FrustratedInTexas

Nov 20, 2009, 1:54:18 AM
to reCAPTCHA
check this:
http://www.google.com/#hl=en&q=%22love,sex,emotions%22+xrumer&start=10&sa=N&fp=3bc67ad073d855ce

That's ONE spambot user, making >50,000 posts in only the last few
days, and every forum that I hit the REGISTER button on had reCaptcha
there blocking the stinking spambots. The "love,sex,emotions" is what
the 'bot has set in the signature line, so I'm pretty sure they're all
the same low-life. I'm seeing it on all types of forums, so it's not
an exploit in any one particular forum package. vBulletin, phpBB, and
SMF for certain of the handful I've looked at already. Of the few
forums that I know have been hit by this bot, they all originated from
a hackbox host in Latvia, CIDR 94.142.128.0/21.

After the spam tidal wave a year ago, nearly every forum I know has
switched from a simple captcha to reCaptcha because it appeared to be
a solid wall to the 'bots. I guess that's no longer true... <sigh>.

It's back to playing "Whack-a-Mole" until I come up with a different
solution to the spambot problem. I don't want to wait until it turns
into a flood, this time around. I guess I'll use a photo challenge,
and make them type in a description of the photo (one word, 5 or 6
letters, and a photo of something obvious). Unfortunately, that's an
English-only solution for us, which non-English speakers are unlikely
to figure out. I'm not obnoxious enough to think that English is the
only language of the Internet. We do have a handful of people that
have a different milk-language.

The OCR function of Xrumer 5.0a was very crude, but it appears that
the scumbags in Russia have been working diligently over the last year
to make our life a real hell again.

ArcNeXuS

Nov 20, 2009, 2:12:04 PM
to reCAPTCHA

regarding spam...post . hell again.

why not just have the first recaptcha page redirect to a second
recaptcha... that's gotta make it tougher for the bot.. and if you're
using php .. might want to look into some kind of encryption for the
leading pages... same with asp and html ...


Paul Herring

Nov 20, 2009, 3:10:57 PM
to reca...@googlegroups.com
Looks like they're targeting sites using pre-packaged software.

Break in vBulletin? On *a* version? They abuse it.
Break in PhpBB? On *a* version? They abuse it.

I'm more inclined to think that there's a problem with the BB software
not working properly with reCAPTCHA and subsequently being exploited,
rather than reCAPTCHA itself being cracked.

Or I'd like to hope that 50,000 attempts either (a) from an IP or (b)
to an IP in a short space of time would be blocked.

(Though from the search result [and to change tack...], it would
appear that someone has managed to post a hell of a lot after actually
'passing' the captcha, which wouldn't preclude the perpetrator being a
human. Not all (or even a majority) of the posts required a captcha to
be solved to spam; it was only required for registration.)

--
PJH

http://shabbleland.myminicity.com/
http://www.chavgangs.com/register.php?referer=9375
http://www.kongregate.com/?referrer=Shabble

Jerry Johnson

Nov 20, 2009, 3:14:17 PM
to reca...@googlegroups.com
is recaptcha no longer working?

Paul Herring

Nov 20, 2009, 3:36:11 PM
to reca...@googlegroups.com
On Fri, Nov 20, 2009 at 8:14 PM, Jerry Johnson <jerryh...@gmail.com> wrote:
> is recaptcha no longer working?

Still working on my site. Is it not on yours?

FrustratedInTexas

Nov 21, 2009, 1:54:30 AM
to reCAPTCHA
On Nov 20, 1:36 pm, Paul Herring <pauljherr...@gmail.com> wrote:
> On Fri, Nov 20, 2009 at 8:14 PM, Jerry Johnson <jerryhost....@gmail.com> wrote:
> > is recaptcha no longer working?
>
> Still working on my site. Is it not on yours?

reCaptcha is working fine, but looking at our server log it only took
the bot 8 seconds to crack the captcha. The bot only has to get the
one word correct: the one that reCaptcha knows about. It got it on
our sites on the first try.

I *highly* doubt it's being done manually, as the registration came in
from a server farm in Latvia, probably acting as a proxy so that it
can intercept the reCaptcha request & response. Also, that Google
count of spam posts is now up to near 200,000 today, from 50,000
yesterday. Dunno 'bout you, but I can't type that fast; that's about
100 per minute in a 24 hour span. What I'm seeing at the sites I've
looked at, the 'bot made exactly ONE post, then split the scene and
went on to the next forum, undoubtedly planning to return at some
later date. It tried to log in again late today, but I'd already
added a "deny from" for that CIDR as well as deleting the 'member' and
the unwanted advertising post for their spam tool.

The registration form on SMF is dead simple, and it's virtually
impossible for them to have 'exploited' it. I remember looking at
other forum packages, and they're all very basic PHP code for the
registration page(s), and there's little there to bypass or hack. I
can see in the server logs that reCaptcha has been stopping multiple
attempts per day from various addresses, until now. There's nothing
in the log that looks any different on that one registration versus a
genuine human registering. No XSS code, nada.

This is the first time in about a year that we've had a spammer, other
than one that manually registered from China a month or two ago.

If they're getting around it by doing a combination of OCR plus a fast
dictionary attack at reCaptcha, then the folks at reCaptcha should see
it in their logs. We've had multiple attempts over the last 2 weeks
from that server farm in Latvia, from 94.142.134.195, 94.142.129.98,
94.142.130.9 and 94.142.128.140. The last one was the successful bot.
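An added example, not code from anyone in this thread: a log check that covers the two things discussed above, registration POSTs arriving from the Latvian CIDR FrustratedInTexas names, and Paul Herring's point that many attempts from one IP in a short span should stand out. The log lines are constructed, and the registration endpoint paths and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# CIDR the thread identifies as the Latvian source of the bot registrations.
BLOCKED_NETS = [ip_network("94.142.128.0/21")]
# Assumed registration endpoints (vBulletin's register.php, SMF's action=register2).
REGISTER_PATHS = ("/register.php", "/index.php?action=register2")
# Apache combined log: client IP, two ident fields, timestamp, then the request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path

def check_registrations(lines, burst=3, window=timedelta(minutes=10)):
    """Registration POSTs from BLOCKED_NETS, and IPs with >= burst POSTs in one window."""
    blocked, per_ip = [], defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, method, path = parsed
        if method != "POST" or not path.startswith(REGISTER_PATHS):
            continue
        if any(ip_address(ip) in net for net in BLOCKED_NETS):
            blocked.append(ip)
        per_ip[ip].append(when)
    bursts = {}
    for ip, times in per_ip.items():
        times.sort()
        for i, start in enumerate(times):
            # count attempts from this one forward that fall inside the sliding window
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= burst:
                bursts[ip] = max(bursts.get(ip, 0), n)
    return blocked, bursts

# Constructed sample lines, not real server logs.
SAMPLE = [
    '94.142.128.140 - - [20/Nov/2009:22:31:08 -0600] "POST /register.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [20/Nov/2009:22:40:01 -0600] "POST /index.php?action=register2 HTTP/1.1" 200 1024',
    '203.0.113.7 - - [20/Nov/2009:22:43:12 -0600] "POST /index.php?action=register2 HTTP/1.1" 200 1024',
    '203.0.113.7 - - [20/Nov/2009:22:47:55 -0600] "POST /index.php?action=register2 HTTP/1.1" 200 1024',
    '198.51.100.5 - - [20/Nov/2009:22:50:30 -0600] "GET /register.php HTTP/1.1" 200 4096',
]
```

Running `check_registrations(SAMPLE)` flags the single POST from the blocked range and the three-in-ten-minutes burst from 203.0.113.7, while the plain GET of the form is ignored.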

hostm...@enigmedia.com

Nov 21, 2009, 1:32:02 PM
to reCAPTCHA

i-imagine

Nov 21, 2009, 2:40:37 PM
to reCAPTCHA
Brute force can now also be purchased on the cheap - good point. One
can find "services" advertising to break captchas with just a couple
of searches...

Paul Herring's point above is bolstered by counting how many times the
"phrase in question" has made it on major sites, like Facebook or
Myspace. Try the narrowed search and you will only get one or two
results that might have made it into their listings. They must be
doing something right or different than the links that return the
search term. By the way - many of those links do not use recaptcha.

Yes, it does look like a widespread "spamfestation" however it remains
to be seen if it was "by bot or by bought".

Joe Carver
====
reCAPTCHA in Coppermine Photo Gallery
http://forum.coppermine-gallery.net/index.php/topic,60626.0.html

My sites with reCAPTCHA
http://gallery.josephcarver.com/natural/
http://www.i-imagine.net/artists/index.php

Paul Herring

Nov 21, 2009, 3:32:14 PM
to reca...@googlegroups.com
On Sat, Nov 21, 2009 at 7:40 PM, i-imagine <jcarver...@gmail.com> wrote:

> Paul Herring's point above is bolstered by counting how many times the
> "phrase in question" has made it on major sites, like Facebook or
> Myspace.

Um, which point? ;)

The fact that to post the spam didn't require a captcha, merely the
registration of the account?

PopSmith

Nov 21, 2009, 9:57:37 PM
to reCAPTCHA
I would recommend using BotScout (http://www.botscout.com/) in
addition to reCAPTCHA. BotScout is a free service that keeps a
database of known bots and prevents them from signing up on your site.
It also helps reduce the amount of signups from "human farms" in China
etc.

The other recommendation I have to reduce/eliminate the amount of bots
is to blacklist ALL .ru domains unless you have a Russian site. Lots
of bots use a .ru domain in their email.

Paul Herring

Nov 22, 2009, 6:44:34 AM
to reca...@googlegroups.com
On Sun, Nov 22, 2009 at 2:57 AM, PopSmith <iamth...@gmail.com> wrote:
> I would recommend using BotScout (http://www.botscout.com/) in
> addition to reCAPTCHA. BotScout is a free service that keeps a
> database of known bots and prevents them from signing up on your site.
> It also helps reduce the amount of signups from "human farms" in China
> etc.

http://www.bad-behavior.ioerror.us/ is another similar service.

hunt

Nov 23, 2009, 4:46:52 AM
to reCAPTCHA
This may be a stupid suggestion, but why not block all known spam IP
addresses at the Web Server or Firewall level? If these machines can't
access your server they can't send spam, am I right?

if you do not have access to the server management console ask your
administrator.

i-imagine

Nov 23, 2009, 8:02:24 AM
to reCAPTCHA
On Nov 21, 3:32 pm, Paul Herring <pauljherr...@gmail.com> wrote:
> Um, which point? ;)
>

=====

Perhaps I should have used the plural...specifically here.

"Looks like they're targeting sites using pre-packaged software.

Break in vBulletin? On *a* version? They abuse it.
Break in PhpBB? On *a* version? They abuse it.

I'm more inclined to think that there's a problem with the BB software
not working properly with reCAPTCHA and subsequently being exploited,
rather than reCAPTCHA itself being cracked."

You have made some more great points since that message, but
webmasters who don't maintain their software and follow the
fundamentals are asking for trouble no matter what they might use to
fend off the spammers.

=====

And for other readers looking to harden their sites against the tide
of spam, here are a couple of my suggestions......

- use the AJAX method of reCaptcha delivery
- look at services like Akismet


Joe Carver

=====

Charles Sweeney

Nov 23, 2009, 4:59:56 PM
to reCAPTCHA
PopSmith wrote:
> I would recommend using BotScout (http://www.botscout.com/) in
> addition to reCAPTCHA. BotScout is a free service that keeps a
> database of known bots and prevents them from signing up on your site.

Yes, the "chasing your own arse" or "closing the door after the horse
has bolted" method. Just as quickly as you log a known bot, it will
appear again under a different guise.

> The other recommendation I have to reduce/eliminate the amount of bots
> is to blacklist ALL .ru domains unless you have a Russian site. Lots
> of bots use a .ru domain in their email.

Lots of bots and spam comes from the US (I believe most is from the
US) but I wouldn't suggest blocking all US domains/IPs.

In the case of email spam, it might be better to allow it, then deal
with it once received. I use the excellent Mailwasher
(http://www.mailwasher.net/) and delete hundreds of "allowed" spam
daily. No trouble.

In the case of forum posts, unless you're getting thousands of bot
posts, human verification before allowing a post to be published, will
do the trick. If you have a hugely busy forum, then employ some of
that cheap labour that is often talked about and human-verify the
posts!

If it's for a signup to a service, ask the user to verify their email
address (click a link in an email). Should stop most/all bots.

There's a host of other things you can do, not for this thread/group.

--
Charles Sweeney
http://FormToEmail.com
PHP mail script with reCAPTCHA

Charles Sweeney

Nov 23, 2009, 5:07:03 PM
to reCAPTCHA
hunt wrote:
> This may be a stupid suggestion, but why not block all known spam IP
> addresses at the Web Server or Firewall level? If these machines can't
> access your server they can't send spam, am I right?

You are right, it's not a stupid question, this method of blocking
known IPs, domains etc is very common and very futile. As soon as you
block one they will start again under a different guise. It is a
waste of time.

Are you going to spend half your day entering IP addresses into your
firewall? Even if you automated the process, if you could, you are
still stuck with the reality stated above.

The likes of Spamhaus have been using this principle for years, with
no success. Spam is as bad as it ever was, if not worse.