[pwm-general] Spambots getting through reCAPTCHA protection in pwm


samuli....@gmail.com

May 18, 2010, 3:33:48 AM
to pwm-g...@googlegroups.com
Hi,

I published my Pwm instance to the Internet a while back and within ~48
hours a spambot had managed to register a new user account in LDAP and
filled our Trac's front page with funky Chinese text. I assume this was
a spambot as

- it did not descend to other Wiki pages
- it did not mess with any tracker items
- the overall layout of the front page was retained
- some parts of the page were untouched (e.g. parts of the wiki
formatting)

Although each individual service using the LDAP accounts can be
protected against spam, I'd rather fix the issue at the source
(=registration). Could some additional verification measures (different
CAPTCHAs, hidden fields, email loops) be added to pwm?

Any suggestions or thoughts?

Samuli

--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To post to this group, send email to pwm-g...@googlegroups.com.
To unsubscribe from this group, send email to pwm-general...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pwm-general?hl=en.

Jason Rivard

May 18, 2010, 8:34:24 AM
to pwm-general
Are you using the built-in recaptcha captcha? Was the bot able to
bypass recaptcha?

The next release (in SVN now, to be released soon as a beta build)
has some additional form validation to prevent XSS attacks, but
probably wouldn't help much against a targeted bot.

samuli....@gmail.com

May 18, 2010, 8:54:23 AM
to pwm-g...@googlegroups.com
Yep, was using the built-in reCAPTCHA in pwm. I verified both visual and
audio captchas and they seemed to work properly. Does the pwm intruder
detection monitor new user registration also? If so, tightening the
lockout limits/timeout values might help.

Samuli

Jason Rivard

May 18, 2010, 9:23:22 AM
to pwm-general
Hmmm.. perhaps another captcha service should be investigated.

Intruder detection for the source IP address is tripped during new user
registration when:

- form validation fails (email address isn't duplicated properly, etc.)
- a duplicate (existing) username is used

This probably doesn't help too much, but perhaps lowering the limits
would help at the risk of affecting legitimate users.

I could also see how a new user creation rate limit might help, but
even this is problematic for the case when you might legitimately have
a large volume of registrations in a short period of time (due to
email or add or something..).

I'm open to suggestions (and code :)

samuli....@gmail.com

May 18, 2010, 11:00:12 AM
to pwm-g...@googlegroups.com
Perhaps a reasonable solution would be to monitor failed reCAPTCHA
validations per IP? Potential intruder IP could be locked after a set
number of tries for a defined period of time. If another set of attempts
fails, the time limit could then be increased.

Also, some services (Trac, Mediawiki) have math captcha add-ons (e.g.
"what is 4+89") which could probably be added to pwm pretty easily. Also
adding extra form fields that humans know how to keep empty might help.
I'm not sure how effective these are, but I'm sure they'd catch more
spambots than reCAPTCHA alone. These should be opt-out/opt-in, of course.

If you like, I can take a look if there's something available in Java
which I (with a little help) could then integrate into pwm. What do you think?

Samuli
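One way to build the per-IP escalating lockout Samuli proposes above, together with the hidden "leave this empty" field he mentions and the per-source-IP lockout that Jason describes in the previous message, as an added example written for this page. It is not pwm's own intruder-detection code (pwm is Java; Python is used here only for the illustration). The class name, the "website" honeypot field name, the thresholds, and the sample addresses and form submissions are all assumptions made up for the example.

```python
"""Added example (not pwm's own code): per-source-IP tracking of failed
CAPTCHA checks with an escalating lockout, plus a honeypot form field.

All names here (RegistrationGuard, the "website" honeypot field, the
sample IPs and forms) are invented for this illustration.
"""
from collections import defaultdict


class RegistrationGuard:
    """Tracks CAPTCHA failures per source IP and locks the IP out for
    progressively longer periods each time it exhausts its allowance."""

    def __init__(self, max_failures=3, base_lockout=60, max_lockout=3600,
                 honeypot_field="website"):
        self.max_failures = max_failures      # failures allowed before a lockout
        self.base_lockout = base_lockout      # seconds for the first lockout
        self.max_lockout = max_lockout        # cap so escalation stays bounded
        self.honeypot_field = honeypot_field  # hidden field a human never fills
        self._failures = defaultdict(int)     # ip -> failures since last reset
        self._strikes = defaultdict(int)      # ip -> lockouts earned so far
        self._locked_until = {}               # ip -> timestamp lockout expires

    def lockout_duration(self, strikes):
        """First lockout is base_lockout, doubling per strike, capped."""
        return min(self.base_lockout * (2 ** (strikes - 1)), self.max_lockout)

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]     # lockout expired; forget it
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed CAPTCHA (or honeypot hit). Returns the lockout
        length in seconds if this failure tripped one, else 0."""
        self._failures[ip] += 1
        if self._failures[ip] < self.max_failures:
            return 0
        self._strikes[ip] += 1
        duration = self.lockout_duration(self._strikes[ip])
        self._locked_until[ip] = now + duration
        self._failures[ip] = 0             # start a fresh window after lockout
        return duration

    def record_success(self, ip):
        self._failures[ip] = 0             # a solved CAPTCHA clears the count

    def honeypot_tripped(self, form):
        """The field is hidden via CSS/JS, so only a bot submits content in it."""
        return bool(form.get(self.honeypot_field, "").strip())

    def check_registration(self, ip, form, captcha_passed, now):
        """Decide one registration attempt: 'locked', 'honeypot', 'captcha' or 'ok'."""
        if self.is_locked(ip, now):
            return "locked"
        if self.honeypot_tripped(form):
            self.record_failure(ip, now)   # bots earn strikes here too
            return "honeypot"
        if not captcha_passed:
            self.record_failure(ip, now)
            return "captcha"
        self.record_success(ip)
        return "ok"


def demo():
    """Constructed walk-through of one bot IP hammering the registration form."""
    guard = RegistrationGuard(max_failures=3, base_lockout=60, max_lockout=600)
    bot = "198.51.100.7"                         # constructed sample address
    clean_form = {"username": "alice", "email": "alice@example.org", "website": ""}
    bot_form = {"username": "zz", "email": "x@y", "website": "http://spam.example"}
    t = 1000.0
    outcomes = []
    # three CAPTCHA failures in a row: the third trips a 60 s lockout
    for i in range(3):
        outcomes.append(guard.check_registration(bot, clean_form, False, t + i))
    outcomes.append(guard.check_registration(bot, clean_form, True, t + 10))   # locked
    outcomes.append(guard.check_registration(bot, clean_form, True, t + 70))   # expired
    # three honeypot hits: second strike, lockout doubles to 120 s
    for i in range(3):
        outcomes.append(guard.check_registration(bot, bot_form, True, t + 80 + i))
    outcomes.append(guard.check_registration(bot, clean_form, True, t + 150))  # locked
    outcomes.append(guard.check_registration(bot, clean_form, True, t + 205))  # expired
    return outcomes


if __name__ == "__main__":
    for step, result in enumerate(demo(), 1):
        print(step, result)
```

Two caveats worth keeping in mind when wiring something like this into a registration flow. The counter only moves when the bot actually fails the CAPTCHA or fills the hidden field; a bot that solves reCAPTCHA, as the one in Samuli's first message apparently did, never increments it, so this complements rather than replaces a stronger CAPTCHA or an email confirmation loop. And per-IP limits penalize legitimate users behind a shared NAT or proxy, which is exactly the trade-off Jason raises, so the thresholds above are starting points to tune against real traffic, not recommended values.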