bots defeating securimage #66
Comments
|
It's possible these are humans solving the captcha, in which case little will work to stop that. Changing the font in addition to the other changes would help a lot if they were trained bots to solve the captcha. If they're acting from many of the same IP's or using Tor, you might consider blocking those for certain things. If you aren't using audio, delete securimage_play.php as audio might be an easier attack vector than the image itself. Feel free to reach out via email to look more into this. |
|
Other possibilities:
Maybe check logfiles if bots beat the image or audiofile. (maybe cut http access to .php file that generates audio and see if that makes a difference) Given the assumption a spambot(net) is optimized for securimage image solving but still quite simple (not using trained neural networks for instance), this would make it a little bit harder to analyze the image:
(5. Maybe the lines should be as thick and long as the character lines and looking a bit like a letter too (curves and/or straight parts). But as they are melt together with noise and the real letters it would also for humans hard to solve the captcha.) Beside that, do NOT use uploaded background images (the default or uploaded) as replacement of random generated backgrounds. (explanation for each can be given) |
|
Hi, Unfortunatelly, when I deleted the file (no audio clues needed on my site), the spam doesn't stop. P.S.: I'd prefer things like securimage to google recaptcha as it seems recaptcha tracks users, which I see as bad and unnecessary |
|
@panfanky It's not the audio, that article is super old and no longer relevant. For now, try using a different TTF file. I hope to have this addressed further this weekend with changes to image rendering. |
|
We are having the same issue. Some thing is getting past it. |
|
I will try tonight to merge some changes from a newer branch into 3.x that should stop this. |
|
Sorry for the delay. I have just pushed release 3.6.7 available from composer or at phpcaptcha.org/download/ In order to take advantage of the newer features, I'd suggest turning on the options Switching to another font from the default AHGBold.ttf will help a great deal as well. Ideally, text, noise, and line colors should all be the same. Background images likely do not help at all. Here is a sample config.inc.php: |
|
Hello Drew, thank you very much for updating me on this. I have downloaded the latest version from your website as well as implement the config file with the settings you mentioned below. I am using it on all of our forms as of today. https://interskill.com/contact-support.html is one of them.
I will keep you updated if the bots return!
Thank you,
[cid:image001.jpg@01CD5F54.A0F0CE40]
Pablo Mosca, IT Manager
Interskill Learning, America, Europe and Australia
O: 770-573-4964<tel:770-573-4964>
C: 469-422-8309<tel:469-422-8309>
Chat with me instantly<http://messenger.providesupport.com/messenger/1vjjg30y8234o1h8qp7ek7pudx.html>
Leading e-learning solutions in IBM Mainframe.
Find out more at: www.interskill.com<http://www.interskill.com/> | Twitter<https://twitter.com/Interskill> | LinkedIn<http://www.linkedin.com/company/interskill-learning/> | Blog<http://interskill-learning.blogspot.com/>
…________________________________
Interskill Learning 11770 Haynes Bridge Roade Suite 205 PMB 526, Alpharetta, Georgia 30009-197<tel:30009-197>. All information transmitted herein is governed by our standard Privacy PolicyTerms Conditions, available here:http://www.interskill.com/terms-and-conditions.html
From: Drew Phillips [mailto:notifications@github.com]
Sent: Friday, March 09, 2018 12:37 AM
To: dapphp/securimage <securimage@noreply.github.com>
Cc: Pablo Mosca <pmosca@interskill.com>; Comment <comment@noreply.github.com>
Subject: Re: [dapphp/securimage] bots defeating securimage (#66)
Sorry for the delay. I have just pushed release 3.6.7 available from composer or at phpcaptcha.org/download/
In order to take advantage of the newer features, I'd suggest turning on the options use_text_angles, use_random_baseline, use_random_spaces, and optionally use_random_boxes.
Switching to another font from the default AHGBold.ttf will help a great deal as well.
Ideally, text, noise, and line colors should all be the same. Background images likely do not help at all.
Here is a sample config.inc.php:
<?php
return array(
'image_width' => 275,
'image_height' => 100,
'code_length' => mt_rand(4, 6),
'num_lines' => mt_rand(2, 4),
'noise_level' => 4,
'perturbation' => 0.68,
'use_transparent_text' => false,
'use_text_angles' => true,
'use_random_spaces' => true,
'use_random_baseline' => true,
'use_random_boxes' => true,
);
For the last week the changes have been working pretty well for me on forms that recently started getting bot submissions.
I'll be interested to hear any results.
Thanks!
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#66 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AjcAuY6NCM-ZNbxOUxQDapijYPIcbTZAks5tciMSgaJpZM4Lm5B->.
|
|
Drew, sorry but a bot made it throw already.
First Name: ZilliamknillFX
Last Name: ZilliamknillFX
Email: buncolip@yandex.com<mailto:buncolip@yandex.com>
Phone: 87625548214
Company: google
Type of Issue: Forgot_UserName
Description: http://viagrawithoutdoctor.org - buy viagra without prescription
<a href="http://viagrawithoutdoctor.org">viagrawithoutdoctor.org
</a>
Thank you,
[cid:image001.jpg@01CD5F54.A0F0CE40]
Pablo Mosca, IT Manager
Interskill Learning, America, Europe and Australia
O: 770-573-4964<tel:770-573-4964>
C: 469-422-8309<tel:469-422-8309>
Chat with me instantly<http://messenger.providesupport.com/messenger/1vjjg30y8234o1h8qp7ek7pudx.html>
Leading e-learning solutions in IBM Mainframe.
Find out more at: www.interskill.com<http://www.interskill.com/> | Twitter<https://twitter.com/Interskill> | LinkedIn<http://www.linkedin.com/company/interskill-learning/> | Blog<http://interskill-learning.blogspot.com/>
…________________________________
Interskill Learning 11770 Haynes Bridge Roade Suite 205 PMB 526, Alpharetta, Georgia 30009-197<tel:30009-197>. All information transmitted herein is governed by our standard Privacy PolicyTerms Conditions, available here:http://www.interskill.com/terms-and-conditions.html
From: Drew Phillips [mailto:notifications@github.com]
Sent: Friday, March 09, 2018 12:37 AM
To: dapphp/securimage <securimage@noreply.github.com>
Cc: Pablo Mosca <pmosca@interskill.com>; Comment <comment@noreply.github.com>
Subject: Re: [dapphp/securimage] bots defeating securimage (#66)
Sorry for the delay. I have just pushed release 3.6.7 available from composer or at phpcaptcha.org/download/
In order to take advantage of the newer features, I'd suggest turning on the options use_text_angles, use_random_baseline, use_random_spaces, and optionally use_random_boxes.
Switching to another font from the default AHGBold.ttf will help a great deal as well.
Ideally, text, noise, and line colors should all be the same. Background images likely do not help at all.
Here is a sample config.inc.php:
<?php
return array(
'image_width' => 275,
'image_height' => 100,
'code_length' => mt_rand(4, 6),
'num_lines' => mt_rand(2, 4),
'noise_level' => 4,
'perturbation' => 0.68,
'use_transparent_text' => false,
'use_text_angles' => true,
'use_random_spaces' => true,
'use_random_baseline' => true,
'use_random_boxes' => true,
);
For the last week the changes have been working pretty well for me on forms that recently started getting bot submissions.
I'll be interested to hear any results.
Thanks!
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#66 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AjcAuY6NCM-ZNbxOUxQDapijYPIcbTZAks5tciMSgaJpZM4Lm5B->.
|
|
Drew, it seems that after these changes the spamming has increased. Over the weekend we saw a very large increase.
Thank you,
[cid:image001.jpg@01CD5F54.A0F0CE40]
Pablo Mosca, IT Manager
Interskill Learning, America, Europe and Australia
O: 770-573-4964<tel:770-573-4964>
C: 469-422-8309<tel:469-422-8309>
Chat with me instantly<http://messenger.providesupport.com/messenger/1vjjg30y8234o1h8qp7ek7pudx.html>
Leading e-learning solutions in IBM Mainframe.
Find out more at: www.interskill.com<http://www.interskill.com/> | Twitter<https://twitter.com/Interskill> | LinkedIn<http://www.linkedin.com/company/interskill-learning/> | Blog<http://interskill-learning.blogspot.com/>
…________________________________
Interskill Learning 11770 Haynes Bridge Roade Suite 205 PMB 526, Alpharetta, Georgia 30009-197<tel:30009-197>. All information transmitted herein is governed by our standard Privacy PolicyTerms Conditions, available here:http://www.interskill.com/terms-and-conditions.html
From: Drew Phillips <notifications@github.com>
Sent: Friday, March 09, 2018 12:37 AM
To: dapphp/securimage <securimage@noreply.github.com>
Cc: Pablo Mosca <pmosca@interskill.com>; Comment <comment@noreply.github.com>
Subject: Re: [dapphp/securimage] bots defeating securimage (#66)
Sorry for the delay. I have just pushed release 3.6.7 available from composer or at phpcaptcha.org/download/
In order to take advantage of the newer features, I'd suggest turning on the options use_text_angles, use_random_baseline, use_random_spaces, and optionally use_random_boxes.
Switching to another font from the default AHGBold.ttf will help a great deal as well.
Ideally, text, noise, and line colors should all be the same. Background images likely do not help at all.
Here is a sample config.inc.php:
<?php
return array(
'image_width' => 275,
'image_height' => 100,
'code_length' => mt_rand(4, 6),
'num_lines' => mt_rand(2, 4),
'noise_level' => 4,
'perturbation' => 0.68,
'use_transparent_text' => false,
'use_text_angles' => true,
'use_random_spaces' => true,
'use_random_baseline' => true,
'use_random_boxes' => true,
);
For the last week the changes have been working pretty well for me on forms that recently started getting bot submissions.
I'll be interested to hear any results.
Thanks!
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#66 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AjcAuY6NCM-ZNbxOUxQDapijYPIcbTZAks5tciMSgaJpZM4Lm5B->.
|
|
Hey Drew, |
|
Hi @futureweb, Sorry those settings turned out to be difficult for users. I'll give them more trials and see if I can fix that. I'd say almost any font that you could find other than the one included would be a big step up for bots as long as it's not too similar in appearance. Whatever bot is out there solving against the default settings was trained against that font so changing it up should help. I definitely went through quite a few in testing, some look great in print but are not at all suitable for captchas (either too easy/too difficult to read, or look terrible). Thank you for your feedback! |
|
Still having issue with bots. Any other ideas? |
The default captcha is cutting down spam a bit, but some is getting through. The following has some advice... dapphp/securimage#66 https://www.phpcaptcha.org/documentation/setting-options/ ... but regardless of that I find the math problems as a sender less annoying to solve. Lets give this a try for a bit.
|
So it is now 2020 and the world has come a long way since Securimage 0.3 was first released around 2005. Its mighty 297 lines (including GPL, comments, and whitespace) were enough to keep almost any form spam under control. Here we are today with cars driving us, bots carrying on pointed arguments with unwitting humans, facial recognition, and of course, Deepfakes. There are a few awesome open source projects for defeating Securimage specifically, and plenty more are available for other captchas. While it may be possible to spend some time tweaking defaults to keep away the pre-trained bots, word image captchas are no longer a valid turing test for stopping form spam. At this time I would suggest other alternatives unless you have very specific needs (no 3rd party, no cookies, etc) and have several hours to spend figuring out how to make this all work in 2020. As I've been trying to go through the issues and pull requests and do a bit of maintenance, there will probably be few more developments on this project. There may be some pieces worth salvaging for other projects, and the 4.0.1+/nextgen branch is a better starting point for any use than master going forward. Thanks to everyone over the years for their use, contributions, and interest. This project has been quite great over the years. As a result of it I've spoken to hundreds of people from all over the world, had great discussions, challenges, established some priceless contacts. As has always been the case, please feel free to use and modify, modify, and distribute the code freely under its license. To a better future with intelligent computers have taught humans how to live together in peace, as one. |
|
@dapphp Why do you left great script. Try do something similar but modern style. What about Captcha styled on Matrix screen? There is a lot to types of modern captchas even with face ID or other biometrics. You can use black mail list as well to stop spam or blocking users by IP. We can make huge spam DB with lot of details about spammers. |
Or more real examples for captcha:
2 (super idea!). for example they r developing it, but its not opensource https://www.arkoselabs.com/ such companies like Microsoft, EpicGames and so on - using this solution. but we need open source😥 |
|
I confirm the problem... |
I have securimage on dozens of websites, which has worked well for a long time, but in the past week, many are getting tons of spam. I have tried increasing the number of lines, upped the perturbation, switched a couple to use the math problem, but the spam continues.
Any suggestions on other tweaks to stymie the bots?
The text was updated successfully, but these errors were encountered: