Please register to participate in our discussions with 2 million other members - it's free and quick! Some forums can only be seen by registered members. After you create your account, you'll be able to customize options and access all our 15,000 new posts/day with fewer ads.
I wrote my own CAPTCHA in PHP and is successfully running on another forum. I'm retired now and finally reached the point where writing code bores me.
Kind of like a retired bus driver. You may be nostalgic about your career at first, but one day you realize you can't stand the sight of a bus. -- I'm that way with code now. The world will have to move on without my contributions.
I recall a story I was once told:
"Put your fingers into a glass of water and observe the water. Now take out one finger. Did it leave a hole in the water?"
The moral of this story is that my quitting writing code won't change the cyber-universe one iota.
I think that happens to most of us. After working in a given profession for many years, it becomes boring and one wonders why one ever opted for that profession in the first place
I suppose that's the way life goes, one thinks one matters to the world while in reality one is just a tiny wheel in a machine.
I think that happens to most of us. After working in a given profession for many years, it becomes boring and one wonders why one ever opted for that profession in the first place
I suppose that's the way life goes, one thinks one matters to the world while in reality one is just a tiny wheel in a machine.
Actually I really enjoyed my career in software and electronic hardware design, and have enjoyed running my own websites both before and after retiring. I never regretted my choice of career, I was good at it, it was good to me.
Currently I'm on a domain diet and phased out 3 domains in 2016, another will be phased out when I get my business shut down, and I'll just have two left: a cooking/recipe website I run as a hobby, and a domain I run mainly to host my various email addresses (no content on the site).
I was good at it but now I'm not interested in working for it, and not interested enough to do it as a hobby.
I guess that's a natural part of life. As we age our interests change too, and eventually passions just become memories. Currently I'm interested in doing art and writing fiction. And cooking!
I also saw a simple math questions posted on some Web pages. Those were much less annoying, but I am not sure about their effectiveness...
These can be very effective especially if it's a unique custom question or custom modification of the script. You have to remember these are "dumb" programs that only work because of commonality. If you have a commonly used forum software and a million sites are all using the same captcha you only need to program the bot to beat that particular captcha.
You would think that the computer gurus should be able to create a less annoying way to distinguish humans from robots ...
There is no captcha on my forum and I block about 99.9% of the bots. There is a variety of things implemented but these are mostly custom modifications. It's not that I'm some genius and doing something Google can't do but instead I'm able to customize it.
Simple example.... Gmail doe not recognize periods in emails, for gmail accounts joeschmoe@ and joe.schmoe@ are the same email address. The bots were capitalizing on this for registration because the forum software sees them as different email address, this allowed them to register multiple accounts without having to obtain different email from Gmail.
You would customize the script so any gmail accounts banned had the periods removed. Where the script checks the banned email accounts you remove the periods for newly registered accounts. That assumes they get by the part that will automatically reject a Gmail account that has 4 or more periods.
These can be very effective especially if it's a unique custom question or custom modification of the script. You have to remember these are "dumb" programs that only work because of commonality. If you have a commonly used forum software and a million sites are all using the same captcha you only need to program the bot to beat that particular captcha.
That was my own conclusion based on my software background and IT work. That's why the CAPTCHA I designed worked for the forum I designed it for. It's not worth cracking for just one forum. That's why ReCAPTCHA keeps failing or getting impossible to use. With so many sites it becomes attractive enough for some hacker to write the code to break it.
My current site registration relies on about 30-40 random questions like "3 + 2 = ?" which shows only 3 at random. For me to be hacked it takes a botmaster huge effort to get all possible of my questions. And when I get cracked I just change all the questions enough to waste all the hacker's work. I get zero spam.
Note that the site I'm referring to I'm the tech admin and server op, it's not really my site. In fact I wish they'd find somebody else for my job. Ah, the things you do for friends, and then wish you had a way to back out gracefully without letting down your friends. They don't know anybody else who could fill my job. Nor do I.
My current site registration relies on about 30-40 random questions like "3 + 2 = ?" which shows only 3 at random. For me to be hacked it takes a botmaster huge effort to get all possible of my questions. And when I get cracked I just change all the questions enough to waste all the hacker's work. I get zero spam.
The one thing you need to be careful with the questions is ambiguous questions, what color is the sky? Other issues are spelling etc.
I like to rely on passive prevention, two more examples.
In the drop down list for timezones on the registration UTC -12 is the first in the list, this is an uninhabitable timezone. There is a default set for humans and no human is going to change it to -12. The bots were often programmed to submit -12.
Another trick is hide an input field with CSS, be sure to have a hidden text warning not to fill it out in case someone is using text browser. The bot will often try to fill the field because it doesn't know if it's required.
You just need to look for patterns, I have custom fields on the registration page that are optional. The bots will often submit the username to these fields.... all of them.
My question would be like, "The sky is colored ____. (red, blue, black, yellow)." The forum I admin is international with a large non-English speaking membership. I have to give them all the choices or their poor English makes it impossible for many to register. Hey, it's working and I haven't changed the questions in over a year, not one forum spam yet.
Clever on the -12.
Not fill questions may help some, but my experience is a botmaster who collects ALL your verification questions, and only unleashes his botnet on you after he has your every question logged with the correct answer. He'd see the no-fill and -12 won't work. He has your forum cracked when he has your whole list.
I also have a secret weapon, one I coded myself: geo-awareness. For the most part I know what country members are coming from. (See CloudFlare. I use their data.) I can just ban the worst countries. That right there locked out a bunch of bad guys. They can't even "see" my site.
But for the most part I don't care any more. I'd gladly give my tech admin and server op jobs to somebody qualified and let them support my friends who co-own the forum. Then I will have written my last code, configured my last server, and I can forget any IT related stuff as part of my former life that matters no more.
I only linger on because there is no suitable replacement for me and I don't want to let my friends down. I'd be just as happy if the dedicated server provider went out of business. No server, no job, no forum, no more work for me.
After that the abbreviation IT would become merely the English pronoun "it" improperly capitalized.
This is my "secret" weapon and I don't mind sharing it because there is no way around it. This is specific for phpBB but it can be adapted for anything.
I have cron job that downloads spammer lists from stopforumspam.com. The lists appended with 1 is any IP/email address reported as spammer within last 24 hours and is downloaded every hour, the 7 is last days and downloaded daily. These are active lists so false positives are extremely unlikely.
Quote:
// Mod - Drop the spammers
$spammer_ip_lists = array(
'listed_ip_1.txt',
'listed_email_1.txt',
'listed_ip_7.txt',
);
foreach ($file as $line)
{
if (($user->ip == $line) || ($data['email'] == $line))
{
//Sends specific message that registration was blocked and to contact admin
$message = $user->lang['ACCOUNT_SPAMMER'];
$message = $message . '<br /><br />' . sprintf($user->lang['RETURN_INDEX'], '<a href="' . append_sid("{$phpbb_root_path}index.$phpEx") . '">', '</a>');
trigger_error($message);
}
}
}
}
If they make it through that I directly query the database for the email, false positives on the email are unlikely. if ($appears && $frequency >= 2) Sets how many time it can appear before the registration is blocked.
Quote:
//Second Check
if (!function_exists('get_remote_file'))
{
global $phpbb_root_path, $phpEx;
include($phpbb_root_path . 'includes/functions_admin.' . $phpEx);
}
Or at least I hope you recognize the value of indentation in structured code.
You missed the class on commenting your code.
Please register to post and access all features of our very popular forum. It is free and quick. Over $68,000 in prizes has already been given out to active posters on our forum. Additional giveaways are planned.
Detailed information about all U.S. cities, counties, and zip codes on our site: City-data.com.
Please register to participate in our discussions with 2 million other members - it's free and quick! Some forums can only be seen by registered members. After you create your account, you'll be able to customize options and access all our 15,000 new posts/day with fewer ads.
