Posted: Sat Jun 13, 2009 8:03 pm Post subject: Why the captchas required for posting?
I don't get it. Why have captchas required for posting when you can't post without logging in, which requires a captcha? If the spam bots are getting past the log in requirements, meaning they can correctly read and respond to the captchas required at log in, how is a second captcha that is exactly the same as the log in captcha going to help?
This redundancy would seem to me to do nothing more than reduce the overall usability of the site, while adding nothing to the overall security of the site.
It is definitely a two-edged sword. I manage another site with less traffic and the security is not set as high. I get about 10-20 spam posts to the forum each week. Currently, the next available user ID is about 5000, although there are only about 50 real people registered. That means about 99% of every user ever registered did so to create spam.
I only manage the site, I am not the owner and they do not want the extra hassle. So far, I can deal with the little bit of extra work, but it may come to the point where I tell them it is too much hassle.
The bottom line is that the Internet is an unsafe place. On the other hand, you have a valid point that the CAPTCHA is the exact same one. Perhaps it would make sense to have different CAPTCHAs in different places. If the baddies figure out how to scan one type, they are in. If there are different types it does increase the security.
Actually I like it. A while ago, I was on the XFCE board.
Their forums are riddled w/ spams. So much that I gave up
on that board. I've seen spams on other boards, but nowhere
as much - toleratable (sp?), but still annoying.
It is definitely a two-edged sword. I can feel for ffreeloader and I don't like to have to deal with the extra security. I wish there was an easy solution. I am definitely open to suggestions.
Regards,
jimmo
PS. "tolerable"
So, are you saying that spam bots were getting past one captcha, but are failing to get past 2 identical captchas? If so, that's pretty interesting, in and of itself.
One suggestion is an Apache2 module that I have used against spammers, mod_defensible. It does create extra DNS traffic, though, as it uses DNSBLs to identify known sources of spam. I haven't tried it against spam bots, but I would imagine that most IP addresses identified with spam bots are also known to send spam. It's probably worth a try, as it returns 403 messages to known spammer IPs, thus stopping them before they can even connect.
Well, this double captcha just bit me. I tried to comment on one of the articles after logging in, and when trying to post my comments the captcha wouldn't accept the security code no matter how many times I tried entering it. And, yes, I entered the security code correctly. It gave me the same security code as when I logged in and it accepted then. It just wouldn't accept it the second time around.
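The DNSBL check suggested above (refuse listed client IPs with a 403), sketched as an added example that is not part of any post in this thread and is not mod_defensible's code. The names `dnsbl_name` and `DnsblGate`, the zone `dnsbl.example` and the sample records are constructed for illustration; the verdict cache is there to limit the extra DNS traffic the post mentions.

```python
import ipaddress
import socket
import time

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on bad input
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

class DnsblGate:
    """Map a client IP to 403 (listed) or 200, caching verdicts to limit DNS traffic."""

    def __init__(self, zones, resolver=system_resolver, ttl=3600, clock=time.monotonic):
        self.zones, self.resolver, self.ttl, self.clock = zones, resolver, ttl, clock
        self.cache = {}    # ip -> (status, expiry time)
        self.lookups = 0   # DNS queries actually sent

    def status_for(self, ip):
        now = self.clock()
        cached = self.cache.get(ip)
        if cached and cached[1] > now:
            return cached[0]
        status = 200
        for zone in self.zones:
            self.lookups += 1
            answer = self.resolver(dnsbl_name(ip, zone))
            # Listed entries answer inside 127.0.0.0/8; anything else
            # (no answer, or a resolver that rewrites NXDOMAIN) is not a listing.
            if answer and answer.startswith("127."):
                status = 403
                break
        self.cache[ip] = (status, now + self.ttl)
        return status

# Constructed sample data: a fake zone in which 192.0.2.10 is listed.
SAMPLE_ZONE = "dnsbl.example"
SAMPLE_RECORDS = {"10.2.0.192.dnsbl.example": "127.0.0.2"}

if __name__ == "__main__":
    gate = DnsblGate([SAMPLE_ZONE], resolver=SAMPLE_RECORDS.get)
    for ip in ("192.0.2.10", "198.51.100.7", "192.0.2.10"):
        print(ip, gate.status_for(ip))
    print("DNS lookups sent:", gate.lookups)
```

A resolver failure is treated as "not listed" here, so a DNS outage lets requests through instead of locking every visitor out.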
I have been thinking about something like Sheng-Chieh suggested. However, using a list of different questions or making the math questions text-only. I have read some places where they tried it with numbers and it was quickly compromised. However, using something like
"What do you get when you add five to one less than eight"
It is harder for computers to figure it out. On the other hand, it is probably hard for some humans to figure out.
I seem to have missed something. ffreeloader, you are saying that you have to put in the CAPTCHA twice? Once to log in and once to submit a new post? That's odd. I don't experience it, even if I am logged in as a normal user?
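A text-only question of the kind quoted above, generated and checked on the server, as an added example that is not part of the original post or of this site's code. `phrase` and `ChallengeStore` are hypothetical names; the expected answer never leaves the server and each challenge is valid for one attempt only.

```python
import random
import secrets

WORDS = ("zero one two three four five six seven eight nine ten eleven twelve "
         "thirteen fourteen fifteen sixteen seventeen eighteen nineteen twenty").split()

def phrase(a, b, c):
    """Word-only question in the thread's form; returns (text, numeric answer)."""
    text = (f"What do you get when you add {WORDS[a]} to "
            f"{WORDS[b]} less than {WORDS[c]}?")
    return text, a + (c - b)

class ChallengeStore:
    """Keeps expected answers server-side; each challenge can be answered once."""

    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.pending = {}  # nonce -> expected answer

    def issue(self):
        # Ranges keep the answer between 2 and 17, inside the WORDS table.
        a = self.rng.randint(1, 9)
        b = self.rng.randint(1, 3)
        c = self.rng.randint(4, 9)
        text, answer = phrase(a, b, c)
        nonce = secrets.token_urlsafe(16)  # sent to the form as a hidden field
        self.pending[nonce] = answer
        return nonce, text

    def verify(self, nonce, reply):
        # pop() makes the challenge single-use: a wrong or repeated try burns it.
        answer = self.pending.pop(nonce, None)
        if answer is None:
            return False
        reply = reply.strip().lower()
        return reply in (str(answer), WORDS[answer])  # accept "12" or "twelve"

if __name__ == "__main__":
    store = ChallengeStore()
    nonce, text = store.issue()
    print(text)
    print(store.verify(nonce, str(store.pending[nonce])))
```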
Yes. That's what I'm saying. It doesn't happen too frequently when posting to the forum, but happens almost all the time when posting comments to articles. I will be logged into the site, and then when attempting to post a comment on an article a second captcha will show up. This is the second or third time the second captcha has failed to validate when given the correct security code.
When I started this thread I wasn't complaining about the use of captchas per se. I see them as a good thing, being a part of a layered defense. I was complaining about being required to use a captcha after having logged in. That's why I said I couldn't see the value in the second captcha.