
CAPTCHA busting -- A sucker born every minute

I have a small phpBB2 forum attached to this site, which I used briefly to support some of my side projects. phpBB has had a checkered past in terms of security, having been the victim of many exploits. To be fair, that's one of the costs of having been one of the first and most widely successful PHP-based community projects. The number of phpBB deployments is staggering even to this day. With so many forums out there, spammers quickly figured out that if they could write a bot to create an account and auto-post messages, they'd be able to spread their spam far and wide. I was getting so much spam that I ultimately disabled the ability of people to activate their own accounts, and despite this change I still see as many as ten new signups for the forum every day. Who would bother to sign up for an account they can't use? There had to be a way of telling the bots apart from the humans who wanted to post to my forum.

CAPTCHA, as far as the conventional wisdom of the day was concerned, would provide a useful deterrent to this annoyance: bots aren't smart enough to decipher the CAPTCHA images, extract the right combination of numbers and letters depicted in the image, and type them back into the form in order to unlock the account. Without the account, the spammers couldn't have their bots post their spam messages. While phpBB introduced a CAPTCHA capability relatively late in the game, it is now something you get out of the box, and there is at least one mod that improves on the quality of the CAPTCHA image, which is to say, makes it harder to read.

The problem is that CAPTCHAs are there to defeat dumb machines, not dumb humans. And as the old saying goes, there's a sucker born every minute who is more than happy to help your local spammer defeat the CAPTCHA image on your site. How, you might ask? Well, the scam works something like this: John Q. Sucker visits some site that informs him he's getting something for free; it could be a free iPod, porn, or an Xbox 360. All that matters is that this person believes he will get access to the free stuff once he registers.

He visits the spammer's site and is presented with a CAPTCHA image in order to register, only this image didn't come from the spammer's site at all; it came from YOURS. The spammer writes a simple bot that goes to your site and hits the registration page. It takes the CAPTCHA image your site served, and presents it to John Q. Sucker on the spammer's site. Whatever the sucker types in is sent straight back to your registration form, so your CAPTCHA is solved by a human who has never heard of your forum.
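Here is an added example, not code from this post or from phpBB, of how a registration gate can be built with the relay above in mind: each challenge is bound to the session that requested it and to a short expiry window, verifies only once, and one client address may pull only a handful of fresh images per minute. The key, thresholds and class names are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo values, not from the post: the key belongs in server config,
# and the thresholds should be tuned against real registration timings.
SERVER_KEY = b"constructed-demo-key-change-me"
TTL_SECONDS = 45            # relayed answers must travel bot -> human -> bot
MAX_FETCHES_PER_MINUTE = 5  # one honest registration rarely needs many images


class CaptchaGate:
    """Issue CAPTCHA challenges for a registration form and check the answers."""

    def __init__(self):
        self.used = set()   # solved tokens never verify twice
        self.fetches = {}   # client_ip -> timestamps of recent image requests

    def issue(self, session_id, client_ip, now):
        """Return (token, answer), or None if this address pulls images too fast."""
        recent = [t for t in self.fetches.get(client_ip, []) if now - t < 60]
        if len(recent) >= MAX_FETCHES_PER_MINUTE:
            return None     # harvesting images faster than a human registers
        self.fetches[client_ip] = recent + [now]
        answer = secrets.token_hex(3)  # stands in for the text drawn into the image
        return self._sign(session_id, answer, int(now)), answer

    def check(self, session_id, token, typed, now):
        """Return 'ok' or the reason the submission was refused."""
        try:
            issued_s, _mac = token.split(".", 1)
            issued = int(issued_s)
        except ValueError:
            return "malformed"
        if now - issued > TTL_SECONDS:
            return "expired"    # the human on the relay site took too long
        if token in self.used:
            return "replayed"
        expected = self._sign(session_id, typed.strip(), issued)
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return "wrong"      # wrong text, or a token issued to another session
        self.used.add(token)
        return "ok"

    def _sign(self, session_id, answer, issued):
        """Bind answer, session and issue time together so none can be swapped."""
        msg = f"{session_id}|{answer.lower()}|{issued}".encode()
        mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
        return f"{issued}.{mac}"
```

None of this makes a relayed solve impossible, but it forces the relay to complete inside one short-lived session and makes bulk harvesting of images from one address visible in the logs.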
