
Re: [hackers-il] Wiki pulled down due to excessive spam

  • Arik Baratz
    Message 1 of 22 , May 24 3:23 AM
      On 24/05/05, amos@... <amos@...> wrote:

      > I can't find such tools right now (forgot the term used to refer to
      > this trick),

      http://en.wikipedia.org/wiki/Captcha

      I haven't seen a MediaWiki plugin that does that, but there are free
      php implementations.

      -- Arik
    • Shoshannah Forbes
      Message 2 of 22 , May 24 1:16 PM
        On 24/05/2005, at 08:53, amos@... wrote:

        > In most wikis I'm aware of, wacky character images (the ones which
        > look as if you see them through a badly damaged bottom of
        > whisky-bottle) are the most common "human authentication" way today.
        > I suspect this has become prevalent because spam bots became clever
        > enough to give a working temporary e-mail address and be able to
        > register automatically.

        They are called "CAPTCHA" and are a serious usability problem for
        people with vision related disabilities.
        Hell, even without vision problems, I had enough of those reject me
        after what I thought was an "l" turned out to be an "i" or a "1" or
        other similar problems.


        BTW, spammers have figured out how to bypass those: they set up a "free
        porn site" that, in order to enter, you need to answer a CAPTCHA
        pulled from another site.
        Then the CAPTCHA and the answer are fed back to the original site, and
        they're in.

        There are also ways to beat it using only computers. See here:
        http://haacked.com/archive/2005/01/31/2060.aspx
        ---
        Shoshannah Forbes
        http://www.xslf.com
      • Shoshannah Forbes
        Message 3 of 22 , May 24 1:46 PM
          On 24/05/2005, at 23:16, Shoshannah Forbes wrote:
          > There are also ways to beat it using only computers. See here:
          > http://haacked.com/archive/2005/01/31/2060.aspx

          oops.. correct link:
          http://www.brains-n-brawn.com/default.aspx?vDir=aicaptcha
          he has links to other articles about computers solving CAPTCHAs.
          ---
          Shoshannah Forbes
          http://www.xslf.com
        • Tal Kelrich
          Message 4 of 22 , May 25 4:10 AM
            On Tue, 24 May 2005 23:16:02 +0300
            Shoshannah Forbes <xslf@...> wrote:

            >
            > On 24/05/2005, at 08:53, amos@... wrote:
            >
            > > In most wikis I'm aware of, wacky character images (the ones
            > > which look as if you see them through a badly damaged bottom of
            > > whisky-bottle) are the most common "human authentication" way
            > > today. I suspect this has become prevalent because spam bots became
            > > clever enough to give a working temporary e-mail address and be
            > > able to register automatically.
            >
            > They are called "CAPTCHA" and are a serious usability problem for
            > people with vision related disabilities.
            > Hell, even without vision problems, I had enough of those reject me
            > after what I thought was an "l" turned out to be an "i" or a "1" or
            > other similar problems.

            There are audio Captchas that deal with the problem, clearer Captchas
            exist, and most sites allow one to bypass the system entirely by mailing
            an administrator

            > BTW, spammers have figured out how to bypass those- they set up a
            > "free porn site", that in order to enter, you need to answer a
            > CAPTCHA- pulled from another site.
            > then the CAPTCHA and the answer are fed back to the original site- and
            > they're in.

            That's a fairly easy fix: you make your tokens non-reusable, dependent
            on session, quick aging, etc.
            Then they can only attack it in real time.

            --
            Tal Kelrich
            PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
            Key Available at: http://www.hasturkun.com/pub.txt
            ----
            "I may be synthetic, but I'm not stupid" -- the artificial person, from
            _Aliens_
            ----
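Tal's fix above (non-reusable, session-bound, quickly aging challenge tokens), as an added example in Python that is not part of the original thread and not code from any MediaWiki plugin. The store, its method names, the injectable clock and the per-challenge attempt cap are all assumptions for illustration; the answers in the usage are constructed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed example: an in-memory CAPTCHA challenge store. Class and
# method names are assumptions for illustration, not MediaWiki's API.


@dataclass
class Challenge:
    answer: str        # expected solution for this one rendering of the image
    session_id: str    # the session the image was served to
    issued_at: float   # for quick aging
    attempts: int = 0  # guesses made against this rendering so far


def _same(a: str, b: str) -> bool:
    """Constant-time comparison; encoding first keeps non-ASCII answers (e.g. Hebrew) legal."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class ChallengeStore:
    def __init__(self, ttl_seconds: float = 120, max_attempts: int = 3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock      # injectable so expiry can be exercised deterministically
        self._live = {}         # token -> Challenge

    def issue(self, session_id: str, answer: str) -> str:
        """Keep the answer server-side; hand the form only an unguessable token."""
        token = secrets.token_urlsafe(16)
        self._live[token] = Challenge(answer, session_id, self.clock())
        return token

    def verify(self, token: str, session_id: str, answer: str) -> bool:
        ch = self._live.get(token)
        if ch is None:
            return False                      # unknown, expired, or already consumed
        if self.clock() - ch.issued_at > self.ttl:
            del self._live[token]             # aged out: harvested challenges go stale
            return False
        if not _same(ch.session_id, session_id):
            del self._live[token]             # answer arrived from another session: burn it
            return False
        ch.attempts += 1
        ok = _same(ch.answer.strip().casefold(), answer.strip().casefold())
        if ok or ch.attempts >= self.max_attempts:
            del self._live[token]             # single use; also burned after repeated guesses
        return ok


if __name__ == "__main__":
    store = ChallengeStore(ttl_seconds=60)
    t = store.issue("sess-A", "k7x2q")                 # constructed answer
    print(store.verify(t, "sess-B", "k7x2q"))          # False: wrong session, token burned
    t = store.issue("sess-A", "k7x2q")
    print(store.verify(t, "sess-A", "K7X2Q"))          # True
    print(store.verify(t, "sess-A", "k7x2q"))          # False: already consumed
```

What this buys: a (token, answer) pair harvested by a relay site and submitted later, or from a different session, is rejected, and a guessing program gets a bounded number of tries per rendering rather than unlimited ones. A relay that forwards the answer immediately, inside the TTL and through the session that requested the image, still passes; the store only removes the offline variants.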
          • Nadav Har'El
            Message 5 of 22 , May 25 10:18 AM
              On Wed, May 25, 2005, Tal Kelrich wrote about "Re: [hackers-il] Wiki pulled down due to excessive spam":
              > > BTW, spammers have figured out how to bypass those- they set up a
              > > "free porn site", that in order to enter, you need to answer a
              > > CAPTCHA- pulled from another site.
              > > then the CAPTCHA and the answer are fed back to the original site- and
              > > they're in.
              >
              > That's a fairly easy fix, you make your tokens non-reuseable, dependent
              > on session, quick aging, etc.
              > then they can only attack it in real time.

              None of these ideas help, because spammers *can* attack it in real time:
              when a user goes into their porn site, they get a captcha from the wiki
              (or whatever) site, and ask you to solve it for them.

              Also, consider a captcha which has a 10% chance of being solved by a
              good computer program. The attacker will need to run just 10 tries to
              succeed in one with good probability.

              So these CAPTCHAs can help, but are certainly not the silver bullet against
              site abuse by robots.


              --
              Nadav Har'El | Wednesday, May 25 2005, 17 Iyyar 5765
              nyh@... |-----------------------------------------
              Phone +972-523-790466, ICQ 13349191 |How to become immortal: Read this
              http://nadav.harel.org.il |signature tomorrow and follow its advice.
            • Arik Baratz
              Message 6 of 22 , May 25 10:38 AM
                On 25/05/05, Nadav Har'El <nyh@...> wrote:
                [snip]
                > So these CAPCHAs can help, but are certainly not the silver bullet against
                > site abuse by robots.

                I say let's use Captchas today, and worry about Captcha-cracking
                monkeys or whatever becomes popular tomorrow - tomorrow. Shlomi - do
                you need help with this?

                -- Arik
              • Gadi Evron
                Message 7 of 22 , May 25 2:07 PM
                  Shlomi Fish wrote:
                  > Hi all!
                  >
                  > I had to disable the wiki due to an excessive amount of spam in the last
                  > couple of days. It seems that one spammer is using a network of zombie
                  > computers to spam our wiki. We are using rel="nofollow" and I monitor the RSS
                  > feed, but he still continues.
                  >
                  > I hope this guy get caught and stuff. I can give some of the IPs that were
                  > used to spam the wiki if that's any help.

                  Sorry for not responding earlier.

                  DDoS'ing me is one of the stupidest things anyone can do.. and
                  unfortunately I am a member of this list and take them DDoS'ing you
                  rather personally.

                  I will help, please provide me with as many IP's + timestamps.

                  A tcpdump sample log would also be nice.

                  Gadi.
                • Shoshannah Forbes
                  Message 8 of 22 , May 25 3:01 PM
                    On 25/05/2005, at 20:38, Arik Baratz wrote:

                    > I say let's use Captchas today, and worry about Captcha-cracking
                    > monkeys or whatever becomes popular tomorrow - tomorrow

                    Problem is, let's put it bluntly, that visual Captchas suck, and are a
                    real pain for legitimate users (and they block legit users many times,
                    not just blind and hard of seeing users either).

                    My point was that not only are visual Captchas a usability and
                    accessibility problem for legitimate users, they are not that effective
                    against a "black hat" breaking them, and with the widespread use of them,
                    this will happen sooner rather than later.

                    So- are they really necessary? Is the gain really worth the cost?
                    --
                    Shoshannah Forbes
                    http://www.xslf.com
                  • Arik Baratz
                    Message 9 of 22 , May 25 3:23 PM
                      On 26/05/05, Shoshannah Forbes <xslf@...> wrote:
                      > On 25/05/2005, at 20:38, Arik Baratz wrote:
                      > > I say let's use Captchas today, and worry about Captcha-cracking
                      > > monkeys or whatever becomes popular tomorrow - tomorrow
                      >
                      > Problem is, let's put it bluntly, that visual Captchas suck, and are a
                      > real pain for legitimate users (and they block legit users many times,
                      > not just blind and hard of seeing users either).

                      Make them only a part of the user registration process, so a user has
                      to deal with them only once. Have visually challenged people call
                      someone by phone to register a user. Once you have a user, that's it.

                      > So- are they really necessary? Is the gain really worth the cost?

                      Well, if you want the wiki to stay down then they are not worth it,
                      but if we want it up for the time being then definitely. As long as
                      there is easier prey, that will work. A home-grown captcha on our page
                      will be even harder, because someone will need to fit a
                      captcha-guessing engine for OUR site, which is even more effort. I say
                      we have a year until we need to think of something else. The wiki can
                      stay down during that year, or it can stay up with minimal effort.
                      What do you think?

                      -- Arik
                    • amos@amos.mailshell.com
                      Message 10 of 22 , May 25 3:29 PM
                        On 5/26/05, Arik Baratz
                        <arik.baratz.at.gmail.com@...> wrote:
                        > there is easier prey, that will work. A home-grown captcha on our page
                        > will be even harder, because someone will need to fit a
                        > captcha-guessing engine for OUR site, which is even more effort. I say

                        Which made me think - I don't know about developing a captcha in-house
                        (there's probably some mathematics and heuristics developed in this area)
                        but if the captcha is in Hebrew then I guess it will cut down the number of
                        possible spam bots who can get through it by 99% (the percentage of
                        hebrew-speaking people among the porn users).

                        > we have a year until we need to think of something else. The wiki can
                        > stay down during that year, or it can stay up with minimal effort.
                        > What do you think?

                        I'd vote for at least a trial of a captcha (maybe hebrew-based).
                        Don't let what I perceive to be more theoretical arguments shoot this
                        option down.

                        >
                        > -- Arik

                        --Amos
                      • Shoshannah Forbes
                        Message 11 of 22 , May 25 3:43 PM
                          On 26/05/2005, at 01:23, Arik Baratz wrote:
                          > Have visually challenged people call
                          > someone by phone to register a user. Once you have a user, that's it.

                          Visually challenged people are not the only ones that lose
                          accessibility due to visual captchas. There are also people with
                          dyslexia, and even "normal" people with some captchas generated.

                          Although having a one time captcha is not that bad (but still a pain).

                          > Well, if you want the wiki to stay down than they are not worth it,
                          > but if we want it up for the time being then definitely.

                          Ah, so it is a binary thing? Either captcha or nothing at all? What
                          about email verification mentioned here before?


                          > A home-grown captcha on our page
                          > will be even harder, because someone will need to fit a
                          > captcha-guessing engine for OUR site, which is even more effort.

                          There are general captcha-beating scripts out there, that can probably
                          beat many home-grown captcha systems. For example:
                          http://www.puremango.co.uk/cm_breaking_captcha_115.php
                          http://sam.zoy.org/pwntcha/

                          ---
                          Shoshannah Forbes
                          http://www.xslf.com
                        • amos@amos.mailshell.com
                          Message 12 of 22 , May 25 5:06 PM
                            On 5/26/05, Shoshannah Forbes
                            <xslf.at.actcom.co.il@...> wrote:
                            >
                            > On 26/05/2005, at 01:23, Arik Baratz wrote:
                            > > Have visually challenged people call
                            > > someone by phone to register a user. Once you have a user, that's it.
                            >
                            > Visually challenged people are not the only ones that lose
                            > accessibility due to visual captchas. There are also people with
                            > dyslexia, and even "normal" people with some captchas generated.
                            >
                            > Although having a one time captcha is not that bad (but still a pain).

                            When I brought the Captcha idea it was for registration only, not
                            for every time a user wants to login or post something.

                            >
                            > > Well, if you want the wiki to stay down than they are not worth it,
                            > > but if we want it up for the time being then definitely.
                            >
                            > Ah, so it is a binary thing? Either captcha or nothing at all? What
                            > about email verification mentioned here before?

                            No. But captchas seem to be the strongest practical tool against
                            spammers.

                            I raised the captcha idea after arguing that many spam bots easily
                            circumvent the e-mail registration verification with temporary e-mail
                            addresses.

                            > There are general captcha-beating scripts out there, that can probably
                            > beat many home-grown captcha systems. For example:
                            > http://www.puremango.co.uk/cm_breaking_captcha_115.php

                            The first one simply relies on a basic bug in the captcha script logic
                            which allows multiple attempts - pretty similar to brute-force. It can be
                            easily fixed - limit the number of attempts to one or a very small number
                            (it doesn't make sense that a reasonable user will try the same captcha
                            more than about ten times).

                            > http://sam.zoy.org/pwntcha/

                            The "Escape from Captcha" link there indeed puts up some good arguments
                            against captcha - but not many solutions.

                            A couple of answers I thought about what it says:

                            1. (Already suggested this): I guess that using Hebrew captcha should lock
                            out most of the robots and circumnavigation schemes.

                            2. A new idea - monitor the wiki:

                            a. Create multi-level user accounts (two is enough?) - users who already
                            edited some pages fine or were verified in some other way will become unlimited.
                            b. Large changes (complete page replacements, or additions which consist
                            mostly of many URLs) will have to be approved by an "unlimited user".

                            Just some ideas.

                            I'm trying not to lose the focus on what we want to achieve here:
                            on one hand accessibility to a WIKI (i.e. any non-malicious member of the
                            public should be able to participate) while preventing automatic robots from
                            defacing the pages.

                            Cheers,

                            --Amos
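Amos's idea 2 above (two account tiers, with complete page replacements and mostly-URL additions from the limited tier held for approval), as an added example in Python that is not part of the original thread or of any wiki engine. The User class, the thresholds, the line-level similarity measure and the sample page text are all constructed assumptions; a real wiki would call needs_approval from its save path and queue flagged edits for an unlimited user.

```python
import difflib
import re
from dataclasses import dataclass

# Constructed example. Thresholds are illustrative starting points, not tuned values.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class User:
    name: str
    approved_edits: int = 0   # edits that stuck, or were approved by an unlimited user
    trusted: bool = False     # verified some other way (e.g. by phone or by an admin)

    def is_unlimited(self, promote_after: int = 3) -> bool:
        """Tier a: a user graduates after enough good edits or an out-of-band verification."""
        return self.trusted or self.approved_edits >= promote_after


def added_lines(old_lines, new_lines):
    """Lines present in the new revision that were not in the old one."""
    sm = difflib.SequenceMatcher(None, old_lines, new_lines)
    return [line
            for tag, _, _, j1, j2 in sm.get_opcodes()
            if tag in ("insert", "replace")
            for line in new_lines[j1:j2]]


def needs_approval(old: str, new: str, user: User,
                   min_similarity: float = 0.3, min_urls: int = 3, url_share: float = 0.5):
    """Return (flag, reason). Tier b: large or link-heavy edits by limited users wait for review."""
    if user.is_unlimited():
        return False, "unlimited user"
    old_lines, new_lines = old.splitlines(), new.splitlines()
    if old_lines:   # a brand-new page has nothing to be "replaced"
        similarity = difflib.SequenceMatcher(None, old_lines, new_lines).ratio()
        if similarity < min_similarity:
            return True, f"near-complete replacement (line similarity {similarity:.2f})"
    added = added_lines(old_lines, new_lines)
    urls = sum(len(URL_RE.findall(line)) for line in added)
    tokens = sum(len(line.split()) for line in added)
    if urls >= min_urls and urls / tokens >= url_share:
        return True, f"addition is mostly links ({urls} URLs in {tokens} tokens)"
    return False, "small edit"


# Constructed sample page and edits.
PAGE = "\n".join(["== Hackers-IL wiki ==",
                  "Meeting notes for May 2005.",
                  "See the list archive for details."])
TYPO_FIX = PAGE + "\nAdded a line about the next meeting."
REPLACEMENT = "Cheap pills http://spam.example/a"
LINK_DUMP = PAGE + "\n" + "\n".join(f"http://spam.example/{i}" for i in range(3))

if __name__ == "__main__":
    newbie = User("fresh")
    for label, rev in [("typo fix", TYPO_FIX), ("replacement", REPLACEMENT), ("link dump", LINK_DUMP)]:
        print(label, needs_approval(PAGE, rev, newbie))
```

The similarity check compares whole lines, so a limited user rewriting every line of a short page is also held; that is the intended trade-off for a wiki that is being defaced, and the cost is one review by an unlimited user rather than a blocked edit.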
                          • amos@amos.mailshell.com
                            Message 13 of 22 , May 25 8:37 PM
                              On 5/26/05, Gadi Evron <ge.at.linuxbox.org@...> wrote:
                              > DDoS'ing me is one of the stupidest thing anyone can do.. and
                              > unfortunately I am a member of this list and take them DDoS'ing you
                              > rather personally.
                              >
                              > I will help, please provide me with as many IP's + timestamps.
                              >
                              > A tcpdump sample log would also be nice.

                              I'd be curious to hear war stories from this one if you may....

                              >
                              > Gadi.

                              --A
                            • Shoshannah Forbes
                              Message 14 of 22 , May 26 7:40 AM
                                On 26/05/2005, at 03:06, amos@... wrote:

                                > I raised the captcha idea after arguing that many spam bots easily
                                > circumvent the e-mail registration verification with temporary e-mail
                                > addresses.

                                I am not sure how they do that- these registration schemes tend to send
                                the password for logging in (or an authentication token) to the mail
                                box. Even if they use a temp email, they still need to check the
                                mailbox to get the token/password.
                                ---
                                Shoshannah Forbes
                                http://www.xslf.com
                              • Arik Baratz
                                Message 15 of 22 , May 26 8:08 AM
                                  On 26/05/05, Shoshannah Forbes <xslf@...> wrote:

                                  > I am not sure how they do that- these registration schemes tend to send
                                  > the password for the logging (or an authentication token) to the mail
                                  > box. Even if they use a temp email, they still need to check the
                                  > mailbox to get the token/password.

                                  Step 1. Buy a domain, can be anything really (like 93763924bbb.com)
                                  Step 2. set up MX record for the domain to a machine
                                  Step 3. Install an SMTP server on the machine that drops every
                                  incoming email message in a file
                                  Step 4. Parse the files as RFC-2822 messages, and look for a URL in the body
                                  Step 5. Visit every URL (i.e. perform the HTTP GET request and discard
                                  the result)

                                  And then run your robot and have it sign up for users and spam away.

                                  Again, we can make it more complicated by (for example) having a
                                  JavaScript algorithm on the confirm page that performs some action on
                                  the client-side and sends the result or do other tricks to see if
                                  there's a real browser on the other side of the connection. It's an
                                  arms race, really.

                                  --- Arik
                                • Tal Kelrich
                                  Message 16 of 22 , May 26 8:49 AM
                                    On Thu, 26 May 2005 18:08:40 +0300
                                    Arik Baratz <arik.baratz@...> wrote:

                                    > Again, we can make it more complicated by (for example) having a
                                    > JavaScript algorithm on the confirm page that performs some action on
                                    > the client-side and sends the result or do other tricks to see if
                                    > there's a real browser on the other side of the connection. It's an
                                    > arms race, really.
                                    >

                                    Better yet, give them a link for "I do not confirm, delete this user
                                    now", should be clearly marked, though


                                    --
                                    Tal Kelrich
                                    PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
                                    Key Available at: http://www.hasturkun.com/pub.txt
                                    ----
                                    Noise proves nothing. Often a hen who has merely laid an egg cackles as
                                    if she laid an asteroid. -- Mark Twain
                                    ----
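Arik's five-step confirmation-harvesting bot (catch-all mailbox, parse as RFC 2822, GET every URL) run against Tal's clearly marked "I do not confirm, delete this user now" link, as an added example in Python that is not part of the original thread. Both sides are simulated in one file. The domain names, the throwaway address, the HMAC secret and the function names are constructed assumptions; the two tokens are signed over distinct messages so the reject link cannot be derived from the confirm link.

```python
import hashlib
import hmac
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed example. In production the secret comes from configuration, never from source.
SECRET = b"constructed-demo-secret"
BASE = "https://wiki.example.test"   # assumed wiki host


def sign(action: str, user: str) -> str:
    """Separate messages for confirm and reject, so one token says nothing about the other."""
    return hmac.new(SECRET, f"{action}:{user}".encode(), hashlib.sha256).hexdigest()


def build_confirmation_mail(user: str) -> str:
    """Server side: the mail carries a confirm link and a clearly marked reject link."""
    msg = EmailMessage()
    msg["From"] = "wiki@wiki.example.test"
    msg["To"] = f"{user}@throwaway.example"   # constructed catch-all domain, as in the thread
    msg["Subject"] = "Confirm your wiki account"
    confirm = f"{BASE}/confirm?u={user}&t={sign('confirm', user)}"
    reject = f"{BASE}/reject?u={user}&t={sign('reject', user)}"
    msg.set_content(
        f"Someone registered the account '{user}' on the wiki.\n"
        f"If that was you, visit: {confirm}\n\n"
        f"I DID NOT REGISTER - delete this user now: {reject}\n")
    return msg.as_string()


class Accounts:
    """Server side: pending registrations and the two link handlers."""
    LINK = re.compile(r"https://wiki\.example\.test/(confirm|reject)\?u=([A-Za-z0-9_]+)&t=([0-9a-f]{64})")

    def __init__(self):
        self.pending = {}
        self.active = set()

    def register(self, user: str):
        self.pending[user] = True

    def handle(self, url: str) -> str:
        m = self.LINK.fullmatch(url)
        if not m:
            return "ignored"
        action, user, token = m.groups()
        if not hmac.compare_digest(token, sign(action, user)):
            return "bad token"
        if action == "reject":                 # works on pending and freshly confirmed accounts alike
            self.pending.pop(user, None)
            self.active.discard(user)
            return "deleted"
        if user not in self.pending:
            return "not pending"
        del self.pending[user]
        self.active.add(user)
        return "confirmed"


def urls_in_mail(raw: str):
    """Step 4: parse the stored file as an RFC 2822 message and pull URLs from the decoded body."""
    body = message_from_string(raw, policy=policy.default).get_content()
    return re.findall(r"https?://\S+", body)


def naive_bot(raw: str, accounts: Accounts):
    """Step 5: visit every URL and discard the page. Returns what each visit did, for the demo."""
    return [accounts.handle(url) for url in urls_in_mail(raw)]


if __name__ == "__main__":
    acc = Accounts()
    acc.register("spambot42")
    print(naive_bot(build_confirmation_mail("spambot42"), acc))   # ['confirmed', 'deleted']
    print("spambot42" in acc.active)                               # False
```

The bot confirms the account with the first link and deletes it with the second, which is why the reject link has to be unmistakable for humans and unconditionally honoured by the server. A bot that learns to skip links near the word "delete" is back in the arms race Arik describes; this trick raises the cost of the simplest harvester, nothing more.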