Re: [hackers-il] Wiki pulled down due to excessive spam

  • Shoshannah Forbes
    Message 1 of 22, May 24 1:46 PM
      On 24/05/2005, at 23:16, Shoshannah Forbes wrote:
      > There are also ways to beat it using only computers. See here:
      > http://haacked.com/archive/2005/01/31/2060.aspx

      oops.. correct link:
      http://www.brains-n-brawn.com/default.aspx?vDir=aicaptcha
      he has links to other articles about computers solving CAPTCHAs.
      ---
      Shoshannah Forbes
      http://www.xslf.com
    • Tal Kelrich
      Message 2 of 22, May 25 4:10 AM
        On Tue, 24 May 2005 23:16:02 +0300
        Shoshannah Forbes <xslf@...> wrote:

        >
        > On 24/05/2005, at 08:53, amos@... wrote:
        >
        > > In most wikis I'm aware of, wacky character images (the ones
        > > which look as if you see them through a badly damaged bottom of a
        > > whisky bottle) are the most common "human authentication" way
        > > today. I suspect this has become prevalent because spam bots became
        > > clever enough to give a working temporary e-mail address and be
        > > able to register automatically.
        >
        > They are called "CAPTCHA" and are a serious usability problem for
        > people with vision related disabilities.
        > Hell, even without vision problems, I had enough of those reject me
        > after what I thought was an "l" turned out to be an "i" or a "1" or
        > other similar problems.

        There are audio Captchas that deal with the problem, clearer Captchas
        exist, and most sites allow one to bypass the system entirely by mailing
        an administrator.

        > BTW, spammers have figured out how to bypass those- they set up a
        > "free porn site", that in order to enter, you need to answer a
        > CAPTCHA- pulled from another site.
        > then the CAPTCHA and the answer are fed back to the original site- and
        > they're in.

        That's a fairly easy fix, you make your tokens non-reusable, dependent
        on session, quick aging, etc.
        then they can only attack it in real time.

        --
        Tal Kelrich
        PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
        Key Available at: http://www.hasturkun.com/pub.txt
        ----
        "I may be synthetic, but I'm not stupid" -- the artificial person, from
        _Aliens_
        ----
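As an added example (not code from the thread; the wiki software in question is not named, so the in-memory store, the names and the limits are assumptions), here is how the "non-reusable, session-bound, quickly aging" tokens described above can be implemented, with a per-challenge attempt cap on top:

```python
"""Single-use, session-bound, short-lived CAPTCHA challenges.

Added example, not code from the thread; the wiki software is not named there,
so the in-memory store, the names and the limits below are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CHALLENGE_TTL = 120   # seconds a challenge stays answerable (assumed value)
MAX_ATTEMPTS = 3      # wrong answers before a challenge is burned (assumed value)


@dataclass
class Challenge:
    session_id: str   # the session the image was served to
    answer: str       # what the image shows; never sent to the client
    issued_at: float
    attempts: int = 0


class CaptchaStore:
    """Outstanding challenges keyed by an opaque token carried in the form."""

    def __init__(self) -> None:
        self._live: Dict[str, Challenge] = {}

    def issue(self, session_id: str, answer: str, now: Optional[float] = None) -> str:
        """Record a challenge for this session and return the form token."""
        token = secrets.token_urlsafe(16)
        issued = time.time() if now is None else now
        self._live[token] = Challenge(session_id, answer, issued)
        return token

    def verify(self, session_id: str, token: str, answer: str,
               now: Optional[float] = None) -> str:
        """Return 'ok' or the reason the submission was refused.

        Every outcome except a wrong answer under the attempt cap deletes the
        challenge, so a (token, answer) pair harvested through a relay site
        works at most once, only from the session it was issued to, and only
        while it is fresh."""
        now = time.time() if now is None else now
        ch = self._live.get(token)
        if ch is None:
            return "unknown-or-used"
        if ch.session_id != session_id:
            del self._live[token]           # submitted from a different session
            return "wrong-session"
        if now - ch.issued_at > CHALLENGE_TTL:
            del self._live[token]
            return "expired"
        if hmac.compare_digest(ch.answer.lower(), answer.strip().lower()):
            del self._live[token]           # single use
            return "ok"
        ch.attempts += 1
        if ch.attempts >= MAX_ATTEMPTS:
            del self._live[token]           # no guessing one image repeatedly
            return "too-many-attempts"
        return "wrong-answer"


def demo() -> Dict[str, str]:
    """Exercise the cases discussed in the thread; outcome keyed by case."""
    store = CaptchaStore()
    t0 = 1_000_000.0
    out: Dict[str, str] = {}

    tok = store.issue("sess-A", "k7xq", now=t0)
    out["first-use"] = store.verify("sess-A", tok, "K7XQ", now=t0 + 5)
    out["replay"] = store.verify("sess-A", tok, "k7xq", now=t0 + 6)

    tok = store.issue("sess-A", "m2pd", now=t0)
    out["other-session"] = store.verify("sess-B", tok, "m2pd", now=t0 + 5)

    tok = store.issue("sess-A", "r9vt", now=t0)
    out["stale"] = store.verify("sess-A", tok, "r9vt", now=t0 + CHALLENGE_TTL + 1)

    tok = store.issue("sess-A", "h4wn", now=t0)
    for guess in ("aaaa", "bbbb", "cccc"):
        out["guessing"] = store.verify("sess-A", tok, guess, now=t0 + 1)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} {result}")
```

This closes the harvest-and-replay path: a (token, answer) pair solved on the relay site is good once, only from the session it was issued to, and only for two minutes. It does nothing against a real-time relay, where the relay's visitor is solving a fresh, live challenge inside that same window; and since the attempt cap is per challenge, a bot can simply keep requesting new images, so issuance itself also needs rate limiting per session or address.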
      • Nadav Har'El
        Message 3 of 22, May 25 10:18 AM
          On Wed, May 25, 2005, Tal Kelrich wrote about "Re: [hackers-il] Wiki pulled down due to excessive spam":
          > > BTW, spammers have figured out how to bypass those- they set up a
          > > "free porn site", that in order to enter, you need to answer a
          > > CAPTCHA- pulled from another site.
          > > then the CAPTCHA and the answer are fed back to the original site- and
          > > they're in.
          >
          > That's a fairly easy fix, you make your tokens non-reusable, dependent
          > on session, quick aging, etc.
          > then they can only attack it in real time.

          None of these ideas help, because spammers *can* attack it in real time -
          when a user goes into their porn site, they get a CAPTCHA from the wiki
          (or whatever) site, and ask you to solve it for them.

          Also, consider a captcha which has a 10% chance of being solved by a
          good computer program. The attacker will need to run just 10 tries to
          succeed in one in good probability.

          So these CAPTCHAs can help, but are certainly not the silver bullet against
          site abuse by robots.


          --
          Nadav Har'El | Wednesday, May 25 2005, 17 Iyyar 5765
          nyh@... |-----------------------------------------
          Phone +972-523-790466, ICQ 13349191 |How to become immortal: Read this
          http://nadav.harel.org.il |signature tomorrow and follow its advice.
        • Arik Baratz
          Message 4 of 22, May 25 10:38 AM
            On 25/05/05, Nadav Har'El <nyh@...> wrote:
            [snip]
            > So these CAPTCHAs can help, but are certainly not the silver bullet against
            > site abuse by robots.

            I say let's use Captchas today, and worry about Captcha-cracking
            monkeys or whatever becomes popular tomorrow - tomorrow. Shlomi - do
            you need help with this?

            -- Arik
          • Gadi Evron
            Message 5 of 22, May 25 2:07 PM
              Shlomi Fish wrote:
              > Hi all!
              >
              > I had to disable the wiki due to an excessive amount of spam in the last
              > couple of days. It seems that one spammer is using a network of zombie
              > computers to spam our wiki. We are using rel="nofollow" and I monitor the RSS
              > feed, but he still continues.
              >
              > I hope this guy get caught and stuff. I can give some of the IPs that were
              > used to spam the wiki if that's any help.

              Sorry for not responding earlier.

              DDoS'ing me is one of the stupidest things anyone can do.. and
              unfortunately I am a member of this list and take them DDoS'ing you
              rather personally.

              I will help, please provide me with as many IP's + timestamps.

              A tcpdump sample log would also be nice.

              Gadi.
            • Shoshannah Forbes
              Message 6 of 22, May 25 3:01 PM
                On 25/05/2005, at 20:38, Arik Baratz wrote:

                > I say let's use Captchas today, and worry about Captcha-cracking
                > monkeys or whatever becomes popular tomorrow - tomorrow

                Problem is, let's put it bluntly, that visual Captchas suck, and are a
                real pain for legitimate users (and they block legit users many times,
                not just blind and hard of seeing users either).

                My point was that not only are visual Captchas a usability and
                accessibility problem for legitimate users, they are not that effective
                for a "black hat" to break, and with the widespread use of them, this
                will happen sooner rather than later.

                So- are they really necessary? Is the gain really worth the cost?
                --
                Shoshannah Forbes
                http://www.xslf.com
              • Arik Baratz
                Message 7 of 22, May 25 3:23 PM
                  On 26/05/05, Shoshannah Forbes <xslf@...> wrote:
                  > On 25/05/2005, at 20:38, Arik Baratz wrote:
                  > > I say let's use Captchas today, and worry about Captcha-cracking
                  > > monkeys or whatever becomes popular tomorrow - tomorrow
                  >
                  > Problem is, let's put it bluntly, that visual Captchas suck, and are a
                  > real pain for legitimate users (and they block legit users many times,
                  > not just blind and hard of seeing users either).

                  Make them only a part of the user registration process, so a user has
                  to deal with them only once. Have visually challenged people call
                  someone by phone to register a user. Once you have a user, that's it.

                  > So- are they really necessary? Is the gain really worth the cost?

                  Well, if you want the wiki to stay down then they are not worth it,
                  but if we want it up for the time being then definitely. As long as
                  there is easier prey, that will work. A home-grown captcha on our page
                  will be even harder, because someone will need to fit a
                  captcha-guessing engine for OUR site, which is even more effort. I say
                  we have a year until we need to think of something else. The wiki can
                  stay down during that year, or it can stay up with minimal effort.
                  What do you think?

                  -- Arik
                • amos@amos.mailshell.com
                  Message 8 of 22, May 25 3:29 PM
                    On 5/26/05, Arik Baratz
                    <arik.baratz.at.gmail.com@...> wrote:
                    > there is easier pray, that will work. A home-grown captcha on our page
                    > will be even harder, because someone will need to fit a
                    > captcha-guessing engine for OUR site, which is even more effort. I say

                    Which made me think - I don't know about developing a captcha in-house
                    (there's probably some mathematics and heuristics developed in this area)
                    but if the captcha is in Hebrew then I guess it will cut down the number of
                    possible spam bots who can get through it by 99% (the percentage of
                    Hebrew-speaking people among the porn users).

                    > we have a year until we need to think of something else. The wiki can
                    > stay down during that year, or it can stay up with minimal effort.
                    > What do you think?

                    I'd vote for at least a trial of a captcha (maybe Hebrew-based).
                    Don't let what I perceive to be more theoretical arguments shoot this
                    option down.

                    >
                    > -- Arik

                    --Amos
                  • Shoshannah Forbes
                    Message 9 of 22, May 25 3:43 PM
                      On 26/05/2005, at 01:23, Arik Baratz wrote:
                      > Have visually challenged people call
                      > someone by phone to register a user. Once you have a user, that's it.

                      Visually challenged people are not the only ones that lose
                      accessibility due to visual captchas. There are also people with
                      dyslexia, and even "normal" people with some captchas generated.

                      Although having a one time captcha is not that bad (but still a pain).

                      > Well, if you want the wiki to stay down than they are not worth it,
                      > but if we want it up for the time being then definitely.

                      Ah, so it is a binary thing? Either captcha or nothing at all? What
                      about email verification mentioned here before?


                      > A home-grown captcha on our page
                      > will be even harder, because someone will need to fit a
                      > captcha-guessing engine for OUR site, which is even more effort.

                      There are general captcha-beating scripts out there, that can probably
                      beat many home-grown captcha systems. For example:
                      http://www.puremango.co.uk/cm_breaking_captcha_115.php
                      http://sam.zoy.org/pwntcha/

                      ---
                      Shoshannah Forbes
                      http://www.xslf.com
                    • amos@amos.mailshell.com
                      Message 10 of 22, May 25 5:06 PM
                        On 5/26/05, Shoshannah Forbes
                        <xslf.at.actcom.co.il@...> wrote:
                        >
                        > On 26/05/2005, at 01:23, Arik Baratz wrote:
                        > > Have visually challenged people call
                        > > someone by phone to register a user. Once you have a user, that's it.
                        >
                        > Visually challenged people are not the only ones that lose
                        > accessibility due to visual captchas. There are also people with
                        > dyslexia, and even "normal" people with some captchas generated.
                        >
                        > Although having a one time captcha is not that bad (but still a pain).

                        When I brought the Captcha idea it was for registration only, not
                        for every time a user wants to login or post something.

                        >
                        > > Well, if you want the wiki to stay down than they are not worth it,
                        > > but if we want it up for the time being then definitely.
                        >
                        > Ah, so it is a binary thing? Either captcha or nothing at all? What
                        > about email verification mentioned here before?

                        No. But captchas seem to be the strongest practical tool against
                        spammers.

                        I raised the captcha idea after arguing that many spam bots easily
                        circumvent the e-mail registration verification with temporary e-mail
                        addresses.

                        > There are general captcha-beating scripts out there, that can probably
                        > beat many home-grown captcha systems. For example:
                        > http://www.puremango.co.uk/cm_breaking_captcha_115.php

                        The first one simply relies on a basic bug in the captcha script logic
                        which allows multiple attempts - pretty similar to brute force. It can be
                        easily fixed - limit the number of attempts to one or a very small number
                        (it doesn't make sense that a reasonable user will try the same captcha
                        more than about ten times).

                        > http://sam.zoy.org/pwntcha/

                        The "Escape from Captcha" link there indeed puts up some good arguments
                        against captcha - but not many solutions.

                        A couple of answers I thought of to what it says:

                        1. (Already suggested this): I guess that using a Hebrew captcha should lock
                        out most of the robots and circumnavigation schemes.

                        2. A new idea - monitor the wiki:

                        a. Create multi-level user accounts (two is enough?) - users who already
                        edited some pages fine or were verified in some other way will become unlimited.
                        b. Large changes (complete page replacements, or additions which consist
                        mostly of many URLs) will have to be approved by an "unlimited user".

                        Just some ideas.

                        I'm trying not to lose the focus on what we want to achieve here:
                        on one hand accessibility to a WIKI (i.e. any non-malicious member of the
                        public should be able to participate) while avoiding automatic robots from
                        defacing the pages.

                        Cheers,

                        --Amos
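An added example of point 2 above (two user levels, with large or URL-heavy edits from limited users held for an unlimited user's approval). This is not code from the thread or from the wiki it discusses; the level names, the thresholds and the sample page text are assumptions. Edits are compared line by line, so a page replacement shows up as few of the old lines surviving, and link spam as added text that is mostly URLs:

```python
"""Two-level wiki users with hold-for-approval on risky edits.

Added example, not code from the thread or from the wiki it discusses; the
level names, thresholds and sample page text are assumptions."""
import difflib
import re
from typing import Optional

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)

KEPT_LINES_MIN = 0.3   # fewer old lines surviving than this: a replacement (assumed)
URL_SHARE_MAX = 0.5    # added text at least half URLs looks like link spam (assumed)
MIN_ADDED_CHARS = 40   # ignore tiny additions (assumed)
TRUST_AFTER = 3        # clean edits before a limited user becomes unlimited (assumed)


def added_text(old: str, new: str) -> str:
    """Lines present in `new` but not in `old`; what a spam bot contributes."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return "\n".join(line[1:] for line in diff
                     if line.startswith("+") and not line.startswith("+++"))


def needs_approval(old: str, new: str, user_level: str) -> Optional[str]:
    """Return None if the edit may go live, else why it is queued for review."""
    if user_level == "unlimited":
        return None                            # trusted users edit freely
    old_lines, new_lines = old.splitlines(), new.splitlines()
    if old_lines:
        # Share of the page that survived, measured on whole lines.
        kept = difflib.SequenceMatcher(None, old_lines, new_lines).ratio()
        if kept < KEPT_LINES_MIN:
            return "page replacement"
    added = added_text(old, new)
    if len(added) >= MIN_ADDED_CHARS:
        url_chars = sum(len(u) for u in URL_RE.findall(added))
        if url_chars / len(added) >= URL_SHARE_MAX:
            return "mostly URLs"
    return None


def level_after(clean_edits: int) -> str:
    """Point a. of the message: enough approved edits promote the account."""
    return "unlimited" if clean_edits >= TRUST_AFTER else "limited"


# Constructed sample page and three candidate edits (not from the wiki).
OLD = "Hackers-IL wiki\n\nMeeting notes for May 2005.\nNext meeting: to be announced.\n"
NEW_GOOD = OLD + "Slides from the last talk are now linked from the talks page.\n"
NEW_SPAM = OLD + ("cheap http://example.invalid/pills http://example.invalid/casino "
                  "http://example.invalid/loans\n")
NEW_REPLACED = "V1AGRA c1alis http://example.invalid/a http://example.invalid/b\n"


if __name__ == "__main__":
    for name, new in (("good", NEW_GOOD), ("spam", NEW_SPAM), ("replaced", NEW_REPLACED)):
        print(f"{name:9s} limited -> {needs_approval(OLD, new, 'limited')}")
```

The thresholds are the tuning knobs; set them from a sample of real edits rather than by guessing, and record the reason string with each held edit so the approval queue shows why it was stopped.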
                      • amos@amos.mailshell.com
                        Message 11 of 22, May 25 8:37 PM
                          On 5/26/05, Gadi Evron <ge.at.linuxbox.org@...> wrote:
                          > DDoS'ing me is one of the stupidest thing anyone can do.. and
                          > unfortunately I am a member of this list and take them DDoS'ing you
                          > rather personally.
                          >
                          > I will help, please provide me with as many IP's + timestamps.
                          >
                          > A tcpdump sample log would also be nice.

                          I'd be curious to hear war stories from this one if you may....

                          >
                          > Gadi.

                          --A
                        • Shoshannah Forbes
                          Message 12 of 22, May 26 7:40 AM
                            On 26/05/2005, at 03:06, amos@... wrote:

                            > I raised the captcha idea after arguing that many spam bots easily
                            > circumvent the e-mail registration verification with temporary e-mail
                            > addresses.

                            I am not sure how they do that- these registration schemes tend to send
                            the password for logging in (or an authentication token) to the mail
                            box. Even if they use a temp email, they still need to check the
                            mailbox to get the token/password.
                            ---
                            Shoshannah Forbes
                            http://www.xslf.com
                          • Arik Baratz
                            Message 13 of 22, May 26 8:08 AM
                              On 26/05/05, Shoshannah Forbes <xslf@...> wrote:

                              > I am not sure how they do that- these registration schemes tend to send
                              > the password for the logging (or an authentication token) to the mail
                              > box. Even if they use a temp email, they still need to check the
                              > mailbox to get the token/password.

                              Step 1. Buy a domain, can be anything really (like 93763924bbb.com)
                              Step 2. Set up an MX record for the domain pointing to a machine
                              Step 3. Install an SMTP server on the machine that drops every
                              incoming email message in a file
                              Step 4. Parse the files as RFC 2822 messages, and look for a URL in the body
                              Step 5. Visit every URL (i.e. perform the HTTP GET request and discard
                              the result)

                              And then run your robot and have it sign up for users and spam away.

                              Again, we can make it more complicated by (for example) having a
                              JavaScript algorithm on the confirm page that performs some action on
                              the client-side and sends the result or do other tricks to see if
                              there's a real browser on the other side of the connection. It's an
                              arms race, really.

                              --- Arik
                            • Tal Kelrich
                              Message 14 of 22, May 26 8:49 AM
                                On Thu, 26 May 2005 18:08:40 +0300
                                Arik Baratz <arik.baratz@...> wrote:

                                > Again, we can make it more complicated by (for example) having a
                                > JavaScript algorithm on the confirm page that performs some action on
                                > the client-side and sends the result or do other tricks to see if
                                > there's a real browser on the other side of the connection. It's an
                                > arms race, really.
                                >

                                Better yet, give them a link for "I do not confirm, delete this user
                                now". It should be clearly marked, though.


                                --
                                Tal Kelrich
                                PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F CAE6 FEC1 9AAC 12B9 AA69
                                Key Available at: http://www.hasturkun.com/pub.txt
                                ----
                                Noise proves nothing. Often a hen who has merely laid an egg cackles as
                                if she laid an asteroid. -- Mark Twain
                                ----
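The five steps in Arik's message above and Tal's "I do not confirm" link, as one added example in Python. It is not code from the thread; the mail text, the URL layout, the token and the account model are all constructed. harvest_urls is steps 4 and 5 from the bot's side, Accounts is the wiki side with rejection made final, and run_bot shows what happens when the bot visits every URL it finds, and what happens one round of the arms race later when it skips links that look like a rejection:

```python
"""Steps 4 and 5 of the mail-verification bypass, run against a server whose
confirmation mail also carries a 'delete this user' link.

Added example, not code from the thread; the mail, the URL layout, the token
and the account model are constructed for illustration."""
import email
import hmac
import html
import re
import urllib.parse
from email import policy
from typing import Dict, List, Sequence

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed registration mail, as the attacker's catch-all MX would store it.
RAW_MAIL = b"""\
From: wiki@wiki.example
To: u7xq@93763924bbb.example
Subject: Confirm your wiki account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Someone registered the user 'u7xq' with this address.

Confirm:            https://wiki.example/confirm?u=u7xq&t=3f9c0a
Not you? Delete it: https://wiki.example/reject?u=u7xq&t=3f9c0a
--b1
Content-Type: text/html; charset="utf-8"

<p><a href="https://wiki.example/confirm?u=u7xq&amp;t=3f9c0a">Confirm</a>
or <a href="https://wiki.example/reject?u=u7xq&amp;t=3f9c0a">delete</a>.</p>
--b1--
"""


def harvest_urls(raw: bytes) -> List[str]:
    """Step 4: parse the stored file as an RFC 2822 message and pull out every URL."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        if part.get_content_subtype() == "html":
            body = html.unescape(body)          # &amp; back to & before matching
        for url in URL_RE.findall(body):
            if url not in found:
                found.append(url)
    return found


class Accounts:
    """Registration state on the wiki side.  Rejecting is final: a confirm after
    a reject does nothing, so the order in which the links are hit does not matter."""

    def __init__(self) -> None:
        self.state: Dict[str, str] = {}     # user -> pending | active | deleted
        self.tokens: Dict[str, str] = {}

    def register(self, user: str, token: str) -> None:
        self.state[user] = "pending"
        self.tokens[user] = token

    def visit(self, url: str) -> str:
        """Handle a GET of a confirm or reject link; returns the user's state."""
        parsed = urllib.parse.urlparse(url)
        query = urllib.parse.parse_qs(parsed.query)
        user = query.get("u", [""])[0]
        token = query.get("t", [""])[0]
        if user not in self.tokens or not hmac.compare_digest(self.tokens[user], token):
            return "bad-token"
        if parsed.path == "/confirm" and self.state[user] == "pending":
            self.state[user] = "active"
        elif parsed.path == "/reject":
            self.state[user] = "deleted"
        return self.state[user]


def run_bot(raw: bytes, skip_words: Sequence[str] = ()) -> str:
    """Step 5: GET every harvested URL and discard the result.  `skip_words`
    models the next round of the arms race: a bot that avoids links whose
    text suggests deletion."""
    accounts = Accounts()
    accounts.register("u7xq", "3f9c0a")
    for url in harvest_urls(raw):
        if any(word in url for word in skip_words):
            continue
        accounts.visit(url)
    return accounts.state["u7xq"]


if __name__ == "__main__":
    print(harvest_urls(RAW_MAIL))
    print("naive bot:", run_bot(RAW_MAIL))
    print("bot that skips 'reject':", run_bot(RAW_MAIL, skip_words=("reject",)))
```

The reject link costs the naive "visit everything" bot its account whichever link it follows first, but a bot that simply filters URLs by a word, or only follows the first one, is through again, which is the arms race Arik's message describes.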