fkelly
Moderator


Joined: Aug 30, 2005
Posts: 3186
Location: near Albany NY

Posted: Sat May 23, 2009 7:31 am

A few weeks ago I was on the phone with one of the users of my bicycle club site as she tried to enter a news article. She is a very well educated and intelligent lady, a former reading teacher -- but not particularly facile with the computer. One of the purposes of having RN sites is that people such as this can put information on our sites with minimal administrator intervention ... I think.

So I coaxed her through clicking on submit news and explained how to enter the title and what to do in the wysiwyg box and what the toolbar icons there meant and how to paste something she had in Word in. After a few fits and starts all was good. She did the preview, then the submit. Then "oh d***ed Frank, it went away". I could see no submission in the waiting content area on my end so I asked specifically what she had seen. "Well there were some squiggly characters up on the screen and I didn't know what to do so I hit something". Lord knows what she hit but after trying the back key and other things I concluded the article was indeed lost somewhere in cyber space. In this case I just had her send me the article by email and I posted it but then I got to thinking ...

If you run a site and you don't allow anonymous to post (and that's the only sane option IMHO) then they have to be logged in to be able to submit news or a forum topic or do any other entry. And if you require CAPTCHA on the login then they have already passed that barrier once. Why require it for every entry?

After thinking it over I've just gone in and changed my rnconfig.php to only require captcha for anonymous. I believe other protections will keep anonymous from even getting this far (they shouldn't see submit news if the module is for registered users only for instance). But registered and logged in users will not have to pass captcha for every submission. One less annoyance.

I'll post back if I get spammed cause of this. I was going to post the section of rnconfig but it is very self-explanatory so I won't. You just need to change a bunch of variables to the value 1 instead of the default value of 3.
FireATST
RavenNuke(tm) Development Team


Joined: Jun 12, 2004
Posts: 633
Location: Ohio

Posted: Sat May 23, 2009 6:54 pm

Humm, sometimes the simplest answers appear to be right in front of our faces. That is an excellent idea, fkelly. Will be interested to see the follow-up on this....
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

Posted: Sun May 24, 2009 11:06 am

It depends on how you allow registering. For instance, this site allows anyone to register w/o a background check. Probably a couple times a month (on average) a registered user will post spam and/or other crap. By only requiring anonymous to use the captcha then these registered users can easily automate their spamming and my issues would compound. So, there are definitely pros and cons.
fkelly
Moderator


Joined: Aug 30, 2005
Posts: 3186
Location: near Albany NY

Posted: Sun May 24, 2009 4:00 pm

I agree there are pros and cons. I run a much smaller site than you do. While I don't do a thorough background check on new users I do see and approve them (thanks to RNYA). Someone could get in using an "innocent looking" email address and then spam me ... no question. It is just a trade-off. My users are not committed computer folks and the captcha is a big annoyance to them and discourages them from posting so I am trying it the way I stated in the initial post. If I get spammed a lot I may have to go back to the old captcha settings.
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9136
Location: Arizona

Posted: Mon May 25, 2009 9:13 am

I'll be honest, the whole reason why I wanted to add the Captcha to the interior modules is to stop auto-spam with a twist. I was noticing an actual human being would physically create a new account, then log in, and then BAM, hit the auto-spam "button" and a whole slew of crap got into my new comments.

I even had someone once manually create five comments and then finally gave up... I am sure they got tired of having to enter in a captcha each time. lol.
TAd
Worker


Joined: Oct 11, 2004
Posts: 104
Location: Oregon, USA

Posted: Wed Mar 23, 2011 8:55 am

I require admin permission and only require the Captcha to create an account. To be honest, I am not sure why I do that. Captcha has been defeated already from the articles I have read (albeit some time ago, and I am sure it continues). So in a way all I am doing is annoying users (me) with the system, to some degree.

From my own personal experience, when Captcha is enabled, I often have to try multiple times to get past it. I have 20/15 vision, I can see it, I am also not color blind. It is that Captcha data is often very obscure, words from languages that may hold no meaning for me (not easily recognizable). It can have letters that are sometimes ill formed or distorted, or it simply runs letters together. Often a combination of some or all of these elements is implemented. Captcha makes me want to go have my eyes checked at times. Now obviously there are different "schemes" (for lack of a better term) for Captcha. Some I do find easier to read than others.

From Captcha Devs: [Image]

As you can see, some are easier to make out than others. But nearly all of them are easier to read than those I see most often. A simple Google search of images will demonstrate far better than I am able to articulate.

Google search: bad captcha click on Images. (link too long to post),
or Google "insert bad word" captcha and click on images. There are also good ones searching Captcha fail .

In my opinion, when it becomes more of a problem for real people, and not computers, I have to pass. This is where I miss the Spam Stopper Module. It looked for spamming in posts etc. and used to block them and ban them immediately for the times I was not available to do so. Sadly, when my site was offline, I had a backup HDD failure and lost it.

Now, I am not saying scrap Captcha, but Captcha is in need of some work. If any security tool becomes a burden to users, and they shut it off, one should figure out why that is (Vista UAC is a good example). You have to consciously maintain a balance between security and usability. If the tools available are not deemed usable, they will be shut off.

I appreciate this thread, as it provides me an opportunity to stop and think about security for a bit. As well as learn some new things! Now on to my search for a fix of the "link modification" request that seems to be open to Anonymous...


Last edited by TAd on Wed Mar 23, 2011 6:50 pm; edited 1 time in total
TAd
Worker


Joined: Oct 11, 2004
Posts: 104
Location: Oregon, USA

Posted: Wed Mar 23, 2011 8:58 am

I am sorry for bumping an old thread!! I just looked at the date of the last post (after I made my post).
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

Posted: Wed Mar 23, 2011 9:32 am

NP!
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6373
Location: Vsetin, Czech Republic

Posted: Fri Mar 25, 2011 9:42 pm

As Raven said, there are pros and cons to using CAPTCHA.
I find the RN CAPTCHA very readable but then I always wear my reading glasses when at the PC and of course (if you really must) you can adjust the amount of 'interference' within the Class file.

I don't actually get a lot of incoming data from visitors (News etc) so I'm happy to leave the CAPTCHA on but as montego stated, we have both seen cases where genuine humans have registered and then proceeded to spam parts of the site before finally giving up after a few submissions because it is simply too much effort.

@ TAd Spam Stopper (now renamed as Site Guardian due to added functionality) is actually being re-written right now.
TAd
Worker


Joined: Oct 11, 2004
Posts: 104
Location: Oregon, USA

Posted: Sat Mar 26, 2011 3:29 am

It is always interesting to see how different people all running websites, which have different content/purposes, deal with similar yet distinct hurdles.

I am glad it is being re-written/re-released. I made a comment on the CA forums about it as I am eager to get that kind of a system up and running again on my site!
wHiTeHaT
Involved


Joined: Jul 18, 2004
Posts: 442
Location: Netherlands

Posted: Mon Mar 28, 2011 1:02 pm

I think it would be wise (in fkelly's scenario) to show an alert if the captcha field is empty.
Or don't show the post button in the page at all, but show the button after the captcha is accepted.
fkelly
Moderator


Joined: Aug 30, 2005
Posts: 3186
Location: near Albany NY

Posted: Mon Mar 28, 2011 1:49 pm

Looking back at one of my previous posts it was almost 2 years ago (May 2009). I had CAPTCHA turned off on my bike club site then and I still do now. No spam because I approve waiting users individually. On a test site that I ran for a long time I accidentally turned approve users off for a while. Within a week I had people spamming the forums there. CAPTCHA doesn't stop it; approve users usually will ... the one that's built into RNYA.

When I'm feeling brain dead (or maybe I should say more brain dead than usual) I sometimes just browse through the wonderful tool Bob Marion bequeathed to us ... IP tracking. Every day I see at least a few people trying to break into Your Account and assign themselves a username without my approval. I usually ban their IP when I see that pattern although I know it is kind of futile.
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9136
Location: Arizona

Posted: Mon Mar 28, 2011 4:28 pm

Just another quick comment, the current captcha that is in RN has been around now for what, 2-3 years? If it had been cracked, wouldn't we have all been suffering from tons of automated setups and spammy posts? I haven't seen them.
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3143
Location: Germany:Moderator German NukeSentinel Support

Posted: Tue Mar 29, 2011 8:57 am

I have found in my logs entries where someone looked if my RN website uses a captcha. I'm glad I have it always enabled and no spam till today.
I have not had XRumer attacks in the past but I'm quite sure it will not work.
In my opinion a Captcha is only one method to prevent spam and automatic registration but there are several other ways too.