Full Disclosure mailing list archives

RE: Comment Spam: new trends, failing counter-measures and why it's a big deal


From: "php0t" <very () unprivate com>
Date: Mon, 13 Feb 2006 19:46:56 +0100

http://en.wikipedia.org/wiki/Captcha#Defeating_Captchas
might be a good place to start.  pwntcha is supposedly quite
successful.

  Thanks for the tip. Shame on me for not clicking the Wikipedia link
last time.
I will comment on the links I found worthwhile.

1) http://www.puremango.co.uk/cm_breaking_captcha_115.php
Different subject: it explains how to defeat poor implementations of it
that don't get rid of the session.

2) http://www.puremango.co.uk/acdc_breakcaptcha.php
Gonna look into it, seems promising in the aspect of letting me supply
an image of my choice.

3) http://web.archive.org/web/20050329185234/http://sam.zoy.org/pwntcha/
(quote) "Q. Please give me a copy of PWNtcha so that I can test it on my
own CAPTCHA and see how efficient it is! 
A. PWNtcha does not work that way. It is not an intelligent program that
tries to decode a random CAPTCHA. Such a program would be nearly
impossible to do. PWNtcha is simply a toolkit of image manipulation
functions, and a list of known CAPTCHAs with the associated list of
image operations to apply in order to decode each of them. If I have
never seen your CAPTCHA, then PWNtcha does not know about it, and there
is absolutely no way it could decode it."


  I've been saying from the start that I'm aware of the fact that there
are *some* programs that can defeat *some* captchas, just like this one.
Also, it doesn't offer what (2) did, probably because of the quote
above.
  Still, it's a page that is quite useful: it explains the weaknesses of
certain implementations.
  I guess we can all learn from all these, some examples:

1) destroy the session when not needed any more
2) change the picture on a wrong attempt
3) take measures against 'brute force'
4) don't use constant parts (font, background, colors)
5) use rotation, deformation, maybe letters in 3D (adding extra edges
;])
6) layer more words on each other
7) if you sense too much spam, change a few things
etc
etc
etc
  I probably left out a lot of things that should be considered, so
additional ideas are very welcome.

php0t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
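
Points 1 to 3 of the list in the message above (destroy the session, change the picture on a wrong attempt, limit brute force) as server-side logic. This is an added Python example, not part of the original post; the class name, the `client` key (for instance a session id) and all limits are assumptions.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # look-alike characters left out


class CaptchaStore:
    """In-memory challenge store. Names and limits are assumptions of this example."""

    def __init__(self, ttl=120, max_failures=5, lockout=900, clock=time.monotonic):
        self.ttl, self.max_failures, self.lockout = ttl, max_failures, lockout
        self.clock = clock
        self._challenges = {}  # challenge id -> (answer, client, expiry)
        self._failures = {}    # client -> (failure count, locked-until time)

    def issue(self, client):
        """Create a fresh challenge; the caller renders `answer` into an image."""
        cid = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._challenges[cid] = (answer, client, self.clock() + self.ttl)
        return cid, answer

    def verify(self, client, cid, guess):
        """Return (ok, next_cid). Every call consumes the challenge it names."""
        now = self.clock()
        count, locked_until = self._failures.get(client, (0, 0.0))
        # Point 1: pop, never peek, so a used id cannot be submitted again.
        entry = self._challenges.pop(cid, None)
        if now < locked_until:
            return False, None  # point 3: client is locked out
        if (entry and entry[1] == client and now <= entry[2]
                and hmac.compare_digest(entry[0].encode(), guess.upper().encode())):
            self._failures.pop(client, None)
            return True, None
        count += 1
        if count >= self.max_failures:
            self._failures[client] = (0, now + self.lockout)
            return False, None
        self._failures[client] = (count, 0.0)
        # Point 2: a wrong guess gets a different picture, not a second try.
        return False, self.issue(client)[0]
```

A deployment would keep this state in its session store and purge expired challenges, which the example leaves out.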

