Full Disclosure mailing list archives
RE: Comment Spam: new trends, failing counter-measures and why it's a big deal
From: "php0t" <very () unprivate com>
Date: Mon, 13 Feb 2006 19:46:56 +0100
> http://en.wikipedia.org/wiki/Captcha#Defeating_Captchas might be a good place to start. pwntcha is supposedly quite successful.

Thanks for the tip. Shame on me for not clicking the Wikipedia link last time. I will comment on the links I found worthwhile.

1) http://www.puremango.co.uk/cm_breaking_captcha_115.php
Different subject: it explains how to defeat poor implementations of it that don't get rid of the session.

2) http://www.puremango.co.uk/acdc_breakcaptcha.php
Gonna look into it, seems promising in the aspect of letting me supply an image of my choice.

3) http://web.archive.org/web/20050329185234/http://sam.zoy.org/pwntcha/
(quote)
"Q. Please give me a copy of PWNtcha so that I can test it on my own CAPTCHA and see how efficient it is!
A. PWNtcha does not work that way. It is not an intelligent program that tries to decode a random CAPTCHA. Such a program would be nearly impossible to do. PWNtcha is simply a toolkit of image manipulation functions, and a list of known CAPTCHAs with the associated list of image operations to apply in order to decode each of them. If I have never seen your CAPTCHA, then PWNtcha does not know about it, and there is absolutely no way it could decode it."

I've been saying from the start that I'm aware of the fact that there are *some* programs that can defeat *some* captchas, just like this one. Also, it doesn't offer what (2) did, probably because of the quote above. Still, it's a page that is quite useful: it explains the weaknesses of certain implementations.

I guess we can all learn from all these, some examples:

1) destroy the session when not needed any more
2) change the picture on a wrong attempt
3) take measures against 'brute force'
4) don't use constant parts (font, background, colors)
5) use rotation, deformation, maybe letters in 3D (adding extra edges ;])
6) layer more words on each other
7) if you sense too much spam, change a few things
etc etc etc

I probably left out a lot of things that should be considered, so additional ideas are very welcome.
php0t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
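Points 1 to 3 of the list in the post above (destroy the challenge once used, change the picture on a wrong attempt, resist brute force) as an added Python example; this is not code from the post or from any of the linked projects, and the `CaptchaVerifier` name, the in-memory dictionaries and the limits are assumptions standing in for a real session store.

```python
import secrets
import time

# Added example, not from the post or the linked projects: an in-memory
# stand-in for a session store. Limits below are assumed values.
CHALLENGE_TTL = 300        # seconds a challenge stays valid
MAX_FAILURES = 5           # failed checks per client before lockout
LOCKOUT_SECONDS = 600


class CaptchaVerifier:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.challenges = {}   # token -> (expected_answer, issued_at)
        self.failures = {}     # client_id -> (count, last_failure_at)

    def issue(self, expected_answer):
        """Create a fresh challenge; the caller renders expected_answer as the image."""
        token = secrets.token_urlsafe(16)
        self.challenges[token] = (expected_answer, self.clock())
        return token

    def is_locked_out(self, client_id):
        count, last = self.failures.get(client_id, (0, 0))
        if count < MAX_FAILURES:
            return False
        if self.clock() - last >= LOCKOUT_SECONDS:
            del self.failures[client_id]   # lockout window over, start fresh
            return False
        return True

    def verify(self, client_id, token, answer):
        """Check one answer; the challenge is consumed whether or not it matches."""
        if self.is_locked_out(client_id):
            return False
        # Points 1/2: pop on any attempt, so a solved or failed image can never
        # be reused and the next page load gets a fresh picture.
        entry = self.challenges.pop(token, None)
        if entry is None or self.clock() - entry[1] > CHALLENGE_TTL:
            self._record_failure(client_id)
            return False
        # Constant-time compare; case folded so the user need not match the font's case.
        if not secrets.compare_digest(entry[0].lower().encode(), answer.strip().lower().encode()):
            self._record_failure(client_id)
            return False
        self.failures.pop(client_id, None)
        return True

    def _record_failure(self, client_id):
        count, _ = self.failures.get(client_id, (0, 0))
        self.failures[client_id] = (count + 1, self.clock())
```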