Page 1 of 2 (results 1 to 10 of 16)

Thread: Spammers bypassing CAPTCHA and/or attack prevention

  1. #1
    Join Date
    Mar 2007
    Posts
    3

    Default Spammers bypassing CAPTCHA and/or attack prevention

    This is my second attempted post regarding this subject. Spammers/bots are apparently bypassing the captcha scheme. Received this e-mail today from a form on our website. *No* turing entry at all, but the e-mail was sent on. Fortunately, this e-mail was directed to me, but my earlier post detailed that other users are getting this type of spam, too. This was *not* sent as an attack detection (I have that turned off due to the high volume of attacks). I will happily provide more info if you tell me what you need.

    email:
    realname:
    subemail: eozalv@mghomt.com
    subrealname: tlqluv
    Turing:
    comments: oszlgzquxfbjbpvdenvjwddjmvqslb
    goodurl: http://www.acousticbrew.org/brewlistty.htm
    compare: 1

  2. #2
    Join Date
    Dec 2003
    Posts
    3,901

    Default Re: Spammers bypassing CAPTCHA and/or attack prevention

    Hi,

    I don't know why you would switch *off* attack detection if you have a high volume of attacks.

    That's the opposite of what you would want to do.

    Have you followed the HOW TO guide for implementing Captcha?

    In particular, have you made the "imgverify" field required? Have you moved the "required" field into an INI file?

    Alternatively, the easier way is just to use the new REQUIRE_CAPTCHA feature in FormMail (available in version 8.11).

    It's extremely unlikely your Captcha is being bypassed - it's more likely you have set it up incorrectly.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  3. #3
    Join Date
    Mar 2007
    Posts
    3

    Default Re: Spammers bypassing CAPTCHA and/or attack prevention

    I have attack detection on. I've only disabled ALERT ON ATTACK DETECTION. I followed the "How-to" guides when I set it up (pre 8.10). I use an ini file for e-mail addresses, and Captcha Creator.

    The REQUIRE_CAPTCHA doc does not specifically state that it works with both the integrated captcha and Captcha Creator. It does, though, except when using REQUIRE_CAPTCHA, I did notice that the message strings in my form for the other required fields are *not* displayed when those fields are not provided.

    The "turing" (imgverify) field *was* required in my form. I did not, however, have a special_fields setting in the ini file for the required captcha string.

    I've renamed my captcha field to imgverify from turing, added a special_fields required INI entry *and* set REQUIRE_CAPTCHA, and hopefully that will stop the attacks. It's all working now except for the other required fields' messages as noted above, but that's minor compared to stopping the bots.

    My bad, thanks for the help,
    vz

  4. #4
    Join Date
    Dec 2003
    Posts
    3,901

    Default Re: Spammers bypassing CAPTCHA and/or attack prevention

    Hi,

    Quote Originally Posted by verzogert:
    > I have attack detection on. I've only disabled ALERT ON ATTACK DETECTION.
    OK, that's good.

    > The REQUIRE_CAPTCHA doc does not specifically state that it works with both the integrated captcha and Captcha Creator. It does, though, except when using REQUIRE_CAPTCHA, I did notice that the message strings in my form for the other required fields are *not* displayed when those fields are not provided.
    REQUIRE_CAPTCHA works well with "required" fields, but precedes conditions tests.

    Your other missing required fields should be displayed along with the REQUIRE_CAPTCHA message.

    > The "turing" (imgverify) field *was* required in my form. I did not, however, have a special_fields setting in the ini file for the required captcha string.
    OK, that's what I suspected. If you move it to the INI file it will stop the spam.

    > I've renamed my captcha field to imgverify from turing and added an special_fields-required ini entry *and* set REQUIRE_CAPTCHA and hopefully that will stop the attacks.
    You don't need both. Either INI file entry or REQUIRE_CAPTCHA. Your choice. Having both is harmless, though.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/
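The exchange above turns on where the list of required fields lives. If the form itself carries a "required" field, the sender controls it and a bot can simply leave it (and the CAPTCHA answer) out; a list fixed on the server cannot be dropped that way. The following is an added example written for this page, not Tectite FormMail's code: the field names `required`, `email`, `comments` and `imgverify`, and the idea of a server-side list standing in for an INI setting, are assumptions modelled on the thread.

```php
<?php
// Added example, not Tectite FormMail's code. It models the point made in the thread:
// a "required" list that travels with the form is under the sender's control, so a bot
// can drop both the list and the CAPTCHA answer and still be accepted.

// Variant 1: the requirement list comes from the form (hidden field "required=a,b,c").
// Returns the names of the required fields that are missing or empty.
function missingFieldsFormControlled(array $post): array
{
    $required = isset($post['required']) && $post['required'] !== ''
        ? array_map('trim', explode(',', $post['required']))
        : [];
    return collectMissing($post, $required);
}

// Variant 2: the requirement list is fixed on the server (the role an INI setting plays
// in FormMail). The CAPTCHA answer field is always part of it. Names are assumptions.
const SERVER_REQUIRED = ['email', 'comments', 'imgverify'];

function missingFieldsServerControlled(array $post): array
{
    return collectMissing($post, SERVER_REQUIRED);
}

function collectMissing(array $post, array $required): array
{
    $missing = [];
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $missing[] = $field;
        }
    }
    return $missing;
}

// Constructed sample submissions, not captured traffic.
$humanPost = [
    'required'  => 'email,comments,imgverify',
    'email'     => 'someone@example.com',
    'comments'  => 'Hello, I have a question about your brew list.',
    'imgverify' => 'k7p2q',
];
// A bot that never sends the "required" list and leaves the CAPTCHA field empty,
// the shape of the submission quoted at the top of the thread.
$botPost = [
    'email'       => '',
    'subemail'    => 'eozalv@mghomt.com',
    'subrealname' => 'tlqluv',
    'imgverify'   => '',
    'comments'    => 'oszlgzquxfbjbpvdenvjwddjmvqslb',
    'compare'     => '1',
];

printf("form-controlled,   human: missing %s\n", json_encode(missingFieldsFormControlled($humanPost)));
printf("form-controlled,   bot:   missing %s\n", json_encode(missingFieldsFormControlled($botPost)));
printf("server-controlled, bot:   missing %s\n", json_encode(missingFieldsServerControlled($botPost)));
```

With the form-controlled list the bot submission reports nothing missing and would be mailed on; with the server-controlled list the same submission is rejected for the empty `email` and `imgverify` fields. That is the difference between a "required" field in the form and one in the INI file.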

  5. #5
    Join Date
    Feb 2007
    Posts
    162

    Default Re: Spammers bypassing CAPTCHA and/or attack prevention

    If CAPTCHA won't stop them, you might try what I did. I use a script that checks that the domain name the person's email address has in it actually has an associated mail server.

    This is that script (domainMXval.php):

    Code:
    <?php
    /* 
       $Id: VerifyEmailAddress.php 8 2008-01-13 22:51:10Z visser $
     
       Email address verification with SMTP probes
       Dick Visser <dick@tienhuis.nl>
     
       INTRODUCTION
     
       This function tries to verify an email address using several techniques,
       depending on the configuration. 
     
       Arguments that are needed:
     
       $email (string)
       The address you are trying to verify
     
       $domainCheck (boolean)
       Check if any DNS MX records exist for domain part
     
       $verify (boolean)
       Use SMTP verify probes to see if the address is deliverable.
     
       $probe_address (string)
       This is the email address that is used as FROM address in outgoing
       probes. Make sure this address exists so that in the event that the
       other side does probing too this will work.
     
       $helo_address (string)
       This should be the hostname of the machine that runs this site.
     
       $return_errors (boolean)
       By default, no errors are returned. This means that the function will evaluate
       to TRUE if no errors are found, and false in case of errors. It is not possible
       to return those errors, because returning something would be a TRUE.
       When $return_errors is set, the function will return FALSE if the address
       passes the tests. If it does not validate, an array with errors is returned.
     
     
       A global variable $debug can be set to display all the steps.
     
     
       EXAMPLES
     
       Use more options to get better checking.
       Check only by syntax:  validateEmail('dick@tienhuis.nl')
       Check syntax + DNS MX records: validateEmail('dick@tienhuis.nl', true);   
       Check syntax + DNS records + SMTP probe:
       validateEmail('dick@tienhuis.nl', true, true, 'postmaster@tienhuis.nl', 'outkast.tienhuis.nl');
     
     
       WARNING
     
       This function works for now, but it may well break in the future.
     
    */
    function validateEmail($email, $domainCheck = false, $verify = false, $probe_address='', $helo_address='', $return_errors=false) {
        global $debug;
        $server_timeout = 180; # timeout in seconds. Some servers deliberately wait a while (tarpitting)
        if($debug) {echo "<pre>";}
        # Check email syntax with regex
        if (preg_match('/^([a-zA-Z0-9\._\+-]+)\@((\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,7}|[0-9]{1,3})(\]?))$/', $email, $matches)) {
            $user = $matches[1];
            $domain = $matches[2];
            # Check availability of DNS MX records
            if ($domainCheck && function_exists('checkdnsrr')) {
                # Construct array of available mailservers
                if(getmxrr($domain, $mxhosts, $mxweight)) {
                    for($i=0;$i<count($mxhosts);$i++){
                        $mxs[$mxhosts[$i]] = $mxweight[$i];
                    }
                    asort($mxs);
                    $mailers = array_keys($mxs);
                } elseif(checkdnsrr($domain, 'A')) {
                    $mailers[0] = gethostbyname($domain);
                } else {
                    $mailers=array();
                }
                $total = count($mailers);
                # Query each mailserver
                if($total > 0 && $verify) {
                    # Check if mailers accept mail
                    for($n=0; $n < $total; $n++) {
                        # Check if socket can be opened
                        if($debug) { echo "Checking server $mailers[$n]...\n";}
                        $connect_timeout = $server_timeout;
                        $errno = 0;
                        $errstr = '';
                        # Try to open up socket
                        if($sock = @fsockopen($mailers[$n], 25, $errno , $errstr, $connect_timeout)) {
                            $response = fgets($sock);
                            if($debug) {echo "Opening up socket to $mailers[$n]... Success!\n";}
                            stream_set_timeout($sock, 30);
                            $meta = stream_get_meta_data($sock);
                            if($debug) { echo "$mailers[$n] replied: $response\n";}
                            $cmds = array(
                                "HELO $helo_address",
                                "MAIL FROM: <$probe_address>",
                                "RCPT TO: <$email>",
                                "QUIT",
                            );
                            # Hard error on connect -> close the socket and break out
                            # Error means 'any reply that does not start with 2xx '
                            if(!$meta['timed_out'] && !preg_match('/^2\d\d[ -]/', $response)) {
                                $error = "Error: $mailers[$n] said: $response\n";
                                fclose($sock);
                                break;
                            }
                            foreach($cmds as $cmd) {
                                $before = microtime(true);
                                fputs($sock, "$cmd\r\n");
                                $response = fgets($sock, 4096);
                                # Re-read the metadata after each reply; timed_out only describes the last read
                                $meta = stream_get_meta_data($sock);
                                $t = 1000*(microtime(true)-$before);
                                if($debug) {echo htmlentities("$cmd\n$response") . "(" . sprintf('%.2f', $t) . " ms)\n";}
                                if(!$meta['timed_out'] && preg_match('/^5\d\d[ -]/', $response)) {
                                    $error = "Unverified address: $mailers[$n] said: $response";
                                    break;
                                }
                            }
                            fclose($sock);
                            # A 5xx reply is a definite answer: do not try the remaining mailservers
                            if(isset($error)) { break; }
                            if($debug) { echo "Successful communication with $mailers[$n], no hard errors, assuming OK";}
                            break;
                        } elseif($n == $total-1) {
                            $error = "None of the mailservers listed for $domain could be contacted";
                        }
                    }
                } elseif($total <= 0) {
                    $error = "No usable DNS records found for domain '$domain'";
                }
            }
        } else {
            $error = 'Address syntax not correct';
        }
        if($debug) { echo "</pre>";}
     
        if($return_errors) {
            # Give back details about the error(s).
            # Return FALSE if there are no errors.
            if(isset($error)) return htmlentities($error); else return false;
        } else {
            # 'Old' behaviour, simple to understand
            if(isset($error)) return false; else return true;
        }
    }
     
    ?>
    and the usage:

    Code:
    include("includes/domainMXval.php");
    if (!validateEmail($email, true)){
        $fail = 1;
        $errorMessageStack[] = '<li>Your email address</li>';
    }
    If the POSTed email address is good, I use cURL to POST the POSTed values to formmail.

    I also have a hook that checks all POST values for "bad words". The bad words can include anything I specify. Since the IP address is passed through with the POST values, this is also something that could be considered a "bad word". I think I've posted this script here before. Look through my previous posts.

    I only have manual spammers now, and they are few and far between. No bots at all, and I don't even use CAPTCHA.

    I think you have to get creative. Bots are not human, and do not have the human intelligence that we have. We can challenge them and win easily, because they are simply programmed to do the same thing, over and over.

  6. #6
    illibraliof Guest

    Default Spammers bypassing CAPTCHA and/or attack prevention

    I got that message too when I tried to make a character named Wix. Is it now an illegal character? Because I have used it before without a problem. Is there a thread anywhere that lists usable/unusable characters?

  7. #7
    Join Date
    Dec 2003
    Posts
    3,901

    Default Re: Spammers bypassing CAPTCHA and/or attack prevention

    Hi,

    Stick to English alphabetics and numeric digits.

    International characters can cause problems in CAPTCHA due to technical details related to the history of computing.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  8. #8
    Join Date
    Jul 2009
    Posts
    5

    Default Re: Spammers bypassing CAPTCHA and/or attack prevention

    I was getting hammered with spam forever and no matter what I did, I could not get it to go away.

    Here's my trick to making it stop. I've yet to get a single one of these people to put junk in my formmail since implementing this code.

    Every time I update my formmail with a new version, I have to edit the very top portion and I add this piece of code right below the "$FM_VERS = "8.15"; // script version of the code" and make it look just like this:

    Code:
    $FM_VERS = "8.15";      // script version
    // Decoy ("honeypot") fields: they are hidden by CSS in the form, so a real visitor
    // leaves them empty. The keys here must match the name="" attributes of the decoy inputs.
    $spamn = isset($_POST['name']) ? $_POST['name'] : '';
    if ($spamn != "") { echo "Thank You!"; die; }
    $spame = isset($_POST['emailaddress']) ? $_POST['emailaddress'] : '';
    if ($spame != "") { echo "Thank You!"; die; }
    $no_html_msg = 'Sorry No HTML Tags Allowed';

    // Reject any POST value matching one of these tag patterns.
    // eregi() was removed in PHP 7; preg_match() with the /i modifier is the equivalent.
    $html_patterns = array(
        '~<[^>]*script*"?[^>]*>~i', '~<[^>]*object*"?[^>]*>~i',
        '~<[^>]*iframe*"?[^>]*>~i', '~<[^>]*applet*"?[^>]*>~i',
        '~<[^>]*meta*"?[^>]*>~i',   '~<[^>]*style*"?[^>]*>~i',
        '~<[^>]*form*"?[^>]*>~i',   '~<[^>]*href*"?[^>]*>~i',
        '~<[^>]*//*"?[^>]*>~i',     '~<[^>]*==*"?[^>]*>~i',   // added to check </ or = >
    );
    foreach ($_POST as $chk_html) {
        foreach ($html_patterns as $pattern) {
            if (is_string($chk_html) && preg_match($pattern, $chk_html)) {
                die($no_html_msg);
            }
        }
    }
    unset($chk_html, $pattern);
    That's what the top of my formmail.php looks like.

    In every one of my forms, I put two traps to capture spambots. They always fill in one or both of the fields, which cannot be seen by human visitors because of the CSS.

    I have this CSS style put on the same page that I have the form:

    Code:
    <style>
    .special { display:none; }
    .style1 {color: #FF0000}
    .style3 {color: #FF0000; font-weight: bold; }
    </style>
    Within the form itself I have these dummy fields that wait for the spambots to fill in. The human web visitor never sees these fields with the browser and cannot fill them in.

    Code:
    <!-- the name="" attributes must match the $_POST keys checked at the top of formmail.php -->
    <input name="name" type="text" id="name" class="special" size="30" maxlength="30" />
    <input name="emailaddress" type="text" id="emailaddress" class="special" size="30" maxlength="30" />
    "name" and "emailaddress" are common names for forms, so the bots look for them. I rename the fields where I capture the person's name and email to something different and leave these as decoys.

    Notice how I have the class="special". That makes it so the human visitor can't see it, but the bot does and the bot will fill it out.

    Try this out with your formmail and 99.9% of your spam problems should go away.

  9. #9
    Join Date
    Feb 2007
    Posts
    162

    Default Re: Spammers bypassing CAPTCHA and/or attack prevention

    programmer, your method seems like it would defeat many bots, but it presents a usability/accessibility problem. A screen reader for instance would see the "special" form fields.

  10. #10
    Join Date
    Jul 2009
    Posts
    5

    Default Re: Spammers bypassing CAPTCHA and/or attack prevention

    I used to get 1 to 5 of those spams per day where they would put in URL's to web sites and bogus stuff. In 8-10 months, not a single one of them has gone through.
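Posts #8 and #9 between them describe the trade-off: decoy fields catch bots that fill every input, but a field hidden only by CSS can still be reached by assistive technology, and a tag-name blacklist only catches the tags someone thought to list. The following is an added example written for this page, not code from either poster or from Tectite FormMail. It keeps the decoy-field idea, labels the decoys for screen-reader users and keeps them out of the accessibility tree, adds a signed render-time check, and tests for markup by comparing each value with its `strip_tags()` result. The field names, the secret and the three-second limit are assumptions chosen for the example.

```php
<?php
// Added example, not code from the thread or from Tectite FormMail. Combines the decoy
// ("honeypot") fields from post #8 with the screen-reader concern from post #9, adds a
// signed render-time check, and replaces the tag-name blacklist with a whole-value test.
// Field names, secret and time limit are assumptions made for the example.

const HONEYPOT_FIELDS  = ['name', 'emailaddress'];   // decoys; real fields must use other names
const MIN_FILL_SECONDS = 3;                           // a person needs longer than this
const FORM_SECRET      = 'replace-with-a-random-secret-kept-outside-the-web-root';

// Decoy markup. CSS (.special { display:none; }) hides it from sighted users; aria-hidden
// keeps it out of the accessibility tree, and the label tells any assistive tech that still
// reaches it what to do, rather than presenting a misleading "name" field.
function honeypotMarkup(int $renderedAt): string
{
    $html = '';
    foreach (HONEYPOT_FIELDS as $f) {
        $safe = htmlspecialchars($f, ENT_QUOTES, 'UTF-8');
        $html .= '<div class="special" aria-hidden="true">'
               . '<label for="hp_' . $safe . '">Leave this field empty</label>'
               . '<input type="text" name="' . $safe . '" id="hp_' . $safe . '" tabindex="-1" autocomplete="off" />'
               . "</div>\n";
    }
    // The render time travels with the form, signed so the client cannot backdate it.
    return $html . '<input type="hidden" name="ts" value="' . signTimestamp($renderedAt) . "\" />\n";
}

function signTimestamp(int $ts): string
{
    return $ts . ':' . hash_hmac('sha256', (string) $ts, FORM_SECRET);
}

// Returns the render time when the signature verifies, null otherwise.
function verifiedTimestamp(string $field): ?int
{
    $parts = explode(':', $field, 2);
    if (count($parts) !== 2 || $parts[0] === '' || !ctype_digit($parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], FORM_SECRET);
    return hash_equals($expected, $parts[1]) ? (int) $parts[0] : null;
}

// Returns a reason string when the submission looks automated, null when it should be accepted.
function rejectReason(array $post, int $now): ?string
{
    foreach (HONEYPOT_FIELDS as $f) {
        if (!array_key_exists($f, $post)) {
            return "decoy field '$f' absent (POST not produced by our form)";
        }
        if (trim((string) $post[$f]) !== '') {
            return "decoy field '$f' filled in";
        }
    }
    $rendered = isset($post['ts']) ? verifiedTimestamp((string) $post['ts']) : null;
    if ($rendered === null) {
        return 'render timestamp missing or signature invalid';
    }
    if ($now - $rendered < MIN_FILL_SECONDS) {
        return 'submitted too soon after the form was rendered';
    }
    // strip_tags() changes the string whenever it meets anything tag-like, so every tag is
    // caught without listing tag names. A bare "<" in prose can also trip it; acceptable here.
    foreach ($post as $k => $v) {
        if (is_string($v) && strip_tags($v) !== $v) {
            return "HTML in field '$k'";
        }
    }
    return null;
}

// Constructed sample submissions (not captured traffic); the form was rendered at $renderedAt.
$renderedAt = 1700000000;
$ts = signTimestamp($renderedAt);
$samples = [
    'human'    => ['name' => '', 'emailaddress' => '', 'ts' => $ts,
                   'visitor_name' => 'A. Reader', 'visitor_email' => 'reader@example.com',
                   'comments' => 'Is the brew list still current?'],
    'bot'      => ['name' => 'tlqluv', 'emailaddress' => 'eozalv@mghomt.com', 'ts' => $ts,
                   'comments' => 'oszlgzquxfbjbpvdenvjwddjmvqslb'],
    'markup'   => ['name' => '', 'emailaddress' => '', 'ts' => $ts,
                   'comments' => '<a href="http://example.invalid/">visit</a>'],
    'tampered' => ['name' => '', 'emailaddress' => '', 'ts' => '1700000000:0000',
                   'comments' => 'hello'],
];
foreach ($samples as $label => $post) {
    printf("%-8s -> %s\n", $label, rejectReason($post, $renderedAt + 20) ?? 'accept');
}
```

Checking that the decoy is present but empty (rather than only that it is empty) also rejects submissions that were never built from the real form. The render-time check on its own catches most scripted posts, since a bot fetches and submits within the same second; a signed value is used because a plain hidden timestamp is as forgeable as any other field.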
