Hi,
I found that spammers heavily used the "c.php" file to exploit the Zenphoto captcha before posting malicious comments. Are you aware of this? I can provide details if not. I have fixed it on my Zenphoto. Bad and quick, but it seems to be an efficient fix.
Let me know!
Comments
Was there more to this?
Your report may be unrelated, but it sounds as if it could have something in common with the issue as per my report today (see separate thread id=17564).
Thanks
```
$ grep '" 200 [0-9]' access.log | grep 195.190.13.102
195.190.13.102 - - [27/Nov/2012:10:15:33 -0500] "GET /news/asp-reorganiser-le-volet-de-developpement HTTP/1.0" 200 27718 "http://www.benoitvarret.fr/news/asp-reorganiser-le-volet-de-developpement" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
195.190.13.102 - - [27/Nov/2012:10:15:39 -0500] "GET /zp-core/c.php?i=e2b7467923 HTTP/1.0" 200 4265 "http://www.benoitvarret.fr/news/asp-reorganiser-le-volet-de-developpement" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
195.190.13.102 - - [27/Nov/2012:10:15:40 -0500] "POST /news/asp-reorganiser-le-volet-de-developpement HTTP/1.0" 200 32207 "http://www.benoitvarret.fr/news/asp-reorganiser-le-volet-de-developpement" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
```
Indeed, spammers access c.php. They probably have some kind of OCR software, and then they spam.
I hope it will help.
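As an added example (not from this thread and not Zenphoto's own code), a small Python script that parses Apache combined-format lines like the ones quoted above and flags an IP whose POST follows its own fetch of /zp-core/c.php within a few seconds. The IPs, hostnames and log lines in it are constructed, and the 30-second window is an assumed triage threshold: fetching c.php is how every visitor loads the captcha, so only the short interval is the signal.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_captcha_then_post(lines, window=timedelta(seconds=30)):
    """Return (ip, captcha_time, post_time, post_path) for each POST that comes
    from the same IP within `window` of that IP's latest GET of /zp-core/c.php."""
    last_captcha = {}   # ip -> time of its most recent c.php fetch
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["method"] == "GET" and rec["path"].startswith("/zp-core/c.php"):
            last_captcha[ip] = rec["ts"]
        elif rec["method"] == "POST" and ip in last_captcha:
            delta = rec["ts"] - last_captcha[ip]
            if timedelta(0) <= delta <= window:
                hits.append((ip, last_captcha[ip], rec["ts"], rec["path"]))
    return hits

# Constructed sample: one bot-like sequence (1 s between captcha and POST) and
# one human-like sequence (several minutes between them). Addresses are from the
# documentation ranges, hostnames are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Nov/2012:10:15:33 -0500] "GET /news/some-article HTTP/1.0" 200 27718 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [27/Nov/2012:10:15:39 -0500] "GET /zp-core/c.php?i=e2b7467923 HTTP/1.0" 200 4265 "http://example.com/news/some-article" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [27/Nov/2012:10:15:40 -0500] "POST /news/some-article HTTP/1.0" 200 32207 "http://example.com/news/some-article" "Mozilla/5.0 (constructed)"
203.0.113.9 - - [27/Nov/2012:10:20:01 -0500] "GET /news/some-article HTTP/1.1" 200 27718 "-" "Mozilla/5.0 (constructed)"
203.0.113.9 - - [27/Nov/2012:10:20:02 -0500] "GET /zp-core/c.php?i=0123456789 HTTP/1.1" 200 4265 "http://example.com/news/some-article" "Mozilla/5.0 (constructed)"
203.0.113.9 - - [27/Nov/2012:10:24:30 -0500] "POST /news/some-article HTTP/1.1" 200 32207 "http://example.com/news/some-article" "Mozilla/5.0 (constructed)"
"""

if __name__ == "__main__":
    for ip, t_captcha, t_post, path in find_captcha_then_post(SAMPLE_LOG.splitlines()):
        print(f"{ip}: c.php at {t_captcha:%H:%M:%S}, POST {path} at {t_post:%H:%M:%S}")
```

Running it on a real access.log (for example `find_captcha_then_post(open("access.log"))`) gives a candidate list to compare against the comment moderation queue, not a verdict on its own.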
But since it is NOT a gateway to anything, I do not see why you believe that it lets anyone spam. To post spam they will have to guess the characters presented by the references to c.php that YOUR scripts are making, not ones that they somehow decide to make.
Perhaps by brute force they can figure out the encoding. But I suspect that takes more sophisticated software than is really available. For instance, the software would have to OCR the text from the captcha image just to see what the result of the fetch was.
Of course if you are concerned with this, set your captcha font to random and you will make their life even more impossible.
But really now. We have said time and again that captcha does not prevent SPAM. All captcha can do is make it harder for bots to post to your site. Any human can easily get past a captcha barrier and SPAM your site to no end. If you want to protect against SPAM, use a SPAM filter.