Spam Intrusion

Are there any known flaws in ZenPhoto's captcha system? My website is under continuous attack by spam bots, and it appears one of them found a way to defeat the captcha this morning. If there are no known fixes please tell me and I will find a way to patch it.

Comments

  • Captcha uses a key for encrypting/decrypting the captcha code. This key is based on your Admin login, so change your password frequently and it will be hard for the bots to stay current.
  • I just reviewed the captcha script and there are actually no keys involved. Zenphoto transmits and consumes the wrong hash value, making the captcha a trivial bypass. A spammer would never have to know what is in the image to post a comment.
  • You are correct. The encryption is missing. It will be added back in tonight's build.
  • There is a confirmed patch now at http://www.zenphoto.org/trac/ticket/673 in case anyone is reading ;)

    Thanks for the quick work sbillard.
  • My website appears to be compromised again this morning. D: I'll let you know what I find out.
  • sbillard, I've written a patch for your patch. I don't know if it will be a permanent solution, but it seems to solve my immediate problems with spam bots. The next logical step would be for me to add an invisible spam bot test, and ultimately to remove the Site field from the comment form to aid in heuristic analysis. One way or another I will force these spammers to meet me at my level.
  • What does your patch do? You can submit it on a ticket if you think it is of general use.
  • FYI, I did write an invisible spam bot test just to give the finger to these script kiddies. Without fail, one of them showed up again today and scored 0/21 on the bot test. He never even made it to the cypher function.

    And in case he's bothering anyone else out there, now you know how to ID him ;)
  • Hi,

    Can anyone tell me exactly which changes I have to make?

    I've tried applying changes 2131 and 1996 as described here:

    http://www.zenphoto.org/trac/ticket/673

    But it seems spammers are still able to pass the captcha, and from time to time I am getting spam in comments. I think it's very unlikely that someone would come and type captcha codes manually, as my site is very small and it almost wouldn't make sense to waste time doing anything manually, so it has to be a bot ;)

    Thanks for any help!
  • Your best strategy is to install the nightly build. Maybe you can figure out which changes you need and pick them from the files, but be aware that software changes build on themselves, so taking code out of context is a recipe for difficulties, especially if you are not well versed in both the programming language and the software itself.
  • Thanks sbillard for your reply.

    Actually I've managed to apply captcha#2.patch to zenphoto 1.1.7 and it seems to work (no spam for a while; I really, really hope it stays that way...).

    And regarding the nightly builds - how stable are they? To be honest I was a bit skeptical about trying to put a nightly build online and see what happens, as from my personal experience nightly builds aren't usually meant for production systems :)
  • The nightly builds have traditionally been quite stable. Of course, on occasion there will be problems. Right now they are especially stable since we are in the count-down for the 1.2 release and have not put new implementation in since August 7.
  • I'm running version 1.2 [2213] and somehow a bot has gotten through and I'm getting dozens of spam comments a week. Is there any new tweak that updates the captcha or a new implementation that will help stem this?

    Thanks
  • 1.2 is a quite old version. You can view the changes via the change log http://www.zenphoto.org/trac/log/trunk. But of course, there are some 2034 changes between your version and the current nightly build (soon to be version 1.2.6).