Comments on: Londonvasion Part VII: phpBB Versus Spam Presentation

By: Dog Cow

Dog Cow — Wed, 30 Jul 2008 22:22:57 +0000

Hey Ganon_Master, I want to say BIG THANKS to you for giving me that link. Seriously. That was great. That guy not only showed the captchas in before/and after form, but he told how to break them. And he was totally right about how people make them who don’t know how to break them. I’m using the advanced vc mod and I tried his techniques, where you set the threshhold. …. My gosh, any OCR could have read it like a book.

So I spent some time tweaking the settings, so now each letter gets about 6 or so shadows behind it of different colors and rotational angles. Colors are all the same intensity so the result is that trying to threshhold it to remove all the bg colors and garbage makes the letters look awful. I don’t have it running live yet, but it makes me happy to know I increased the toughness of my captcha (and still make it solvable by humans) in an hour or two.

Still probably not unbreakable, but hopefully more difficult now.

I recommend others do the same, or at least open a paint program ( I used Photoshop 5) and try his methods on your own captcha, if you are using one.

By: Ganon_Master

Ganon_Master — Thu, 24 Jul 2008 23:39:53 +0000

I did some searching on the phpBB3 CAPTCHA being broken topic, and I found this website: http://www.apathysketchpad.com/blog/2007/06/05/how-to-crack-captchas/ I haven’t read the entire thing yet, but it seems that this guy found a possible way to break the phpBB3 CAPTCHA.

Some guys who also experiment with CAPTCHA’s are the guys at Rapidshare.com. Unregistered users have to complete a CAPTCHA every time before they can download. They did quite a lot of things, similar to the “marked checkbox” method here.

Sounds like it was a good presentation. I should’ve been there, but couldn’t make it.

By: Dave Rathbun

Dave Rathbun — Thu, 24 Jul 2008 04:02:56 +0000

From what I understand, the phpBB3 CAPTCHA has reportedly been broken. I don’t think it’s in widespread use yet, but it will be. We have seen spam on phpbb.com but so far most of it appears to be manual (human) stuff.

I mentioned in the presentation that it’s only a matter of time, in my opinion, before phpBB3 becomes a major target. At that point, we’ll need new defenses against reg-bots and post-bots and all the rest.

Logging posted data would be an interesting exercise, just make sure you sanitize the data before you log it.

By: Dog Cow

Dog Cow — Wed, 23 Jul 2008 23:45:30 +0000

One more comment. I just remembered that one of my projects for the next week is to start recording all $_POST data, as well as the $_SERVER data in order to take a look to see if any non-standard values or bizarre user-agents are involved. The contents of $_GET are easy to see since they are part of the URL and can be looked up in server logs but I have a feeling since POST data is often over-looked, there may be some interesting tidbits left behind.

By: Dog Cow

Dog Cow — Wed, 23 Jul 2008 23:39:32 +0000

I haven’t heard of any cases of phpBB 3 spam. Have there been any reported?