Dave Burke : Freelance .NET Web Developer specializing in Online Communities

My CAPTCHA has been infiltrated

Some asshole with the handle "Easy Forex" has broken through my CAPTCHA perimeter and posted "nice :-)" spam comments linking back to some site in Germany generating some nasty javascript errors when I checked it.  I would take more extensive action if I weren't leaving today for Mexico, but for now I used CS's new Limit Comment Time feature and reduced the comment period on posts to 14 days.  I also increased the number of captcha characters required to 6 (the default) from its current 3, and threw in some non-numeric values.  My sincere apologies to all great commenters to this blog who must now enter the additional 3 characters.

Funny, I've been using the same CAPTCHA approach for 8 months on dotText and now in CS and this is the first time I've had a problem.  And of course this crap always happens the day you need to leave town.

Posted on 4/14/2005 7:55:00 AM by Dave Burke
Categories: Community Server

Comments (12)

4/14/2005 10:29:16 AM

I thought I better try my captcha changes...

daveburke

4/14/2005 10:29:54 AM

First one seemed to work okay, now the second...

daveburke

4/14/2005 11:28:48 AM

Dave, I don't think it's the problem of your CAPTCHA, but maybe the asshole has posted via RSS reader (and the metablog API). This way bypasses the captcha.

Stefano Demiliani

4/14/2005 11:30:45 AM

Funny hearing from you on this, Stefano, since we've been talking about it.  So you can bypass the captcha if using the metablog API, eh?  Man, I didn't know that!  Thanks!

daveburke

4/14/2005 11:55:01 AM

Is there a chance that the spam was entered by hand? It's pretty unusual for even simple CAPTCHA stuff to be bypassed.

Jaxon Rice

4/14/2005 12:00:13 PM

Jaxon, thanks for your input.  I sure would like to revert my captcha back to its more simple format and remove the 14-day restriction on comments!  What I'll do on my return is open things back up and perform some analysis, like capture host addresses, browsers, and that sort of thing.  Will definitely be following up on this.  Thanks!

daveburke

4/14/2005 2:16:48 PM

It's not the Metablog API, but the Comment API. All someone needs for this is to be able to POST to where your element points in your rss feed.

FWIW, I wasn't able to post a reply from RssBandit, so maybe you have already disabled this feature?

Chris Frazier

4/15/2005 5:02:21 PM

Have you looked into the various trigger based solutions that are out there?  Nips it at the source w/o the need to annoy your readers w/ CAPTCHA :)

@Chris
CS doesn't support CommentAPI correctly out of the box (unfortunately), so that's not it.  The community is working on a fix (well, I am at least).

jayson knight

4/19/2005 5:32:23 AM

Hey Dave, I know you hate registering on remote sites, but this might be a great way to not encumber your common posters with the captcha gymnastics...

Dan

Dan Bartels

4/23/2005 12:09:53 PM

Dave - How was Mexico - I am hanging out on a rainy day in Philly at the local code camp. Scott is doing a talk on CS - should I ask him about adding captcha? :)

Jim Bonnie

4/23/2005 3:05:36 PM

Jim, great hearing from you.  I'm still trying to find my nerd bearings after Puerto Vallarta, but hope to be back in the blog groove soon.  You're a lucky guy listening to Scott doing a talk on CS!

Dan, registration just doesn't work, my friend, unless it's an automated registration like I implemented in dotText (on my CS todo list).

Jayson, thanks for the info on the CommentAPI not being the culprit.  That was very helpful.  I think you're right, though, a more trigger-based approach is the way to go.

daveburke

4/23/2005 6:52:43 PM

I've gone back to the 3-digit CAPTCHA number and will re-evaluate on next spam incident, probably going with a trigger-based approach.  I'm thinking storing the url, username and email and using any of the 3 to determine validity.  Anyway, good to be rid of the more complicated required code string.

daveburke
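Dave's trigger-based idea above (store the url, username and email of caught spam and reject a new comment if any of the three matches), combined with the 14-day comment window from the post, as an added Python example that is not part of this blog, Community Server or BlogEngine.NET; the spam entry is constructed sample data. Because the check runs on the submitted comment itself rather than on the web form, it applies equally to comments arriving through an API endpoint, which a form-only CAPTCHA does not cover.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse


@dataclass
class Comment:
    author: str
    email: str
    url: str
    post_published: datetime   # when the blog post went up
    submitted: datetime        # when the comment arrived


def normalize_host(url: str) -> str:
    """Reduce a commenter URL to its lowercase host, so that
    'http://WWW.Foo.example/x' and 'www.foo.example/y' compare equal."""
    if "://" not in url:
        url = "http://" + url          # urlparse needs a scheme to find the host
    return urlparse(url).hostname or ""  # .hostname is already lowercased


def build_blocklist(spam_entries: list) -> dict:
    """Index previously caught spam by each of the three fields."""
    bl = {"author": set(), "email": set(), "host": set()}
    for e in spam_entries:
        bl["author"].add(e["author"].strip().lower())
        bl["email"].add(e["email"].strip().lower())
        bl["host"].add(normalize_host(e["url"]))
    for s in bl.values():
        s.discard("")                  # never let an empty field match an empty field
    return bl


def reject_reasons(c: Comment, blocklist: dict,
                   comment_window: timedelta = timedelta(days=14)) -> list:
    """Return every rule the comment trips; an empty list means accept."""
    reasons = []
    if c.submitted - c.post_published > comment_window:
        reasons.append("comment window closed")
    if c.author.strip().lower() in blocklist["author"]:
        reasons.append("author on blocklist")
    if c.email.strip().lower() in blocklist["email"]:
        reasons.append("email on blocklist")
    if normalize_host(c.url) in blocklist["host"]:
        reasons.append("url host on blocklist")
    return reasons


# Constructed sample of earlier spam (hypothetical values, not real data).
KNOWN_SPAM = [
    {"author": "Easy Forex", "email": "promo@spam.example", "url": "http://www.spam.example/forex"},
]
BLOCKLIST = build_blocklist(KNOWN_SPAM)
```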


Powered by BlogEngine.NET 2.0.0.36
Theme by Dave Burke