WordPress.org

SI CAPTCHA Anti-Spam
SICAPTCHA has been cracked by cheap bot (5 posts)

  1. willjardain
    Member
    Posted 2 years ago

    Hey,

    You should be aware that your captcha has been cracked by a very cheap bot. The rest of your users are going to get spammed to death really soon...

    This is the link to that bot: http://captchasniper.com/

    http://wordpress.org/extend/plugins/si-captcha-for-wordpress/

  2. puffidredz
    Member
    Posted 2 years ago

    Yup. It has begun. My web site, as of February 25th 2012, has been mega spammed to the point where my hosting provider suspended my web site because the database got too large from all the spam in the course of one day. And even though I deleted them all and checked my SI CAPTCHA settings, when I woke up this morning I had 6 more spam comments in my spam inbox.

  3. Mike Challis
    Member
    Plugin Author

    Posted 2 years ago

    See this question in the FAQ:
    "Spammers have been able to bypass my CAPTCHA, what can I do?"
    http://wordpress.org/extend/plugins/si-captcha-for-wordpress/faq/

  4. andreas.tyrosvoutis
    Member
    Posted 1 year ago

    Same issue here. They have broken the image capture for this plugin on my site. Getting 40+ spams a day using this plugin. :(

  5. Mike Challis
    Member
    Plugin Author

    Posted 1 year ago

    I have done some research on this:

    There are a few types of spam you will receive:

    Human spammers - they actually visit your form and fill it out including the CAPTCHA.

    Spambot probes - sometimes contain content that does not make any sense (gibberish). Spam bots will try to target any forms that they discover. They first attempt an email header injection attack to use your web form to send spam emails. After failing that, they simply submit the form with a URL or embedded HTML, hoping someone will be phished or click the link.

    Blackhat SEO spammers - looking for blog comment forms, contact forms, Wikis, etc. By using randomly generated unique "words", they can then do a Google search to find websites where their content has been posted un-moderated. Then they can go back to these websites, identify if the links have been posted without the rel="nofollow" attribute (which would prevent them contributing to Google's algorithm), and if not they can post whatever spam links they like on those websites, in an effort to boost Google rankings for certain sites. Or worse, use it to post whatever content they want onto those websites, even embedded malware.

    Human CAPTCHA solvers - The thing is that it's easy and cheap for someone to hire a person to enter this spam. Usually it can be done for about $5 for 1,000 or so form submissions. The spammer gives their 'employee' a list of sites and what to paste in and they go at it. Not all of your spam (and other trash) will be computer generated - using a CAPTCHA proxy or farm, the bad guys can have real people spamming you. A CAPTCHA farm has many cheap laborers (India, Far East, etc.) solving them. A CAPTCHA proxy is when they use a bot to fetch and serve your image to users of other sites, e.g. porn, games, etc. After the CAPTCHA is solved, they use a bot to post your form.

    How to stop it?

    Change the URL of your form - This should immediately eliminate all spam sent directly to your form by spammers who have the URL of your webmail script in their databases. This could only be temporary if they come back to find it again, or maybe they won't. This is not possible on WP comments.

    Filter Spam With Akismet – The Akismet plugin comes pre-installed with WordPress now. First you will need to make sure that Akismet is activated using your WordPress.com API key. Once activated, Akismet helps to block spam comments.

    First check this: make sure the only other security plugins you have are Akismet or WP-spamFree. Akismet and WP-spamFree are the only other anti-spam plugins approved for use with SI CAPTCHA Anti-Spam; others can simply break the CAPTCHA validation so that the CAPTCHA is never checked. If another security plugin is combined (not Akismet or WP-spamFree), the CAPTCHA may not work. Be sure to always test the CAPTCHA after installing new plugins.

    Built-in form defenses - such as hidden honeypot fields. If the spam bot fills it in, it IS SPAM; let them through to the thanks page but do not send the email. There are some related options including session token fields, time delay, and randomization of methods. I might experiment with this in a future version, but nothing can stop human spammers.
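
The honeypot, session-token and time-delay checks described in the post above, as an added example that is not part of this thread or of the plugin's own code; it is a language-neutral sketch in Python, and the field names, the secret and the time limits are assumptions.

```python
import hmac
import hashlib

SECRET = b"constructed-demo-secret"  # assumption: a per-site secret kept server-side
MIN_FILL_SECONDS = 3       # assumption: faster than this is not a human
MAX_TOKEN_AGE = 3600       # assumption: tokens older than an hour are stale

def make_token(issued_at: int) -> str:
    """Token embedded in the rendered form: the issue time plus an HMAC over it,
    so a bot cannot forge an older timestamp to defeat the time-delay check."""
    mac = hmac.new(SECRET, str(issued_at).encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"

def classify_submission(fields: dict, now: int) -> str:
    """Return 'spam' or 'ok' for one posted form. Order: honeypot, token, timing."""
    # Honeypot: a CSS-hidden field a human never sees; any content means a bot.
    if fields.get("website_url", "") != "":
        return "spam"
    # Session token: must be present, well-formed and carry a valid MAC.
    token = fields.get("form_token", "")
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return "spam"
    expected = hmac.new(SECRET, issued_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "spam"
    # Time delay: the form was submitted too quickly, or the token is stale.
    age = now - issued_at
    if age < MIN_FILL_SECONDS or age > MAX_TOKEN_AGE:
        return "spam"
    return "ok"

def respond(fields: dict, now: int) -> tuple:
    """Everyone gets the thanks page, so a bot learns nothing from the response;
    only an 'ok' submission actually triggers the email (or stores the comment)."""
    verdict = classify_submission(fields, now)
    return ("thanks.html", verdict == "ok")
```

The caller embeds `make_token(int(time.time()))` in the form as a hidden field and passes the posted fields plus the current time to `respond()`.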

Topic Closed

This topic has been closed to new replies.