A CAPTCHA is a challenge-response test most often placed within web forms to determine whether the user is human. The purpose of the CAPTCHA module is to block form submissions by spam-bots, which are automated scripts that post spam content everywhere they can. The CAPTCHA module includes several options which allow you to add a challenge to virtually every form on the website.

Installation

  1. Download the module from the project page and enable the module
  2. To enable CAPTCHA for various actions, go to:
    • D6: admin/user/captcha
    • D7: admin/config/people/captcha

Installation

The CAPTCHA module can be installed and enabled with the normal instructions in the Installation Guide.

Permissions

The CAPTCHA module adds two new permissions to the permissions page, which can be accessed by going to admin/user/permissions in Drupal 6 or admin/people/permissions in Drupal 7. The two new permissions are 'administer CAPTCHA settings' and 'skip CAPTCHA'. The 'administer CAPTCHA settings' permission gives the user access to the pages admin/user/captcha in Drupal 6 or admin/config/people/captcha in Drupal 7.The 'Skip CAPTCHA' permission tells Drupal not to show or require a CAPTCHA for the specified role.

Additional CAPTCHA Modules

Subpages

Comments

nicolaisen_nancy’s picture

I downloaded and installed CAPTCHA ( naively ) using the SEO Checklist Module recommendations. The first time I restarted my computer afterwards, the Internet Explorer default color schemes were blown away and the system font had been replaced with something pretty awful. A bit of research made it clear that this was because I'd set up image CAPTCHA without changing the font selection from it's bitmap font default. This all took me by surprise, because it appeared to work fine before the restart. Things are mostly fixed now. I use Vista, so here are a few tips if anyone has the same problem:

Fix colors using Control Panel: You need to use Appearance and Personalization tools to get your system colors back. ( You can't recover using the Tools tab of the IE browser toolbar )

Fix system fonts: Follow the CAPTHCA true type font install instructions--install the font you want to see as a system font.

Hiccups aside, I appreciate the donation of this sophisticated and powerful module. Ditto the excellent SEO checklist module. Thank you, developers and maintainers. You do great work.

soxofaan’s picture

It is almost impossible that the Image CAPTCHA module is the cause of the symptoms described here (unless you downloaded a hacked version of the CAPTCHA module from a not trustworthy website).
The Image CAPTCHA module is just a simple Drupal module that uses the standard Drupal and PHP API's and does not interact with your operating system in way that it could change your operating system settings as you described.
Further discussion at #263013: CAPTCHA Corrupted Font Defaults for IE.

iandickson’s picture

I personally hate image captchas and found that spam was getting past math captcha.

I was also getting registrations from people who seemed real, but I didn't trust - why would people in Russia and Far East be registering on a local English site with throwaway emails from spam associated freemail providers? These people had answered a simple text captcha.

So I changed things - I now ask a question that everyone who lives here knows the answer to, and if you don't, you'll need to invest a Google search in finding the answer.

So far no bots have got past it, and all the distant registrations have stopped as well. (I guess if they want be nefarious, they just want to sign up for loads of sites, and it's easier to move to the next one than try and find the answer to mine).

So, If you run a site and can think of a question that effectively filters PEOPLE, ask it with a text captcha. Try to keep the question open with as few clues as possible in the text. In the example below I'm assuming spammers might start trying "Linux" if they see "penguin".

Example - for an IT site - "What operating system has an antarctic bird logo?"

Ian Dickson

Likal.com

armanschwarz’s picture

I block about more than 99.9% of spam with a "enter "foo" here" textbox...

gpelletier’s picture

Hello,
I wonder if there is a restriction on IE6 that prevents images without extension to be displayed correctly.
Has anyone got this issue ?

captaingeek’s picture

what settings do people use to actually block spam attacks?

For me these settings still allow spammers to get by. Is someone paying real humans to read these in order to post ridiculous comments?

Additional variation of text color: very high
Distortion level: 10
Noise level: 1 (anything higher and its almost impossible to read)

alreaud’s picture

These are working pretty well for me. Higher settings caused real humans to complain via email.

Characters: >= 5
Fonts: Not the bold or the php one.
Additional variation of text color: high
Distortion Level: Medium (3)
Smooth distortion ENABLED
Add salt and pepper noise ENABLED
Add line noise ENABLED
Noise Level: Medium (3)

That has stopped, almost, false registrations in combination with the Honeypot module. BTW: From the logged responses, it's easy to see (when one has a thousand log entries from a botnet) that they are using automated methods to crack the Image CAPTCHA, and are getting very close, sometimes within one character.

alreaud’s picture

I have the "TooBad[nnn]" problem with botnets. A combination of Honeypot, CAPTCHA, and GoAway modules stops the majority of false registrations and spammers, but I have to sometimes wade through pages of logs of individuals responding to the CAPTCHA with "TooBad1" through "TooBad1000". Sometimes other activity, such as SQL based attacks, are embedded in it, sometimes not. It can span hours of attacks, usually from overseas, and if from the US, from a very small set of places.

What I need is a way to modify the CAPTCHA module to test the CAPTCHA response for known strings, and if a known string is received, to immediately call the User Management -> Access Rules -> Add Rule function. Any suggestions as to were and how that could be done?

I'm also curious what the name of this botnet is and what it's purpose is? To harass Drupal operators? That seems silly, but from my perspective it would be worth it to write the code rather than to continue to fight something I've been fighting for over a year manually...

AlexBorsody’s picture

I also have this problem http://screencast.com/t/vHlvKixB