I've been recently getting SPAM registrations non-stop daily. Now, some are posting content on my site.

I have the Realname registration module installed, and you can see below that most of the spam accounts simply enter the username for both the First & Last name. However, the spam accounts that have been posting content have a real First & Last name. I believe there are two different technologies getting by the CAPTCHA.

See registered people:

I stiffened up my rules a bit more, so now my CAPTCHA looks like this:

http://img405.imageshack.us/img405/6656/captchaexample.png

Still, they are getting through. How is this happening, and what do I do?

CommentFileSizeAuthor
captcha_example.png9.93 KBownage
captcha_not_working_anymore.png34.4 KBownage
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

ownage’s picture

ownage CreditAttribution: ownage commented
Issue summary: View changes

link realname registration

ownage’s picture

ownage CreditAttribution: ownage commented
Issue summary: View changes

captcha update

soxofaan’s picture

soxofaan CreditAttribution: soxofaan commented
Category: bug » support
Status: Active » Closed (duplicate)

Long story short: it's not because you get spam, that it's coming from bots. Humans can write spam as well and humans are great at solving CAPTCHA's

Even worse: it doesn't take a lot of googling to find companies that sell "human CAPTCHA solving farms" for spam purposes.

Related reading/duplicates:
#519314: Spam bot getting through?
#1191774: Captcha module has been cracked!
#1135682: Drupal sites using Captcha are vulnerable...

ownage’s picture

ownage CreditAttribution: ownage commented

soxofaan,

I think that is a terrible excuse if that is where you truly think the origin of most spam cases are.

Humans don't write the same First and Last name on registration forms and I know this isn't human.

Hsu Hsu
Miles Miles
Thomas Thomas
Roche Roche1
Haugen Haugen
Hargrave Hargrave
Clifton Clifton
Greiner Greiner
Whittle Whittle
Vigil Vigil
Jobe Jobe
Marcotte Marcotte
Alarcon Alarcon
Wentz Wentz
Lancepva Lancepva
Tipton Tipton
Childress Childress
Akers Akers
Clemmons Clemmons
Gayle Gayle
Millard Millard
Forte Forte
Saylor Saylor
Klinger Klinger
Fitzgerald Fitzgerald
Donovan Donovan1
Andre Andre
Bullard Bullard
Chaves Chaves
Cortes Cortes
Andersen Andersen
Chun Chun
Brookshire Brookshire
Thomson Thomson
Mcgrath Mcgrath
Nason Nason
Albrecht Albrecht
Day Day
Lau Lau
Wilke Wilke
Brannon Brannon
Mcbride Mcbride
Lemieux Lemieux
Jenkins Jenkins
Dion Dion1
Bruce Dones
Mcdonnell Mcdonnell
Mojica Mojica
Roberts Roberts
Hughes Hughes
Ernst Ernst
Pashu Carlsen
Carder Carder
Quiroz Quiroz
Hunter Hunter
Golden Golden
Lamontagne Lamontagne
Bland Bland
Clemente Clemente
Carpenter Carpenter
Ayres Ayres1
Forster Forster
Toney Toney
Cantu Cantu
Luckett Luckett
Nutter Nutter
Woodcock Woodcock
Prather Prather
Flanagan Flanagan
Mcewen Mcewen
Hudson Hudson
Deboer Deboer
Bowen Bowen
Luna Luna
Foote Foote
Frick Frick
Trout Trout
Arriola Arriola
Usher Usher
Medina Medina
Hawks Hawks
Straub Straub
Colby Colby
Maksimal Maksimal2
East East
Kerr Kerr
Berrios Berrios
Carroll Carroll
Harder Harder
Serna Serna
Canada Canada
Holley Holley
Luther Luther
Whaley Whaley
Franco Franco
Ricks Ricks
Mccormick Mccormick
Shanahan Shanahan
Walter Walter
Akin Akin
Kolb Kolb
Quitesjohn Quitesjohn
Lord Lord
Leone Leone
Whyte Whyte
Aranda Aranda
Sheridan Sheridan
Cruz Cruz
Jeffers Jeffers
Durden Durden
Bernhardt Bernhardt
Bonner Bonner
Girard Girard
Jordan Jordan
Barnett Barnett
Rodrigues Rodrigues
Locke Locke
Briley Briley
Ahmed Ahmed
Roche Roche
Haskins Haskins
Burger Burger
Wilbur Wilbur1
Hinton Hinton
Pulley Pulley
Broadway Broadway
Arteaga Arteaga
Gore Gore
Castillo Castillo
Chong Chong
Sowers Sowers
Andrew Andrew
Witt Witt
Cutler Cutler
Taber Taber
Flanders Flanders
Dion Dion
Mcclintock Mcclintock
Avery Avery
Willie Willie
Keegan Keegan
Truitt Truitt
Chatman Chatman
Pointer Pointer
Medlin Medlin
Dumas Dumas
Meyers Meyers
Dunham Dunham
Ritchey Ritchey
Hanks Hanks
Place Place
Mcadams Mcadams
Frey Frey
Ayres Ayres
Ashe Ashe
Walters Walters
Good Good1
Foley Foley
Peak Peak
Ring Ring
Leigh Leigh
Goins Goins
Sauer Sauer
Saxon Saxon
Etheridge Etheridge
Leger Leger
Lindsay Lindsay
Herman Herman
Ferry Ferry
Mccarter Mccarter
Henderson Henderson
Hooks Hooks
Dugas Dugas
Dooley Dooley
Maksimal Maksimal1
Schmitt Schmitt
Galbraith Galbraith
Donovan Donovan
Bright Bright
Cronin Cronin
Macon Macon
Jacoby Jacoby
Broyles Broyles
Avila Avila
Guillory Guillory
Goldstein Goldstein
Messenger Messenger
Sosa Sosa
Blankenship Blankenship
Havens Havens
Richards Richards
YuSullivan YuSullivan
Lundgren Lundgren
Huntington Huntington
Delgadillo Delgadillo
Benton Benton
Lennon Lennon
Norfleet Norfleet
Horvath Horvath
Schrader Schrader
Lowry Lowry
Thorn Thorn
Abney Abney
Naylor Naylor
Pinkston Pinkston
Villarreal Villarreal
Williamson Williamson
Angelo Angelo
Ames Ames
Crawley Crawley
Hillman Hillman
Luong Luong
Burden Burden
Hass Hass
Loper Loper
Gooden Gooden
Braxton Braxton
Rider Rider
Mchenry Mchenry
Duckett Duckett
Marquez Marquez
Montano Montano
Lopez Lopez
Corbett Corbett
Rea Rea
Amundson Amundson
Hahn Hahn
Samuels Samuels
Craig Craig
Person Person
Lake Lake
Broderick Broderick
Bowens Bowens
Pham Pham
Borrego Borrego
Wild Wild
Mendenhall Mendenhall
Bertrand Bertrand
Brubaker Brubaker
Soliz Soliz
Miner Miner
Dubois Dubois
Silas Silas
Draper Draper
Janssen Janssen
Scott Scott
Shorter Shorter
Cornwell Cornwell
Maksimal Maksimal
Stegall Stegall
Michels Michels
Tyson Tyson
Collado Collado
Southern Southern
Parson Parson
Good Good
Dowdy Dowdy
Kessler Kessler
Sellars Sellars
Valles Valles
Driscoll Driscoll
Pinkney Pinkney
Huynh Huynh
Loyd Loyd
Snipes Snipes
Denman Denman
Harrell Harrell
Hite Hite
Druppa Druppa
Wooley Wooley
JurfitAluri JurfitAluri
Houck Houck
Hyland Hyland
Hodgson Hodgson
Drayton Drayton
Unwibiaalinue Unwibiaalinue
Reichert Reichert
Spring Spring
Serphawk Serphawk
Xchris Xchris
Jordansiuyw Jordansiuyw
Wilbur Wilbur
Hendrix Hendrix
Dunlap Dunlap
Sumpter Sumpter
Cygamaczer Cygamaczer
Liamzed Liamzed3
Liamzed Liamzed2
Liamzed Liamzed1
Liamzed Liamzed
Simpson Simpson
Jennyname Jennyname
Jordanswheu Jordanswheu
Farr Farr
Blesimomassitter Blesimomassitter1
Blesimomassitter Blesimomassitter
Paydayloans Paydayloans
CrirmTidaadah CrirmTidaadah
Frutaplantaxc Frutaplantaxc
Paydayloan Paydayloan
Foentetry Foentetry
Drupyguyx Drupyguyx
Gorwitchseconds Gorwitchseconds1
Gorwitchseconds Gorwitchseconds
Koleinzackmert Koleinzackmert1
Koleinzackmert Koleinzackmert
Gorejnackzen Gorejnackzen
DuBimmildvelm DuBimmildvelm
Nojsedrakijjsman Nojsedrakijjsman1
Nojsedrakijjsman Nojsedrakijjsman
Gooogle Gooogle
Cugeqfqv Cugeqfqv
Mccants Mccants
Bunch Bunch
Dzisekerti Dzisekerti
Mypayday Mypayday
Minter Minter
Webster Webster
Tirtuannive Tirtuannive
Waphello Waphello
Excurnnug Excurnnug
Iursarn Iursarn
Bialablemia Bialablemia
ArrekHefe ArrekHefe
JalkSmeamsral JalkSmeamsral
FookigDop FookigDop
Stonsiggitesy Stonsiggitesy
Kayakefique Kayakefique
Samior Samior
DyessDory DyessDory
AbornDoxren AbornDoxren
SlefesernGeby SlefesernGeby
AdvadyFalia AdvadyFalia

soxofaan’s picture

soxofaan CreditAttribution: soxofaan commented

Hi,

I'm not trying to make excuses for a broken CAPTCHA module, if that would be the case (I don't have evidence that it is broken).

I just want to make sure that the expectations are right:
a CAPTCHA system is not a spam filter,
it is only a roadblock for automated form posting.
And unfortunately, it is not invincible (even a random generator would be right sometimes).

Humans don't write the same First and Last name on registration forms and I know this isn't human.

Again, not trying to make excuses, but those CAPTCHA solving farms I was talking about allow for semi-automated spamming: automate the easy part (e.g. first name, last name crap) and only use humans for the harder part (CAPTCHA's). Think sweat shops where people are solving one CAPTCHA after the other, without any context about which form or site they are spamming.
This is not just a concept or theory, but very easy and cheap to find.

If you need a more powerful system you probably have to look for real spam filters or modules like http://drupal.org/project/mollom

ownage’s picture

ownage CreditAttribution: ownage commented

I installed reCAPTCHA today but if that doesn't hold the spam back, I'll turn to Mollom.

If reCAPTCHA holds the spam back, I can basically rule out the human factor.

ownage’s picture

ownage CreditAttribution: ownage commented
Issue summary: View changes

captcha update