Mother May I already logs unsuccessful attempts to the logfile, but only logs the username, not the (wrong) secret word that was entered by that user.

I believe it will be useful for the administrator to see what the unsuccessful user actually entered.

Let's imagine a question like: "Who is the mayor of Littleville TX?" The correct answer is set up to be /^smith$/i, but the user types in "Joe Smith". As it happens, "Joe Smith" is indeed the mayor's name.

Here, there is a rather obvious problem with the question - it is not precise enough. Seeing that legitimate correct answers are rejected will prompt the administrator to improve the question. (For instance, changing the question to: "What is the last name of the mayor of Littleville TX?" will probably make the procedure more robust.)

Comments

gisle

Attached is a patch that reports a wrong secret word to the logfile.

Please review.

dwillcox

Assigned: Unassigned » dwillcox

Not a horrid idea, and a trivial change.

I wouldn't want to log the incorrect password on a normal password failure. That would be a huge security flaw. But since in this case you know what the correct word is, logging the miss shouldn't be a problem.

gisle

I want to congratulate you on a very, very useful module for keeping spammers from registering.

I have a fairly popular website that used to get more than 2000 robot registrants per day when unprotected. About 10 of those robots were clever enough to verify their email address, so requiring email verification was not good enough. I started out with the CAPTCHA module. The default challenge (math question) was useless - robots now know how to solve those. Graphic challenges work, but also lock out the visually disabled (and are sometimes hard to solve, even for people with reasonably good eyesight like myself). I then moved on to CAPTCHA riddler. This CAPTCHA riddler challenge works well, but it doesn't support regular expressions and doesn't provide a "hint" block. Having a hint block is important to make the right answer (or secret word) obvious to humans.

So Mother May I is the module I now use. Thanks!

After I added code to see the "wrong" secret words I got some insight into how the robots work. My regular production "secret word" is community specific (and hard to guess for a human outside the site's target community). But just for fun, I tested it for 24 hours with the not too subtle hint: "The secret word is “nospam”." Even this very obvious hint only produced two types of response from the robots. An empty string (""), or a garbage string (e.g. "Q1w2e3r4t5y"). A fairly common response is that the robot first enters an empty string, and when that is rejected, it tries again with a garbage string.

This tells me that the robots are currently incapable of parsing English, but aware of the "Leave this field blank" challenge and usually try that option first when they see a fill-in field they do not recognize. I.e. the "empty field" feature of Mother May I is not very useful. It just incentivizes the robot to try to register twice, instead of once.
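An added example, not part of this thread or of the Mother May I module, that triages a log of rejected secret words of the kind gisle describes: a near-miss such as "Joe Smith" against /^smith$/i points to a question that needs rewording, while the blank-then-garbage sequence marks a robot. The sample records, the SECRET pattern and all function names are constructed for the example; as dwillcox notes, logging the entered value is only acceptable because the secret is a shared, known word and not a per-user password.

```python
import re
from collections import Counter

# Constructed sample of rejected attempts as (username, entered secret word).
# These are made-up records, not output from Mother May I.
REJECTED = [
    ("alice", "Joe Smith"),     # knows the mayor, but the answer must match /^smith$/i
    ("bot42", ""),              # robot tries the "leave this field blank" trick first
    ("bot42", "Q1w2e3r4t5y"),   # ...then a garbage string on the retry
    ("bot77", ""),
    ("bob", "smith "),          # trailing whitespace defeats the anchored pattern
]

# The admin's configured secret word, as in the issue summary (assumed here).
SECRET = re.compile(r"^smith$", re.IGNORECASE)


def classify(secret, answer):
    """Label a rejected answer: question problem (near-miss) or robot noise (empty/garbage)."""
    if answer == "":
        return "empty"
    if secret.search(answer):
        return "correct"   # would have passed; should never reach the log
    # Drop the anchors: if the secret still appears inside the answer, a human
    # probably knew it and the question wording is too loose.
    bare = re.compile(secret.pattern.lstrip("^").rstrip("$"), secret.flags)
    if bare.search(answer):
        return "near-miss"
    return "garbage"


def summarize(records, secret=SECRET):
    """Count categories over the log; many near-misses mean the question needs fixing."""
    return Counter(classify(secret, answer) for _, answer in records)


def near_misses(records, secret=SECRET):
    """Rejected answers worth reading when rewording the question."""
    return [answer for _, answer in records if classify(secret, answer) == "near-miss"]


def empty_then_garbage(records, secret=SECRET):
    """Users showing the robot pattern from the thread: blank first, garbage on retry."""
    last = {}
    suspects = set()
    for user, answer in records:
        label = classify(secret, answer)
        if last.get(user) == "empty" and label == "garbage":
            suspects.add(user)
        last[user] = label
    return sorted(suspects)
```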

dwillcox

Thanks for the testimonial. :)

It sounds like your site suffered the same problem as ours, though to a much greater extent. Ours is a pretty low-traffic site with only a few dozen people who would legitimately have accounts. We didn't get anywhere near as many spam registrations as you, but it was still enough to be a bother even with reCAPTCHA installed. Bots can get past the CAPTCHA variants (even to the point of employing people to sit at their computer and get paid a few cents for decoding each challenge), but at least they have to work at it.

The original idea was to use some group-specific knowledge for the secret word. That could be very specific to a particular club or organization, or domain-specific such as jargon used within a particular hobby. But now that you mention it, even a question like "What color do you get if you mix yellow and blue paint?" would be obvious to most English-speakers, but way beyond the abilities of any existing bot.

And you're right, the "leave this field blank" feature turned out to be pretty useless. It was listed in a number of places as a suggested way to deter bots, but I never saw it do any good. I'll leave it in, just in case someone wants it.

With Mother May I, it's been months since I saw a spam account request. (Lots of attempts, none successful.)

dwillcox

Status: Needs review » Fixed

See version 7.x-1.2.

dwillcox

Also fixed in 6.x-1.2. (And in 7.x-1.3, which differs from 7.x-1.2 only in corrected CHANGELOG date.)

dwillcox

Version: 7.x-1.x-dev » 7.x-1.1

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous

Issue summary: View changes

typo