Next level in anti-spam protection


Postby poopShotgun » Fri Jan 19, 2007 11:20 am

This is a "theoretical security document", so don't read if you find such things boring. I am not a security expert, but I have found some things work and some don't.

I have been looking at the code for Lotta Livin' forums because I am doing work for them, and found they are using a "Humanizer" question much as we are now. The problem with the mod they are using, and the fact that it does not work, boils down to one fact: It is standardized. The fact that we have a unique approach rather than a cookie-cutter solution is most likely why we have had no spam-bot registrations since I installed it (Props to self. Yes, I rawk.) while Lotta Living has contracted me to help them because their solution failed.

When I applied my approach to the "Humanizer" mod they are using, it seemed to stop the spam bots (although this has only been in effect for one night so far). But the mod they are using is far more sophisticated than the one I wrote, and I want to take the "Humanizer" mod to the next level and apply it to our forums.

The current problem with the Humanizer mod is that it generates an MD5 number for the Humanizer question's variable. This means it is highly predictable and can be bypassed by spam-bots quite easily:
Calculates the MD5 hash of str using the RSA Data Security, Inc. MD5 Message-Digest Algorithm, and returns that hash. The hash is a 32-character hexadecimal number. If the optional raw_output is set to TRUE, then the md5 digest is instead returned in raw binary format with a length of 16.

My emphasis added. Using this solution, a bot simply looks for a 32-character string in the page source, checks that it only contains hexadecimal digits, captures the number and alters the variable it represents. Voila! The bot is now considered human.

The approach I propose does two things:
1. Add or subtract a random number of characters from the MD5 number, resulting in a length of 8 to 56 characters, but never equal to 32. This can be done by generating another MD5 and splitting it randomly, then tacking on the extra characters.
2. Run the resulting number through some sort of encryption scheme, thus ensuring it is not purely hexadecimal.

In this way, a bot never knows what to expect in terms of variable names. I can see this approach being eventually cracked, so another idea is to create a database of pseudo-variable names that can be stuck together randomly (a la Star Trek, i.e. just slap a bunch of techno-babble together and you have a new device...) so that the humanizer variable looks like any other "official" variable. Other approaches include HTML drop-downs for the state you live in, a second captcha, etc... The idea is to be unique, because a spam-bot relies on standardized code.

Whatever, just some random thoughts I felt like sharing.
Splash me on in the morning and wear the great smell of me all day long.

Postby RagazzoPazzo » Fri Jan 19, 2007 2:36 pm

Vedy, vedy interestink...

Postby poopShotgun » Fri Jan 19, 2007 2:52 pm

It actually didn't work. phpBB loses the variable name when submitting and generates a new one. Thus, the randomization prevented everyone from registering. I have instead opted for a date-randomization scheme, which uses the PHP date() function for two different randoms. That way, the randomized variable name/length is the same for registering for the whole day.

The only time it will fail is if you try to register right before midnight and you submit after midnight.
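The two ideas in this thread, a humanizer field name whose length is never 32 and whose characters are never pure hex, derived per calendar day so it survives the phpBB resubmit, as an added example that is not code from the posts or from the Humanizer mod. It is written in Python rather than PHP, swaps the md5()+date() derivation for an HMAC over the date (so the name cannot be recomputed without the server secret), and validates against both today's and yesterday's names to cover the midnight rollover the second post describes. The secret, alphabet and sample form are constructed for the example.

```python
import datetime
import hashlib
import hmac

# Server-side secret, constructed for this example. A real forum would keep it
# in its config, not in source, and change it if it ever leaked.
SERVER_SECRET = b"example-secret-not-for-production"
# Letters g..z only, so the name can never be mistaken for a hexadecimal string.
ALPHABET = "ghijklmnopqrstuvwxyz"


def field_name_for_day(day_iso: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive the humanizer input's name for one calendar day ("YYYY-MM-DD").
    Same idea as the thread's md5()+date() scheme, but keyed with an HMAC so
    the name cannot be recomputed without the secret. The length is 8..56 and
    never 32, and the alphabet is non-hex, covering both points of the proposal.
    """
    day = datetime.date.fromisoformat(day_iso).isoformat()  # normalise the date
    digest = hmac.new(secret, day.encode(), hashlib.sha256).digest()
    length = 8 + digest[0] % 48          # 8..55
    if length >= 32:
        length += 1                      # 32..55 becomes 33..56; 32 never occurs
    chars = [ALPHABET[b % len(ALPHABET)] for b in digest[1:]]
    while len(chars) < length:           # stretch the digest for longer names
        digest = hashlib.sha256(digest).digest()
        chars.extend(ALPHABET[b % len(ALPHABET)] for b in digest)
    return "".join(chars[:length])


def accepted_field_names(now_iso: str, secret: bytes = SERVER_SECRET) -> set:
    """Names a submission may use: today's and yesterday's, so a form rendered
    just before midnight still validates when submitted just after it."""
    today = datetime.datetime.fromisoformat(now_iso).date()
    yesterday = today - datetime.timedelta(days=1)
    return {field_name_for_day(d.isoformat(), secret) for d in (today, yesterday)}


def is_human_submission(form: dict, answer: str, now_iso: str,
                        secret: bytes = SERVER_SECRET) -> bool:
    """True only if the form carries the humanizer field under an accepted name
    and its value matches the expected answer (case-insensitive)."""
    for name in accepted_field_names(now_iso, secret):
        if name in form:
            given = form[name].strip().lower().encode()
            return hmac.compare_digest(given, answer.lower().encode())
    return False


if __name__ == "__main__":
    # Constructed scenario: form rendered Fri Jan 19 2007 23:59, posted at 00:01.
    form = {field_name_for_day("2007-01-19"): "Eugene"}
    print(is_human_submission(form, "eugene", "2007-01-20T00:01"))  # True
```

A bot that pattern-matches a 32-character hex token in the page source finds nothing to capture, and a legitimate user who straddles midnight is still accepted because yesterday's name remains valid for one more day.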

Postby joe » Fri Jan 19, 2007 4:24 pm

poop: I registered 'gay scooter boy' on the board, posted up a message, and deleted it with the profile. Everything seemed to work fine. Even tried to post a link.

You receive a passing grade for today's quality control test in the WAR ON SPAM.

Postby poopShotgun » Fri Jan 19, 2007 4:29 pm

Nah, the test was on Lotta Living. :wink:

I'm focusing on their board for now because ours is tha shit. Once Lotta Living is done (i.e. I gets paid in full) I'll do the same for our board.

EDIT: looks like I gots some work to do on their forum. :( They're being bombarded again. This is freakin' ridiculous. I HATE SPAMMERS!!!