How can I protect my website if services like 2Captcha claim to crack the new reCAPTCHA?

@Pope3001725

Posted in: #Captcha #SpamPrevention

I have recently seen their ad where they claim to be able to do it due to the fact that, unlike most OCR CAPTCHA crackers, which are bots, they use a workforce, humans behind the scenes. Although I still don't get the technical side of the problem, I'd still like to know if it is an issue or a rumor. And, of course, how can I protect my website in case it's true.

1 answer
@Correia994

The answer is to not use a captcha, or to use something in addition to it. Look to alternate methods such as hidden form fields that should never be filled in. Bots will most likely still fill them in, and your validation will know immediately that it is a spammer.

Another method would be the time-based trigger. If a bot hits a page and then fills out a form, it will be submitted immediately in many cases. This is because of both automation and because they don't load assets in many cases. So using a timer function to calculate the time from when page parsing stops to when submit is clicked can reduce abusive actions. This is not foolproof, though, because some [return] users with autocomplete can fill a form and submit very quickly. You might want to combine this timer with other bot heuristics such as known user agents.

Finally, an identifier check on POST can prevent a lot of abuse. This includes checking blacklists such as stopforumspam.com or projecthoneypot.org after the form is submitted, but before the logic/controllers take over the request. This works from the ISP/server-level REMOTE_ADDR header, which is very hard to spoof but very easy to proxy. If you do use this method, remember to make a proxy buster and only check via a POST (or throttled) action. If you try to use the blacklists like an API firewall, you will be quickly banned from their services.

If you do indeed insist on a captcha, there are methods to improve it. For example, using a homebrew captcha that uses a different/unique structure and classes, or CSS :before and :after combined with layered component background images, may throw off bots. Or, slicing the captcha images up so that there are a handful of squares may help. Or, randomizing class names and overkill nesting so there are no targets could help. Or, flickering/strobing/moving it around constantly could help by preventing screenshots. There are other variations of concepts like these too that will fragment the captcha enough to throw off abusers. Basically, the more people who use things like reCAPTCHA, the more easily abusers will have free rein once the syntax is cracked. At least in a homebrew captcha you can change it up on a whim and make it more cryptic and hard to "understand" from a coded-source angle.

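One way to implement the three checks from the answer above (the honeypot field, the timer, and the blocklist lookup run only on POST after the cheap checks pass), added here as an example and not code from the original post or from vmapp.org. Everything concrete in it is an assumption: the field names, the secret, the 4-second and 1-hour thresholds, the 10.0.0.0/8 "own reverse proxy" range, and the blocklist, which is a constructed in-memory list of documentation-range addresses standing in for a stopforumspam.com or projecthoneypot.org query. The timer is enforced with a signed render timestamp rather than a client-side JavaScript clock, because a bot controls whatever the client reports; the `client_ip` helper is one reading of the answer's "proxy buster": trust `X-Forwarded-For` only when `REMOTE_ADDR` is one of your own proxies, and even then ignore hops the client could have written itself.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Tuple

# Assumed server-side secret; in a real deployment load it from config and rotate it.
FORM_SECRET = b"example-secret-rotate-me"

HONEYPOT_FIELD = "website"   # assumed name; hidden with CSS, so a human never fills it
TOKEN_FIELD = "form_token"   # assumed name; hidden field carrying the signed render time
MIN_SECONDS = 4              # assumed fastest plausible human fill-and-submit
MAX_SECONDS = 3600           # assumed token lifetime, so an old token cannot be replayed

# Constructed blocklist (documentation range) standing in for a stopforumspam.com /
# projecthoneypot.org lookup result.
CONSTRUCTED_BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]
# Assumed address range of our own reverse proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def issue_form_token(issued_at: int, secret: bytes = FORM_SECRET) -> str:
    """Build 'timestamp.hmac' for the hidden field when the form is rendered.
    The HMAC stops a bot from simply writing an old timestamp into the field."""
    sig = hmac.new(secret, str(issued_at).encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{sig}"


def verify_form_token(token: str, now: int, secret: bytes = FORM_SECRET) -> Tuple[bool, str]:
    """Check the signature, then require MIN_SECONDS <= now - issued_at <= MAX_SECONDS."""
    try:
        ts_str, sig = token.split(".", 1)
        issued_at = int(ts_str)
    except (ValueError, AttributeError):
        return False, "malformed token"
    expected = hmac.new(secret, ts_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad token signature"
    elapsed = now - issued_at
    if elapsed < MIN_SECONDS:
        return False, "too fast"
    if elapsed > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"


def client_ip(remote_addr: str, x_forwarded_for: str = "", trusted_proxies=TRUSTED_PROXIES) -> str:
    """REMOTE_ADDR is the real TCP peer. Honour X-Forwarded-For only when that peer is
    one of our own proxies, and take the right-most hop that is not a proxy: anything a
    client forged into the header sits further left and is ignored."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    if not any(peer in net for net in trusted_proxies) or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # garbage in the header: fall back to the peer
        if not any(addr in net for net in trusted_proxies):
            return hop
    return remote_addr


def in_blocklist(ip: str, networks=CONSTRUCTED_BLOCKLIST) -> bool:
    """Stand-in for the remote blacklist query; replace the body with the real lookup."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # cannot be checked: fail closed
    return any(addr in net for net in networks)


def check_submission(form: dict, remote_addr: str, now: int,
                     blocklist_lookup: Callable[[str], bool] = in_blocklist) -> Tuple[bool, str]:
    """Run the cheap, local checks first; only a POST that passes them costs a blocklist query,
    which keeps the request rate to the list provider low."""
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot field filled"
    ok, reason = verify_form_token(form.get(TOKEN_FIELD, ""), now)
    if not ok:
        return False, reason
    if blocklist_lookup(remote_addr):
        return False, "remote address is blocklisted"
    return True, "ok"


if __name__ == "__main__":
    rendered_at = 1_700_000_000  # constructed render time
    token = issue_form_token(rendered_at)
    human = {"name": "Ann", "message": "hi", HONEYPOT_FIELD: "", TOKEN_FIELD: token}
    print(check_submission(human, "203.0.113.5", rendered_at + 12))   # (True, 'ok')
    bot = dict(human, **{HONEYPOT_FIELD: "http://spam.example"})
    print(check_submission(bot, "203.0.113.5", rendered_at + 12))     # honeypot field filled
    print(check_submission(human, "203.0.113.5", rendered_at + 1))    # too fast
    ip = client_ip("10.0.0.7", "192.0.2.44, 198.51.100.9, 10.0.0.7")  # forged left hop ignored
    print(ip, check_submission(human, ip, rendered_at + 12))           # blocklisted
```

The render timestamp goes into the hidden `form_token` field when the page is served, and the honeypot field is hidden with CSS rather than `type="hidden"`, since many bots skip hidden inputs but happily fill anything that looks like a text field. The order of checks is the point of the answer's "only check via a POST (or throttled) action": the blocklist query is the last gate, never a per-request firewall.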