Is there a way to set up PHPBB3 to use a CAPTCHA for every post? - captcha

I think there is a human registering a user, getting past the original CAPTCHA, then firing his php script to spamalot.
Is there a way to make the user do the captcha test for every post in PHPBB3?

Won't this deter regular users from using your forum? I wouldn't use stackoverflow if I had to enter a CAPTCHA each time I wanted to post an answer...
I'm not directly answering your question, but in PHPBB 3.06 you have the "Newly Registered Users Group" to which you can give specific permissions (like all messages going to the moderation queue). May this help? Depending on your traffic you may also validate each user manually (admin activation).
More info on PHPBB and spam here: http://www.phpbb.com/community/viewtopic.php?f=46&t=1861645 (strongly suggested)

Related

detecting link checkers (spam filter) in incoming HTTP requests

We have a site that uses a "one-time" login process for password resets which are not initiated by the user themselves (for instance, a password reset that is initiated by an admin or another employee). A URL is sent to the user via email which can then be used to reset their password. The URL can only be visited one time. (There's more to this for security's sake, but I'll keep it simple.) Recently, some users have complained that when they visit the link, it has already expired. The end result is that they can't reset their passwords using this feature. We discovered that the users in question have a spam filter or "link checker" in their environment that they do not have access to. This device visits the one-time link before the user is able to, to make sure it's safe.
I'm trying to solve this issue and was wondering if there's a way I can detect these types of devices on the web server when the request is made? When the spam filter visits the link, is there something in the HTTP request that would stand apart from a regular browser? Maybe they all use a specific custom HTTP header? Or maybe there's a regex I could use on the user agent? I haven't been able to catch one of these yet, so I'm not sure what the request looks like coming from a spam filter.
Anyone know of a way to detect spam filters of any vendor by looking at the http requests? I know it's a long shot but maybe they all use a specific header for reasons such as this?
I got approval to modify the design to remove the one-time aspect of the URL. This solves the issue and saves me the headache. Thanks for the suggestion, #PeeHaa

Security Risks of having an API for registering a new user

I have this question in mind and I wanted to get other developer's opinion on this issue.
For creating a user (like in Facebook or creating an account in Gmail), some people suggested having a public/private (meaning we don't tell developers how to use it) action in the API for it. I, however, think it is a security risk, as even if it is not documented, a hacker can simply see the calls and HTTP requests when our front-end app is using that API action to create a new user (using a web debugger like Fiddler) and can find the URL to that action just as simply, like this: POST ~/api/user/create
and then he/she can send thousands of requests to create users. Users need to be verified, but still he/she is adding a lot of junk users to our database and putting a lot of pressure on our servers.
So the question is how do we handle this? Allow this only on our website or what?
Thanks
You can use CAPTCHA to verify that it's a real user.
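The answer above says "use CAPTCHA" without saying where the check has to live. The following is an added example, not code from the question or the answer: the CAPTCHA state is held server-side, each challenge is single-use and time-limited, and the hypothetical registration handler (standing in for the `POST ~/api/user/create` route mentioned in the question) refuses to create a row unless a challenge was just solved. The arithmetic prompt is only a placeholder for a real image or audio challenge; the point is that the server, not the client, decides whether the CAPTCHA passed, and that a solved challenge cannot be replayed for a second registration.

```python
import hashlib
import hmac
import random
import secrets
import time


class CaptchaChallengeStore:
    """Server-side CAPTCHA state: every challenge is single-use and time-limited.

    The "a + b" prompt is a stand-in for a real challenge; what this class shows
    is the verification contract (server-held answer, one guess, expiry).
    """

    def __init__(self, ttl_seconds=300, clock=time.time, rng=None):
        self._ttl = ttl_seconds
        self._clock = clock                      # injectable for tests
        self._rng = rng or random.SystemRandom()
        self._pending = {}                       # challenge_id -> (sha256(answer), expires_at)

    @staticmethod
    def _digest(answer):
        return hashlib.sha256(answer.strip().encode()).hexdigest()

    def new_challenge(self):
        """Return (challenge_id, prompt); the id goes into the form as a hidden field."""
        a, b = self._rng.randint(1, 20), self._rng.randint(1, 20)
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (self._digest(str(a + b)), self._clock() + self._ttl)
        return challenge_id, f"What is {a} + {b}?"

    def verify(self, challenge_id, answer):
        # pop() regardless of outcome: one guess per challenge, so a wrong answer
        # cannot be retried and a right answer cannot be replayed.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if self._clock() >= expires_at:
            return False
        return hmac.compare_digest(expected, self._digest(answer))


def register_user(store, users, challenge_id, answer, email):
    """Hypothetical handler logic behind POST ~/api/user/create.

    Returns (status, detail). A row is created only after a fresh CAPTCHA passes;
    e-mail verification of the new account is a separate, later step.
    """
    if not store.verify(challenge_id, answer):
        return "rejected", "captcha failed, expired or already used"
    if email in users:
        return "rejected", "email already registered"
    users[email] = {"verified": False}
    return "created", email


def solve_prompt(prompt):
    """Constructed stand-in for a human reading the prompt and typing the answer."""
    a, b = prompt[len("What is "):-1].split(" + ")
    return str(int(a) + int(b))


def registration_demo():
    """Constructed run: one honest sign-up, then a replay, a wrong answer and no CAPTCHA."""
    store = CaptchaChallengeStore(ttl_seconds=300)
    users = {}
    cid, prompt = store.new_challenge()
    ok = register_user(store, users, cid, solve_prompt(prompt), "alice@example.test")
    replay = register_user(store, users, cid, solve_prompt(prompt), "bob@example.test")
    cid2, _ = store.new_challenge()
    wrong = register_user(store, users, cid2, "999", "bob@example.test")
    no_captcha = register_user(store, users, "made-up-id", "1", "carol@example.test")
    return ok[0], replay[0], wrong[0], no_captcha[0], sorted(users)
```

Only `alice@example.test` ends up in `users`: the replayed challenge id, the wrong answer and the request that never fetched a challenge are all rejected before any database write, which is what keeps scripted calls to the endpoint from filling the table with junk accounts.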

Preventing denial of service from locking user accounts after too many attempts

It seems to be common practice to lock user accounts after enough failed attempts in a particular time window.
I am wondering how you prevent denial-of-service attacks since a malicious user who had the username of someone he wished to DoS could simply rapidly make logon attempts.
Is the remedy to lock the account for only the IP address of the user who exceeded the logon attempt count+window?
Is there any better way?
EDIT:
I don't want to make my users solve a captcha on each login attempt.
You shouldn't block the user by IP, because it may be a real user who forgot his password and did the retries manually.
The worst thing (business-wise) is that a real user will not be able to access your service.
So, your problem is actually "How do I know that the user is not a robot?".
One of the most popular ways to deal with this is to use a different mechanism for multiple login attempts.
For instance, Google uses a CAPTCHA after about 3 trials, so an automatic bot will get stuck at this stage.
Of course it is possible to get the bot to read the captcha, but it's a start.
You can read more about captcha implementation on their official site: http://www.captcha.net/
Other alternative ideas here: http://econsultancy.com/il/blog/63144-six-alternatives-to-using-the-dreaded-captcha-images
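The answer's point is that escalating to a CAPTCHA after a few failures, rather than locking the account, removes the denial-of-service angle: flooding a victim's username makes the real user solve a challenge, but never keeps a correct password out. The following is an added example of that policy, not code from the answer; the threshold of 3 and the 15-minute window are assumptions, and `captcha_solved` is passed in as a boolean because the CAPTCHA verification itself is a separate component.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account failure tracking that escalates to a CAPTCHA, never a lockout.

    Keyed by username only: blocking by IP would also hit a legitimate user who
    mistyped a password a few times, and the throttle never refuses a correct
    password outright, so flooding a victim's username cannot lock them out.
    """

    def __init__(self, threshold=3, window_seconds=900, clock=time.time):
        self._threshold = threshold
        self._window = window_seconds
        self._clock = clock                       # injectable for tests
        self._failures = defaultdict(deque)       # username -> recent failure timestamps

    def _prune(self, username):
        cutoff = self._clock() - self._window
        q = self._failures[username]
        while q and q[0] < cutoff:
            q.popleft()                           # forget failures outside the window
        return q

    def captcha_required(self, username):
        return len(self._prune(username)) >= self._threshold

    def record_failure(self, username):
        self._prune(username).append(self._clock())

    def record_success(self, username):
        self._failures.pop(username, None)


def hash_password(password, salt):
    # Constructed demo store; a production system would use a dedicated password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def attempt_login(throttle, users, username, password, captcha_solved=False):
    """Returns 'ok', 'captcha_required' or 'invalid'."""
    if throttle.captcha_required(username) and not captcha_solved:
        return "captcha_required"                 # challenge shown; account stays usable
    rec = users.get(username)
    if rec and hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"])):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "invalid"


def lockout_dos_demo():
    """Constructed scenario: six bad passwords are fired at alice's username,
    then the real alice logs in, first without and then with the CAPTCHA."""
    salt = os.urandom(16)
    users = {"alice": {"salt": salt, "hash": hash_password("correct horse", salt)}}
    throttle = LoginThrottle(threshold=3, window_seconds=900)
    flood = [attempt_login(throttle, users, "alice", "guess%d" % i) for i in range(6)]
    without_captcha = attempt_login(throttle, users, "alice", "correct horse")
    with_captcha = attempt_login(throttle, users, "alice", "correct horse", captcha_solved=True)
    cleared = throttle.captcha_required("alice")
    return flood, without_captcha, with_captcha, cleared
```

After the third failure every further attempt, including the flood, is answered with `captcha_required` and no longer counts as a failure, so the attacker gains nothing by continuing; the legitimate user with the right password gets in as soon as the challenge is solved, and the successful login clears the counter.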

Box API Automatic Login for Authentication

This question was previously asked here but the OP never responded to the comment left and therefore it is left unanswered. I'm looking to sign into a specific Box account via API and am hoping there's a way to automatically set the login and password instead of asking users for theirs. I'm coding my app in PHP and so far I'm using the basic OAuth2 process that asks the user to login (/auth/ticket&api_key). So far the only suggestions I've found require saving files to local storage, but that's not an option as I need my app users to do as little work as possible to get in. I just need to tweak this authentication process. Any suggestions??
Thanks!
This is the answer I got from Box API technical support:
Unfortunately, there's no way to do this at this point. You do have to go through the web based login to authenticate; however, once you authenticate the first time, you can automate the refresh token so you won't have to do it again. I apologize for that and just let me know if you have any more questions about this.

should we use a captcha for Sign Up?

I know it's not really a programming question but I don't know where to ask it.
Should I use a captcha in my sign up form?
Facebook, twitter, foursquare, gowalla etc... don't use one (or not a visible one). Is there an invisible captcha on these sites?
Thank you
UPDATE:
I have found a nice article about it: http://www.smashingmagazine.com/2008/07/08/web-form-design-patterns-sign-up-forms-part-2/
Thanks for your answers
I don't use a captcha for SingingEels, but I do require a valid email address. Users have to confirm their email address by clicking a link sent with a GUID upon creating a new account.
That validates a real human, and also prevents quick sign-ups for spam comments.
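Both the e-mail confirmation link described in the answer above and the one-time password-reset link in the earlier question ("detecting link checkers (spam filter) in incoming HTTP requests") hit the same problem: a mail gateway's link checker fetches the URL before the user does. The following is an added example, not code from either post, of a single-use token store that survives that: a GET on the link is read-only and only renders a confirmation page, and the token is consumed by the POST from that page's button, which scanners do not send. Purpose names, the token store API and the TTLs are assumptions; the token itself is stored only as a hash, so a database leak does not expose usable links.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    purpose: str          # "password_reset" or "email_confirm" (assumed names)
    user_id: str
    expires_at: float


class OneTimeLinkStore:
    """Single-use link tokens that survive mail-gateway link checkers.

    Scanners (and prefetching browsers) only GET the URL; GET is read-only here,
    and the token is consumed solely by an explicit POST from the landing page.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for tests
        self._records = {}           # sha256(token) -> TokenRecord; raw token never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, purpose, user_id):
        """Create a token; the caller embeds it in the e-mailed URL."""
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = TokenRecord(
            purpose, user_id, self._clock() + self._ttl)
        return token

    def _lookup(self, token, purpose):
        key = self._digest(token)
        rec = self._records.get(key)
        if rec is None or rec.purpose != purpose:
            return None              # unknown token, or a reset token used on the confirm route
        if rec.expires_at <= self._clock():
            del self._records[key]   # expired: drop it so it can never be consumed
            return None
        return rec

    def peek(self, token, purpose):
        """GET handler check: safe and idempotent, never consumes the token."""
        return self._lookup(token, purpose) is not None

    def consume(self, token, purpose):
        """POST handler check: consumes the token and returns the user id, or None."""
        rec = self._lookup(token, purpose)
        if rec is None:
            return None
        del self._records[self._digest(token)]
        return rec.user_id


def password_reset_flow():
    """Constructed walk-through: the link checker fetches first, then the real user."""
    store = OneTimeLinkStore(ttl_seconds=3600)
    token = store.issue("password_reset", "user-42")
    scanner_saw_valid = store.peek(token, "password_reset")   # link checker's GET
    user_saw_valid = store.peek(token, "password_reset")      # user's browser GET
    wrong_route = store.consume(token, "email_confirm")       # token used on the wrong route
    first_post = store.consume(token, "password_reset")       # user clicks "Reset password"
    second_post = store.consume(token, "password_reset")      # replay or double click
    return scanner_saw_valid, user_saw_valid, wrong_route, first_post, second_post


def email_confirm_flow():
    """Constructed: a sign-up confirmation token checked before and after its TTL."""
    now = [1_700_000_000.0]
    store = OneTimeLinkStore(ttl_seconds=600, clock=lambda: now[0])
    token = store.issue("email_confirm", "new-user-7")
    before = store.peek(token, "email_confirm")
    now[0] += 601                                             # move past the TTL
    after = store.consume(token, "email_confirm")
    return before, after
```

The scanner's visit leaves the token valid, the user's own GET still shows a valid page, and only the POST consumes it; a second POST gets `None`, as does a token presented on the wrong route or after expiry. Binding the consuming action to a POST also matches the HTTP rule that GET must be safe, which is why the one-time GET link broke in the first place.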
There is no need to use captcha code on the SignUp page. But as far as security is concerned, you need captcha code wherever you have any form, because if someone puts a robot on your signup page, you will have a problem with your website. So for this purpose you need to add captcha not only to the Signup page but to every form you are using on your website.
CAPTCHA helps prevent automated abuse of your site (such as comment spam or bogus registrations)
It is advisable to use additional authentication methods; captcha and email authentication are the most advisable.
It is not advisable to use any captcha at all.
Also see:
http://www.interfacegeek.com/dont-ever-use-captchas/