OS Property support center

Spam Emails

9 years 9 months ago #65989 by Marc
Replied by Marc on topic Spam Emails
Hi Dam,

It looks like you are on the right track with changing the captcha to a function, and I understand completely about the form within a form issue.

Additionally, you should look into changing the logic to the following:
- A db table, with fields for:
  1. Captcha key (the actual text in the image that the user has to input; it is short and easy to input, but is never given to the user in clear text)
  2. Captcha reference code (the code included in the hidden field and the URL strings, which is not the captcha key and is a long, complex string)
  3. Expire date (should be 15 - 30 minutes after the captcha is created)
- The captcha is created and the image is stored in backend PHP, but only the db maps the key to the image name.
- The captcha is expired automatically.

This would cut down a great deal on the spammers' ability for automation and also stop spammers (and their scripts) from seeing the code in clear text on the webpage.

Here is an example of why having the image name be the same as the security key is a bad idea: i.imgur.com/8npYwZG.gif

I guess it could be worse, at least you use an actual image, not like these two :)
i.imgur.com/dfCakdi.png
i.imgur.com/DMsJrLx.png

Also a good reference to use for ease of solving the image is the site: caca.zoy.org/wiki/PWNtcha
From the looks of it, your algorithm being used in OSP is one of the easiest to solve.

I hope that the above advice will assist you in securing the captcha in your new release.

Regards,

Marc
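
The table-backed design described in the post above, as an added example that is not part of the original post and is not OS Property code. The table, column and function names are hypothetical, an in-memory SQLite database stands in for the site's own database, image rendering is left out, and deleting the row after the first attempt is an extra assumption on top of the expiry the post asks for.

```php
<?php
// Added example; table, column and function names are hypothetical.
function captcha_schema(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS captcha (
        ref     TEXT PRIMARY KEY,   -- long random reference: hidden field + image URL
        answer  TEXT NOT NULL,      -- text drawn in the image; never sent to the client
        expires INTEGER NOT NULL    -- unix time after which the row is invalid
    )');
}

// Create a challenge. Only the reference is returned; the answer stays in the db.
function captcha_issue(PDO $db, int $ttl = 900): string {    // 900 s = 15 minutes
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';           // no 0/O/1/I look-alikes
    $answer = '';
    for ($i = 0; $i < 6; $i++) {
        $answer .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $ref = bin2hex(random_bytes(32));                         // 64 hex chars, unrelated to $answer
    $db->prepare('INSERT INTO captcha (ref, answer, expires) VALUES (?, ?, ?)')
       ->execute([$ref, $answer, time() + $ttl]);
    return $ref;
}

// Used only by the server-side image script to learn what to draw for a reference.
function captcha_answer_for_image(PDO $db, string $ref): ?string {
    $q = $db->prepare('SELECT answer FROM captcha WHERE ref = ? AND expires > ?');
    $q->execute([$ref, time()]);
    $answer = $q->fetchColumn();
    return $answer === false ? null : (string) $answer;
}

// Check a submission. The row is deleted on the first attempt, right or wrong.
function captcha_verify(PDO $db, string $ref, string $input): bool {
    $db->prepare('DELETE FROM captcha WHERE expires <= ?')->execute([time()]); // expiry sweep
    $answer = captcha_answer_for_image($db, $ref);
    $db->prepare('DELETE FROM captcha WHERE ref = ?')->execute([$ref]);
    return $answer !== null && hash_equals($answer, strtoupper(trim($input)));
}

// Demo: constructed challenges against an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
captcha_schema($db);
$ref = captcha_issue($db);
$shown = captcha_answer_for_image($db, $ref);        // what the image would display
var_dump(captcha_verify($db, $ref, 'WRONG1'));       // wrong guess consumes the row
var_dump(captcha_verify($db, $ref, $shown));         // replay of the same reference
$ref2 = captcha_issue($db);
var_dump(captcha_verify($db, $ref2, strtolower(captcha_answer_for_image($db, $ref2))));
```

The hidden form field and the image URL carry only `$ref`, so neither the page source nor the image name reveals the text the user has to type.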

9 years 9 months ago #66026 by Mr. Dam
Replied by Mr. Dam on topic Spam Emails
Hi Marc,
Thank you for your suggestion, but we have another solution to solve this spam issue. It will be included in OS Property 2.8.4.
Sincerely,
Dam


Moderators: Mr. Dam, Nguyen Phu Quan