
bots defeating securimage (securimage issue, open, 17 comments)

dapphp commented on July 29, 2024 (1)
bots defeating securimage

from securimage.

Comments (17)

dapphp commented on July 29, 2024 (22)

So it is now 2020 and the world has come a long way since Securimage 0.3 was first released around 2005. Its mighty 297 lines (including GPL, comments, and whitespace) were enough to keep almost any form spam under control. Here we are today with cars driving us, bots carrying on pointed arguments with unwitting humans, facial recognition, and of course, Deepfakes.

There are a few awesome open source projects for defeating Securimage specifically, and plenty more are available for other captchas. While it may be possible to spend some time tweaking defaults to keep away the pre-trained bots, word image captchas are no longer a valid Turing test for stopping form spam.

At this time I would suggest other alternatives unless you have very specific needs (no 3rd party, no cookies, etc) and have several hours to spend figuring out how to make this all work in 2020.

As I've been trying to go through the issues and pull requests and do a bit of maintenance, there will probably be few more developments on this project. There may be some pieces worth salvaging for other projects, and the 4.0.1+/nextgen branch is a better starting point for any use than master going forward.

Thanks to everyone over the years for their use, contributions, and interest. This project has been quite great over the years. As a result of it I've spoken to hundreds of people from all over the world, had great discussions and challenges, and established some priceless contacts.

As has always been the case, please feel free to use, modify, and distribute the code freely under its license.

To a better future where intelligent computers have taught humans how to live together in peace, as one.


dapphp commented on July 29, 2024 (2)

Hi @futureweb,

Sorry those settings turned out to be difficult for users. I'll give them more trials and see if I can fix that.

I'd say almost any font that you could find other than the one included would be a big step up for bots as long as it's not too similar in appearance. Whatever bot is out there solving against the default settings was trained against that font so changing it up should help.

I definitely went through quite a few in testing, some look great in print but are not at all suitable for captchas (either too easy/too difficult to read, or look terrible).

Thank you for your feedback!


dapphp commented on July 29, 2024

It's possible these are humans solving the captcha, in which case little will work to stop that. Changing the font in addition to the other changes would help a lot if they were bots trained to solve the captcha.

If they're acting from many of the same IPs or using Tor, you might consider blocking those for certain things. If you aren't using audio, delete securimage_play.php, as audio might be an easier attack vector than the image itself.

Feel free to reach out via email to look more into this.


peterdd commented on July 29, 2024

Other possibilities:

  • spambots solve the image riddle
  • spambots solve the audio riddle

Maybe check the logfiles to see whether the bots beat the image or the audio file (maybe cut HTTP access to the .php file that generates the audio and see if that makes a difference).

Given the assumption a spambot(net) is optimized for securimage image solving but still quite simple (not using trained neural networks for instance), this would make it a little bit harder to analyze the image:

  1. The noise, the lines and the characters should be the exact same color.
  2. Increase the noise blob size to make it harder to be simply removed.
  3. Mix fonts
  4. I'm quite unsure if it makes any difference: Apply the noise blobs AFTER the distortion.

(5. Maybe the lines should be as thick and long as the character lines and look a bit like a letter too (curves and/or straight parts). But as they would be melted together with the noise and the real letters, it would also be hard for humans to solve the captcha.)

Besides that, do NOT use background images (the default or uploaded ones) as a replacement for randomly generated backgrounds.

(explanation for each can be given)

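Following peterdd's suggestion to check the logfiles for whether the bots are beating the image or the audio file (and dapphp's note above that audio may be the easier vector), here is an added example that is not part of this thread or of Securimage itself. It tallies, per client IP, fetches of the default securimage_show.php (image) and securimage_play.php (audio) endpoints against form POSTs, and flags clients whose pattern does not look like a person filling in the form (no challenge fetched at all, audio-only solving, or more posts than challenges). The log lines, the /contact.php form path and the endpoint locations are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format), not a real log: one normal
# visitor, one client that only fetches the audio challenge, one that never fetches a captcha.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2020:10:00:01 +0000] "GET /contact.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2020:10:00:02 +0000] "GET /securimage/securimage_show.php?sid=a1b2 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2020:10:00:20 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2020:10:01:00 +0000] "GET /securimage/securimage_play.php HTTP/1.1" 200 88310 "-" "python-requests/2.22"
198.51.100.7 - - [10/Mar/2020:10:01:01 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "python-requests/2.22"
198.51.100.7 - - [10/Mar/2020:10:01:02 +0000] "GET /securimage/securimage_play.php HTTP/1.1" 200 88310 "-" "python-requests/2.22"
198.51.100.7 - - [10/Mar/2020:10:01:03 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "python-requests/2.22"
192.0.2.9 - - [10/Mar/2020:10:02:00 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "curl/7.64"
"""

# Client IP, request method and request path from a combined-format log line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def summarize(log_text, form_path="/contact.php"):
    """Per client IP: image challenges fetched, audio challenges fetched, form POSTs."""
    stats = defaultdict(lambda: {"image": 0, "audio": 0, "posts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on a noisy log
        path = m["path"].split("?", 1)[0]  # drop the ?sid=... cache-buster
        rec = stats[m["ip"]]
        if path.endswith("securimage_show.php"):
            rec["image"] += 1
        elif path.endswith("securimage_play.php"):
            rec["audio"] += 1
        elif m["method"] == "POST" and path == form_path:
            rec["posts"] += 1
    return dict(stats)

def flag_suspicious(stats):
    """Return {ip: reason} for clients whose captcha traffic does not look human."""
    flags = {}
    for ip, rec in stats.items():
        if rec["posts"] == 0:
            continue  # never submitted the form; nothing to judge
        if rec["image"] == 0 and rec["audio"] == 0:
            flags[ip] = "form posted without ever fetching a captcha"
        elif rec["image"] == 0 and rec["audio"] >= rec["posts"]:
            flags[ip] = "audio-only solving (securimage_play.php) on every submission"
        elif rec["posts"] > rec["image"] + rec["audio"]:
            flags[ip] = "more form posts than captcha challenges fetched"
    return flags
```

Run it over a real access log after removing or blocking securimage_play.php: if the audio-only clients disappear but the no-captcha and replay patterns remain, the image itself is what is being solved.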

panfanky commented on July 29, 2024

Hi,
same here. I found a guy who may know the hack: https://www.idontplaydarts.com/2011/05/exploit-phpcaptcha-securimage/ who says:
"No fix is currently available from the author. The only current solution is to remove the securimage_play.php script from your site."

Unfortunately, when I deleted the file (no audio clues are needed on my site), the spam didn't stop.

P.S.: I'd prefer things like securimage to google recaptcha as it seems recaptcha tracks users, which I see as bad and unnecessary


dapphp commented on July 29, 2024

@panfanky It's not the audio, that article is super old and no longer relevant. For now, try using a different TTF file. I hope to have this addressed further this weekend with changes to image rendering.


pablomosca commented on July 29, 2024

We are having the same issue. Something is getting past it.


dapphp commented on July 29, 2024

I will try tonight to merge some changes from a newer branch into 3.x that should stop this.


dapphp commented on July 29, 2024

Sorry for the delay. I have just pushed release 3.6.7 available from composer or at phpcaptcha.org/download/

In order to take advantage of the newer features, I'd suggest turning on the options use_text_angles, use_random_baseline, use_random_spaces, and optionally use_random_boxes.

Switching to another font from the default AHGBold.ttf will help a great deal as well.

Ideally, text, noise, and line colors should all be the same. Background images likely do not help at all.

Here is a sample config.inc.php:

<?php

return array(
    'image_width'          => 275,
    'image_height'         => 100,
    'code_length'          => mt_rand(4, 6),
    'num_lines'            => mt_rand(2, 4),
    'noise_level'          => 4,
    'perturbation'         => 0.68,
    'use_transparent_text' => false,
    'use_text_angles'      => true,
    'use_random_spaces'    => true,
    'use_random_baseline'  => true,
    'use_random_boxes'     => true,
);

For the last week the changes have been working pretty well for me on forms that recently started getting bot submissions.

I'll be interested to hear any results.

Thanks!


futureweb commented on July 29, 2024

Hey Drew,
tried it with the settings you suggest, but they not only defy bots but also lots of real customers ... ;-)
Complaints of "not being able to solve the captchas" rose with those settings, so we went back to the "standard" settings.
Do you maybe have a hint for which font would still be well solvable for humans but is "bot safe"?
thx, bye from Austria
Andreas Schnederle-Wagner


pablomosca commented on July 29, 2024

Still having issue with bots. Any other ideas?

/**** CAPTCHA Appearance Options ****/

'image_width'      => 275,           // width of captcha image in pixels
'image_height'     => 100,           // height of captcha image in pixels
'code_length'      => mt_rand(4, 6), // # of characters for captcha code
'image_bg_color'   => '#ffffff',     // hex color for image background
'text_color'       => '#707070',     // hex color for captcha text
'line_color'       => '#707070',     // hex color for lines over text
'noise_color'      => '#707070',     // color of random noise to draw under text
'num_lines'        => mt_rand(2, 4), // # of lines to draw over text
'noise_level'      => 4,             // how much random noise to add (0-10)
'perturbation'     => 0.68,          // distortion level

'use_random_spaces'   => true,
'use_random_baseline' => true,
'use_text_angles'     => true,
'use_random_boxes'    => false,

'wordlist_file'    => 'words/words.txt', // text file for word captcha
'use_wordlist'     => false,             // true to use word list
'wordlist_file_encoding' => null,        // character encoding of word file if other than ASCII (e.g. UTF-8, GB2312)

// example UTF-8 charset (TTF file must support the symbols being used)
// 'charset'          => "абвгдeжзийклмнопрстуфхцчшщъьюяАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЬЮЯ",

'ttf_file'         => './AHGBold.ttf',   // TTF file for captcha text


MESWEB commented on July 29, 2024

@dapphp Why did you leave this great script? Try to do something similar but in a modern style. What about a captcha styled on the Matrix screen? There are a lot of types of modern captchas, even with face ID or other biometrics. You can use a mail blacklist as well to stop spam, or block users by IP. We can make a huge spam DB with lots of details about spammers.


submgr commented on July 29, 2024

@dapphp Why did you leave this great script? Try to do something similar but in a modern style. What about a captcha styled on the Matrix screen? There are a lot of types of modern captchas, even with face ID or other biometrics. You can use a mail blacklist as well to stop spam, or block users by IP. We can make a huge spam DB with lots of details about spammers.

Or more real examples for captchas:

  1. Slider captcha. You need to drag the slider to make the puzzle piece fit.
     Companies like Huawei, Binance and so on use this mechanic.

  2. (super idea!) For example, they are developing it, but it's not open source: https://www.arkoselabs.com/ . Companies like Microsoft, EpicGames and so on are using this solution, but we need open source 😥
     The bottom line is that you need to flip the picture so that it stands correctly (not upside down), and I think this is easy to implement.


Neustradamus commented on July 29, 2024

I confirm the problem...
