
So, apparently reCAPTCHA has been cracked...

14 years 4 months ago #94604 by Duane Allam
One of my client sites just noticed a bunch of spam comments in their articles, which concerns me as they have reCAPTCHA enabled.

I found this article claiming that reCAPTCHA had been cracked but I'm taking it with a grain of salt as it is an internet article after all...

So I was wondering if any other developers or administrators out there have noticed anything similar? And how will the developers of K2 react to this, if reCAPTCHA truly has been broken...?

cheers,
Duane

14 years 4 months ago #94605 by Terry Britton
Replied by Terry Britton on topic So, apparently reCAPTCHA has been cracked...
There are several programs out there that will calculate the recaptcha phrase with about a 20% accuracy. This has been true for a while although the accuracy is improving.  Recaptcha's weakness is that it uses words, hence it is easier to estimate what the correct answer is.  Decaptcher.com, for example, will crack 1,000 recaptcha phrases for $2.

I always put in a form field and then hide it with css.  The spambot will put something in the field and then I test to make sure the field is empty. This works even better if you label the field url or email or something similar. Eventually they'll get on to this, but for now it works.  Also consider the fact that overseas labor is cheap and it might not have been a bot.

14 years 4 months ago #94606 by Concerto Designs Inc.
Replied by Concerto Designs Inc. on topic So, apparently reCAPTCHA has been cracked...
Terry:
Have you coded a conditional that checks the hidden field before allowing submit? I've used a similar plugin for Wordpress called invisible captcha (or something like that) - it would be great if we had that for K2 as well...
-Alan

14 years 4 months ago #94607 by Duane Allam
Replied by Duane Allam on topic So, apparently reCAPTCHA has been cracked...
@Terry: I've successfully used similar hidden field methods in the past in lieu of CAPTCHA. Haven't implemented anything for K2 yet though.

Are you able to employ your method without any core hacking? It would be ideal if we had a plugin that adds a field like you describe.

14 years 4 months ago #94608 by Terry Britton
Replied by Terry Britton on topic So, apparently reCAPTCHA has been cracked...
@Duane, I haven't gotten far enough on my first project with K2 to implement the hidden field yet. I'll do it when I get closer to going live. But from what I've seen you would have to hack form.php to add the field and then check that it is empty.

@Alan, as mentioned above just hack form.php to add a field and then check that the field is empty. Form.php already does some conditional checks on submit so just add it to that portion of the code.

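The hidden-field check discussed in the posts above, as an added example that is not part of the thread and is not K2's form.php. The field names (`website_url`, `commentText`) and the two function names are hypothetical; the sample submissions are constructed.

```php
<?php
// Added illustration, not K2's form.php. The field names and both
// function names are hypothetical.
const HONEYPOT_FIELD = 'website_url';

// Markup for the decoy input. It is a normal text input hidden with CSS,
// so a bot that parses the HTML sees an ordinary "url" field.
function honeypot_markup(): string
{
    $f = HONEYPOT_FIELD;
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . "<label for=\"$f\">Leave this field empty</label>"
         . "<input type=\"text\" name=\"$f\" id=\"$f\" value=\"\""
         . ' tabindex="-1" autocomplete="off"></div>';
}

// Returns null when the submission passes, otherwise a reason for the log.
function honeypot_check(array $post): ?string
{
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        // A browser always sends an empty text input; a missing key means
        // the request was built without rendering the form.
        return 'decoy field missing';
    }
    $value = $post[HONEYPOT_FIELD];
    if (!is_string($value)) {
        return 'decoy field is not a string';   // e.g. website_url[]=x
    }
    if (trim($value) !== '') {
        return 'decoy field was filled in';
    }
    return null;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'browser'    => ['commentText' => 'Nice article', 'website_url' => ''],
    'form bot'   => ['commentText' => 'cheap pills', 'website_url' => 'http://spam.example'],
    'direct bot' => ['commentText' => 'cheap pills'],
    'array bot'  => ['commentText' => 'x', 'website_url' => ['a']],
];
foreach ($samples as $name => $post) {
    $reason = honeypot_check($post);
    printf("%-10s %s\n", $name, $reason === null ? 'accept' : "reject ($reason)");
}
```

Only the first sample is accepted. Rejections are best logged with the reason and answered the same way as a successful post, so the sender gets no signal about which field gave it away.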

14 years 4 months ago #94609 by Concerto Designs Inc.
Replied by Concerto Designs Inc. on topic So, apparently reCAPTCHA has been cracked...
@Terry @Duane

I'll give it a whirl and see how it turns out - if successful, I'll post mods here.

14 years 2 months ago #94610 by Francis Darren
Replied by Francis Darren on topic So, apparently reCAPTCHA has been cracked...
I started receiving spam the last few days.

13 years 11 months ago #94611 by Bas Boerman
Replied by Bas Boerman on topic So, apparently reCAPTCHA has been cracked...
I'm having exactly the same problem! Did you find a solution?

13 years 11 months ago #94612 by BBC
K2 should have some comment verification like SMF forum registration has.

reCaptcha is cracked (and every other known even faster), and I fought with spammers at my forum for weeks. Every day I had to delete at least 30 spammer accounts (and many spam posts).

And then I made an experiment with a question and answer for registration. A simple question as text, "What is the capital of France?" Answer is not case sensitive.

Imagine what happened? The number of spammers dropped to (0) zero.

The same can be used for K2 comments: captcha, and beneath the captcha some simple question.

That way at least you know you are not fighting automated scripts.

13 years 11 months ago #94613 by BBC
Sorry, it should be case insensitive.

13 years 11 months ago #94614 by Lara Lee Templemore-Walters
Replied by Lara Lee Templemore-Walters on topic So, apparently reCAPTCHA has been cracked...
All my K2 sites are being hit with spam and I don't even use the comments on my site. I have hidden it in the configurations, and don't know how to stop them.

They are sucking up my bandwidth. Any solutions will be greatly appreciated!

13 years 11 months ago #94615 by Concerto Designs Inc.
Replied by Concerto Designs Inc. on topic So, apparently reCAPTCHA has been cracked...
Lara:

a. first, double check all categories to make sure that comments are disabled in category AND item views. Because you can override category parameters in individual items, you may want to revisit those as well - if there is a vulnerability, they will find it.

b. make sure that the spam is coming in via K2 - you can delete all the spam either through the backend (or else drop the rows in mysql). Lock down all contact forms and any other forms. General rule: you should always use some form of security check.

c. if you are still getting spam after this, then I would look at any other 3rd party extensions - make sure you uninstall any unused extensions.

d. look through the site to ensure that your site has not been hacked.

e. you will certainly benefit from a security extension that allows you to identify and block IP addresses of spammers and other malicious 'bad behaving' bots, etc. I highly recommend Admin Tools Pro - www.akeebabackup.com/software/admin-tools.html

After you read Nicholas' documentation, you will have a pretty strong idea about what is at stake and how you can protect your site.

If you need additional help, please let me know - I do a lot of security rescue & recovery for clients all over the world.

Hope this helps!

Alan
