Spam bypassing CAPTCHA Checks?

Posted: Mon Aug 25, 2008 9:27 am
by quethiock
Hi,

I have a site running under CMS 1.4.1 and using the built-in (standard) tag {contact_form} in a "Contact Us" page.

That worked well, but we were getting spam through the page (looking in the logs, you could see the IP address scanning the whole Menu system, each page in turn without a referring URL, usually for less than a second per page until it got to the "Contact Us" page, then it called it again, and left the site). The times and IP address used matched the spam exactly.

I recently added the modules "Captcha" and "PHPIDS" but the spam messages seem to be bypassing the Captcha routine but being caught by PHPIDS.  The IP Address is using the "POST" command and the advice email from PHPIDS says:

- - - - - - - - - - - - - - - - -
The following attack has been detected by PHPIDS

IP: xx.xx.xxx.xxx
Date: 2008-08-24T23:09:15+01:00
Impact: 24
Affected tags: xss csrf sqli id lfi
Affected parameters: POST.message=Extraordinarity%3A+%2C+%3Ca+href%3D%22http%3A%2F%2.....


Request URI: %2Findex.php%3Fpage%3Dcontact
- - - - - - - - - - - - - - - -

Yet if I try the "Contact Us" page and do not enter the CAPTCHA text, my message gets rejected by the "Contact Us" page. If I try again, and this time enter the CAPTCHA text, my message (the content of which was pasted from a previous rejected spam message) gets through without being rejected by PHPIDS.

So, it looks like the spammers are somehow using the usability of the {contact_form} tag but bypassing the CAPTCHA routine. How? That's my question. I want to stop the b***ards in the first place, not block them after they have posted their message with PHPIDS!

Any help/explanation would be much appreciated.

Thanks

Quethiock
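
The log pattern described in the post above (one IP fetching page after page with no referring URL, about a second apart, then a POST to the contact page) can be flagged directly from the access log. The following is an added example, not part of the original post or of the CMS; it assumes Apache combined log format, and the sample lines, the thresholds `min_pages` and `max_gap`, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (Apache combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Aug/2008:23:09:11 +0100] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Aug/2008:23:09:12 +0100] "GET /index.php?page=about HTTP/1.1" 200 4300 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Aug/2008:23:09:13 +0100] "GET /index.php?page=contact HTTP/1.1" 200 3900 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Aug/2008:23:09:15 +0100] "POST /index.php?page=contact HTTP/1.1" 200 4000 "-" "Mozilla/4.0"
198.51.100.20 - - [24/Aug/2008:23:10:00 +0100] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [24/Aug/2008:23:10:40 +0100] "GET /index.php?page=contact HTTP/1.1" 200 3900 "http://example.org/index.php?page=home" "Mozilla/5.0"
198.51.100.20 - - [24/Aug/2008:23:12:05 +0100] "POST /index.php?page=contact HTTP/1.1" 200 4000 "http://example.org/index.php?page=contact" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<ref>[^"]*)"')

def parse(log_text):
    """Yield (ip, time, method, path, referrer) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"], m["ref"]

def suspicious_posts(log_text, form_marker="page=contact", min_pages=3, max_gap=1.0):
    """Return [(ip, post_time)] for form POSTs that follow a fast, referrer-less crawl."""
    by_ip = defaultdict(list)
    for ip, ts, method, path, ref in parse(log_text):
        by_ip[ip].append((ts, method, path, ref))
    hits = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r[0])
        run, prev = 0, None  # run = consecutive referrer-less GETs <= max_gap s apart
        for ts, method, path, ref in reqs:
            if method == "POST" and form_marker in path:
                if run >= min_pages:
                    hits.append((ip, ts.isoformat()))
                run = 0
            elif method == "GET" and ref in ("", "-"):
                gap = (ts - prev).total_seconds() if prev else 0.0
                run = run + 1 if gap <= max_gap else 1
            else:
                run = 0  # a request carrying a referrer breaks the crawl pattern
            prev = ts
    return hits
```

Access logs usually record whole seconds, so `max_gap=1.0` only approximates "less than a second per page"; tune both thresholds against known-good traffic before acting on the results.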