[REQ] Spam tickets passing captcha.

[DNSinSC]

Hello friends.  First, let me say that we really like TTX. We tried several other ticket systems over the last 5 or 6 years and each one grew and grew and integrated ebay and amazon until they became bloatware.  TTX has remained slim, fast, simple and does exactly what we NEED it to do.  We really appreciate that and have purchased every add on written for it. Hey, they were all good...

But, lately we have started getting spam tickets created from the submission form. We have the captcha enabled.  It took them a while to get it perfected because the first few would be blank. But now they have a script developed that actually selects options, enters the captcha, and submits links, creating a new ticket each time.  It is automated, happens every single night... and is annoying.

How bad would it be to add a question like the one asked when I registered here on this forum?

• Enter the captcha:
• If you are a human, leave it blank......
• and type the code here: ------------

[Alex]

re. How bad would it be to add a question like the one asked when I registered here on this forum?

How long it will take to adjust spambot settings? Please keep in mind that simple tricks work on single web sites only. Spammers analyze widely deployed software, not your web site. This is why you need to have something unique on your website to stop the bots. I would suggest reviewing key.cgi code. You may edit the script to modify digits - change size, distort whatever. The bot script relies on stock images, it should fail processing custom images.

If you need custom programming services, please submit a request to our help desk.

[DNSinSC]

his is why you need to have something unique on your website to stop the bots

That is what I was thinking. A customized question for our site. When registering on our church website, we ask the pastors name. Anyone going there would know that... and if they look on the website they could find it, but it is 100% effective in stopping spam bots.

I will check out key.cgi though...

[Sparky]

It's usually the same person(s) from the same network in the same country.

You could do server-level IP blocking or black-listing so the offender won't even be able to see your site.

http://forum.unitedwebcoders.com/index.php/topic,1243.0.html

Even if you don't go this route, it's not be a bad idea to save the relevant lines from your server logs and report it to the offenders' ISP's.  Reputable ISP's will take action and cancel their accounts.

[DNSinSC]

We could IP ban but in this situation TTX sits behind a proxy, so all IP addresses show as coming from the proxy server.  Its hard to pin point where the connection came from.  I took a look at key.cgi. It seemed no matter what change I made nothing happened. For instance:

I can change $white from 255,255,255 to 10,10,10 but it remains white...
I can change the fonts from Giant to Tiny, but it remains Giant...

It is evident that I am going to have to learn more about GD to work with this.  All in all, I think that a customized question for each install would mostly eliminate spam.  A question that you could change to be anything that you like.

What is 1 + 1?
What is the name of this site?
What color is blue?

When I have more time I will try and dig deeper. I really like TTX and would buy another module for this if there was such a thing 

[Sparky]

In the TTXCaptcha.pm module, I changed the first line to black (000000) and it gave my code a black background...

Code:

my $pal = "\x00\x00\x00" .
            "\x66\x66\x66" .
            "\x99\x99\x99" .
            "\x33\x33\x33";

EDIT:

If in the ttxcfg.cgi file, you have "captchamode=alt", then you're using the code generated from within the TTXCaptcha.pm module; otherwise, you are are using the GD library and are using a code modifiable from within the key.cgi file.

[DNSinSC]

I seem to be using key.cgi because if I comment enough things out it breaks it

Maybe I should try the alt.

[Sparky]

I seem to be using key.cgi because if I comment enough things out it breaks it

Maybe I should try the alt.

I think you misunderstand how this all works... EVERYTHING uses the key.cgi file.

Then within key.cgi, depending on your settings, the program decides whether to use the GD library OR TTXCaptcha.pm.

[DNSinSC]

I do not have "captchamode=alt" in my ttxcfg.cgi file.  But I am going to try it. The spam is increasing each day so we have to do something or we have to start looking at other solutions.  I really like the simplicity of TTX, but this is sort of a deal breaker.

Edit: I enabled the captchamode=alt and tweaked the color settings and it indeed did change to black. I am going to tweak it to be just legible and see what happens.  They spam us every night about 2 am.  I will let you know what happens

Thanks for the help!

[DNSinSC]

After setting the captcha=alt,  and tweaking the color and dithering to gray on black in TTXCaptcha.pm, we have not gotten any more spam. Also, we are still getting normal tickets so I think this will work for us!  Thanks for the pointers   

[DNSinSC]

It started backup the following night. And we have been spammed constantly since.  I have it as dark gray numbers on a black background but somehow the spam bots can still read it....

I am open for suggestions at this point.

[Sparky]

Look at your server logs, record all the offending IP addresses, track them down, and report them. 

Then block those IPs from your server.

That's what I do. 

[DNSinSC]

As I said earlier, our TTX is behind a proxy server, and all ip addresses are listed as from the proxy server. It just shows the private address of 192.168.x.x on the tickets and in the log files.  I can compare the time on the main server log files but usually there are to many connections to zero in on it.

[Sparky]

There should be ONE line with the exact timestamp of the submit function.  Then only one line with the corresponding timestamp on the main server.  Presumably it's only a couple people from the same location doing this. 

[Alex]

Sparky,

We are in spambot networks era for many years already. Unless you are being spammed by absolute amateurs, blocking IP addresses will not do any good. We operate subscription based help desk service, which eventually is under spambot attack 7x24. Most networks use customized algorithms tailored for our particular service and try submitting spam to multiple accounts. I must assure you that ip addresses never repeat, blocking each spam originating address would result in preventing a lot of innocent customers running infected computers or sharing wifi access points with infected computers from accessing our service.