[conspire] Web spam and yandex forms

Ivan Sergio Borgonovo ivan at webthatworks.it
Wed Dec 8 03:38:53 PST 2021


On 12/8/21 03:11, Akkana Peck wrote:
> You guys are brilliant, thanks! I'm sure Ivan's idea is right:
> the spam message is in the username, which is part of the

Rick wrote something that's worth a bit more explanation.
Generally they try to use forms as mail reflectors... but also as link 
factories, because sometimes what you put in forms ends up being published.

I'd check the whole form validation (or lack of...) since they were able 
to send a really long bunch of text in the user name field.

> confirmation email (because I didn't originally include it, and
> learned that sometimes users forgot what username they'd picked
> and then gave up after a bunch of failed login attempts).
> 
> I sure hope I didn't get on any blacklists while that was going on!

> And I hate recaptcha (the number of hours of my life I've wasted
> clicking on traffic signal photos over and over, because Google
> *never* agrees with me about traffic signals -- I have no idea what
> they think a traffic signal is) and was very resistant to that idea,

Newer versions of recaptcha may not require any effort from the user and 
just check some other signals to guess if you're a legit user (IP, 
browser signature, possibly even how you interact with mouse/touch screen).

The most important advantage of a not very popular captcha is that there 
won't be many bots around that know how to solve it, but the downside is 
that it could be algorithmically very easy to solve (as the one with the 
dice).

> but I love Rick's suggestions about chatty English captcha
> substitutes, and the suggestions in the links you sent look good
> too, so I'll read through more of them before picking one.
> I confess I would have been unclear whether to try Faye or Faye W.
> for Faye's given name, on the theory that the W. was also given. :-)

This could somehow be very easy to solve algorithmically, and you'd have 
to set a limit on wrong answers from the same IP, risking blocking 
legitimate users and adding complexity to the captcha.

If I were a spammer I'd go to the list Rick mentioned in a previous post 
and see which one I can easily circumvent... and dice captcha would be 
on the top of my list.

The thing that annoys me about Google captcha is that you're offering them 
one more data point to know what people do on the internet.

-- 
Ivan Sergio Borgonovo
https://www.webthatworks.it https://www.borgonovo.net
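
The form-validation check suggested in the message above, as an added example that is not part of the original post: a server-side username check that runs before the value is stored or copied into the confirmation email. The length limit, the character policy and the function names are assumptions made for illustration.

```python
import re
import unicodedata
from email.message import EmailMessage

MAX_USERNAME_LEN = 32  # assumed limit, not taken from the thread
# Assumed policy: ASCII letters, digits, "_" and "-" only. No spaces, dots,
# slashes or colons, so a sentence or a URL cannot pass as a username.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")


def username_problem(raw):
    """Return None if raw is an acceptable username, else a short reason."""
    if not isinstance(raw, str) or not raw:
        return "missing"
    if len(raw) > MAX_USERNAME_LEN:
        return "too long"
    # CR/LF and other control characters are what header injection relies on.
    if any(unicodedata.category(ch).startswith("C") for ch in raw):
        return "control character"
    if not USERNAME_RE.fullmatch(raw):
        return "disallowed character"
    return None


def build_confirmation(raw_username, to_addr):
    """Build the confirmation mail only after the username passes validation."""
    problem = username_problem(raw_username)
    if problem:
        raise ValueError("rejected username: " + problem)
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Please confirm your registration"  # fixed text, no user input
    msg.set_content("Your username is: " + raw_username + "\n")
    return msg


# Constructed sample submissions (not taken from real traffic).
SAMPLES = [
    "akkana_p",
    "Great deals here, visit http://spam.example/offer today " * 3,
    "bob\r\nBcc: victim@example.org",
    "www.spam.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s[:40]), "->", username_problem(s) or "ok")
```
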



