dapphp / securimage

PHP CAPTCHA Script
https://github.com/dapphp/securimage
BSD 2-Clause "Simplified" License

bots defeating securimage #66

Open twiddly opened 7 years ago

twiddly commented 7 years ago

I have securimage on dozens of websites, which has worked well for a long time, but in the past week, many are getting tons of spam. I have tried increasing the number of lines, upped the perturbation, switched a couple to use the math problem, but the spam continues.

Any suggestions on other tweaks to stymie the bots?

dapphp commented 7 years ago

It's possible these are humans solving the captcha, in which case little will work to stop that. Changing the font in addition to the other changes would help a lot if they were trained bots to solve the captcha.

If they're acting from many of the same IPs or using Tor, you might consider blocking those for certain things. If you aren't using audio, delete securimage_play.php as audio might be an easier attack vector than the image itself.

Feel free to reach out via email to look more into this.

peterdd commented 7 years ago

Other possibilities:

Maybe check logfiles if bots beat the image or audiofile. (maybe cut http access to .php file that generates audio and see if that makes a difference)

Given the assumption a spambot(net) is optimized for securimage image solving but still quite simple (not using trained neural networks for instance), this would make it a little bit harder to analyze the image:

  1. The noise, the lines and the characters should be the exact same color.
  2. Increase the noise blob size to make it harder to be simply removed.
  3. Mix fonts
  4. I'm quite unsure if it makes any difference: Apply the noise blobs AFTER the distortion.

(5. Maybe the lines should be as thick and long as the character lines and look a bit like a letter too (curves and/or straight parts). But as they melt together with the noise and the real letters, it would also make the captcha hard for humans to solve.)

Beside that, do NOT use uploaded background images (the default or uploaded) as replacement of random generated backgrounds.

(explanation for each can be given)

panfanky commented 6 years ago

Hi, same here, I found a guy who may know the hack: https://www.idontplaydarts.com/2011/05/exploit-phpcaptcha-securimage/ who says "No fix is currently available from the author. The only current solution is to remove the securimage_play.php script from your site."

Unfortunately, when I deleted the file (no audio clues needed on my site), the spam doesn't stop.

P.S.: I'd prefer things like securimage to google recaptcha as it seems recaptcha tracks users, which I see as bad and unnecessary

dapphp commented 6 years ago

@panfanky It's not the audio, that article is super old and no longer relevant. For now, try using a different TTF file. I hope to have this addressed further this weekend with changes to image rendering.

pablomosca commented 6 years ago

We are having the same issue. Some thing is getting past it.

dapphp commented 6 years ago

I will try tonight to merge some changes from a newer branch into 3.x that should stop this.

dapphp commented 6 years ago

Sorry for the delay. I have just pushed release 3.6.7 available from composer or at phpcaptcha.org/download/

In order to take advantage of the newer features, I'd suggest turning on the options use_text_angles, use_random_baseline, use_random_spaces, and optionally use_random_boxes.

Switching to another font from the default AHGBold.ttf will help a great deal as well.

Ideally, text, noise, and line colors should all be the same. Background images likely do not help at all.

Here is a sample config.inc.php:


<?php

return array(
    'image_width'      => 275,
    'image_height'     => 100,
    'code_length'       => mt_rand(4, 6),
    'num_lines'          => mt_rand(2, 4),
    'noise_level'         => 4,
    'perturbation'        => 0.68,
    'use_transparent_text' => false,
    'use_text_angles'  => true,
    'use_random_spaces' => true,
    'use_random_baseline' => true,
    'use_random_boxes'     => true,
);

For the last week the changes have been working pretty well for me on forms that recently started getting bot submissions.

I'll be interested to hear any results.

Thanks!

pablomosca commented 6 years ago

Hello Drew, thank you very much for updating me on this. I have downloaded the latest version from your website as well as implemented the config file with the settings you mentioned below. I am using it on all of our forms as of today. https://interskill.com/contact-support.html is one of them.

I will keep you updated if the bots return!

Thank you,


pablomosca commented 6 years ago

Drew, sorry but a bot made it through already.

First Name: ZilliamknillFX

Last Name: ZilliamknillFX

Email: buncolip@yandex.com

Phone: 87625548214

Company: google

Type of Issue: Forgot_UserName

Description: http://viagrawithoutdoctor.org - buy viagra without prescription

viagrawithoutdoctor.org

Thank you,


pablomosca commented 6 years ago

Drew, it seems that after these changes the spamming has increased. Over the weekend we saw a very large increase.

Thank you,


futureweb commented 6 years ago

Hey Drew, tried it with the settings you suggest - but they not only defy bots - but also lots of real customers ... ;-) Complaints of "not being able to solve the captchas" rose with those settings so we went back to "standard" settings. Do you maybe have a hint for which font would still be well solvable for humans but is "bot safe"? thx, bye from Austria Andreas Schnederle-Wagner

dapphp commented 6 years ago

Hi @futureweb,

Sorry those settings turned out to be difficult for users. I'll give them more trials and see if I can fix that.

I'd say almost any font that you could find other than the one included would be a big step up for bots as long as it's not too similar in appearance. Whatever bot is out there solving against the default settings was trained against that font so changing it up should help.

I definitely went through quite a few in testing, some look great in print but are not at all suitable for captchas (either too easy/too difficult to read, or look terrible).

Thank you for your feedback!

pablomosca commented 6 years ago

Still having issue with bots. Any other ideas?

/**** CAPTCHA Appearance Options ****/

'image_width'      => 275,       // width of captcha image in pixels
'image_height'     => 100,       // height of captcha image in pixels
'code_length'       => mt_rand(4, 6),         // # of characters for captcha code
'image_bg_color'   => '#ffffff', // hex color for image background
'text_color'       => '#707070', // hex color for captcha text
'line_color'       => '#707070', // hex color for lines over text
'noise_color'      => '#707070', // color of random noise to draw under text
'num_lines'        => mt_rand(2, 4),         // # of lines to draw over text
'noise_level'      => 4,         // how much random noise to add (0-10)
'perturbation'     => 0.68,       // distortion level

'use_random_spaces'   => true,
'use_random_baseline' => true,
'use_text_angles'     => true,
'use_random_boxes' => false,

'wordlist_file'    => 'words/words.txt', // text file for word captcha
'use_wordlist'     => false,             // true to use word list
'wordlist_file_encoding' => null,        // character encoding of word file if other than ASCII (e.g. UTF-8, GB2312)

// example UTF-8 charset (TTF file must support symbols being used)
// 'charset'          => "абвгдeжзийклмнопрстуфхцчшщъьюяАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЬЮЯ",

'ttf_file'         => './AHGBold.ttf',   // TTF file for captcha tex

dapphp commented 4 years ago

So it is now 2020 and the world has come a long way since Securimage 0.3 was first released around 2005. Its mighty 297 lines (including GPL, comments, and whitespace) were enough to keep almost any form spam under control. Here we are today with cars driving us, bots carrying on pointed arguments with unwitting humans, facial recognition, and of course, Deepfakes.

There are a few awesome open source projects for defeating Securimage specifically, and plenty more are available for other captchas. While it may be possible to spend some time tweaking defaults to keep away the pre-trained bots, word image captchas are no longer a valid Turing test for stopping form spam.

At this time I would suggest other alternatives unless you have very specific needs (no 3rd party, no cookies, etc) and have several hours to spend figuring out how to make this all work in 2020.

As I've been trying to go through the issues and pull requests and do a bit of maintenance, there will probably be few more developments on this project. There may be some pieces worth salvaging for other projects, and the 4.0.1+/nextgen branch is a better starting point for any use than master going forward.

Thanks to everyone over the years for their use, contributions, and interest. This project has been quite great over the years. As a result of it I've spoken to hundreds of people from all over the world, had great discussions and challenges, and established some priceless contacts.

As has always been the case, please feel free to use, modify, and distribute the code freely under its license.

To a better future where intelligent computers have taught humans how to live together in peace, as one.

MESWEB commented 4 years ago

@dapphp Why did you leave this great script? Try to do something similar but in a modern style. What about a captcha styled on the Matrix screen? There are a lot of types of modern captchas, even with face ID or other biometrics. You can use an email blacklist as well to stop spam, or block users by IP. We can make a huge spam DB with lots of details about spammers.

submgr commented 3 years ago

@dapphp Why did you leave this great script? Try to do something similar but in a modern style. What about a captcha styled on the Matrix screen? There are a lot of types of modern captchas, even with face ID or other biometrics. You can use an email blacklist as well to stop spam, or block users by IP. We can make a huge spam DB with lots of details about spammers.

Or more real examples for captcha:

  1. Slider Captcha. You need to drag the slider to make the puzzle piece fit the image. Companies like Huawei, Binance and so on use this mechanic.

  2. (super idea!) For example they are developing it, but it's not open source: https://www.arkoselabs.com/ Companies like Microsoft, Epic Games and so on are using this solution, but we need open source 😥 The bottom line is that you need to flip the picture so that it stands correctly (not upside down), and I think this is easy to implement.

Neustradamus commented 11 months ago

I confirm the problem...