[typo] AJAX comment spam
daejuan at gmail.com
Sun Mar 12 20:53:21 EST 2006
Getting the image doesn't do much without the session ID. You should
destroy the session anyway.
On 3/12/06, Kevin Ballard <kevin at sb.org> wrote:
> On Mar 12, 2006, at 4:50 PM, Trejkaz wrote:
> >> You can get round CAPTCHAs too by re-serving the captcha images as
> >> legitimate captchas on, say, your porn sites and feeding the punter's
> >> response back to the spammed site. Even if you miss the timeout 9
> >> times out of 10, there's always another punter.
> > I'm not sure I follow you, but how does this allow a spammer to decode
> > my CAPTCHA in order to successfully post a comment?
> The spammer, who also runs a porn site, hits up your blog, sees your
> captcha, copies the image and re-serves it as the captcha for someone
> visiting his porn site. That unknowing person successfully deciphers
> the captcha, and the spammer takes the result and feeds it back to
> the blog.
> Kevin Ballard
> kevin at sb.org
> Typo-list mailing list
> Typo-list at rubyforge.org
Man Wit Da Plan.
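The session-bound, single-use, time-limited check the reply above recommends, written out as an added example in Ruby (Typo's language); this is not Typo's own code. It assumes the challenge text is rendered to an image elsewhere, and the 120-second TTL and all session IDs, timestamps and answers below are constructed for the demonstration.

```ruby
require 'securerandom'

# Session-bound, single-use, time-limited CAPTCHA store (added example).
# Assumptions: the image renderer draws `answer`; TTL is illustrative.
class CaptchaStore
  TTL = 120 # seconds; illustrative, not a Typo setting

  Challenge = Struct.new(:answer, :session_id, :issued_at)

  def initialize
    @challenges = {}
  end

  # Issue a challenge bound to the caller's session. Returns the opaque id
  # the form carries and the answer the image renderer would draw.
  def issue(session_id, now: Time.now, answer: SecureRandom.alphanumeric(6).downcase)
    id = SecureRandom.hex(16)
    @challenges[id] = Challenge.new(answer, session_id, now)
    [id, answer]
  end

  # Verify and consume. The challenge is deleted whatever the outcome, so a
  # wrong guess, a late answer or a foreign session burns it and the client
  # must fetch a new one; a correct answer is accepted exactly once.
  def verify(session_id, challenge_id, answer, now: Time.now)
    challenge = @challenges.delete(challenge_id)
    return false if challenge.nil?
    return false unless challenge.session_id == session_id
    return false if now - challenge.issued_at > TTL
    secure_compare(challenge.answer, answer.to_s.strip.downcase)
  end

  private

  # Constant-time comparison so answer checking does not leak by timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walk through the relay scenario from the thread with constructed data.
def relay_demo
  store = CaptchaStore.new
  t0 = Time.at(1_142_200_000)          # constructed timestamp (March 2006)
  blog_session = 'sess-blog-visitor'   # constructed session id
  id, answer = store.issue(blog_session, now: t0, answer: 'k3x9qa')

  results = {}
  # Image re-served elsewhere, answer relayed back, but posted without the
  # session the challenge was issued to.
  results[:foreign_session] = store.verify('sess-spammer', id, answer, now: t0 + 30)
  # That attempt consumed the challenge; the original session cannot use it now.
  results[:after_consumed] = store.verify(blog_session, id, answer, now: t0 + 30)

  # Fresh challenge, right session, in time: accepted once, then refused.
  id2, answer2 = store.issue(blog_session, now: t0, answer: 'p7mw2d')
  results[:legit] = store.verify(blog_session, id2, answer2, now: t0 + 30)
  results[:replay] = store.verify(blog_session, id2, answer2, now: t0 + 31)

  # A relayed answer that arrives after the TTL (the timeout Trejkaz mentions).
  id3, answer3 = store.issue(blog_session, now: t0, answer: 'zz41hq')
  results[:late] = store.verify(blog_session, id3, answer3, now: t0 + CaptchaStore::TTL + 1)
  results
end

if __FILE__ == $0
  relay_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Run the file directly to see each scenario's outcome. Deleting the challenge on every verify call is the point: a challenge answered through a relay is worth at most one post, and only within the TTL window.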