[typo] AJAX comment spam
daejuan at gmail.com
Mon Mar 13 00:22:54 EST 2006
I see what you're saying, but if my server deletes the session after
you access the page to get the image (or timeout), then what you're
trying to serve me is invalid.
On 3/12/06, Kevin Ballard <kevin at sb.org> wrote:
> Uhh, what? The spammer serves back the result in the same session
> they got the captcha in the first place. This is an automated process
> so it has the potential to be fast enough.
> On Mar 12, 2006, at 5:53 PM, Daejuan Jacobs wrote:
> > Getting the image doesn't do much without the session ID. You should
> > destroy the session anyway.
> > On 3/12/06, Kevin Ballard <kevin at sb.org> wrote:
> >> On Mar 12, 2006, at 4:50 PM, Trejkaz wrote:
> >>>> You can get round CAPTCHAs too by re-serving the captcha images as
> >>>> legitimate captchas on, say, your porn sites and feeding the
> >>>> punter's
> >>>> response back to the spammed site. Even if you miss the timeout 9
> >>>> times out of 10, there's always another punter.
> >>> I'm not sure I follow you, but how does this allow a spammer to
> >>> decode
> >>> my CAPTCHA in order to successfully post a comment?
> >> The spammer, who also runs a porn site, hits up your blog, sees your
> >> captcha, copies the image and re-serves it as the captcha for someone
> >> visiting his porn site. That unknowing person successfully deciphers
> >> the captcha, and the spammer takes the result and feeds it back to
> >> the blog.
> Kevin Ballard
> kevin at sb.org
> Typo-list mailing list
> Typo-list at rubyforge.org
Man Wit Da Plan.
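As an added illustration of the mechanics under discussion (example code, not Typo's own), here is a challenge store that binds each CAPTCHA to the issuing session, expires it after a short timeout, and discards it on the first verification attempt. The class and method names are assumptions. As Kevin points out, a relay that returns the answer within the window still passes; the session binding and timeout only narrow that window and stop replays.

```ruby
require 'securerandom'
require 'time'

# Hypothetical server-side CAPTCHA challenge store (not Typo's code).
# Each challenge is tied to the session that fetched the image, has a
# time-to-live, and is deleted on the first verify call (single use).
class CaptchaStore
  Challenge = Struct.new(:session_id, :answer, :issued_at)

  # `clock` is injectable so the expiry logic can be exercised offline.
  def initialize(ttl_seconds: 60, clock: -> { Time.now })
    @ttl = ttl_seconds
    @clock = clock
    @challenges = {}
  end

  # Issue a challenge for a session; the token would be carried in the
  # image URL and echoed back with the comment form.
  def issue(session_id, answer)
    token = SecureRandom.hex(8)
    @challenges[token] = Challenge.new(session_id, answer, @clock.call)
    token
  end

  # Verify a submitted answer. The challenge is removed regardless of the
  # outcome, so a token cannot be retried or replayed after one attempt.
  def verify(token, session_id, answer)
    ch = @challenges.delete(token)
    return :unknown_token if ch.nil?
    return :wrong_session if ch.session_id != session_id
    return :expired if @clock.call - ch.issued_at > @ttl
    ch.answer == answer ? :ok : :wrong_answer
  end
end
```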