Mailing List Archive

Spam account creation, circumventing recaptcha
Greetings,

As of a few months ago, I've been getting spam pages generated on my
wiki. I upgraded to the latest mediawiki release and I added recaptcha
to login and anonymous edit, but spam accounts and pages are still
being created. I added debug output to the recaptcha extension to show
me when it accepts or denies input, but it seems it isn't even getting
called when the spam accounts are being created. Is there a known
security hole with recaptcha and the latest mediawiki version? An log
example is below (with a couple modifications for privacy).

Thanks,
Sol

POST /wiki/index.php?title=Special:UserLogin&action=submitlogin&type=signup
HTTP HEADERS:
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
ACCEPT_ENCODING: gzip
CONNECTION: keep-alive
COOKIE: wikidb_algowiki__session=c6622d43e60d6161f4d071925be118db
COOKIE2: $Version="1"
HOST: algowiki.net
REFERER: http://algowiki.net/wiki/index.php?title=Special:UserLogin&type=signup
USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
[...]
DatabaseBase::query: Writes done: INSERT INTO `algowiki_user`
(user_id,user_name,user_password,user_newpassword,user_newpass_time,user_email,user_email_authenticated,user_real_name,user_options,user_token,user_registration,user_editcount)
VALUES (NULL,'MaryannCarney','','','20110307115456','',NULL,'','','09f0f00ac09383bde1de0721eeaf2cd4','20110307115456','0')
Loading options for user 197 from database.
setcookie: "wikidb_algowiki_UserID", "197", "1302090896", "/", "", "", "1"
setcookie: "wikidb_algowiki_UserName", "MaryannCarney", "1302090896",
"/", "", "", "1"
setcookie: "wikidb_algowiki_Token", "", "1299412496", "/", "", "", "1"

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
On Mon, Mar 7, 2011 at 10:27 AM, Sol Invictus <solinvic@gmail.com> wrote:
> Greetings,
>
> As of a few months ago, I've been getting spam pages generated on my
> wiki. I upgraded to the latest mediawiki release and I added recaptcha
> to login and anonymous edit, but spam accounts and pages are still
> being created. I added debug output to the recaptcha extension to show
> me when it accepts or denies input, but it seems it isn't even getting
> called when the spam accounts are being created. Is there a known
> security hole with recaptcha and the latest mediawiki version? An log
> example is below (with a couple modifications for privacy).

Switching to MathCaptcha has pretty much solved my problem for now.

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
Switching to Questycaptcha solved my spambot problem completely... a question as simple as what this website about did the trick.

--- On Mon, 3/7/11, Sol Invictus <solinvic@gmail.com> wrote:

> From: Sol Invictus <solinvic@gmail.com>
> Subject: [Mediawiki-l] Spam account creation, circumventing recaptcha
> To: mediawiki-l@lists.wikimedia.org
> Date: Monday, March 7, 2011, 10:27 AM
> Greetings,
>
> As of a few months ago, I've been getting spam pages
> generated on my
> wiki. I upgraded to the latest mediawiki release and I
> added recaptcha
> to login and anonymous edit, but spam accounts and pages
> are still
> being created. I added debug output to the recaptcha
> extension to show
> me when it accepts or denies input, but it seems it isn't
> even getting
> called when the spam accounts are being created. Is there a
> known
> security hole with recaptcha and the latest mediawiki
> version? An log
> example is below (with a couple modifications for
> privacy).
>
> Thanks,
> Sol
>
> POST
> /wiki/index.php?title=Special:UserLogin&action=submitlogin&type=signup
> HTTP HEADERS:
> ACCEPT:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> ACCEPT_ENCODING: gzip
> CONNECTION: keep-alive
> COOKIE:
> wikidb_algowiki__session=c6622d43e60d6161f4d071925be118db
> COOKIE2: $Version="1"
> HOST: algowiki.net
> REFERER: http://algowiki.net/wiki/index.php?title=Special:UserLogin&type=signup
> USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1;
> en-US;
> rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
> [...]
> DatabaseBase::query: Writes done: INSERT  INTO
> `algowiki_user`
> (user_id,user_name,user_password,user_newpassword,user_newpass_time,user_email,user_email_authenticated,user_real_name,user_options,user_token,user_registration,user_editcount)
> VALUES
> (NULL,'MaryannCarney','','','20110307115456','',NULL,'','','09f0f00ac09383bde1de0721eeaf2cd4','20110307115456','0')
> Loading options for user 197 from database.
> setcookie: "wikidb_algowiki_UserID", "197", "1302090896",
> "/", "", "", "1"
> setcookie: "wikidb_algowiki_UserName", "MaryannCarney",
> "1302090896",
> "/", "", "", "1"
> setcookie: "wikidb_algowiki_Token", "", "1299412496", "/",
> "", "", "1"
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
Sol Invictus wrote:
> Greetings,
>
> As of a few months ago, I've been getting spam pages generated on my
> wiki. I upgraded to the latest mediawiki release and I added recaptcha
> to login and anonymous edit, but spam accounts and pages are still
> being created. I added debug output to the recaptcha extension to show
> me when it accepts or denies input, but it seems it isn't even getting
> called when the spam accounts are being created. Is there a known
> security hole with recaptcha and the latest mediawiki version? An log
> example is below (with a couple modifications for privacy).
>
> Thanks,
> Sol

There is probably some weakness inside recaptcha plugin (or they simply
broke recaptcha), as I have seen other wikis heavily spammed albeit
using recaptcha.


_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
On Mon, Mar 7, 2011 at 6:01 PM, Platonides <Platonides@gmail.com> wrote:
> There is probably some weakness inside recaptcha plugin (or they simply
> broke recaptcha), as I have seen other wikis heavily spammed albeit
> using recaptcha.
>

Back at the beginning of Jan all my sites that use reCaptcha started
getting lots of spam so it's not limited to mediawiki.

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
I'll try to take a look at the extension's code tonight to see if I
can find it... was hoping someone had already identified the problem.

On Mon, Mar 7, 2011 at 5:03 PM, OQ <overlordq@gmail.com> wrote:
> On Mon, Mar 7, 2011 at 6:01 PM, Platonides <Platonides@gmail.com> wrote:
>> There is probably some weakness inside recaptcha plugin (or they simply
>> broke recaptcha), as I have seen other wikis heavily spammed albeit
>> using recaptcha.
>>
>
> Back at the beginning of Jan all my sites that use reCaptcha started
> getting lots of spam so it's not limited to mediawiki.
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
Well, my log output shows the spam bots are entering valid responses.
I have to assume that recaptcha has simply been broken, either
legitimately or through response poisoning... guess I'll switch to
another captcha type.

On Mon, Mar 7, 2011 at 5:06 PM, Sol Invictus <solinvic@gmail.com> wrote:
> I'll try to take a look at the extension's code tonight to see if I
> can find it... was hoping someone had already identified the problem.
>
> On Mon, Mar 7, 2011 at 5:03 PM, OQ <overlordq@gmail.com> wrote:
>> On Mon, Mar 7, 2011 at 6:01 PM, Platonides <Platonides@gmail.com> wrote:
>>> There is probably some weakness inside recaptcha plugin (or they simply
>>> broke recaptcha), as I have seen other wikis heavily spammed albeit
>>> using recaptcha.
>>>
>>
>> Back at the beginning of Jan all my sites that use reCaptcha started
>> getting lots of spam so it's not limited to mediawiki.
>>
>> _______________________________________________
>> MediaWiki-l mailing list
>> MediaWiki-l@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>>
>

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
I have captcha on, plus a user needs to validate their
email address to acquire edit privls, and the spam just
keeps coming. It appears to be an army of hired hands
paid to insert links for black hat spoofing of google
rankings. Do these guys get put on the black listing ?
Maybe I should turn on the black listing extension.

--Hiram

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
My www.PWSNotes.org MediaWiki site, which I've operated since 2004,
has been overrun with spam in the last month. I used Nuke to clean it
up. Unfortunately, neither ConfirmEdit with ReCaptcha nor
SpamBlacklist is stopping the spammers. I interpret this as meaning
that real people are doing the spamming. I just installed
ConfirmAccount, which I expect should bring the spam to an end, at the
unfortunate cost of making it harder for new people to contribute to
our community.

Bummer.
--
Dan Kohn <mailto:dan@dankohn.com>
tel:+1-646-833-8291

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
I don't think that's the case; my logs show pretty much instant data
entry. They must have found some way to break the service itself. I
switched to Questy with some simple things like "type the word X" or
"sum(2,3)" and it seems to be blocking them all so far.

On Tue, Mar 8, 2011 at 10:43 AM, Dan Kohn <dan@dankohn.com> wrote:
> My www.PWSNotes.org MediaWiki site, which I've operated since 2004,
> has been overrun with spam in the last month.  I used Nuke to clean it
> up.  Unfortunately, neither ConfirmEdit with ReCaptcha nor
> SpamBlacklist is stopping the spammers.  I interpret this as meaning
> that real people are doing the spamming.  I just installed
> ConfirmAccount, which I expect should bring the spam to an end, at the
> unfortunate cost of making it harder for new people to contribute to
> our community.
>
> Bummer.
> --
> Dan Kohn <mailto:dan@dankohn.com>
> tel:+1-646-833-8291
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
Sol, I'd like to confirm your analysis. I switched from ReCaptcha to
QuestyCaptcha with a custom question
<http://www.pwsnotes.org/Special:RecentChanges?title=Special:UserLogin&type=signup&returnto=Special:RecentChanges>
and have seen no further spam.

So, it looks like someone has programmed a
MediaWiki/ConfirmEdit-focused spambot that can defeat SimpleCatcha
(simple math problems) and -- shockingly -- ReCaptcha. But not that
they're using human beings to do the spamming. So, QuestyCaptcha, for
now, still works well.
--
Dan Kohn <mailto:dan@dankohn.com>
tel:+1-646-833-8291



On Tue, Mar 8, 2011 at 2:21 PM, Sol Invictus <solinvic@gmail.com> wrote:
> I don't think that's the case; my logs show pretty much instant data
> entry. They must have found some way to break the service itself. I
> switched to Questy with some simple things like "type the word X" or
> "sum(2,3)" and it seems to be blocking them all so far.
>
> On Tue, Mar 8, 2011 at 10:43 AM, Dan Kohn <dan@dankohn.com> wrote:
>> My www.PWSNotes.org MediaWiki site, which I've operated since 2004,
>> has been overrun with spam in the last month.  I used Nuke to clean it
>> up.  Unfortunately, neither ConfirmEdit with ReCaptcha nor
>> SpamBlacklist is stopping the spammers.  I interpret this as meaning
>> that real people are doing the spamming.  I just installed
>> ConfirmAccount, which I expect should bring the spam to an end, at the
>> unfortunate cost of making it harder for new people to contribute to
>> our community.
>>
>> Bummer.
>> --
>> Dan Kohn <mailto:dan@dankohn.com>
>> tel:+1-646-833-8291
>>
>> _______________________________________________
>> MediaWiki-l mailing list
>> MediaWiki-l@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>>
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
Just wait.. the technology behind IBM's Watson will end up in the hands of spammers and then there'll be no stopping the spam ;-)

--- On Thu, 3/10/11, Dan Kohn <dan@dankohn.com> wrote:

> From: Dan Kohn <dan@dankohn.com>
> Subject: Re: [Mediawiki-l] Spam account creation, circumventing recaptcha
> To: "MediaWiki announcements and site admin list" <mediawiki-l@lists.wikimedia.org>
> Date: Thursday, March 10, 2011, 10:10 AM
> Sol, I'd like to confirm your
> analysis.  I switched from ReCaptcha to
> QuestyCaptcha with a custom question
> <http://www.pwsnotes.org/Special:RecentChanges?title=Special:UserLogin&type=signup&returnto=Special:RecentChanges>
> and have seen no further spam.
>
> So, it looks like someone has programmed a
> MediaWiki/ConfirmEdit-focused spambot that can defeat
> SimpleCatcha
> (simple math problems) and -- shockingly --
> ReCaptcha.  But not that
> they're using human beings to do the spamming.  So,
> QuestyCaptcha, for
> now, still works well.
> --
> Dan Kohn <mailto:dan@dankohn.com>
> tel:+1-646-833-8291
>
>
>
> On Tue, Mar 8, 2011 at 2:21 PM, Sol Invictus <solinvic@gmail.com>
> wrote:
> > I don't think that's the case; my logs show pretty
> much instant data
> > entry. They must have found some way to break the
> service itself. I
> > switched to Questy with some simple things like "type
> the word X" or
> > "sum(2,3)" and it seems to be blocking them all so
> far.
> >
> > On Tue, Mar 8, 2011 at 10:43 AM, Dan Kohn <dan@dankohn.com>
> wrote:
> >> My www.PWSNotes.org MediaWiki site, which I've
> operated since 2004,
> >> has been overrun with spam in the last month.  I
> used Nuke to clean it
> >> up.  Unfortunately, neither ConfirmEdit with
> ReCaptcha nor
> >> SpamBlacklist is stopping the spammers.  I
> interpret this as meaning
> >> that real people are doing the spamming.  I just
> installed
> >> ConfirmAccount, which I expect should bring the
> spam to an end, at the
> >> unfortunate cost of making it harder for new
> people to contribute to
> >> our community.
> >>
> >> Bummer.
> >> --
> >> Dan Kohn <mailto:dan@dankohn.com>
> >> tel:+1-646-833-8291
> >>
> >> _______________________________________________
> >> MediaWiki-l mailing list
> >> MediaWiki-l@lists.wikimedia.org
> >> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> >>
> >
> > _______________________________________________
> > MediaWiki-l mailing list
> > MediaWiki-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> >
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
On Thu, Mar 10, 2011 at 11:10 AM, Dan Kohn <dan@dankohn.com> wrote:
> So, it looks like someone has programmed a
> MediaWiki/ConfirmEdit-focused spambot that can defeat SimpleCatcha
> (simple math problems) and -- shockingly -- ReCaptcha. But not that
> they're using human beings to do the spamming. So, QuestyCaptcha, for
> now, still works well.

It's not really that shocking: reCAPTCHA isn't different from any
other CAPTCHA, and even if a bot can only get it right 1% of the time,
it can generally try new images until it gets one right.

I actually don't think there's any guarantee that it's not humans
solving the CAPTCHAs: spammers could well be farming it out to humans
and have just not yet added the infrastructure to support
question-based CAPTCHAs (which are a rather small segment of the
market and are more site-specific).


On Thu, Mar 10, 2011 at 11:49 AM, 2007@gmaskfx.com <2007@gmaskfx.com> wrote:
> Just wait.. the technology behind IBM's Watson will end up in the hands of spammers and then there'll be no stopping the spam ;-)
Funny, I had the same thought. The good news is that we'll have
Watson-like ClueBots detecting and reverting spam by that point. In
the end, it will just be machines engaged in an automated edit war.
:-)

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Spam account creation, circumventing recaptcha [ In reply to ]
From my debug logging, the reCAPTCHAs were solved the first time,
every time, in under 1 second. This is no human, and it's no retries.
I can think of any way that could happen unless the service itself has
been broken, legitimately or through some flaw.

On Thu, Mar 10, 2011 at 3:37 PM, Benjamin Lees <emufarmers@gmail.com> wrote:
> On Thu, Mar 10, 2011 at 11:10 AM, Dan Kohn <dan@dankohn.com> wrote:
>> So, it looks like someone has programmed a
>> MediaWiki/ConfirmEdit-focused spambot that can defeat SimpleCatcha
>> (simple math problems) and -- shockingly -- ReCaptcha.  But not that
>> they're using human beings to do the spamming.  So, QuestyCaptcha, for
>> now, still works well.
>
> It's not really that shocking: reCAPTCHA isn't different from any
> other CAPTCHA, and even if a bot can only get it right 1% of the time,
> it can generally try new images until it gets one right.
>
> I actually don't think there's any guarantee that it's not humans
> solving the CAPTCHAs: spammers could well be farming it out to humans
> and have just not yet added the infrastructure to support
> question-based CAPTCHAs (which are a rather small segment of the
> market and are more site-specific).
>
>
> On Thu, Mar 10, 2011 at 11:49 AM, 2007@gmaskfx.com <2007@gmaskfx.com> wrote:
>> Just wait.. the technology behind IBM's Watson will end up in the hands of spammers and then there'll be no stopping the spam ;-)
> Funny, I had the same thought.  The good news is that we'll have
> Watson-like ClueBots detecting and reverting spam by that point.  In
> the end, it will just be machines engaged in an automated edit war.
> :-)
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l