First spammer working around captcha

Submitted by Frederic Marand on

After almost six months without abuse following the installation of the captcha module, a spammer found its way through it, to promote a ringtones site.

Not that it did him/her much good, since comments are premoderated anyway, but still...

Sheer luck, or astute pattern matching and module workaround? Oh well, it's still six months of peace gained. Well worth the almost nonexistent hassle, it seems.

Frederic Marand

Wed, 2007-06-06 21:47

Another spammer today makes it through captcha to push some blue pills. Looks like the basic captcha is now taken into account by some spammer tools :-(

Time for a stronger anti-blue-pill-pusher pill?

Anonymous (not verified)

Thu, 2007-06-07 13:16

I was getting spam from some guy using sdial.biz email addresses, so I installed the captcha module, but it didn't make a difference. I guess he probably just wrote some code that parses the maths expression and computes the result.

Might be the same: (s)he claims an sdial.biz address too. However, they may just as well be victims as us. The one thing I wonder about, though, is why (s)he lets the bot attempt again and again although it fails at publishing anything.

It looks like the captcha fix does not prevent the same spammer from still submitting: fresh new comment spam just 90 minutes after I installed the latest captcha module.

Maybe they actually parse and interpret the captcha, instead of relying on hacking it...

I did consider Akismet. However, after reading their take on commercial use vs non-commercial, I did not feel I could really claim my blog to be strictly personal:

  • On the "commercial" side:
    • it runs on hosting paid for by one of my companies
    • it links back to one of my company's sites, so this has some
      visibility impact to the company
  • On the "non-commercial" side:
    • I never promote the company's products or services on my
      blog, nor even comment directly about them
    • I do not make a dime from the blog
    • most of the content is related to my musical experiences,
      not to professional endeavours or even a resume

As the Akismet page itself says, the line is hard to draw: by the criterion they mention, I would not need a "pro-blogger" key, since I make 0 income from my blog. But the blog is hosted by one of my companies and links back to it, so one might argue I would have to use an "enterprise" key. But the cost of an "enterprise" key is higher than the monthly hosting cost for the whole assortment of sites, which does not really make sense, especially considering the fact that the company does not gain anything from the fact that comments exist on this blog and not on any of the other sites.

So, in the end, a line had to be drawn, and I thought my blog fell on the non-personal side of the line... and chose not to use Akismet for now.

This being said, should someone from Akismet chime in saying I would really fall under their "personal, non-commercial" rules from reading this description, I would certainly try it: most of what I know about the service and the experience of its users is positive.