Solved

How did a spam bot decipher my captcha?

Posted on 2014-07-19
Last Modified: 2014-07-19
I recently added a captcha field to my website's contact form, because the form was being abused by spam bots.  Today I got a spammed contact form, and I'd like to understand how a bot deciphered the captcha.

The contact form is at www.mauitradewinds.com/contact.htm. It requires typing the name of the island where I live into a text field. Below, I've pasted the relevant section of my server's log file, which shows that the initial visit originated from a notorious forum-spamming IP in China, and a moment later, the site was accessed by a (probably-spoofed) Iraq IP address, also reported as notorious for forum spamming. The visitor only spent one second on each page of my site, including the contact form. So I can't see that there was human intervention, and can't understand how the captcha was populated successfully.

61.50.245.133 - - [19/Jul/2014:20:49:48 -0400] "GET /IE8index.php HTTP/1.1" 403 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:51 -0400] "GET /IE8index.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:53 -0400] "GET /IE8index.htm HTTP/1.1" 200 15974 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:55 -0400] "GET /suite.htm HTTP/1.1" 302 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:56 -0400] "GET /IE8suite.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:57 -0400] "GET /IE8suite.htm HTTP/1.1" 200 25814 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:58 -0400] "GET /StarWind.htm HTTP/1.1" 302 317 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:59 -0400] "GET /IE8StarWind.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:00 -0400] "GET /IE8StarWind.htm HTTP/1.1" 200 25817 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:02 -0400] "GET /viewtriage.htm HTTP/1.1" 200 1266 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:03 -0400] "GET /RezEasy/availability.html HTTP/1.1" 200 1078 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:04 -0400] "GET /location.htm HTTP/1.1" 200 6702 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:05 -0400] "GET /service.htm HTTP/1.1" 200 10047 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:06 -0400] "GET /hostess.htm HTTP/1.1" 200 6759 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:08 -0400] "GET /contact.htm HTTP/1.1" 200 8209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:09 -0400] "POST /contact-form-handler.php HTTP/1.1" 302 - "http://www.mauitradewinds.com/contact.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:11 -0400] "GET /thankyou.htm HTTP/1.1" 200 5752 "http://www.mauitradewinds.com/contact.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:13 -0400] "GET /guestbook.htm HTTP/1.1" 200 8849 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:15 -0400] "GET / HTTP/1.1" 302 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:16 -0400] "GET /IE8index.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:18 -0400] "GET /index.htm HTTP/1.1" 301 326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:19 -0400] "GET / HTTP/1.1" 302 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:20 -0400] "GET /IE8index.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:22 -0400] "GET /suite.htm HTTP/1.1" 302 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:23 -0400] "GET /IE8suite.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:25 -0400] "GET /StarWind.htm HTTP/1.1" 302 317 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:26 -0400] "GET /IE8StarWind.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:32 -0400] "GET /links.htm HTTP/1.1" 200 10713 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Question by:ddantes
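
The one-second gap between the form page and the POST in the log above can be detected mechanically. The following is an added example, not part of the original post: it reuses two lines from the excerpt plus two constructed lines (198.51.100.20 is a documentation address), and the 5-second threshold is an assumption.

```python
import re
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
FORM_PAGE = "/contact.htm"
HANDLER = "/contact-form-handler.php"

def fast_submissions(lines, min_fill_seconds=5):
    """Return (ip, seconds) for every POST to HANDLER that arrives sooner than
    min_fill_seconds after the same client fetched FORM_PAGE. seconds is None
    when the client posted without ever loading the form."""
    form_seen = {}  # ip -> time the form page was last served to it
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "GET" and m["path"] == FORM_PAGE:
            form_seen[m["ip"]] = ts
        elif m["method"] == "POST" and m["path"] == HANDLER:
            loaded = form_seen.pop(m["ip"], None)
            elapsed = None if loaded is None else (ts - loaded).total_seconds()
            if elapsed is None or elapsed < min_fill_seconds:
                hits.append((m["ip"], elapsed))
    return hits

UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
SAMPLE = [
    # First two lines are taken from the log excerpt above.
    '37.239.46.2 - - [19/Jul/2014:20:50:08 -0400] "GET /contact.htm HTTP/1.1" 200 8209 "-" ' + UA,
    '37.239.46.2 - - [19/Jul/2014:20:50:09 -0400] "POST /contact-form-handler.php HTTP/1.1" 302 - '
    '"http://www.mauitradewinds.com/contact.htm" ' + UA,
    # Constructed lines: a visitor who takes 75 seconds to fill in the form.
    '198.51.100.20 - - [19/Jul/2014:21:02:10 -0400] "GET /contact.htm HTTP/1.1" 200 8209 "-" ' + UA,
    '198.51.100.20 - - [19/Jul/2014:21:03:25 -0400] "POST /contact-form-handler.php HTTP/1.1" 302 - '
    '"http://www.mauitradewinds.com/contact.htm" ' + UA,
]

if __name__ == "__main__":
    for ip, secs in fast_submissions(SAMPLE):
        print(ip, "submitted the form after", secs, "seconds")
```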

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 40206853
For a Captcha to be effective, it has to require a different answer every time. Yours does not, so all they have to do is get it right once and they're in.

Author Comment

by:ddantes
ID: 40206866
OK. But in the case of the question "which Hawaiian island are we located?", how does a machine get it right once?

Accepted Solution

by:Gary
Gary earned 250 total points
ID: 40206899
You will find that a lot of spam is not always a bot but a real person that finds out how to make a successful post and then adds the method to the bot.

Author Comment

by:ddantes
ID: 40206901
That makes sense.  Thank you both.
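
The point made in both answers, shown as an added example that is not code from the thread or from the site: a fixed answer can be learned once and replayed forever, while a per-request challenge with a single-use token cannot. The function names, the arithmetic question (a placeholder for a real challenge generator), the constructed static answer and the timing thresholds are all assumptions.

```python
import secrets
import time

STATIC_ANSWER = "example-island"   # constructed stand-in for a fixed captcha answer
MIN_FILL, MAX_AGE = 3, 600         # seconds; assumed thresholds
PENDING = {}                       # token -> (expected answer, issue time), server-side only

def static_check(answer):
    """Weak form: the same answer passes on every request, so one success is enough."""
    return answer.strip().lower() == STATIC_ANSWER

def issue(now=None):
    """Create a fresh challenge. The token goes into a hidden form field;
    the expected answer stays on the server."""
    now = time.time() if now is None else now
    # Drop challenges that were never answered so the store cannot grow forever.
    for tok in [t for t, (_, ts) in PENDING.items() if now - ts > MAX_AGE]:
        del PENDING[tok]
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    token = secrets.token_urlsafe(16)
    PENDING[token] = (str(a + b), now)
    return f"What is {a} plus {b}?", token

def verify(token, answer, now=None):
    """Check one submission. Any attempt consumes the token, right or wrong."""
    now = time.time() if now is None else now
    entry = PENDING.pop(token, None)
    if entry is None:
        return "unknown-or-replayed"
    expected, issued = entry
    if now - issued > MAX_AGE:
        return "expired"
    if now - issued < MIN_FILL:
        return "too-fast"          # posted faster than a person could read the form
    if not secrets.compare_digest(answer.strip().encode(), expected.encode()):
        return "wrong-answer"
    return "ok"

if __name__ == "__main__":
    question, token = issue()
    print(question, "->", verify(token, "0"))   # an instant post is rejected as too-fast
```

A question that a script can parse is still solvable by a script; the per-request token only removes replay of a previously learned answer.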