Solved

How did a spam bot decipher my captcha?

Posted on 2014-07-19
4
475 Views
Last Modified: 2014-07-19
I recently added a captcha field to my website's contact form, because the form was being abused by spam bots.  Today I got a spammed contact form, and I'd like to understand how a bot deciphered the captcha.

The contact form is at www.mauitradewinds.com/contact.htm    It requires typing the name of the island where I live into t text field.  Below, I've pasted the relevant section of my server's log file, which shows that the initial visit originated from a notorious forum-spamming IP in China, and a moment later, the site was accessed by a (probably-spoofed) Iraq IP address, also  reported as notorious for forum spamming.   The visitor only spent one second on each page of my site, including the contact form.  So I can't see that there was human intervention, and can't understand how the captcha was populated successfully.

61.50.245.133 - - [19/Jul/2014:20:49:48 -0400] "GET /IE8index.php HTTP/1.1" 403 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:51 -0400] "GET /IE8index.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:53 -0400] "GET /IE8index.htm HTTP/1.1" 200 15974 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:55 -0400] "GET /suite.htm HTTP/1.1" 302 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:56 -0400] "GET /IE8suite.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:57 -0400] "GET /IE8suite.htm HTTP/1.1" 200 25814 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:58 -0400] "GET /StarWind.htm HTTP/1.1" 302 317 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:49:59 -0400] "GET /IE8StarWind.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:00 -0400] "GET /IE8StarWind.htm HTTP/1.1" 200 25817 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:02 -0400] "GET /viewtriage.htm HTTP/1.1" 200 1266 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:03 -0400] "GET /RezEasy/availability.html HTTP/1.1" 200 1078 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:04 -0400] "GET /location.htm HTTP/1.1" 200 6702 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:05 -0400] "GET /service.htm HTTP/1.1" 200 10047 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:06 -0400] "GET /hostess.htm HTTP/1.1" 200 6759 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:08 -0400] "GET /contact.htm HTTP/1.1" 200 8209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:09 -0400] "POST /contact-form-handler.php HTTP/1.1" 302 - "http://www.mauitradewinds.com/contact.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:11 -0400] "GET /thankyou.htm HTTP/1.1" 200 5752 "http://www.mauitradewinds.com/contact.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:13 -0400] "GET /guestbook.htm HTTP/1.1" 200 8849 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:15 -0400] "GET / HTTP/1.1" 302 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:16 -0400] "GET /IE8index.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:18 -0400] "GET /index.htm HTTP/1.1" 301 326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:19 -0400] "GET / HTTP/1.1" 302 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:20 -0400] "GET /IE8index.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:22 -0400] "GET /suite.htm HTTP/1.1" 302 314 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:23 -0400] "GET /IE8suite.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:25 -0400] "GET /StarWind.htm HTTP/1.1" 302 317 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:26 -0400] "GET /IE8StarWind.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
37.239.46.2 - - [19/Jul/2014:20:50:32 -0400] "GET /links.htm HTTP/1.1" 200 10713 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
0
Comment
Question by:ddantes
  • 2
4 Comments
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 40206853
For a Captcha to be effective, it has to require a different answer every time.  Your's does not so all they have to do it get it right once and they're in.
0
 

Author Comment

by:ddantes
ID: 40206866
OK.  But in the case of the question "which Hawaiian island are we located?"  how does a machine get it right once?
0
 
LVL 58

Accepted Solution

by:
Gary earned 250 total points
ID: 40206899
You will find that a lot of spam is not always a bot but a real person that finds out how to make a successful post and then adds the method to the bot.
0
 

Author Comment

by:ddantes
ID: 40206901
That makes sense.  Thank you both.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Encryption for Business Encryption (https://en.wikipedia.org/wiki/Encryption) ensures the safety of our data when sending emails. In most cases, to read an encrypted email you must enter a secret key that will enable you to decrypt the email. T…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question