Shoutbox spam gains the upper hand
tehron opened this issue
Forbid anonymous shouts completely?
Or just use better captcha?
Aren't they always on some weird-ass subdomain instead of wechall.net?
Maybe there's some configuration issue there with captcha being disabled on those.
That subdomain shows captcha, too. Seems to behave the same way, too.
I think the problem is that you have indefinite tries to get the captcha right, because it doesn't change on failure, only on success...
```javascript
function gwfShout()
{
	var e = document.getElementById('gwf_shoutmsg');
	if (e === null) {
		alert('Can not find element with ID \'gwf_shoutmsg\'');
		return false;
	}
	var c = document.getElementById('captcha');
	if (c !== null) {
		c = '&captcha='+encodeURIComponent(c.value);
	} else {
		c = '';
	}
	var url = GWF_WEB_ROOT+'index.php?mo=Shoutbox&me=Shout&ajax=true';
	var data = 'message='+encodeURIComponent(e.value)+c;
	var response = ajaxSyncPost(url, data);
	if (gwfIsSuccess(response)) {
		gwfShoutRefresh();
	}
	else {
		gwfDisplayMessage(response);
	}
	return false;
}
```
Although that is pretty stupid, I don't think bots have much difficulty solving these captchas anyway. For registration I added an alternative "captcha" that seems to stop bots for now.
That said, I'm not sure I see that much benefit from anonymous shouts (or shouts in general :p), so disabling might be the easiest solution here.
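The unlimited-tries problem raised above comes down to the challenge surviving a wrong answer. The following is an added example, not part of the thread and not WeChall/GWF code: a server-side store that consumes a captcha on every attempt, so a failed guess forces a new challenge. `CaptchaStore`, `issue`, `verify` and `guessesAccepted` are hypothetical names, and the session ids are constructed.

```javascript
// Added example (assumed names, not the project's code): single-use captcha challenges.
const crypto = require('crypto');

class CaptchaStore {
  constructor(ttlMs = 120000) {
    this.ttlMs = ttlMs;
    this.pending = new Map(); // sessionId -> { answer, expires }
  }

  // Create a fresh challenge for a session, replacing any earlier one.
  issue(sessionId, now = Date.now()) {
    const alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ'; // no I or O, to avoid look-alikes
    let answer = '';
    for (let i = 0; i < 5; i++) {
      answer += alphabet[crypto.randomInt(alphabet.length)];
    }
    this.pending.set(sessionId, { answer, expires: now + this.ttlMs });
    return answer; // a real server renders this as an image and never sends the text
  }

  // Check a guess. The challenge is deleted before the comparison, so it is
  // consumed on failure as well as on success.
  verify(sessionId, guess, now = Date.now()) {
    const entry = this.pending.get(sessionId);
    this.pending.delete(sessionId);
    if (!entry || now > entry.expires) return false;
    const expected = Buffer.from(entry.answer);
    const given = Buffer.from(String(guess).toUpperCase());
    return expected.length === given.length &&
      crypto.timingSafeEqual(expected, given);
  }
}

// Constructed scenario: a client submits several guesses against one challenge.
// Only the first guess is ever compared; later ones find no pending challenge.
function guessesAccepted(store, sessionId, guesses) {
  return guesses.map((g) => store.verify(sessionId, g));
}
```

With this behaviour the client has to fetch and display a new captcha after any rejected shout, not only after a successful one.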