gizmore / gwf3

Gizmore Website Framework

Shoutbox spam gains the upper hand

tehron opened this issue

Forbid anonymous shouts completely?
Or just use better captcha?

Aren't they always on some weird-ass subdomain instead of wechall.net?
Maybe there's some configuration issue there with captcha being disabled on those.

That subdomain shows captcha, too. Seems to behave the same way, too.
I think the problem is that you have indefinite tries to get the captcha right, because it doesn't change on failure, only on success...

```javascript
function gwfShout()
{
	var e = document.getElementById('gwf_shoutmsg');
	if (e === null) {
		alert('Can not find element with ID \'gwf_shoutmsg\'');
		return false;
	}

	var c = document.getElementById('captcha');
	if (c !== null) {
		c = '&captcha='+encodeURIComponent(c.value);
	} else {
		c = '';
	}

	var url = GWF_WEB_ROOT+'index.php?mo=Shoutbox&me=Shout&ajax=true';
	var data = 'message='+encodeURIComponent(e.value)+c;
	var response = ajaxSyncPost(url, data);

	if (gwfIsSuccess(response)) {
		gwfShoutRefresh();
	}
	else {
		gwfDisplayMessage(response);
	}

	return false;
}
```

Although that is pretty stupid, I don't think bots have much difficulty solving these captchas anyway. For registration I added an alternative "captcha" that seems to stop bots for now.

That said, I'm not sure I see that much benefit from anonymous shouts (or shouts in general :p), so disabling might be the easiest solution here.
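
The retry problem raised in this thread (the captcha changes only on success, not on failure), as an added example that is not part of the issue or of GWF3's code: a hypothetical in-memory `CaptchaStore` for Node.js where `rotateOnFailure` switches between keeping the challenge after a wrong guess and replacing it on every attempt. All class, function and option names are assumptions, and the 4-digit answer format is constructed for the demo.

```javascript
const crypto = require('crypto');

// Hypothetical server-side store (not GWF3 code): one pending challenge per session.
class CaptchaStore {
  constructor({ rotateOnFailure, newAnswer = randomAnswer }) {
    this.rotateOnFailure = rotateOnFailure;
    this.newAnswer = newAnswer; // injectable so tests can use constructed answers
    this.pending = new Map();   // sessionId -> expected answer
  }

  // Create (or replace) the challenge for a session.
  issue(sessionId) {
    this.pending.set(sessionId, this.newAnswer());
  }

  // True only if the guess matches the session's current challenge.
  verify(sessionId, guess) {
    const expected = this.pending.get(sessionId);
    if (expected === undefined) return false; // nothing issued for this session
    const ok = sameString(expected, String(guess));
    // Success always consumes the challenge. With rotateOnFailure=false a wrong
    // guess leaves it in place (the behaviour described in the thread); with
    // rotateOnFailure=true every attempt, right or wrong, gets a new challenge.
    if (ok || this.rotateOnFailure) this.issue(sessionId);
    return ok;
  }
}

// Constructed answer format for the demo: four random digits.
function randomAnswer() {
  return crypto.randomInt(0, 10000).toString().padStart(4, '0');
}

// Constant-time comparison; hashing first gives equal-length buffers.
function sameString(a, b) {
  const ha = crypto.createHash('sha256').update(a).digest();
  const hb = crypto.createHash('sha256').update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Number of guesses from `candidates` accepted against one session's captcha,
// counted up to the first success; -1 if none of them was accepted.
function guessesNeeded(store, sessionId, candidates) {
  store.issue(sessionId);
  for (let i = 0; i < candidates.length; i++) {
    if (store.verify(sessionId, candidates[i])) return i + 1;
  }
  return -1;
}
```

With rotation on failure, each guess faces a fresh challenge, so repeated submissions no longer narrow down a fixed answer. The client also has to reload the captcha image after a failed response so legitimate users see the new challenge.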