DISQUS

DISQUS Hello! Elliott Back's Blog is using DISQUS, a powerful comment system, to manage its comments. Learn more.

Community Page

Elliott Back's Blog

Jump to original thread »
Author

WP-Spam quiz lives: WP-Gatekeeper dead

Started by elliottback · 8 months ago

No excerpt available. Jump to website »

11 comments

  • marcovhv

    3 years ago

    Hi Elliott,

    Thanks for blogging a bit about my plugin! Way cool!
    I've just released an 1.1 version which is really completely customizable and works with all possible templates.

    About your remark: Can you explain to me how a product like this is vulnerable except for when spammers go and manually check all questions and answers for each site separately? This is possible but it makes spamming too hard and too expensive which is exactly the purpose of this plugin...
    reply
  • Ozh

    3 years ago

    I was to make the same remark as Marco :)
    I know there are bots that can decypher captchas, but Marco's plugin is more on the AI side.

    BTW you could even make things harder if the question was printed to the page on the client-side with Javascript, so that spam bots would not even get the question in the page source. But still, answering the question is more a matter of AI anyway.

    On a side note, Elliott, I noticed your feed item footer (reading you via planetwordpress.planetozh.com) with the copyright notice. Is it my plugin "Better Feed" ? :)
    reply
  • marcovhv

    3 years ago

    Ozh> If it would use javascript it would decrease in accessibility. Users without javascript wouldn't be able to post anymore. If you want a javascript solution you'd better use Elliott's (excellent) WP Hashcash. It's the same thing really but with his plugin it's not the visitor who has to answer a question but... your webbrowser, through a javascript challenge-response.
    reply
  • Elliott Back

    3 years ago

    Ah, yes. So there were two attacks that came to mind immediately. No, make that three:

    1) Brute Force. If any response is alphabetic or integer, that is quite an easy attack to run, and one that is sucessfully being used against hashcash in the field.

    2) Manual enumation of the correct values. Time consuming, but straightforward.

    3) Automatic guessing of the answers to questions. Google does it, we can do it too by using statistical methods. This is an open area of research!
    reply
  • marcovhv

    3 years ago

    Point 1 and 3 can be ruled out by using not one but many questions. My plugin supports an unlimited amount of stupid questions to be entered. There's nothing to brute-force if the question and the corresponding answer keeps changing at every request.

    Point 2 can be done but one will have to refresh the site until all questions have been displayed in order to record the answer. Then they'll have to link question id's to answers in their script. This will then be only valid for just ONE site because everyone has different questions. If, finally, we change our questions every once in a while it will be way too time consuming (expensive) to keep track of it all.

    The only option left is manual spam. If that ever takes off, centralized blacklists will get their second life because we can still simply scan for certain textual patterns to even make manual spam a horribly tedious job.
    reply
  • Elliott Back

    3 years ago

    You can't rule out brute force. All the spammers need to do is keep a tuple of (id, successful brute force). Since there are a finite number of questions, and an infinite number of chances to guess, the expected value of getting a spam comment should be one.

    Point three is not really brute force. Researchers at Cornell developed a way for machines to learn to answer questions, or generate music, based on identifying similar semantics. For example "what color is the sky?" or "the sky is colored ___?" would be recognized as the same content, and matched to the response "blue." This is quite experimental, but I believe AI will be able to automatically answer the type of questions in WP-Spam Quiz eventually.

    As for manual spam... eh... it's just a pain. Bayes, here we come...
    reply
  • marcovhv

    3 years ago

    Ok, you're right in a strictly theoretical sense. But it will take quite a while before this is economically viable. And of course there's the option to detect brute force attempts and blocking IP's before the brute force attack even found something. You'll have to agree that in most cases it will take a substantial amount of attempts. My own Pivot-Blacklist package flags IP's after a user-configurable amount of failed attempts. Set this to say three and they'll never get through unless they have unlimited IP's.
    reply
  • marcovhv

    3 years ago

    PS. something really scary just happened after posting that comment. :P
    reply
  • Elliott Back

    3 years ago

    Hahaa...what kind of scariness?
    reply
  • marcovhv

    3 years ago

    I got a load of PHP errors related to some WP caching mechanism. It did post my comment though (doh) ;)
    reply
  • Elliott Back

    3 years ago

    I wish I knew what those were!! Probably the file had been deleted because it was too old and not generated yet, or something like that.... Hmmm. WP-cache is too complicated, I think.
    reply

Add New Comment

Returning? Login