The worst CAPTCHA in the world
April 21, 2017
FYI, “CAPTCHA” is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”. For more information, see the Wikipedia article.
For my and my clients’ servers, I deal with crackers (cyber criminals the media call “hackers”) and spammers. The way I deal with spammers is covered in another article.
I use fail2ban on all of my servers. It watches the logs and when it sees several authentication failures from one IP, it blocks that IP for a period of time and sends me an email about the action. The notice includes the “whois” information for that IP, and I’m interested in the abuse contact, because I’m going to send a complaint to the contact about abuse coming from his network.
Internet standards, namely RFC 2142, say you should have a working “abuse” point of contact and a “postmaster” point of contact listed in the whois information for your network. When I send a complaint to the abuse POC, I expect them to hunt down and shut down the machine on the offending IP. Some of them send back an auto-reply. Some send a personalized acknowledgment. Some even send a follow-up reporting the results of their findings. One even reported that he “terminated” the rogue machine. I got a kick out of that.
Some don’t send me anything. I don’t mind as long as they deal with the blighter. (No, I’m not British, but I really like some Brit-isms.) If my complaint goes to /dev/null, I have no way of knowing. If any IP, or sometimes network, goes on unabated, I block them for a month. I will not have crackers freely hitting my servers.
The vast majority of POC information is available from the text-mode “whois” program, available for every flavor of UNIX and Linux. I’ve found two primary areas that frequently do not provide any POC information. The first is most of the networks registered with AFRINIC, the African Regional Internet Registry (RIR). I don’t know if they don’t provide POC email addresses because they are RFC-ignorant, or are afraid of publishing an address and getting spammed, or are just lazy. My policy is, if they don’t publish an abuse POC and some machine on their network hits my server, the network gets blocked for a month.
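As an added illustration (not the author's own script), here is one way to pull the abuse POC out of text-mode whois output and apply the policy described above. It assumes ARIN-style `OrgAbuseEmail:` fields and RIPE-style `abuse-mailbox:` fields and comment lines; the function names, decision labels and sample records are constructed for this example.

```python
import re

# Abuse-mailbox fields seen in text-mode whois output: ARIN prints
# "OrgAbuseEmail:", RIPE-style (RPSL) databases print "abuse-mailbox:".
ABUSE_FIELD = re.compile(
    r"^\s*(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+@\S+)\s*$", re.I | re.M)
# RIPE-style servers also emit: % Abuse contact for '<range>' is '<address>'
ABUSE_COMMENT = re.compile(
    r"^%\s*Abuse contact for .* is '([^']+@[^']+)'", re.I | re.M)
# Last resort: any abuse@ address (the RFC 2142 mailbox name) in the record.
ABUSE_LOCALPART = re.compile(r"\babuse@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b", re.I)

def abuse_contacts(whois_text):
    """Return the de-duplicated, lower-cased abuse addresses in a whois record."""
    found = ABUSE_FIELD.findall(whois_text) + ABUSE_COMMENT.findall(whois_text)
    if not found:
        found = ABUSE_LOCALPART.findall(whois_text)
    return list(dict.fromkeys(addr.lower() for addr in found))

def decide(whois_text):
    """Apply the policy above: complain if a POC exists, else block the network."""
    contacts = abuse_contacts(whois_text)
    return ("complain", contacts) if contacts else ("block-network-one-month", [])

# Constructed sample records (documentation address ranges, made-up names).
ARIN_STYLE = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgAbuseHandle: ABUSE1-EXAMPLE
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net
"""
RPSL_STYLE = """\
% Abuse contact for '198.51.100.0 - 198.51.100.255' is 'Abuse@example.org'
inetnum:        198.51.100.0 - 198.51.100.255
abuse-mailbox:  abuse@example.org
"""
NO_POC = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NO-POC
e-mail:         hostmaster@example.com
"""

if __name__ == "__main__":
    for name, record in [("arin", ARIN_STYLE), ("rpsl", RPSL_STYLE), ("none", NO_POC)]:
        print(name, decide(record))
```

A record that lists only a general or technical address, like the third sample, is treated as having no abuse POC.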
A few months ago, I noticed that whois info from Brazilian networks had no abuse POC email addresses. Their stock whois footer lists firstname.lastname@example.org, who are also interested in such reports. So I sent a note to them asking what’s going on with that. They forwarded my note to the folks at registro.br, which is the Brazilian registry. They pointed me to their web-based whois. I am against web-based tools for this because I build scripts to simplify a lot of my work. If I have to stop, bring up their web site, copy and paste the IP, click several places, and then copy and paste the results to my script, that really bogs things down. But I’m willing to do it on a limited basis.
Well, I tried that, but still didn’t get the email POCs. I informed them and they said if you fill in the CAPTCHA block correctly, then you get the email info. Well, I saw that stuff there, but it was accompanied by text in Portuguese, so I figured it wasn’t important. The CAPTCHA has several images of characters, and a prompt in Portuguese. They pointed me to some translation web sites where I could find out what the prompt is. Can you not provide subtitles in English? The whole world does not speak Portuguese.
Okay, so I tried it. Didn’t work. Tried several more times and failed. It’s not always obvious if the letters are uppercase or lowercase, and you have to ask if it’s a lowercase “L” or the numeral 1. I complained to them about it and ultimately they said they would pass my complaint to their developers. The final irritation is that it says (in Portuguese, of course), “If you have difficulty with the image above, use the version without the image challenge or contact our service.” And, of course, if you do that, you get the restricted whois without any POC emails.
I challenge you to try it. Go to the web site and try a Brazilian IP, say, 22.214.171.124. Answer the CAPTCHA, and then scroll down to see if you get any email addresses for the POCs.
For the nonce, I’m blocking for a month all Brazilian networks harboring botted machines that hit my servers. If I can’t solve their friggin’ CAPTCHA to get their POC emails, then they might as well not have any at all.
Sorry I took so long to get to the point of the title, but I needed to explain how I got there.
But continuing with the subject line, the second worst CAPTCHAs I’ve seen have pictures and you are supposed to click on the ones that do or do not fit some criteria. One had you click on the pictures that had storefronts. Some of them were fuzzy and it wasn’t always obvious what constituted a store front. Another had images of streets and you had to click on the ones with “street signs”. Define “street signs”. I think I went through four of those before I passed.
The most usable CAPTCHA is called “reCAPTCHA”. This is used by the AFRINIC web-based whois. Aside from it being web-based, it is the least objectionable form of CAPTCHA. After you enter the IP into the search box, it puts up a box, and you are to click inside the box. When you do that, it spins for about five seconds and then presents a check mark indicating you are approved. Then you hit “Search” and you get the requested information. As noted before, you still frequently get no POC email addresses, I presume just because they don’t have any in their database.
Let me know if you have differing experiences.