Elliott C. Back: In Aere Aedificare

WP-Spam quiz lives: WP-Gatekeeper dead

Posted in General, Blogging, Spam, Plugins by Elliott Back on September 21st, 2005.

So you’ve all heard about WP Gatekeeper, Eric Meyer's inane “What colour is an orange” challenge/response authorization system for user comments. Now let me introduce WP Spam Quiz, a more customizable, user-friendly implementation of the same idea.

As a computer science major, though, I have to point out that these products are *still* vulnerable. However, it is my opinion that most of these attacks are far beyond the level of sophistication of the average spammer. Or in other words, we are still vulnerable, but in practice this will serve well until some time in the future!

This entry was posted on Wednesday, September 21st, 2005 at 6:55 pm and is tagged with eric meyers, authorization system, customizable user, challenge response, spammer, sophistication, computer science, quiz, implementation.

11 Responses to 'WP-Spam quiz lives: WP-Gatekeeper dead'

  1. Marco said:

    on September 22nd, 2005 at 1:41 am

    Hi Elliott,

    Thanks for blogging a bit about my plugin! Way cool!
    I’ve just released a 1.1 version which is really completely customizable and works with all possible templates.

    About your remark: Can you explain to me how a product like this is vulnerable except for when spammers go and manually check all questions and answers for each site separately? This is possible but it makes spamming too hard and too expensive which is exactly the purpose of this plugin…

  2. Ozh said:

    on September 22nd, 2005 at 2:50 am

    I was to make the same remark as Marco :)
    I know there are bots that can decipher captchas, but Marco’s plugin is more on the AI side.

    BTW you could even make things harder if the question was printed to the page on the client-side with Javascript, so that spam bots would not even get the question in the page source. But still, answering the question is more a matter of AI anyway.

    On a side note, Elliott, I noticed your feed item footer (reading you via planetwordpress.planetozh.com) with the copyright notice. Is it my plugin “Better Feed” ? :)

  3. Marco said:

    on September 22nd, 2005 at 2:58 am

    Ozh> If it used JavaScript it would decrease accessibility. Users without JavaScript wouldn’t be able to post anymore. If you want a JavaScript solution you’d better use Elliott’s (excellent) WP Hashcash. It’s the same thing really but with his plugin it’s not the visitor who has to answer a question but… your web browser, through a JavaScript challenge-response.

  4. Elliott Back said:

    on September 22nd, 2005 at 4:31 am

    Ah, yes. So there were two attacks that came to mind immediately. No, make that three:

    1) Brute Force. If any response is alphabetic or integer, that is quite an easy attack to run, and one that is successfully being used against hashcash in the field.

    2) Manual enumeration of the correct values. Time consuming, but straightforward.

    3) Automatic guessing of the answers to questions. Google does it, we can do it too by using statistical methods. This is an open area of research!

  5. Marco said:

    on September 22nd, 2005 at 5:17 am

    Points 1 and 3 can be ruled out by using not one but many questions. My plugin supports an unlimited amount of stupid questions to be entered. There’s nothing to brute-force if the question and the corresponding answer keep changing at every request.

    Point 2 can be done but one will have to refresh the site until all questions have been displayed in order to record the answer. Then they’ll have to link question id’s to answers in their script. This will then be only valid for just ONE site because everyone has different questions. If, finally, we change our questions every once in a while it will be way too time consuming (expensive) to keep track of it all.

    The only option left is manual spam. If that ever takes off, centralized blacklists will get their second life because we can still simply scan for certain textual patterns to even make manual spam a horribly tedious job.

  6. Elliott Back said:

    on September 22nd, 2005 at 1:44 pm

    You can’t rule out brute force. All the spammers need to do is keep a tuple of (id, successful brute force). Since there are a finite number of questions, and an infinite number of chances to guess, the expected value of getting a spam comment should be one.

    Point three is not really brute force. Researchers at Cornell developed a way for machines to learn to answer questions, or generate music, based on identifying similar semantics. For example “what color is the sky?” or “the sky is colored ___?” would be recognized as the same content, and matched to the response “blue.” This is quite experimental, but I believe AI will be able to automatically answer the type of questions in WP-Spam Quiz eventually.

    As for manual spam… eh… it’s just a pain. Bayes, here we come…

  7. Marco said:

    on September 22nd, 2005 at 3:55 pm

    OK, you’re right in a strictly theoretical sense. But it will take quite a while before this is economically viable. And of course there’s the option to detect brute force attempts and block IPs before the brute force attack has even found something. You’ll have to agree that in most cases it will take a substantial amount of attempts. My own Pivot-Blacklist package flags IPs after a user-configurable amount of failed attempts. Set this to say three and they’ll never get through unless they have unlimited IPs.
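The gate Marco describes in his last two comments, rotating the question on every request and flagging an IP after a configurable number of failed answers, as an added example (not the plugin's or Pivot-Blacklist's own code; the question set, threshold and lockout window are constructed):

```python
import secrets
import time
from collections import defaultdict

# Constructed sample question set: id -> (question text, normalised answer).
QUESTIONS = {
    1: ("What colour is an orange?", "orange"),
    2: ("How many legs does a dog have?", "4"),
    3: ("What is the opposite of 'up'?", "down"),
}
MAX_FAILURES = 3          # flag the IP after this many wrong answers (assumed value)
LOCKOUT_SECONDS = 3600    # how long a flagged IP stays blocked (assumed value)


class SpamQuiz:
    """Challenge/response comment gate with question rotation and per-IP lockout."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock, handy for tests
        self.failures = defaultdict(int)    # ip -> consecutive failed attempts
        self.locked_until = {}              # ip -> unix time the lockout ends

    def issue(self):
        """Pick a random question; its id is carried in the comment form."""
        qid = secrets.choice(list(QUESTIONS))
        return qid, QUESTIONS[qid][0]

    def is_locked(self, ip):
        until = self.locked_until.get(ip, 0)
        if until and until <= self.now():   # lockout expired: start fresh
            del self.locked_until[ip]
            self.failures[ip] = 0
            return False
        return until > self.now()

    def check(self, ip, qid, answer):
        """True if the answer is accepted and the comment may be posted."""
        if self.is_locked(ip):
            return False
        expected = QUESTIONS.get(qid, (None, None))[1]   # unknown id counts as a miss
        if expected is not None and answer.strip().lower() == expected:
            self.failures[ip] = 0
            return True
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.locked_until[ip] = self.now() + LOCKOUT_SECONDS
        return False
```

Because the question id changes per request and a guessing client is cut off after three misses, the (id, guess) table Elliott mentions cannot be filled from a single IP faster than the lockout window allows.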

  8. Marco said:

    on September 22nd, 2005 at 3:56 pm

    PS. something really scary just happened after posting that comment. :P

  9. Elliott Back said:

    on September 22nd, 2005 at 6:15 pm

    Hahaa…what kind of scariness?

  10. Marco said:

    on September 23rd, 2005 at 3:01 am

    I got a load of PHP errors related to some WP caching mechanism. It did post my comment though (doh) ;)

  11. Elliott Back said:

    on September 23rd, 2005 at 7:57 am

    I wish I knew what those were!! Probably the file had been deleted because it was too old and not generated yet, or something like that…. Hmmm. WP-cache is too complicated, I think.

Powered by WP Hashcash