去年換裝reCAPTCHA後,連人類都很難看懂的變態OCR文字(其實大家在無形中參與了古書籍的數位化),成功擊退機器人大軍,垃圾留言從此絕跡。

近一個月,網站開始冒出許多垃圾留言,跟當年決定換掉TrimothyHUmphrey’s CAPTCHA時的情境相仿,三不五時會冒出一堆看不懂的洋文廣告,很多甚至是俄文、法文,一目了然的只有  我今年15歲,我有5" 之類的威而剛廣告(應是不了解台灣鄉民的實力,才膽敢跑來班門弄斧貼這種廣告夏夕夏景):

日期留言文章主題留言內容
2012-08-30re: XML Notepad Improvement«En tant que a ville côtière, nous sommes sur le à propos de l' top y compr...
2012-08-29re: Mini C# Lab ver 1.3 Release NoteWatt Is Prozac Viagra Spongebob Nascar Jackets <a href=http://archive.org/detail...
2012-08-29re: Mini C# Lab ver 1.3 Release NoteWatt Is Prozac Viagra Spongebob Nascar Jackets <a href=http://archive.org/detail...
2012-08-29re: Mini C# Lab ver 1.3 Release NoteWatt Is Prozac Viagra Spongebob Nascar Jackets <a href=http://archive.org/detail...
2012-08-29re: Mini C# Lab ver 1.3 Release NoteWatt Is Prozac Viagra Spongebob Nascar Jackets <a href=http://archive.org/detail...
2012-08-29re: Mini C# Lab ver 1.3 Release NoteWatt Is Prozac Viagra Spongebob Nascar Jackets <a href=http://archive.org/detail...
2012-08-29re: Mini C# Lab ver 1.3 Release NoteWatt Is Prozac Viagra Spongebob Nascar Jackets <a href=http://archive.org/detail...
2012-08-29re: Mini C# Lab ver 1.3 Release NoteWatt Is Prozac Viagra Spongebob Nascar Jackets <a href=http://archive.org/detail...
2012-08-29re: Mini C# Lab ver 1.3 Release NoteWatt Is Prozac Viagra Spongebob Nascar Jackets <a href=http://archive.org/detail...
2012-08-29re: NOTES-PDF轉文字檔筆記Hi blog.darkthread.net owner your site is interesting but you should improve gra...
2012-08-29re: Inline Style ASP.NET MVC Validation Message??? High-definition <a href=http://freemoviesonlinetv.net/ category/stream-movies...
2012-08-29re: CodeBetter CAPTCHA Modification<center><a href=http://bit.ly/LUcsrR><img>http:// i711.photobucket.com/ albums/ww1...
2012-08-26re: Resolving MasterPage ClientId Issue in jQueryWhat if there was a way to get thousands of visitors/day to your blog.darkthread...
2012-08-23re: 筆記-讓ASP.NET TreeView可以透過Javascript新增節點Hi, I'm 15. I have 5" (i think you understand). Should i <a href=http://dbxkci.b...
2012-08-21re: KB-Watch Out For The SPVirtualPathProviderHi, I'm 15. I have 5" (i think you understand). Should i <a href=http://rykbpw.b...
2012-08-21re: XML Notepad Improvement Ganz produktive, Marke wir einen Blick auf das befassen sich mit der ...
2012-08-21re: Unit Test Reference Issuehowdy, do you search for a <a href=http:// www.loans--payday.com>online cash Adva...
2012-08-21re: Unit Test Reference Issuehowdy, do you search for a <a href=http:// www.loans--payday.com>online cash Adva...
2012-08-21re: TIPS-About UI Thread Limitation<a href=http://www.lightfootbranding.com/ index.php/member/138482/>cccam provider...
2012-08-21re: XML Notepad ImprovementSehr active , Gesellschaft betrachten Gesicht, dass befassen sich mit de...
2012-08-21re: C# 3.0 極簡風 - Lambda Expressionhowdy, are you trying to get <a href=http://www.loans--payday.com>online Cash Ad...
2012-08-20re: TIPS-About UI Thread LimitationFascinating article. Certain that I'll come back here. Great work. Best Regards ...
2012-08-20re: CODE-ASPX接收jQuery.ajax傳送XML文件範例батареи отопления видноегазовые котлы пироговскийустановка отопления пушкино <a ...
2012-08-20re: 觀察LINQ to SQL DataContext的連線開啟時機<a href=http://new.magic-teens.com><IMG>http://new.magic-teens.com/7/26.jpg</IMG...
2012-08-20re: Unit Test Reference IssueAudio engineering is a promising occupation that gives you immense chance in fil...

使用WhatIsMyIpAddress的IP查詢服務,發現留言IP來自烏克蘭、俄羅斯、南韓... 等國家,其中不乏同一IP連續留言多篇,或隔幾天重複留言的狀況,依此研判,應是垃圾留言機器人無誤,原本固若金湯的reCAPTCHA,莫非已被機器人攻破?

查詢之後,還真發現一個名為Decon Group 949的Hacker團體,想出改由語音繞道進攻的聰明點子,寫出一套叫Stiltwalker的工具,略過難以破解的OCR挑戰,從語音識別下手,成果豐碩;即使reCAPTCHA工程師一路調整程式應戰,但依其網頁說法,2012/7/26推出的版本,已達到99.95%的破解率。檢查了站上的垃圾留言,是從8/20開始出現的,若推論是Stiltwalker已被應用於垃圾留言產業,倒也有幾分合理性。

reCAPTCHA似乎未提供停用語音測驗的選項,若上述推測正確,在Google工程師想出克服之道前,恐怕還得被垃圾留言騷擾一陣子...

有在使用reCAPTCHA的朋友,近期是否也開始出現來自國外的垃圾留言? (我的案例以英文文章居多,推測是文章被引用於英文網頁或討論區,引來攻擊) 若大家都有類似發現,reCAPTCHA被破解的可能性就更高了。


Comments

# by KKBruce

Blogger有出現幾天類似的留言,可能小弟網站流量不像黑大,留言數沒那麼多,且印象中三四天後就沒有了。

# by Jeffrey

to KKBruce, 12小時內我又刪了八則垃圾留言,感覺上有惡化的跡象。

# by Jeffrey

記錄: 2012/09/2 09:23,剛才又刪了9則垃圾留言... 看來得開始籌備備援方案

# by Ruinland

CAPTCHA一直倍受爭議,有人說花在解CAPTCHA的時間內浪費的資源與電力比汽車怠速不熄火多zzz

# by 貓咪圓滾滾

奇怪我之前好像就看過黑大這篇文章 可是竟完全沒有危機意識! 不愧是黑大選的驗證碼 難度真的都頗高耶 哈哈

# by 蝸牛

原來是透過語音的方式來攻擊

Post a comment


99 - 64 =