FYI, “CAPTCHA” is an acronym for “Completely Automated Public Turing
test to tell Computers and Humans Apart”. For more information, see
the Wikipedia article.
For my and my clients’ servers, I deal with crackers (cyber criminals
the media call “hackers”) and spammers. The way I deal with spammers
is covered in another article.
I use fail2ban on all of my servers. It watches the logs and when it
sees several authentication failures from one IP, it blocks that IP
for a period of time and sends me an email about the action. The
notice includes the “whois” information for that IP, and I’m
interested in the abuse contact, because I’m going to send a complaint
to the contact about abuse coming from his network.
Internet standards, namely RFC 2142 says you should have a working
“abuse” point of contact and a “postmaster” point of contact listed in
the whois information for your network. When I send a complaint to
the abuse POC, I expect them to hunt down and shut down the machine on
the offending IP. Some of them send back an auto-reply. Some send a
personalized acknowledgment. Some even send a follow-up reporting the
results of their findings. One even reported that he “terminated” the
rogue machine. I got a kick out of that.
Some don’t send me anything. I don’t mind as long as they deal with
the blighter. (No I’m not British, but I really like some Brit-isms.)
If my complaint goes to /dev/null, I have no way of knowing. If any
IP, or sometimes network, goes on unabated, I block them for a month.
I will not have crackers freely hitting my servers.
The vast majority of POC information is available from the text-mode
“whois” program, available for every flavor of UNIX and Linux. I’ve
found two primary areas that frequently do not provide any POC
information. The first is most of the networks registered with
AFRINIC, the African Regional Internet Registry (RIR). I don’t know
if they don’t provide POC email addresses because they are
RFC-ignorant, or are afraid of publishing an address and getting
spammed, or are just lazy. My policy is, if they don’t publish an
abuse POC and some machine on their network hits my server, the
network gets blocked for a month.
A few months ago, I noticed that whois info from Brazilian networks
had no abuse POC email addresses. Their stock whois footer lists
cert@cert.br, who are also interested in such reports. So I sent a
note to them asking what’s going on with that. They forwarded my note
to the folks at registro.br which is the Brazilian registry. They
pointed me to their web-based whois. I am against web-based tools for
this because I build scripts to simplify a lot of my work. If I have
to stop, bring up their web site, copy and paste the IP, click several
places, and then copy and paste the results to my script, that really
bogs things down. But I’m willing to do it on a limited basis.
Well, I tried that, but still didn’t get the email POCs. I informed
them and they said if you fill in the CAPTCHA block correctly, then
you get the email info. Well I saw that stuff there, but it was
accompanied by text in Portugese, so figured it wasn’t important. The
CAPTCHA has several images of characters, and a prompt in Portugese.
They pointed me to some translation web sites where I could find out
what the prompt is. Can you not provide subtitles in English? The
whole world does not speak Portugese.
Okay, so I tried it. Didn’t work. Tried several more times and
failed. It’s not always obvious if the letters are uppercase or
lowercase, and you have to ask if it’s a lowercase “L” or the
numeral 1. I complained to them about it and ultimately they said
they would pass my complaint to their developers. The final
irritation is that it says (in Portugese, of course), “If you have
difficulty with the image above, use the version without the image
challenge or contact our service.” And, of course, if you do that,
you get the restricted whois without any POC emails.
I challenge you to try it. Go to
the web site and try a Brazilian
IP, say, 186.235.159.62. Answer the CAPTCHA, and then scroll down to
see if you get any email addresses for the POCs.
For the nonce, I’m blocking for a month all Brazilian networks
harboring botted machines that hit my servers. If I can’t solve their
friggin’ CAPTCHA to get their POC emails, then they might as well not
have any at all.
Sorry I took so long to get to the point of the title, but I needed to
explain how I got there.
But continuing with the subject line, the second worst CAPTCHAs I’ve
seen have pictures and you are supposed to click on the ones that do
or do not fit some criteria. One had you click on the pictures that
had storefronts. Some of them were fuzzy and it wasn’t always obvious
what constituted a store front. Another had images of streets and you
had to click on the ones with “street signs”. Define “street signs”.
I think I went through four of those before I passed.
The most usable CAPTCHA is called
“reCAPTCHA”. This is used
by the AFRINIC web-based whois. Aside from it being web-based, it is
the least objectionable form of CAPTCHA. After you enter the IP into
the search box, it puts up a box, and you are to click inside the
box. When you do that, it spins for about five seconds and then
presents a check mark indicating you are approved. Then you hit
“Search” and you get the requested information. As noted before, you
still frequently get no POC email addresses, I presume just because
they don’t have any in their database.
Update: AFRINIC no longer uses any kind of CAPTCHA. Perhaps they
figured if they are (mostly) not going to provide POC emails, then
there is no point in using a CAPTCHA to keep email harvesters out.
Let me know if you have differing experiencees.