Spammers  finally reached PHPBB version 3 “Olympus” default CAPTCHA automated OCR task in their development schedule and recently started registering bot users passing the provided CAPTCHA confirmation code.

Luckily to them, PHPBB3 default CAPTCHA code is ridiculously easy to OCR, os basically this was rather expected. It does not however mean that there is no way to effectively stop automated registrations without spending too much time on forum engine update.

Automated registration spider sends HTTP POST with the code it OCR’red from the image and we can leave the same code querstion in place and just ask the interactive user to type some extra information into input field. For example, it is possible to instruct him/her to type an extra asterisk before the code, so that the following is expected to be typed in: *25K9RGS. This makes the only thing important: to put a proper not for the user so that he/she is aware that he needs this character to be also entered. PHP code update is relatively simple:

includes\ucp\ucp_register.php, near line 235:

<?php
////////////////////////////////
// NOTE: Checking extra asterisk in front of CAPCTCHA code to prevent from automated CAPTCHA readers
$confirm_code = $data['confirm_code'];
$confirm_code = (substr($confirm_code, 0, 1) == "*") ? substr($confirm_code, 1) : "";
if (strcasecmp($row['code'], $confirm_code) === 0)
// original:
//if (strcasecmp($row['code'], $data['confirm_code']) === 0)
////////////////////////////////
?>

then default style (e.g. subsilver2) HTML tempalte needs to have an extra character (9 instead of 8) space in the input field, styles\subsilver2\template\ucp_register.html, line 92:

<td class="row2"><input class="post" type="text" name="confirm_code" size="9" maxlength="9" /></td>

And finally the CONFIRM_CODE_EXPLAIN comment needs to be updated to instruct user to type the extra asterisk in language\en\common.php.

This is something fresh: spam using Windows Messenger service:

Someone, maybe Julia Cow (or Crow? whatever), provided my voice mail number as her own and I started receiving messages from so called First National Collection Bureau. It would be quite amusing unless they keep throwing messages on a daily basis, including 5 second calls with a sexy breath on the other side of the phone line. I am reluctant to give them a long distance call just to try to prove I am not Julia and why would they believe? A quick googling did not show a method to leave them a message via network, so let’s get ready for more pressing attempts to collect debt.

Update (oh they ARE annoying!):

• How do you block calls from collection agency, meant for someone else? // Yahoo Answers
• How can I stop getting harassing phone calls from a collection agency looking for someone I don’t know? // Yahoo Answers
• US National Do Not Call Registry
• US National and State Do Not Call Lists

The good news they provide Caller-ID: 775-322-0444 so it is just easy to trash their calls.