captcha the moment

Robots

According to Newton’s 3rd law of motion, for every action there is an equal and opposite reaction. Out on the Internet, that probably means that when forum spammers apply force (adding content advertisements to boost someone’s SEO), forum admins must apply an equal and opposite force to repel them. In this particular case, we’re talking about that captcha challenge you keep seeing everywhere: prove that you’re not a robot.

[image: Google reCAPTCHA "I'm not a robot" challenge]

Part of the problem is the underlying assumption: we are presumed to be robots and must prove otherwise before we may proceed. And I suppose that, to some extent, Google is part of the underlying problem.

Search Engine Optimization

SEO is the acronym for what’s behind all this. Google, for example, can be tricked into thinking that a particular website is more important than it really is. Spammers have figured this out, of course. Every day of the year, people are being paid to create fake content across the Internet’s collection of forums, blogs, websites, etc.

Behind the scenes, websites and forums are visited nightly by a virtual army of Google’s webcrawlers, robots which visit all the pages of a website and re-add them to the big indexed database which is, if you will, the brain of Google.

The problem, though, is the collection of odd configuration settings and files that most people know nothing about. A typical website has a /robots.txt file telling webcrawlers which areas of the site they may or may not index; the webmaster could simply exclude the comment-heavy areas. And really awesome forum or blog software would know to automatically decorate visitor-supplied links in comments with a rel="nofollow" attribute. Do both and these spammers/advertisers would be foiled almost overnight, since they’d no longer get any SEO value from the links they plant.
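
For illustration, both fixes are tiny; the /forum/ path and the link below are made-up examples:

    # /robots.txt: ask webcrawlers to skip an area of the site
    User-agent: *
    Disallow: /forum/

    <!-- a visitor-supplied link, decorated by well-behaved forum software -->
    <a href="http://example.com/" rel="nofollow">spammer's link</a>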

But since nobody spends much time thinking about a real fix, most of us—the forum and blog users—are forced to prove our humanity on a daily basis. We are inconvenienced in many ways.

Fast Typist = Spammer

This detection method really annoys me. Back in the ’70s I typed 115 WPM on an Underwood typewriter. Now imagine how fast I type on a computer keyboard with almost forty years of additional experience.

[image: Underwood typewriter]

Add to that, my brain works well. I can process problems and develop solutions in a hurry, and on many occasions I’ll attempt to provide assistance to others on the Internet, say, on a forum. Unfortunately, I’m often confronted with anti-spam countermeasures which seemingly think: if you can type more than two posts in five minutes, you must therefore be a robot. Seriously, I hate that one.

Denial-of-Service to Everyone

This is the reason behind today’s post. I was out there attempting to ask a question on the Sainsmart forum and, after trying multiple browsers, realized that I simply wasn’t going to get to ask it. Their registration mechanism’s captcha doesn’t work: it fails over and over again because their code is broken. It’s a denial-of-service (DoS) to everyone, robots and humans alike.

More Than One Lookup = Spammer

I tend to use WHOIS database information a lot since I work in Information Technology. Each domain registrar (like GoDaddy) maintains such a database, recording who has registered a particular domain. And yet I’m sure there are people who write scripts to promiscuously query this information in order to build and sell marketing lists. I would urge the people who maintain these lookup services not to be so heavy-handed with their robot-detection methods. (In other words, looking up two domains does not a robot make.)
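
Querying the database is a single command from any terminal; the exact output varies by registrar:

    $ whois example.com    # prints the registrar, registration dates, name servers, etc.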

Typical Customer Reaction

In my particular case with respect to Sainsmart’s forum DoS, it feels like Newton’s 2nd law of motion: the acceleration of the customer away from their forum is directly proportional to the force of rejection by their failing captcha mechanism. Okay, even for me that was stretching things a bit, but I did want to work in another Newton reference, so there you go. Seriously, it will take a lot to make me go back to Sainsmart’s forum again. (See, that was a Newton’s 1st law of motion joke. You knew I was a geek, right?)

hacking agar.io, part 3

This is the third post in a series; you might want to read the first one if you haven’t already done so. Here, I continue the work of keeping the game server’s ads from displaying at all.

DNS Server

It struck me that if I could build a relatively ignorant DNS server of my own and point my iPad at it, then I could control which servers my computer talks to. Strip the resolver down to the bare minimum and this should work for killing the Agar.io advertisements.

So I would need to use nslookup to find the IP addresses of the servers the game talks to. And since I’m authenticating via Facebook’s mechanism, I’d need to educate the DNS server about Facebook’s domains as well.

I happen to have an Ubuntu server which is under-utilized at the moment, since I’m only using it to develop WordPress plugins. So I installed bind9 (the DNS service) on this server and then configured it with some entries and zones:

  • agar.io: @ (the bare domain), www and m
  • facebook.com: @ and www

For each of the entries above, I just ran the nslookup command to determine what the normal IP address(es) would be and pinned those values into my zones.
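
The configuration amounts to two zone declarations plus a zone file apiece. A sketch, with 192.0.2.x documentation addresses standing in for the real values I captured (the facebook.com zone file follows the same pattern):

    // /etc/bind/named.conf.local: declare the zones we'll answer for
    zone "agar.io" {
        type master;
        file "/etc/bind/db.agar.io";
    };
    zone "facebook.com" {
        type master;
        file "/etc/bind/db.facebook.com";
    };

    ; /etc/bind/db.agar.io: minimal zone file (addresses are placeholders)
    $TTL 3600
    @    IN  SOA  ns.agar.io. admin.agar.io. ( 1 3600 600 86400 600 )
    @    IN  NS   ns.agar.io.
    ns   IN  A    192.0.2.1
    @    IN  A    192.0.2.10
    www  IN  A    192.0.2.10
    m    IN  A    192.0.2.11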

The next step would be to make sure that this bind service does not do recursive lookups; in other words, it won’t go ask for help when it doesn’t know the zone in question. So in theory it will only give answers for the entries I’ve made; anything else will fail to resolve.
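
On Ubuntu that’s a small change to bind’s options file; roughly:

    // /etc/bind/named.conf.options: answer only for zones we host
    options {
        directory "/var/cache/bind";
        recursion no;                 // don't chase answers for unknown zones
        allow-recursion { none; };    // belt-and-suspenders
    };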

Next, on the iPad under Settings -> Wi-Fi -> (my network), I manually set the only DNS server to be the IP address of my private server. I then confirmed that in a browser I could not resolve Google.com but could still see the webpage for Agar.io.
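
A quick way to double-check from another machine is to point nslookup at the private server directly (192.0.2.53 stands in for my server’s real address):

    $ nslookup agar.io 192.0.2.53       # resolves, since we host this zone
    $ nslookup google.com 192.0.2.53    # fails, since recursion is off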

Did it work? Not yet. Upon startup, the app is evidently missing a critical server it needs to talk to, and it can’t do the DNS lookup to find that server. It’s okay. I’ll keep hacking away at this to find out which server that is. I should be able to get this approach to work; I just need to go to school on the application some more.