reCaptcha & Captcha debacle

[cargelock]

This is basically the convo I had with a "technical support" guru at IPB

Since upgrading from 2.3.5 to 2.3.6 IPB board on 26th oct 2008 it has come to my attention that no one can any longer register at our forums. Isn't that great? There were no instructions that one must sign up to recaptcha or do anything similar. I used the std keys that came with the upgrade which never worked "
The Following Errors Were Found
The registration code did not match the one displayed, a new code has been generated, please try again". Signed up at reCaptcha to get a public and private key and still get the same error.

Reverted to normal captcha and found that no longer works either! So now we're faced with either no new registrations and/or no spam control!
What on earth is happening here? ReCaptcha is simple to implement in a php setting, yet so many people having problems with it!

Oh and another thing: The upgrade from 2.3.5 to 2.3.6 overwrote some general settings, namely that email activation was inplace before the upgrade, now users can directly login without activation. Why's that? You telling me that one must revert all their security settings after each patch and upgrade?

------------------------------------
staff
------------------------------------
Can you get to your Security and Privacy settings in Tools & Settings? If not, we'll need a root admin log in and your FTP information to correct that issue.

If you can get to Security and Privacy, that's one issue that you don't have to worry about that some others encountered.

The reCAPTCHA setting requires fsockopen to be installed/enabled in your PHP configuration. We have seen this issue on a few boards but not the majority. When reCAPTCHA gets put into action, during registration, it has to call out to the internet, the reCAPTCHA servers, to verify the code and then it reports back to the board that it's a valid code.

The problem is, when it's attempting to go out, off of your server, it isn't allowed to.

You may want to speak with your hosting provider about this and let them know that you need fsockopen installed or enabled in your PHP configuration.

---------------------------
Me
---------------------------
Ok well I can appreciate that fsockopen() would need a cal out (and it may or may not be enabled/blocked) but it does have an return error (even if it fails to open a socket) which begs the question of testing for an error.Several things spring to mind:
1. why no error check?
2. why enable reCaptcha automatically if the presence of fsockopen fails?
3. If the above fails, new registrations get locked out. (bad idea)
4. If #2 fails, why not failsafe to "normal captcha".

I can get to all of my settings for security & privacy etc. I am still scratching my head as to why an upgrade would alter and automagically turn on recaptcha and alter security settings!

You also failed to answer the reason why "normal captcha" now doesn't work either. On the registration page "loading image" is displayed, though no image ever appears. Also in adminCP the preview that used to work, no longer works.

----------------------------
staff
----------------------------
1. There was no system put into place to check if the outbound connections on port 80 would work until you go to register. The update was put into place within a day or so of the problem arising with thousands of angry customers who were getting spammed. What's in place is what could be done within a day. IPB 3 should have a better interface for this.

2. It's put into affect automatically because there are few servers who actually block outbound connections. This problem is few and far between but in the past couple weeks, every 3 or 4 days we see this. If we saw this every day and had hundreds of tickets on this, it would then be validated as a bigger problem rather than a different server configuration error that we could do nothing about.

3. No registrations get locked out that I've seen. They're only unable to register until the issue is corrected. Could you clarify a bit on what you mean by "locked out"? Maybe I'm misunderstanding.

4. Because the settings get passed to the database which dictates what kind of CAPTCHA system is active. The setting has to be set by an admin and I would gather to say that most customers wouldn't even know there was a problem. And if there was a way to fall back to the normal CAPTCHA and the bots figure out a way to get around the normal CAPTCHA, they would end up finding a way to also error out reCAPTCHA as well to default to something their malicious programs could read.

The upgrade turned it on automatically for the number of customers we had that just wanted the spammers to stop posting porn and viagra ads on their forum. They wanted a faster answer to the issue rather than "we've upgraded you, now you have to go in and do this and do that and do this before the spammers will stop". It was already enough that the board couldn't "automatically" tell the spammers apart from normal members and the board doesn't moderate itself. Turning reCAPTCHA on by default was the option the developers went with ultimately and I understand why they did so. If you require further explaination of this, I would highly suggest posting in the IPS Company Feedback section for IP.Board at http://forums.invisionpower.com. The log in there would be the same as your Client Area log in here.

Your normal CAPTCHA should be working. If you're not getting any sort of display on that, we'll need the following to take a look. Basically, normal is now Advanced (from 2.3.5 and below) and "Advanced" is reCAPTCHA. The simple numbers are no longer affective against any botter/spammer.
------------------------------------------------------

Ok well, back to me...
It clearly states that the requirements for IPB board are PHP4/5 & MySQL 4/5.
It says nothing of any other requirement, nor did the upgrade from 3.5 to 3.6 mention anything about having any further requirements.

I understand about the spamming issues with others, but I have never seen any spamming on my site as I took preventative measures for it not to be very possible or worthwhile. My site is a very busy one and heavily used, so there is no reason why spammers would overlook it.

If it weren't for my curiosity as to why my member take up had dropped off, maybe I would never have been the wiser. For those that say well IPB does run with those requirements, it renders a forum or any other software, useless if members can't sign up, and for all intents and purposes, it locks users out of a community board.

So, IPB; if you're going to wholesale change the requirements for a software which would in any other way render it unfit for purpose, PLEASE INFORM US!

[SonixStudio]

Actually, I am having the same problem with 1 board that I upgraded, but am having no problems with a new install. Both are on the same server.

[TCWT]

:blink: I hope all my settings are retained after the upgrade to 3.0. I am still on 2.3.1. So reCaptcha is set as default now? :-/

[Rοb]

Upgrade was fine for me, all settings were retained.

[Mark H.]

Same here. I didn't have to change a thing when I upgraded from 2.3.5 to 2.3.6.

[SonixStudio]

My board does not show the recaptcha code. It also is validatating the code entered, so the user has no idea whats going on. In their eyes they don't understand why it's asking for a code that they cannot see.


My 2.3.4 to 2.3.6 conversion went well, except this is happening.

My 2.3.6 new install is working fine.

[bfarber]

Note that the only change between 2.3.5 and 2.3.6 was reCAPTCHA support - if you weren't being spammed and didn't want or can't use reCAPTCHA, you did not need to upgrade at all.

It was necessary to effect stronger spam prevention controls due to the massive rise in spam suddenly a few weeks ago. Sometimes, when implementing something, you have a 99% success rate. When you have a 99% success rate, while certainly understandable that it is not appealing to the 1% that are having trouble, that is still a pretty big success rate nevertheless.

IPB requires a whole host of php functions. fsockopen is a default function that is enabled on a default installation. We see servers that have opendir, readdir and closedir disabled, and IPB cannot install on those servers. We simply cannot list every PHP function that IPB uses on our website - we have to expect that all standard PHP functions will be enabled, and we only list the versions of PHP, rather than the individual functions IPB uses, that are required.

[cargelock]

Note that the only change between 2.3.5 and 2.3.6 was reCAPTCHA support - if you weren't being spammed and didn't want or can't use reCAPTCHA, you did not need to upgrade at all.

Where exactly is that outlined? If I log into my adminCP and I see "upgrade 2.3.6 available" I consider it to be an upgrade, not a patch. I would also consider it to be safe for install, not an optional extra that may or may not work on any given server. I don't recall seeing anywhere that this upgrade was "optional", least any hint that a php function may break your registrations.

You also mention open_basedir and safe mode, but from what I see in the IPB code, at least there is some form of error management if either is evident. During the upgrade process it could have easily checked that the user required cpatcha and for the existence of fsockopen().

Like I stated though, I do understand the need for spamming prevention, but I also think things could have been laid out better to people who don't need or want it, rather than saying retrospectively that I need not have applied that upgrade.

[SonixStudio]

Note that the only change between 2.3.5 and 2.3.6 was reCAPTCHA support - if you weren't being spammed and didn't want or can't use reCAPTCHA, you did not need to upgrade at all.

It was necessary to effect stronger spam prevention controls due to the massive rise in spam suddenly a few weeks ago. Sometimes, when implementing something, you have a 99% success rate. When you have a 99% success rate, while certainly understandable that it is not appealing to the 1% that are having trouble, that is still a pretty big success rate nevertheless.

IPB requires a whole host of php functions. fsockopen is a default function that is not enabled on a default installation. We see servers that have opendir, readdir and closedir disabled, and IPB cannot install on those servers. We simply cannot list every PHP function that IPB uses on our website - we have to expect that all standard PHP functions will be enabled, and we only list the versions of PHP, rather than the individual functions IPB uses, that are required.

I was having spamming issues, hence the upgrade.

Can you explain my position? Obviously PHP configuration is setup properly, because 1 board is working and the other is not. I am at a loss as how to get it working again and I haven't had any new signups since Oct. 13, the day of the upgrade.

[sunrisecc]

Where exactly is that outlined? If I log into my adminCP and I see "upgrade 2.3.6 available" I consider it to be an upgrade, not a patch. I would also consider it to be safe for install, not an optional extra that may or may not work on any given server. I don't recall seeing anywhere that this upgrade was "optional", least any hint that a php function may break your registrations.

http://forums.invisionpower.com/index.php?showtopic=277539

[bfarber]

I was having spamming issues, hence the upgrade.

Can you explain my position? Obviously PHP configuration is setup properly, because 1 board is working and the other is not. I am at a loss as how to get it working again and I haven't had any new signups since Oct. 13, the day of the upgrade.

If you are having trouble, you should submit a ticket. Our support technicians can surely drill down and find the problem.

[cargelock]

http://forums.invisionpower.com/index.php?showtopic=277539

Sorry, but no where in that post does it say you don't need it, neither does it say that in the download section. All it says there is what it is and what it does.

[sunrisecc]

All updates are optional.

Did you read https://www.invisionpower.com/index.php?app...ounce&id=27 ?

Did you bother to research any of the many topics concerning the spamming?

I suppose not. <_<

[bfarber]

It comes down to this - at various points, people with unique setups can experience issues with *any* software. We apologize that you ran into a problem with the upgrade - honestly, really, we didn't intend to break anything on your site. ;)

When an issue occurs you can submit a ticket and we will ensure a solution is found, if at all possible (and in this case, surely the issue would have been corrected). We can't help that a software released to so many people *occasionally* runs into a problem, with millions of possible server configurations possible, but we do support our product fully. Again, if you have a problem, submit a ticket (as you did) and we will resolve it.

[KVentz]

The registration code did not match the one displayed, a new code has been generated, please try again".

Same problem, but only with internal captcha. Switched to reCaptcha.

[Jason H]

Same problem, but only with internal captcha. Switched to reCaptcha.

Ugh.. That one is a legit problem.

The new normal captcha is case sensitive.. And, at least to me, it's pretty dang difficult to read.. I can only get about 75% success with it.

I'd also download the package again, and replace the /ips_kernel/class_captcha_plugin/default.php file.. That was updated, and there's a bug report about that somewhere... Doing that will bring it up to about 75% success.. The rest.. It's being able to tell the difference between an upper and lower case S.. Very difficult sometimes.

I've actually gone in and edited that file to remove the letter S, K, X, and various others that you can't flat-out tell whether they're upper or lower case to make it easier.. The problem is.. You make it too easy.. The spammers come back.

[Mattador]

I've two question:

The Recaptcha System in ipb 3.0 HAVE the possibility to translate for explain to user how use it?? Because many people have problem with it becouse not know how work...

Now The Recaptcha is only in english (and other language but not mine), and i want translate in another language example italian... IPB 3 have this possibility??


Second question:

Ipb 3.0 Will have an internal Captcha system, that not have problem with readable difficult because are case sensitive??

Thanx.

[Luke]

I know that with the fopen functions if you try to open a remote file if allow_url_fopen is turned off, it will not allow you to access another server. This is quite frequently turned off on various server configurations. I'm not sure if fsockopen is affected by this though. But with fopen, the work-around I have is simply using curl by default if it's available on the installation. Pretty much every server I've seen where fopen is limited to local files, curl is available for use.

Every software I've ever seen that uses fsockopen has a fail safe. Like with some of the PayPal IPN softwares, they fall back to file_get_contents (wrapper of fopen) if it doesn't work. Seems to me like this function is not available more often than you know.

So why not do this:

1) Check if curl is available, and if so use it (should be a simple "function_exists" check).
2) Check to see if allow_url_fopen is turned on, and if so use fopen (should be a simple ini_get check)
3) See if fsockopen is available, and if so use it.

Another problem you should be aware of is proxies. It's quite odd, but certain hosts like GoDaddy use some sort of odd proxy setup. Using curl, and possibly fsockopen, you have to have special settings to connect through this proxy, otherwise you will not get out. And this gets tricky because you have to set the proxy server location. Of course you would need to test a host with this configuration.

I'm not saying that you should support proxy setups, but at the very least you should use fallbacks. And if curl is available, it's safe to say it'll work.

[Mattador]

Someone of staff can answer to my post wrote before??? Thnks..

[bfarber]

I've two question:

The Recaptcha System in ipb 3.0 HAVE the possibility to translate for explain to user how use it?? Because many people have problem with it becouse not know how work...

Now The Recaptcha is only in english (and other language but not mine), and i want translate in another language example italian... IPB 3 have this possibility??

Second question:

Ipb 3.0 Will have an internal Captcha system, that not have problem with readable difficult because are case sensitive??

Thanx.

reCAPTCHA controls the text and languages - unfortunately if your language is not an option in the dropdown, reCAPTCHA doesn't support it and there's nothing we can do to change that at the moment.

They presently support

• English
• Dutch
• French
• Turkish
• Spanish
• German
• Portuguese
• Russian
  

They do allow you to do custom theming to use other languages, but that would have to be a modification.

[Richad]

wow looks like I stepped into the same trap. Ever since upgrade two things happened:
1. Registrations virtually dropped to 0
2. Security and Privacy Setting page has become inaccessible

I submitted a ticket but I honestly dont know what can be done about this as I have tried many different things.

[bfarber]

If you have any support issues, submitting a ticket is the best option. Our techs will resolve it, one way or another.