Spam-Bee fail

Creating and modifying plugins.
Post Reply
User avatar
yellowled
Regular
Posts: 7083
Joined: Fri Jan 13, 2006 12:46 pm
Location: Eutin, Germany
Contact:

Spam-Bee fail

Post by yellowled » Mon Aug 26, 2013 2:40 pm

In my blog, the spam block chain of command is Spam Bee, Spam Bayes, Spam Block. I use Spam Bee with honeypot and hidden captcha.

Just now, someone who definitely did not have JS disabled, failed because of the hidden captcha. I was tracking his attempts to comment because he failed earlier and I had no explanation why. This is what I found in the spam_bee.log for said attempt to comment, and the part in bold does look a bit strange to me:
[2013-08-26 14:27:12] - [MODERATE: BEE HiddenCaptcha [ 8 != � ]] - [#46, Name
Hohum. Looks like an encoding issue of some sort. My blog is running on UTF-8, but maybe there's something wrong with the part of the Spam Bee plugin which generates the hidden captcha? I assume this is done using JS, so maybe a JS file isn't encoded properly or something?

I realize this is probably hard to debug for anyone but Grischa, but any help would be appreciated.

YL
amazon Wishlist - Serendipity-Podcast (German only, sorry)

User avatar
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: Spam-Bee fail

Post by Timbalu » Mon Aug 26, 2013 7:00 pm

Is that comment 'rejected' or set to be auto 'moderate' by spamblock and is there in the comment section?
I assume 'hiddenCaptchas' is set to 'moderate?!
Is that the default 'math' or a 'custom' Question & Answer?
Is 'useRegularExpressions' ON or OFF?
Which anwser did the one give?
Anything special on his side (Browser, OS)?

I assume it should be a number answer.
You could try to set an

Code: Select all

echo 'ANSWER: ' . $answer;
right before https://github.com/s9y/additional_plugi ... e.php#L432
and let him try again. The echo should be found somewhere on the page after submit.

This main error reason is based to his FORM POSTed answer, since not using JS, so nothing hidden IMHO.

But the logs ' � ' presence might be, if using file logging, which then isn't utf8 (which sound silly actually expecting a number there...). But this is not the errors main reason. What kind of Log is it?
Regards,
Ian

Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian

User avatar
yellowled
Regular
Posts: 7083
Joined: Fri Jan 13, 2006 12:46 pm
Location: Eutin, Germany
Contact:

Re: Spam-Bee fail

Post by yellowled » Mon Aug 26, 2013 7:50 pm

Timbalu wrote:Is that comment 'rejected' or set to be auto 'moderate' by spamblock and is there in the comment section? I assume 'hiddenCaptchas' is set to 'moderate?! Is that the default 'math' or a 'custom' Question & Answer? Is 'useRegularExpressions' ON or OFF? Which anwser did the one give?Anything special on his side (Browser, OS)?
Comment is moderated and can be approved in the Comments section. Hidden captcha is set to moderate, it's the default math question, no regexp.

User-Agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0"

The answer in this case is not entered manually, but given automagically by some piece of JS in the plugin, I think? The commentator did not have JS decativated.
Timbalu wrote:But the logs ' � ' presence might be, if using file logging, which then isn't utf8 (which sound silly actually expecting a number there...). But this is not the errors main reason. What kind of Log is it?
Standard text log by spam bee.

Code: Select all

 file -bi spam_bee.log
text/plain; charset=utf-8
YL
amazon Wishlist - Serendipity-Podcast (German only, sorry)

User avatar
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: Spam-Bee fail

Post by Timbalu » Mon Aug 26, 2013 8:25 pm

yellowled wrote:The answer in this case is not entered manually, but given automagically by some piece of JS in the plugin, I think? The commentator did not have JS decativated.
Sure? I think its like this. If not using JS you get a form field, to put your answer in. The logs � is, where the CAPTCHA answer (manual by no JS; auto by with JS) is awaited.

The other option is a hidden spam honeypot. A "Honeypot" is a hidden comment form field that should be left empty but as most SPAM bots do fill any field found it is an easy way to detect automatic commenting. This has nothing to do with above, IMO.

I would try to check that echo.
Regards,
Ian

Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian

User avatar
yellowled
Regular
Posts: 7083
Joined: Fri Jan 13, 2006 12:46 pm
Location: Eutin, Germany
Contact:

Re: Spam-Bee fail

Post by yellowled » Mon Aug 26, 2013 10:26 pm

Timbalu wrote:Sure?
Yes.

YL
amazon Wishlist - Serendipity-Podcast (German only, sorry)

User avatar
yellowled
Regular
Posts: 7083
Joined: Fri Jan 13, 2006 12:46 pm
Location: Eutin, Germany
Contact:

Re: Spam-Bee fail

Post by yellowled » Mon Aug 26, 2013 10:33 pm

There are two hidden fields in the source code of the comment form

* #comment_phone_input is the HoneyPot, an input field which is empty and not supposed to be filled at all (which some spam bots do anyway)
* #bee_captcha is the hidden captcha, which is supposed to be filled with the solution of a math question

The plugin includes a file called serendipity_event_spamblock_bee.js, which contains (among others) a function called fillCaptcha().

YL
amazon Wishlist - Serendipity-Podcast (German only, sorry)

User avatar
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: Spam-Bee fail

Post by Timbalu » Tue Aug 27, 2013 10:06 am

(My sure question was about you saying "not entered manually")

BUT we are talking about non-JS usage. How could you use a javascript, when not enabled?

Yes, the second one is the one in question. That is why I talked about getting a manual and non-hidden input to put the answer in. This is the same like in every other Captcha "plugin". This is:

Code: Select all

<div id="serendipity_comment_beecaptcha" class="form_field">
<label for="bee_captcha">What is zero plus four?</label>
<input class="" type="text" id="bee_captcha" name="serendipity[beecaptcha]" value="" placeholder=""/>
</div>
which is set hidden and answered automatically with JS enabled but viewable with manual answer for non-JS users.

The message and � error for the log is created on that already mentioned line 432 in function checkComment() based on ['POST']['beecaptcha'].
Line 419 checks if answer vs correct answer is correct and sets $isCorrect to true/false.
So between the line 391 $answer = ['POST']['beecaptcha'] and line 432 must be something wrong (which I personally don't think (*)) or the sent input value is wrong.

This is why the echo could help us (maybe move it even more up, best have it twice on L421 and L427).

This sent input value is where we differ, while you say it is set JS based wrong and I say its manually set wrong (incl. sth. weird ~browser/user/keyboard/something unusual~) in this case.

(*) There is a tiny chance that generateNumberString() may produce that �, but this wouldn't explain why L419 is already false.
Regards,
Ian

Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian

User avatar
yellowled
Regular
Posts: 7083
Joined: Fri Jan 13, 2006 12:46 pm
Location: Eutin, Germany
Contact:

Re: Spam-Bee fail

Post by yellowled » Tue Aug 27, 2013 10:25 am

Timbalu wrote:BUT we are talking about non-JS usage. How could you use a javascript, when not enabled?
You are. I'm still thinking “error in the plugin's JS”. :)

Because the commentator did definitely not solve the hidden captcha himself, he wasn't even aware there was a hidden captcha. I explained to him via Twitter why his comment (which I had explicitly asked him to post again to investigate the issue) wasn't showing up immediately, so I do know for a fact that he did not enter the result of the math question manually, period.

YL
amazon Wishlist - Serendipity-Podcast (German only, sorry)

User avatar
Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: Spam-Bee fail

Post by Timbalu » Tue Aug 27, 2013 10:43 am

Well then... I refered to you saying: " someone who definitely did not have JS disabled".
And I really see my fault now! I missed that double not, which did not turn to be "JS enabled" in my mind! :oops: So please forget all that.
Regards,
Ian

Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian

User avatar
yellowled
Regular
Posts: 7083
Joined: Fri Jan 13, 2006 12:46 pm
Location: Eutin, Germany
Contact:

Re: Spam-Bee fail

Post by yellowled » Tue Aug 27, 2013 12:12 pm

Sorry for the confusion. :)

I already pinged Grischa on Twitter to have a look at this, maybe he will chime in on this. I will leave on logging for all spam plugins for the time being so we may have data to look at, but I honestly don't see a good chance to debug this properly … :(

YL
amazon Wishlist - Serendipity-Podcast (German only, sorry)

User avatar
onli
Regular
Posts: 2264
Joined: Tue Sep 09, 2008 10:04 pm
Contact:

Re: Spam-Bee fail

Post by onli » Tue Aug 27, 2013 1:46 pm

More as a note: Yes, grischas help would be useful here. I don't really understand how he solved this - his php-code uses UTF-8, but the answer gets encoded with rawurlencode, but the js uses escape/unescape (which are both not suited for utf-8). Possible he combines in a clever way to solve all the encodings, but I don't see it.

Did you already try to set "Methode für Abfrage der Antwort" to json? That should change partly how the escaping is done.

User avatar
yellowled
Regular
Posts: 7083
Joined: Fri Jan 13, 2006 12:46 pm
Location: Eutin, Germany
Contact:

Re: Spam-Bee fail

Post by yellowled » Tue Aug 27, 2013 8:12 pm

onli wrote:Did you already try to set "Methode für Abfrage der Antwort" to json? That should change partly how the escaping is done.
No, I didn't.

I probably should add that this does not happen on every attempt to comment (by said commentator). So it's no really easy to reproduce, it seems to be kind of random.

Also, this isn't that big of an issue since comments which would reproduce this behaviour would get to the moderation queue. But I seem to remember Dirk reporting similar issues, which kind of hints to this being a general bug in the plugin.

But I'm not sure we're going to be able to debug this without Grischa. :?

YL
amazon Wishlist - Serendipity-Podcast (German only, sorry)

MarioH
Regular
Posts: 234
Joined: Mon Jul 20, 2009 10:53 pm
Contact:

Re: Spam-Bee fail

Post by MarioH » Sat Aug 31, 2013 5:35 pm

Hi,

just have a similar problem with a comment here.

The Spambee-Log says: BEE HiddenCaptcha [ 2 != ]

The user who did the comment is using Firefox 23 and has JS enabled.

Regards
Mario

Post Reply