XF 2.0 "We detected that your site is verifying reCAPTCHA passed solutions less than 50% of the time."

DragonByte Tech

Well-known member
Logged in to my reCAPTCHA admin control panel today to see about bumping up the security since we've had a few too many spammers recently, and was presented with that lovely message in a big red banner.

According to this: https://tehnoblog.org/google-no-captcha-recaptcha-first-experience-results-review/:
This happens if you have issues with response verification at a later stage, e.g. your own website fails to properly process the returned response from Google when the reCaptcha response test actually passes. This can happen for various reasons. For example, when you use reCaptcha on your server as a top layer to verify users coming from dirty IPs known for spamming activities. In our case it was caused by a small analytics script which was sending a response to the server before the captcha was fully processed on the server, causing our server to respond with a premature 403 Access Forbidden status, and eventually blocking all such users from access, even when they passed the actual captcha test. We solved it by removing the offending js code, replacing it with our simple internal statistics tracking of failed and passed captchas instead.

There have never been any server error logs.


Fillip
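
What "verifying passed solutions" means on the server side, as an added example (not code from the thread or from XenForo): every token the widget issues has to be sent to Google's siteverify endpoint, and counting each outcome locally gives figures to set beside the admin console. `verify_captcha`, `verification_rate`, the counter names, the fake transport and its tokens are constructed for illustration, and comparing against the console's "Passed CAPTCHAs" column is an assumption about how that column relates to the warning.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

def post_siteverify(secret, token, timeout=5):
    """Real transport: POST the widget token to Google's siteverify endpoint."""
    data = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=timeout) as resp:
        return json.load(resp)

def verify_captcha(token, secret, stats, transport=post_siteverify):
    """Return True only when siteverify confirms the token; count every outcome."""
    if not token:
        stats["no_token"] += 1          # form arrived without g-recaptcha-response
        return False
    try:
        result = transport(secret, token)
    except (OSError, ValueError):       # network failure, timeout or malformed JSON
        stats["verify_error"] += 1      # a solved captcha that was never verified
        return False
    if result.get("success"):
        stats["verified"] += 1
        return True
    stats["rejected"] += 1              # e.g. timeout-or-duplicate, invalid-input-response
    return False

def verification_rate(stats, passed_reported):
    """Share of solutions the console reports as passed that reached siteverify."""
    reached = stats["verified"] + stats["rejected"]
    return reached / passed_reported if passed_reported else None

# --- constructed sample data below, so the block runs without network access ---
def fake_transport(secret, token):
    if token == "tok-down":
        raise OSError("constructed outage")
    ok = token.startswith("tok-ok")
    return {"success": ok, "error-codes": [] if ok else ["timeout-or-duplicate"]}

def run_demo():
    stats = Counter()
    for token in ["tok-ok-1", "tok-ok-2", "tok-replayed", "tok-down", ""]:
        verify_captcha(token, "constructed-secret", stats, fake_transport)
    return stats

if __name__ == "__main__":
    stats = run_demo()
    print(dict(stats), verification_rate(stats, passed_reported=20))
```

A persistently non-zero `verify_error` or `no_token` count points at the site's own request handling; a high `rejected` count with few errors points at the traffic.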
 
I'd be curious if this is still happening, though equally, it could actually be that there were a lot of failures at that time (for example, due to bots).
 
The message still displays:

[Attachment 187814]

Here's the analytics they let me download:
Code:
Date, no CAPTCHAs, Passed CAPTCHAs including noCAPTCHAs, Failed CAPTCHAs, Total Sessions, Passed Sessions, Average Response Time (seconds)
2018-09-28,0,0,0,20,0,0.00
2018-09-29,0,5,10,10,5,73.14
2018-09-30,5,20,45,45,20,105.06
2018-10-01,5,30,45,70,30,67.94
2018-10-02,5,10,0,30,10,29.06
2018-10-03,0,5,15,35,5,120.58
2018-10-04,0,5,5,50,5,12.02
2018-10-05,0,10,15,25,10,55.29
2018-10-06,5,15,0,25,15,23.78
2018-10-07,0,5,10,10,5,83.61
2018-10-08,10,15,5,30,15,73.99
2018-10-09,10,20,30,35,20,96.41
2018-10-10,5,10,45,45,10,79.60
2018-10-11,0,15,45,40,15,60.99
2018-10-12,5,15,15,30,15,53.56
2018-10-13,5,20,0,30,20,20.96
2018-10-14,0,5,15,25,5,68.24
2018-10-15,10,25,20,45,25,50.47
2018-10-16,5,20,85,70,20,50.12
2018-10-17,0,15,35,25,15,68.29
2018-10-18,0,15,25,40,15,57.37
2018-10-19,0,15,45,30,15,115.06
2018-10-20,0,15,25,35,15,92.89
2018-10-21,0,0,30,25,0,0.00
2018-10-22,0,15,40,20,15,115.11
2018-10-23,0,0,0,25,0,0.00
2018-10-24,0,5,40,35,5,132.90
2018-10-25,0,15,25,50,15,45.03
2018-10-26,5,25,45,65,25,106.95
2018-10-27,0,5,0,25,5,171.79
2018-10-28,0,5,5,15,5,88.36
2018-10-29,0,20,55,30,20,85.83
2018-10-30,15,15,0,25,15,9.19
2018-10-31,5,10,10,35,10,12.77
2018-11-01,5,45,120,60,45,106.61
2018-11-02,0,10,35,55,10,118.43
2018-11-03,10,35,55,65,35,77.96
2018-11-04,5,25,55,60,25,52.95
2018-11-05,0,5,85,40,5,3.39
2018-11-06,0,0,5,45,0,0.00
2018-11-07,5,15,30,85,15,64.39
2018-11-08,5,10,5,25,10,33.50
2018-11-09,5,15,35,55,15,29.37
2018-11-10,0,25,60,35,25,123.91
2018-11-11,0,0,25,20,0,0.00
2018-11-12,0,20,60,40,20,125.65

We've not had any messages on Twitter saying the registration doesn't work, and I did clean out a rather yuge bigly list of old spam bots. There was a point when we were on vB4 when Human Verification randomly turned itself off and a couple thousand bots registered, so maybe the bot networks have always had our forum's scent? 🤔


Fillip
 
Is this using an invisible captcha?

Our stats here aren't dissimilar in ratio, though no message for us and similarly, no messages about registration issues. Of course, we do know for a fact that we have a lot of spammers trying to register here, so I think this might just indicate that there are a lot of spam attempts in general.
 
Is this using an invisible captcha?
It is, yeah. The OP was written before we switched to Invisible Captcha; the only reason I heard about it was because I was looking into switching after finding out XF2 supports Invisible Captcha.

I think the difference may be that while you have a lot of spam bots registering, you also probably have a lot of legitimate users registering. Perhaps Google isn't too fussed about a high failure rate if you also have a high success rate?

If 20 requests succeed and 60 requests fail, that's a low enough sample size that maybe it's the implementation. If 200 requests succeed and 600 requests fail, that's probably not the implementation, that's probably just a lot of spam.

Of course I could be entirely wrong, but it sounds logical to me at least 🤔


Fillip
 