So is this mod working for you now?

Yes ist working :)

greetings

I have just installed this on VB4.2.2 PL2 and it is a GODSEND. It blocked no less that 1662 spambot attempts overnight.

Yes, this is why it is one of the mods I recommend. :)

Yes, I've installed all your recommendations ;)

What would be good is if there was an option to automatically submit all attempts under say... 5 seconds to Stop-Forum-Spam too...

Meh, I don't care for that mod myself. :)

Why not? If you prefer not to say in public, feel free to PM.

I just don't like anything off site controlling anything on my site. I prefer to control it in house. :)

Awesome mod. I have been moderating all new registrations for my site, which is a pain and requires a level of judgment (sometimes misjudgment). I installed this mod and it started catching them right away. Thanks!

P.S. I saw this in ozzy47's signature in another thread, so thanks for promoting it.

Glad it has helped you. :)

I am sorry if it's asked before but there is a point which I don't understand with the logic of this mod.

"Force Wait for Minimum Time" option enables submit button after minimum time has passed, but don't spambots also benefit this option? With disabling submit button they won't complete their registration and when it's available they will complete it. So they will get over the criteria and become a member. Am I wrong? Or do bots leave the page when they can't find the submit button?

Bot's don't use the page the same way a user does. While a human user looks at the page in a browser, fills in the fields, and might have to wait for the button to appear, a bot doesn't use a browser and doesn't have to use the submit button, it's just a program that can send data that looks just like a form being submitted from a browser.

It would be possible for a more sophisticated bot to see that the submit button isn't enabled and wait for it, or to just look and see how long to delay based on the timer in the javascript, but fortunately they don't seem to work that way. I think the reason this mod works is because it's not a standard feature of vbulletin. If it were, then someone might have already programmed a bot to get around it.

Thank you for clarification, Kevin.

Also there is a false field that exists with this mod, that humans can't see but bots do. And the bots are programmed to fill in false fields that aren't standard fields, with gibberish. This mod catches alot of bots right there.I've pointed this out before - programming around this mod is very tricky and self defeating for a botnet admin. First of all there's no way to guess the settings site to site. There's minimum and maximum time, false fields and all. So, let's say you have 2 million attempts a day with your botnet, what do you program the delay for?

Every second you are adding takes attempts away. And no one is going to trouble themselves to program this, site to site. They would simply move on to easier targets that don't have these checks.

Yeah, we have had this discussion before, and I guess we'll have to agree to disagree. Well, I will agree that they're not going to bother with a relative few sites when most of them don't have this protection, because that's the point I was making.

I'm an old guy who's been a programmer (both professionally and for fun) all my life, and I don't see this as being a major problem. But I have to admit that I have no experience with spambots, much less seeing the code of any of them, so maybe there's something I don't understand. What kind of experience do you have with them?

ETA: Oh, I should have mentioned, this mod doesn't actually have false fields. That is something that someone mentioned way back on the first page, I think, but I never did add it. But when you talk about programming bots, that seems like a more difficult problem than the time delay.

I've been specifically, a spam fighter and a botnet fighter for over ten years. I specialize in it. I am a long time XRumer license holder and keep up with every facet of its development. It has no way to program delays and adding that won't be happening, for the reasons I've mentioned. They talk about it in their dev areas. It's simply too problematic and counter productive, time is the essence of mass botnet spamming. Hardened targets mostly just get ignored since XRumer also has no alerts for you if you're not getting registered. (Who would be reading 10s of 1000s of these a day, anyway?) Especially with the option your mod has, telling them thanks for registering but no account was created.

Perhaps it's my misunderstanding, but what's this plugin you have in it, then?

The code there looks like you're adding a false field?

Well, like I said above, I can certainly see that it's not worth the trouble. But again, my point is that if it were a standard feature on every site then it *would* be worth the trouble, and someone would develop software to get around it. If you think of one program running, then a delay of 30 seconds or so per site seems like a big problem. But if you think of multiple threads or processes, or at least being flexible about the order in which things are done, I don't see it as a deal breaker.

But like I said, we'll have to agree to disagree, since the only way to settle it would be for me to develop a spambot, and I'm not going to do that.


I can see where you'd think that from the name of that plugin, but that refers to the hidden form fields used for the timing check. But it might serve the same purpose, since they contain values that have to be submitted with the form and can't be faked. One thing this mod does do (that's probably overkill) is that it generates a hash of the start time, the session id, and a secret string, and puts that in a hidden field. I thought this was an improvement over just putting the starting time, since a smart bot could adjust that to make the submission time seem longer.

Nothing is a standard feature on EVERY site. But I think you mean, every vBulletin site. There's not even a million of those, is there? Compared to the trillion or so sites on the web?

Softer targets get the bots Pal. It's the name of the game and the nature of the beast.

To those that have used this mod for a while can you share your experience as to which settings seem to work the best?

I use 25 seconds as the Minimum Elapsed Time, 2 seconds for Maximum Elapsed Time, for "Action" I use Stealth, no redirect and no error message, and Force Wait for Minimum Time = Yes.

BUT... I also use this in conjunction with the other anti-spam mods Ozzy and I recommend, here:

The Era of Big Spam is Over

Thanks Max

This isn't working on my forum.

To test, I set the minimum time to 60 and tested it out. It still allowed me to register?

I have BoP's rename register.php mod installed, does this conflict?

Cheers

That's way too long. Set at 25.

The best way to test this is not to try it yourself. Set the registration value to something like suggested, 25 seconds, make sure your email notification is setup, and wait to see the results.

To quote the author of this modification:

So that's exactly what I did. I also tested it myself at 25 seconds and still allowed me to register.

Well, maybe I should have been more clear. If you set it to 60 to test, then you would have to register in less than 60 seconds to get rejected. (ET: ...and you'd set it back to something lower once you've run your test). But assuming you did that, then I'm not sure what's wrong. I've had a few people talk about having the same issue and I don't think any of them ever came back to say what the issue was (or maybe they never fixed it).

If you have any other registration mods, you might try disabling them temporarily to see if that works. Oh, and I've been told that it doesn't work using the mobile interface, and since I've never worked with that I don't know how to fix that.

You're telling me you were able to register in under 25 seconds?

In any event, the best way to test is to still wait to see what shows up in your logs. As a human, you should be able to register. That's the whole point. The bots who register in seconds are the one's who should be blocked. And you won't really see that until you have logs to look at.

We're assuming you have it enabled. Hate to ask, but Mods being "off" does happen.:D

You were able to register AND a account was created?

Yes and yes.

I am, yes. I timed myself from the moment I landed on the registration page. 19 seconds in total and account was created and I was able to log in.

Topcat I suspect you might have a hook conflict going on with this. Do you mind posting a list of all your plugins and Mods installed?

Such conflict, could it also keep the auto template edits from being accomplished, Kevin?

I put min. 45 second
a maximum 6 minutes

I think that like this is really good. ;)

45 seconds is way to long, I would stick with something around 25.

Hey Kevin, how come sometimes the mod reports this for the timer in the post it makes, - Missing or invalid check value ?

I don't know, I don't think anyone mentioned that before. I'll look at it when I get a chance.

Ok cool, lemme know what ya find out.

I have been seeing those as well.

Any chance the E-mail could display the country the IP originates? Would be a quick visual on the ones that do make it through.

Excellent mod. Very simple to install and configure.

Marked as installed.

Is there a way to get the time the Bot used into the notification? I believe that is another important piece of information, if nothing else to find out if spambot learned to deal with it (at some point in the future this will most likely happen)

It's a little embarrassing, but it's been a while since I've used this myself with notifications turned on, but IIRC the time should be in the email or thread notification. I'm not sure what you mean by "learned to deal with". Do you mean knowing whether you have the cutoff time set correctly? If I understand what others have said here, normally all bots take a very short time.