I'm not convinced, I reckon they must have added some functionality because our HV questions are quite obscure things like:

what number is green on a roulette wheel?

Which I can't believe a bot would be able to answer without being programmed... there are other questions as well that are equally as 'confusing' for a bot (how many legs does a cow have with one leg short comes to mind hehe :)).

And yet somehow, they were getting through.

That's all over now, however.

I installed this a few hours ago and am very happy. The bot accounts were coming in fast and furious, despite a pool of 10 topic-specific questions. I had to resort to manually moderating every new account in an attempt to weed out the spam before giving them access.

I enabled the email function so I can get a feeling of how it is working, and it has denied access to 42 attempts in 5 hours. I might turn off new member moderation.

I'm glad you got it worked out, but I have a question for you: when you go to the admicp options, under Human Verification Options, did you have the "Register" box checked?

A bot can't answer but a spamming program can try the 100 most popular Q&A answers and I'm sure 2 is a super common answer.

Avoid answers that are:
Any number under 20
Any basic color
etc...

Yes, I have Register, Contact Us, and Recover Lost Password checked.

In the past 20 hours, there have been 135 blocked attempts. The majority of the times are still below 2 seconds, but a couple were edging up towards the 15-second mark.

This morning, I increased the time difference to 30 seconds. A few minutes ago, one blocked attempt had a time difference of 16 seconds:

I hope some of the bots are not catching on and intentionally adding a delay to the process in an attempt to get past the time limit. Am I giving them/it too much credit?

As much as I like the email notices, I am going to see if I can modify the code to add a PHP function that writes the information to a log file. I have never programmed in PHP, but I used to be good at C several decades ago.

The entire point of using bots is speed. I would be a little surprised if botnet admins started programming long delays between filling out the form and clicking submit. It sort of defeats the purpose of using bots.

It would have to be a pretty long delay - page load times are a factor in this, and sometimes with some of the really bad proxies these bots are on, page load time can be really slow. Add to that, there is no way for the botnet admin to determine what your time differential setting is.

I'll be curious to see if your 30 second setting catches any humans, I fear it might. Please update us with that. Increasing the time is far preferable to reducing it - reducing it only helps the bots.

Agreed. After posting, I realized that we are likely being hammered by armies of bots instead of one persistent bot, so the likelihood that one would be determined is probably small.

Perhaps not a bot, but a frustrated person not paid by the hour might take a keen interest in probing the defenses. However, as stated earlier, time is money and we are but one of millions of potential victims.

I'll likely adjust the time downward when I see more reporting times. As with any countermeasure, there must be a balance between preventing an unwanted event and not allowing a wanted event. Unfortunately, it is unlikely that I will know if a human was denied registration (unless they use the "Contact Us" process to complain), but I will certainly know if the bots breach the walls.

This can be determined by looking at the bot reports, you can usually tell by the username choice and the email address used if it's spammy... Or a human.

I have no doubt that as the time based test becomes more popular, botnet admins and botnet software designers will try to do a workaround. Problem is, they won't be all that aware of all the variables involved. Your individual setting, variable page load times - they would almost have to program in a 60 second delay in their bots, REALLY going against the whole reason to use bots to start with.

It will be interesting to see what the response is, if their ever is one. Spam fighting is a constant and ever changing war, heh.

I disagree. The point of using bots is automation.

You set the bot to run and you go one about your day. Whether it takes 5 minutes or 5 hours is of no real concern to the person spamming links across forums.

Yes it will take longer when the bots start adapting, but they will because there is still much money to be made with spamming links.

While the time-lock method is a good method it is still going to be better to have some sort of captcha type challenge easy for humans but impossible for bots, long term, IMO.

That said no reason not to install the bot-time-check for now.

- My 2 cents.