I am sorry if it's asked before but there is a point which I don't understand with the logic of this mod.

"Force Wait for Minimum Time" option enables submit button after minimum time has passed, but don't spambots also benefit this option? With disabling submit button they won't complete their registration and when it's available they will complete it. So they will get over the criteria and become a member. Am I wrong? Or do bots leave the page when they can't find the submit button?

Bot's don't use the page the same way a user does. While a human user looks at the page in a browser, fills in the fields, and might have to wait for the button to appear, a bot doesn't use a browser and doesn't have to use the submit button, it's just a program that can send data that looks just like a form being submitted from a browser.

It would be possible for a more sophisticated bot to see that the submit button isn't enabled and wait for it, or to just look and see how long to delay based on the timer in the javascript, but fortunately they don't seem to work that way. I think the reason this mod works is because it's not a standard feature of vbulletin. If it were, then someone might have already programmed a bot to get around it.

Thank you for clarification, Kevin.

Also there is a false field that exists with this mod, that humans can't see but bots do. And the bots are programmed to fill in false fields that aren't standard fields, with gibberish. This mod catches alot of bots right there.I've pointed this out before - programming around this mod is very tricky and self defeating for a botnet admin. First of all there's no way to guess the settings site to site. There's minimum and maximum time, false fields and all. So, let's say you have 2 million attempts a day with your botnet, what do you program the delay for?

Every second you are adding takes attempts away. And no one is going to trouble themselves to program this, site to site. They would simply move on to easier targets that don't have these checks.

Yeah, we have had this discussion before, and I guess we'll have to agree to disagree. Well, I will agree that they're not going to bother with a relative few sites when most of them don't have this protection, because that's the point I was making.

I'm an old guy who's been a programmer (both professionally and for fun) all my life, and I don't see this as being a major problem. But I have to admit that I have no experience with spambots, much less seeing the code of any of them, so maybe there's something I don't understand. What kind of experience do you have with them?

ETA: Oh, I should have mentioned, this mod doesn't actually have false fields. That is something that someone mentioned way back on the first page, I think, but I never did add it. But when you talk about programming bots, that seems like a more difficult problem than the time delay.

I've been specifically, a spam fighter and a botnet fighter for over ten years. I specialize in it. I am a long time XRumer license holder and keep up with every facet of its development. It has no way to program delays and adding that won't be happening, for the reasons I've mentioned. They talk about it in their dev areas. It's simply too problematic and counter productive, time is the essence of mass botnet spamming. Hardened targets mostly just get ignored since XRumer also has no alerts for you if you're not getting registered. (Who would be reading 10s of 1000s of these a day, anyway?) Especially with the option your mod has, telling them thanks for registering but no account was created.

Perhaps it's my misunderstanding, but what's this plugin you have in it, then?

The code there looks like you're adding a false field?

Well, like I said above, I can certainly see that it's not worth the trouble. But again, my point is that if it were a standard feature on every site then it *would* be worth the trouble, and someone would develop software to get around it. If you think of one program running, then a delay of 30 seconds or so per site seems like a big problem. But if you think of multiple threads or processes, or at least being flexible about the order in which things are done, I don't see it as a deal breaker.

But like I said, we'll have to agree to disagree, since the only way to settle it would be for me to develop a spambot, and I'm not going to do that.


I can see where you'd think that from the name of that plugin, but that refers to the hidden form fields used for the timing check. But it might serve the same purpose, since they contain values that have to be submitted with the form and can't be faked. One thing this mod does do (that's probably overkill) is that it generates a hash of the start time, the session id, and a secret string, and puts that in a hidden field. I thought this was an improvement over just putting the starting time, since a smart bot could adjust that to make the submission time seem longer.

Nothing is a standard feature on EVERY site. But I think you mean, every vBulletin site. There's not even a million of those, is there? Compared to the trillion or so sites on the web?

Softer targets get the bots Pal. It's the name of the game and the nature of the beast.

To those that have used this mod for a while can you share your experience as to which settings seem to work the best?

I use 25 seconds as the Minimum Elapsed Time, 2 seconds for Maximum Elapsed Time, for "Action" I use Stealth, no redirect and no error message, and Force Wait for Minimum Time = Yes.

BUT... I also use this in conjunction with the other anti-spam mods Ozzy and I recommend, here:

The Era of Big Spam is Over