Anti-Spam Options - Spambot Stopper - Prevent Spambots from Registering

What is it?
----------------------------
This mod rejects registrations where the form is filled out in less than a minimum time. You can configure one of the following actions to be taken when an automated registration is detected:

- Show a "No Permissions" page
- Display the "Successful Registration" message but without creating an account
- Redirect the user to any URL you choose
- Reload the registration page with an error message of your choosing

You can also provide a list of email addresses to be notified each time a registration is blocked.

Added for version 1.1.1: Time delay enforcer, maximum time option, time limits to cut down on email notifications, posting to a thread.

In the future, I'd like to add some simple logging and statistics, and a summary type of email notification (because people seem to quickly get tired of the single emails).

Note: I coded this myself from scratch, but I would like to acknowledge a couple of previous mods that used this same idea, by users Calorie and noppid, and maybe others. In any case, I believe this one adds some features that the others don't have.

Other advantages: no ads or links, no abuse of update notifications, no disappearing features, no threats to delete the mod (it will never be deleted, at least by me). Also, translations are allowed.

Installation:
----------------------------
1) If you have "Is Bot", "Stop the Registration Bots", "Spammers Suck!", or another mod that works on registration time, note any admincp settings for that mod then uninstall it.

2) Import the product XML file from the Product Manager.

3) Go to Settings > Options > Spambot Stopper Options and configure the desired settings.

4) IMPORTANT: try to register a new user to make sure that there are no problems with humans registering. If you want, you can also temporarily set the minimum time to a higher value (like 60 seconds) and test to see if the spammer rejection is working.



History:
----------------------------
1.1.1 (Feb 16, 2013)

• Added timer for enforcing minimum time
• Added maximum registration time limit
• Added time limits for email notifications
• Added posting notificatiosn to a thread

1.0.1 (Feb 01, 2013)

• Fixed bug
• Added check for fake timestamps

1.0 (Jan 31, 2013)

• Initial Release

[keyness]

I am sorry if it's asked before but there is a point which I don't understand with the logic of this mod.

"Force Wait for Minimum Time" option enables submit button after minimum time has passed, but don't spambots also benefit this option? With disabling submit button they won't complete their registration and when it's available they will complete it. So they will get over the criteria and become a member. Am I wrong? Or do bots leave the page when they can't find the submit button?

[kh99]

Quote:

Originally Posted by keyness

I am sorry if it's asked before but there is a point which I don't understand with the logic of this mod.

"Force Wait for Minimum Time" option enables submit button after minimum time has passed, but don't spambots also benefit this option? With disabling submit button they won't complete their registration and when it's available they will complete it. So they will get over the criteria and become a member. Am I wrong? Or do bots leave the page when they can't find the submit button?

Bot's don't use the page the same way a user does. While a human user looks at the page in a browser, fills in the fields, and might have to wait for the button to appear, a bot doesn't use a browser and doesn't have to use the submit button, it's just a program that can send data that looks just like a form being submitted from a browser.

It would be possible for a more sophisticated bot to see that the submit button isn't enabled and wait for it, or to just look and see how long to delay based on the timer in the javascript, but fortunately they don't seem to work that way. I think the reason this mod works is because it's not a standard feature of vbulletin. If it were, then someone might have already programmed a bot to get around it.

[keyness]

Quote:

Originally Posted by kh99

Bot's don't use the page the same way a user does. While a human user looks at the page in a browser, fills in the fields, and might have to wait for the button to appear, a bot doesn't use a browser and doesn't have to use the submit button, it's just a program that can send data that looks just like a form being submitted from a browser.

It would be possible for a more sophisticated bot to see that the submit button isn't enabled and wait for it, or to just look and see how long to delay based on the timer in the javascript, but fortunately they don't seem to work that way. I think the reason this mod works is because it's not a standard feature of vbulletin. If it were, then someone might have already programmed a bot to get around it.

Thank you for clarification, Kevin.

[Max Taxable]

Quote:

Originally Posted by keyness

I am sorry if it's asked before but there is a point which I don't understand with the logic of this mod.

"Force Wait for Minimum Time" option enables submit button after minimum time has passed, but don't spambots also benefit this option? With disabling submit button they won't complete their registration and when it's available they will complete it. So they will get over the criteria and become a member. Am I wrong? Or do bots leave the page when they can't find the submit button?

Also there is a false field that exists with this mod, that humans can't see but bots do. And the bots are programmed to fill in false fields that aren't standard fields, with gibberish. This mod catches alot of bots right there.

Quote:

I think the reason this mod works is because it's not a standard feature of vbulletin. If it were, then someone might have already programmed a bot to get around it.

I've pointed this out before - programming around this mod is very tricky and self defeating for a botnet admin. First of all there's no way to guess the settings site to site. There's minimum and maximum time, false fields and all. So, let's say you have 2 million attempts a day with your botnet, what do you program the delay for?

Every second you are adding takes attempts away. And no one is going to trouble themselves to program this, site to site. They would simply move on to easier targets that don't have these checks.

[kh99]

Quote:

Originally Posted by Max Taxable

I've pointed this out before - programming around this mod is very tricky and self defeating for a botnet admin. First of all there's no way to guess the settings site to site. There's minimum and maximum time, false fields and all. So, let's say you have 2 million attempts a day with your botnet, what do you program the delay for?

Every second you are adding takes attempts away. And no one is going to trouble themselves to program this, site to site. They would simply move on to easier targets that don't have these checks.

Yeah, we have had this discussion before, and I guess we'll have to agree to disagree. Well, I will agree that they're not going to bother with a relative few sites when most of them don't have this protection, because that's the point I was making.

I'm an old guy who's been a programmer (both professionally and for fun) all my life, and I don't see this as being a major problem. But I have to admit that I have no experience with spambots, much less seeing the code of any of them, so maybe there's something I don't understand. What kind of experience do you have with them?

ETA: Oh, I should have mentioned, this mod doesn't actually have false fields. That is something that someone mentioned way back on the first page, I think, but I never did add it. But when you talk about programming bots, that seems like a more difficult problem than the time delay.

[Max Taxable]

Quote:

Originally Posted by kh99

I'm an old guy who's been a programmer (both professionally and for fun) all my life, and I don't see this as being a major problem. But I have to admit that I have no experience with spambots, much less seeing the code of any of them, so maybe there's something I don't understand. What kind of experience do you have with them?

I've been specifically, a spam fighter and a botnet fighter for over ten years. I specialize in it. I am a long time XRumer license holder and keep up with every facet of its development. It has no way to program delays and adding that won't be happening, for the reasons I've mentioned. They talk about it in their dev areas. It's simply too problematic and counter productive, time is the essence of mass botnet spamming. Hardened targets mostly just get ignored since XRumer also has no alerts for you if you're not getting registered. (Who would be reading 10s of 1000s of these a day, anyway?) Especially with the option your mod has, telling them thanks for registering but no account was created.

Quote:

ETA: Oh, I should have mentioned, this mod doesn't actually have false fields. That is something that someone mentioned way back on the first page, I think, but I never did add it. But when you talk about programming bots, that seems like a more difficult problem than the time delay.

Perhaps it's my misunderstanding, but what's this plugin you have in it, then?

PHP Code:

Time Check - Add Form Hidden Fields  register_form_complete 


The code there looks like you're adding a false field?

[kh99]

Well, like I said above, I can certainly see that it's not worth the trouble. But again, my point is that if it were a standard feature on every site then it *would* be worth the trouble, and someone would develop software to get around it. If you think of one program running, then a delay of 30 seconds or so per site seems like a big problem. But if you think of multiple threads or processes, or at least being flexible about the order in which things are done, I don't see it as a deal breaker.

But like I said, we'll have to agree to disagree, since the only way to settle it would be for me to develop a spambot, and I'm not going to do that.

Quote:

Originally Posted by Max Taxable

Perhaps it's my misunderstanding, but what's this plugin you have in it, then?

PHP Code:

Time Check - Add Form Hidden Fields  register_form_complete 


The code there looks like you're adding a false field?

I can see where you'd think that from the name of that plugin, but that refers to the hidden form fields used for the timing check. But it might serve the same purpose, since they contain values that have to be submitted with the form and can't be faked. One thing this mod does do (that's probably overkill) is that it generates a hash of the start time, the session id, and a secret string, and puts that in a hidden field. I thought this was an improvement over just putting the starting time, since a smart bot could adjust that to make the submission time seem longer.

[Max Taxable]

Quote:

Originally Posted by kh99

Well, like I said above, I can certainly see that it's not worth the trouble. But again, my point is that if it were a standard feature on every site then it *would* be worth the trouble, and someone would develop software to get around it.

Nothing is a standard feature on EVERY site. But I think you mean, every vBulletin site. There's not even a million of those, is there? Compared to the trillion or so sites on the web?

Softer targets get the bots Pal. It's the name of the game and the nature of the beast.

[burntire]

To those that have used this mod for a while can you share your experience as to which settings seem to work the best?

[Max Taxable]

Quote:

Originally Posted by burntire

To those that have used this mod for a while can you share your experience as to which settings seem to work the best?

I use 25 seconds as the Minimum Elapsed Time, 2 seconds for Maximum Elapsed Time, for "Action" I use Stealth, no redirect and no error message, and Force Wait for Minimum Time = Yes.

BUT... I also use this in conjunction with the other anti-spam mods Ozzy and I recommend, here:

The Era of Big Spam is Over