Tips to stop the bots (do it for 02 days before criticizing)
01 - block bit.makejar.com (and their wallets)
02 - block ifaucet.net (and their wallets)
03 - block 188.166.12.134
Note that 90% of bots are gone and only become real people.
Why do you think that traffic from ifaucet.net and bit.makejar.com are bots? |
|
|
|
|
We're seeing a sudden spike of traffic. I'm not sure whether it's an attack or not, but expect small disruptions. I'm working on minimizing the issues.
|
|
|
|
Hello eveyryone, I would like to know if the faucetbox api handles negative amounts in case I need to process a charge back against a member that is cheating.
Thanks
Chargin back is not possible. If you sent coins to the users it's too late, you can't revert that. |
|
|
|
Everything is basically security by obscurity Tbh, I don't believe in that. There are many open-source projects that are more secure because it's open. Bitcoin itself is open and the concept itself makes it secure. English is not my native language, so I think I was misunderstood  . When I said "Everything is basically security by obscurity", I referred just to bot protections. Do you disagree with that too? I would love to see a protection that's not easily bypassed and isn't just another CAPTCHA. BTW, I absolutely agree with you and most here that its gonna be incredible hard, or even impossible, to make a faucet script that is protected against bots and scammers. That's is also my dilemma (and mentioned by others) if this should be open or not.
As I said, I believe that the best bet is just to make a custom script that won't be used by tens of faucets. No one (I hope) will bother to write a bot for a script that's used just by a couple of sites. Going open source will help you with "hard" security vulnerabilities like SQL Injection or logic errors. But can also make your script popular and popularity is something that I think is a danger here. PS: FIB is not open-source AFAIK. We are just able to read the source code and mod it although the last is formally not even allowed.
Well, we should probably change that license. Our only concern is preventing reselling the script. I'll see if we can do that in next release. |
|
|
|
|
The thing is there's no real bot protection that I'm aware of. Everything is basically security by obscurity, which only works as long as it's custom and only used by a few faucets, because people making bots don't have enough motivation to investigate and bypass given protection.
So open-sourcing your script won't be a problem directly, but if many other people start using it too, then it may hit you.
|
|
|
|
Finally figured it out but I sure hope the script will be changed to include this in the future.
For a few days I noticed a high amount of payouts on my faucet from a specific ref address. Currently there are 700+ addresses related to this ref address. Each address has an auto payout of 0.5 bitcoin (via address checker). Obviously, I did ban the ref address but this only rejects ref payouts to that address. I did some private modding on the script so all sessions that include that ref address are no longer paying out. That is all that are processed with the /?r=ADDRESS url or even the addresses for which the ref address was registered.
I'm pretty new to the whole faucet concept and the FIB script. Not sure if the developer is reading this, if so, please include the above checks (optionally or not) in your next script version. If you know that a ref address is used by a scammer/bot then most likely addresses that are using the ref address are also from a scammer/bot.
Hope it all makes sense. If not then feel free to ask of course.
What stops the scammer/bot from changing his ref address as soon as he sees that you blocked him? |
|
|
|
The disclaimer would allow people to make a decision about whether or not they want to risk their bitcoins. Since we know that the faucetinabox script is under heavy bot pressure, it is the right thing to do. I do realize that this is open source and that you have to think outside of that box when you design something to be hardened. This project is php driven. All input fields can have a randomly generated id with only the server side knowing which IDs are valid and which are honeypots. Randomly moving the fields will also help.
We already do random ids for the address field, it doesn't work. That's because most bots are using browser-based extensions, so it doesn't matter what id a honeypot have and how random it's position is, because bot can just directly "ask" browser if the input is visible or not. There's really nothing more you can do in Faucet in a BOX that can't be bypassed by a bot. All it takes is 5 minutes to update the bot to handle things like random position, random names and 10 minutes to bypass things like checking mouse movement and keyboard inputs. Diversity and - as you said - thinking outside the box is the only protection until CAPTCHA providers get better. And the problem with bots isn't that high if you don't submit your faucet to our list. Looks like most bots are lazy and only crawl https://faucetbox.com/list when looking for victims... |
|
|
|
Just a simple question - if the newly installed faucet just showing a blank page, usual cpanel hosting.
Set $display_errors = true; in your config.php file. Does it show any errors now? Also make sure you're using PHP 5.4 or newer. |
|
|
|
By putting some random visible field and changing it daily with different questions. Instead of honeypot Some what like captcha. Can this reduce bots or not. Along side actual captcha.
I think bot maker will have to edit bot each time to claim
No, bot can identify this automatically, just like a human can. I don't know if you noticed it, but the name of a address field in Faucet in a BOX is randomized. That means that bots already have to analyze the page and guess which field is the address input. If they can do that already, then it's no issue at all for them to also identify a honeypot and ignore it. |
|
|
|
I already suggested faucet box owner to provide some thing to owner to check before the faucet box payouts to users to supervise if there is any bot attack from some IPs addresses to avoid sending payout to those.
But from reply of faucet box owner made me realise that actually users are important for faucet box not the owner.
More bots = more money in the faucets = more 2.5% commission for Faucetbox.com We're not that short-sighted . Bots were discussed many and many times here already. It's easy to say that security of our script suck, but hey, that's a market for you right here right now. Make something better and start selling it. The real problem is that it's the CAPTCHA job to keep bots out. When CAPTCHA fails there's not much we can do. You can say that naming honeypot field as "honeypot" is wrong, but that doesn't change anything. Even if it would be a random field name every time, bots can work this around. It's just a matter of what's profitable for them. Your custom faucets may not be affected by bots, but that's not because your security is much better. It's just that your faucets are different and it's not profitable for bots to implement support for things you do differently. But if we change something in Faucet in a BOX, hundreds of faucets have that change and then it's worth for bots to invest some time in working around this. We truly believe that the best way is: 1. encouraging people to do their own scripts. Not only diversity will help with bots, but also it will make it more pleasant to users. 2. automatic identification of networks with services like http://getipintel.net/ . We're working on making NastyHosts.com competitive here (right now it only stops a small fraction of bots, mainly Tor and AWS) If you want to verify users by email, by phone number or you want to manually review each payout, no problem, you can easily implement that in your script and make it better for everyone. EDIT: As for reviewing IP addresses by FaucetBOX.com team, we tried that via NastyHosts.com. Unfortunately thousands of addresses per hour is too much for a manual review. |
|
|
|
Hello, Kazuldur.
I have found this honeypot code into /templates/default/index.php:
<input type="checkbox" name="honeypot" style="position: absolute; left: -999px">
Is it working? What function is handling with this honeypot?
https://bitcointalk.org/index.php?topic=1094930.msg12422131#msg12422131It works, but it doesn't block immediately, it only reports this information to NastyHosts.com and then we use this data to identify networks that bots use. |
|
|
|
i am facing too much problem today in faucetbox
What problems do you have? |
|
|
|
What errors do you see?
EDIT: I don't see any errors in logs and our performance graph doesn't show any issues. Does it happen to others too?
This is what I am getting, and my error log is becoming HUGE because of it. Everything was fine 2 days ago. EDIT: The faucet is working, and it sends payments and everything These aren't errors from FaucetBOX.com API. These errors indicate problems with connecting to the DNS nameserver your hosting is using, because: 1. there are errors about problems with connecting not only to FaucetBOX.com, but also to reCaptcha 2. the error is "Couldn't resolve host name", which means that it couldn't even translate faucetbox.com domain into IP address. Due to the way DNS works, it's not something that we are responsible for directly, so the problem must be somewhere on your side. |
|
|
|
Something is wrong with the API. It goes down every 2/3 minutes for a bit.
What errors do you see? EDIT: I don't see any errors in logs and our performance graph doesn't show any issues. Does it happen to others too? |
|
|
|
Same code? Lol I redid that without looking at your code.  Well, the file is named a little bit different and we insert an invisible DOM element instead of defining a variable and we only disable button instead of replacing whole page, but the principle is the same |
|
|
|
Hi, I saw some rotators around like this one Yoyobtcrotator.cf/index.htmlfrom which you can claim reward even if your ad-blocker is on.I 'm using faucetbox anti ad-blocker but nothing happens.You can claim easily & its a totally loss of faucet owners. So today i use meta tag to block my site using as an iframe but its not a solution.I will lose many visitors.Any suggestions to use and trigger anti ad-block script in rotators? This works with a lot of adblockers (not all I guess). It shows a message but can easily be changed to hide the reward button. Between the <head> tags: <script type="text/javascript" src="showads.js"></script> Under the <body> tag: <script type="text/javascript">
if( window.canRunAds === undefined ){
document.writeln('Please disable your adblocker!');
}
</script> The showads.js file is just a text file with this code: That's exactly what builtin Faucet in a Box anti ad-blocker does. |
|
|
|
hi, when it will be available for ether faucet? We don't plan it for a few more months at least. |
|
|
|
Hi, freegeoip.net is no longer going to work stable. My question is what alternative can be used? I use geolocation to pay users.
I believe CloudFlare can provide user's location in a custom HTTP header. Not only it will be stable, it'll also be much faster (as you won't need extra http request to external service). If this doesn't work for you, you can use the other geo-location service I mentioned a page back in this way: $countryCode = json_decode(file_get_contents('http://geoip.nekudo.com/api/' . getIP()))->country->code;
I'm not sure but Remote addr won't work with cloudflare. I had the problem and it worked with x-forwarded for. Remote address return the ip of the cloudflare server. You may look here's example uses getIP() which can handle that (and does that securely). The problem here isn't getting the IP itself, but getting the geographical location of user. |
|
|
|
Hi, freegeoip.net is no longer going to work stable. My question is what alternative can be used? I use geolocation to pay users.
I believe CloudFlare can provide user's location in a custom HTTP header. Not only it will be stable, it'll also be much faster (as you won't need extra http request to external service). |
|
|
|
Which off the captcha system providers are good to avoid the bots ?Are you planning to add any other company of captcha more hard to bots to make the claim auto?
Do you suggest any captcha service? Sadly we didn't find any that we'd consider safer than what we currently offer. since, you don't reply to my PM, i am here posting the same in public,
1) I am running 3 faucets from single faucetbox account.
I would like to know the individual total payout stats of every faucets by monthly basis, so we can calculate our profits. Currently it's not showing correctly.
Stats should be shown like Date 1 to Date 30/31 (end of the month) for all individual faucets.
2) Can you move one of the faucet to newer faucetbox account without losing old userbase and stats?
1. that's something we're working on, however it requires deep changes in our system, so it will take a while. You can always implement something like that in your faucet script. 2. I don't see how userbase is related to faucetbox account. No, we can't move faucet without losing stats. I am waiting for my withdraw its almost more then 3 days today site is also down any update about this ?
What's your address? I received my bitcoins but LTC and Dash both still not waiting for some your intention in these both coins thanks Sorry for delays, all coins should be transfered today. Faucetbox was good until it added "This faucet exceeded it's safety limits!" Everytime I see that message and think of the time has been wasted, I want to punch a hole through my screen.
Unfortunately that's a problem FaucetBOX.com has to face when trying to find the sweet spot between interest of users, faucet owners and overall performance. We're working on showing this information before the captcha, so you'd immediately know that there's no point in solving it. For now I just recommend avoiding faucets that abuse that feature. It's something that faucet owners should set high enough to never be triggered on daily basis. If you see that more than once or twice on a single faucet, you should probably stop using it. |
|
|
|
|
Show Posts
