Bitcoin Forum
Author Topic: FaucetBOX.com Discussion  (Read 236938 times)
This is a self-moderated topic. If you do not want to be moderated by the person who started this topic, create a new topic.
BitBustah
January 14, 2016, 05:13:09 PM
 #1681

Check in my signature, follow the instructions and within minutes the problem was solved thanks to user LosingAlpha :)"


Anything that is javascript can be easily bypassed.


Now that you mention it and I think of it: One could write the timestamp to a session variable when the user visits the landing page and check the seconds between that timestamp and the time the claim is being "processed". There's no way to cheat on that.
BrannigansLaw
January 14, 2016, 05:17:12 PM
 #1682

Check in my signature, follow the instructions and within minutes the problem was solved thanks to user LosingAlpha :)"


Anything that is javascript can be easily bypassed.


Now that you mention it and I think of it: One could write the timestamp to a session variable when the user visits the landing page and check the seconds between that timestamp and the time the claim is being "processed". There's no way to cheat on that.

exactly isn't antibot links js? I've not used it but I have my own antibot links which are JS as well as a maths question also JS and yeah they skip right past them. So couldn't you return a checkbox in send() function which must be clicked first to send? Not JS.
BitBustah
January 14, 2016, 05:29:26 PM
 #1683

So couldn't you return a checkbox in send() function which must be clicked first to send? Not JS.


In your form you could do something like:
Quote
<input name="antibotcheckbox" type="checkbox" id="antibotcheckbox" value="aintnobot">


And in the index.php file you could do something like:
Quote
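// An unticked checkbox is not submitted at all, so test for its presence first.
// The expected value must match the value attribute of the form input ("aintnobot").
if (isset($_POST['antibotcheckbox']) && $_POST['antibotcheckbox'] === "aintnobot") {
    $ret = $fb->send($address, $reward);
} else {
    // Same result structure as a failed send(), so the page can display it.
    $ret = array(
        "success" => false,
        "message" => "Checkbox failure.",
        "html" => "You have to check the checkbox to prove you are not a bot."
    );
}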


A scammer could easily read that "anticheckbox" variable and send it by default. It would be better if you used sessions and create a variable name for the input variable. Then the code would always be different.

Quote
<input name="this_value_random_each_time" type="checkbox" id="antibotcheckbox" value="aintnobot">


I could check it out for you but I'm really busy atm...
minifrij
January 14, 2016, 05:33:09 PM
 #1684

Now that you mention it and I think of it: One could write the timestamp to a session variable when the user visits the landing page and check the seconds between that timestamp and the time the claim is being "processed". There's no way to cheat on that.
I actually suggested that previously with a small example of code to show what I'm talking about. Is this similar to what you mean?

exactly isn't antibot links js? I've not used it but I have my own antibot links which are JS as well as a maths question also JS and yeah they skip right past them. So couldn't you return a checkbox in send() function which must be clicked first to send? Not JS.
Any HTML checkbox could also be automatically selected by just adding 'selected' into the tag. Anything that the user can see (Javascript, HTML etc) and is in plain text is very easy to manipulate if you make it obvious; you shouldn't rely on things like that to stop bots. You should use PHP (or another server side language) verification which the user cannot see or edit to stop bots.

Also, to follow on from what BitBustah said:
A scammer could easily read that "anticheckbox" variable and send it by default. It would be better if you used sessions and create a variable name for the input variable. Then the code would always be different.
You should also add several checkboxes into your page with other variable names, else they could just check the first checkbox they see and get it right.
BitBustah
January 14, 2016, 05:35:56 PM
 #1685


Exactly. Sorry for not seeing it. Good snippet btw ;)

You should also add several checkboxes into your page with other variable names, else they could just check the first checkbox they see and get it right.

True. The use of a variable input name would prevent that.
BitcoinFuture99
January 14, 2016, 05:37:15 PM
 #1686

Bots deal with the form, not JavaScript and CSS, so the best way to cheat bots is to make a hidden input in the form with the same address field as the main faucet, and change the actual address field to something else, changing the other variables required in other files as well.

Hide this hidden field with CSS, and make it a condition that this input field is not filled. Bots will take this field to be the actual field and fill it, but the condition will not let the claim succeed. Because it is hidden, loyal users will not see this field and will fill in the actual field.
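
The server-side checks proposed in the posts above (a load timestamp kept in the session, a per-visit random checkbox name, and a hidden field that must stay empty), combined in one place. This is an added example, not part of the thread and not Faucet in a Box code; the function names, the 5-second minimum and the `hidden` CSS class are assumptions, and plain arrays stand in for $_SESSION and $_POST.

```php
<?php
// Added example, not Faucet in a Box code. $session stands in for $_SESSION and
// $post for $_POST so the script runs from the CLI; all names are hypothetical.

const MIN_SECONDS = 5; // assumed minimum time between page load and claim

// Landing page: store per-visit field names and the load time server-side.
function issue_claim_form(array &$session, int $now): string
{
    $session['checkbox_name'] = 'c' . bin2hex(random_bytes(8));
    $session['honeypot_name'] = 'h' . bin2hex(random_bytes(8));
    $session['issued_at'] = $now;
    return '<input type="checkbox" name="' . $session['checkbox_name'] . '" value="1">'
         . '<input type="text" name="' . $session['honeypot_name'] . '" class="hidden">';
}

// Claim processing: returns null when the claim passes, else the failure reason.
function check_claim(array &$session, array $post, int $now): ?string
{
    $checkbox = $session['checkbox_name'] ?? null;
    $honeypot = $session['honeypot_name'] ?? null;
    $issued   = $session['issued_at'] ?? null;
    // Single use: clear the stored values so a replayed POST cannot reuse them.
    unset($session['checkbox_name'], $session['honeypot_name'], $session['issued_at']);

    if ($checkbox === null || $honeypot === null || $issued === null) {
        return 'no form was issued for this session';
    }
    if ($now - $issued < MIN_SECONDS) {
        return 'claim arrived too soon after the page load';
    }
    if (($post[$honeypot] ?? '') !== '') {
        return 'hidden field was filled in';
    }
    if (($post[$checkbox] ?? '') !== '1') {
        return 'checkbox was not ticked';
    }
    return null;
}

// Constructed requests: a normal claim, a replay of it, and an instant claim.
$session = [];
issue_claim_form($session, 1000);
$form = [$session['checkbox_name'] => '1'];
var_dump(check_claim($session, $form, 1010));
var_dump(check_claim($session, $form, 1011));
issue_claim_form($session, 2000);
$form = [$session['checkbox_name'] => '1'];
var_dump(check_claim($session, $form, 2001));
```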
BitBustah
January 14, 2016, 05:37:36 PM
 #1687

The input field for the wallet address already uses a random input field name. It seems to me that adding a checkbox (and thus second random input field name) would not increase the security against bots.

Quote
<input class="inpfield" type="text" name="<?php echo $data["address_input_name"]; ?>" value="<?php echo $data["address"]; ?>" size="60">

Kazuldur, what do you think?
BitcoinFuture99
January 14, 2016, 05:50:16 PM
 #1688

The input field for the wallet address already uses a random input field name. It seems to me that adding a checkbox (and thus second random input field name) would not increase the security against bots.

Quote
<input class="inpfield" type="text" name="<?php echo $data["address_input_name"]; ?>" value="<?php echo $data["address"]; ?>" size="60">

Kazuldur, what do you think?

Then we need to study those bots and test them ourselves to know how they find these fields. Also, what if we make two fields of this kind, with one field being the true one?


Also the main One common Bot browse the full website with ads but these form fields are filled without visitors to see our faucet ads.
Kazuldur (OP)
January 14, 2016, 06:41:32 PM
 #1689

Just to sum up last few posts about bots/abusers and to show my view on it:

1. adding random things to session won't help much. There's already random name of the address input and bots can handle it, so it won't be a problem for them to also handle something new.
2. calculating the time between visiting the landing page and making a claim won't help, bots will just add some delay (and they can even make it a little bit random, so you won't be able to tell a difference from real person)
3. trying to detect mouse movement etc and sending this info through AJAX won't help, bots can just spoof the request
4. there already is a hidden field AND a hidden checkbox in Faucet in a Box script, but it only helped for a week or so until bots were modified to avoid that field. We could also make names of these hidden fields random, but then bots will be able to just traverse the DOM tree to find the real ones. And if you make a few visible fields and somehow tell the user which one is valid, bots will be able to read it too.
5. any javascript-based "protections" aren't worth anything. That includes most anti-bot links, though I've seen one implementation that also used a backend code and could help (but that isn't significantly different from just another captcha, so again, a short-term solution)

I believe that there's no point anymore in this cat and mouse game. Anything that can be done by a browser and a user sooner or later will be done by bots, it's just a matter of time it takes to code it. And to be honest it's usually asymmetric, where it takes longer to implement the protection than it takes to implement handling of it in a bot.
Also, what I believe is that automated bots aren't really a problem. "Captcha rotators", scripts that show a captcha to the user and automatically change proxies, are worse, as from my experience they are more common.

However there's only one solution, both to automated bots and these nasty rotators: detect networks used by abusers and ban them. Make sure you have protections in place that will prevent your faucets from going dry in case of attack and will allow you to react and stop abusers, at least until they change networks again.

At FaucetBOX.com we're currently focusing on:
1. improving NastyHosts.com using various blocklists and metadata
2. adding features that will help to quickly react to an attack and will prevent losing too much coins.

Unless stated otherwise, all opinions are of my own, not FaucetBOX.com's.
BitBustah
January 14, 2016, 06:45:43 PM
 #1690

detect networks used by abusers and ban them.

Hail. I totally agree. But it takes time and work. There's no easy solution.
BitcoinFuture99
January 14, 2016, 07:19:06 PM
 #1691

At FaucetBOX.com we're currently focusing on:
1. improving NastyHosts.com using various blocklists and metadata
2. adding features that will help to quickly react to an attack and will prevent losing too much coins.

Good to hear that. Something good
misterbit
January 14, 2016, 11:14:20 PM
 #1692

Is there a way to get random captcha? for example that funcaptcha are rotating and are you human?
BrannigansLaw
January 15, 2016, 11:02:34 AM
Last edit: January 15, 2016, 11:13:20 AM by BrannigansLaw
 #1693

Is there a way to get random captcha? for example that funcaptcha are rotating and are you human?
I thought this but then worried perhaps it then wouldn't matter which captcha was completed.
Kazuldur (OP)
January 15, 2016, 02:21:48 PM
 #1694

Is there a way to get random captcha? for example that funcaptcha are rotating and are you human?
I thought this but then worried perhaps it then wouldn't matter which captcha was completed.

Even if it would matter which captcha was completed (you can implement something like that easily), it wouldn't help against bots. It's trivial for a script to check which captcha it has to solve.

Unless stated otherwise, all opinions are of my own, not FaucetBOX.com's.
misterbit
January 15, 2016, 03:20:16 PM
 #1695

Do you know if there are bots jumping funcaptcha?
FaucetRank.com
January 15, 2016, 03:33:23 PM
 #1696

Do you know if there are bots jumping funcaptcha?

nope I didn't hear such matter that funcaptcha can be avoided.

misterbit
January 15, 2016, 03:36:20 PM
 #1697

Do you know if there are bots jumping funcaptcha?

nope I didn't hear such matter that funcaptcha can be avoided.
OK thanks
ryandanielt
January 15, 2016, 10:23:13 PM
 #1698

Do you know if there are bots jumping funcaptcha?

nope I didn't hear such matter that funcaptcha can be avoided.
OK thanks

Just thought I would share because I can guarantee that I am not the only person that will get hit, there is a user running a very large and successful BotNet that is designed to bypass captchas and drain faucets. I was hit today and luckily enough I was able to catch it in time, person got away with 0.5 + BTC. The user is using a subnet of ip's and I mean hundreds of ip's all from Vietnam with an ASN ID of AS7552 Viettel Corporation.

I got it reported to my Proxy/Bot protection provider pretty fast and they managed to mitigate the attack pretty quickly by indexing all IP's as bots.

Sad part is the BTC was still lost because my timing was not fast enough but thankfully that was all they got.


Hope this helps to prevent further attacks by this person on any other faucets!

Crypto Ninja! Want my signature? Perhaps you want my avatar? Let me know :)
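
The two protections named in post #1689 and needed in the attack reported above (banning abusive networks, and keeping the faucet from going dry while you react), as an added example that is not from the thread or from FaucetBOX.com. Claims are grouped by IPv4 /24, an assumption standing in for the per-ASN lookup that would need an external database; the log, thresholds and function names are constructed.

```php
<?php
// Added example: the claim log, thresholds and function names are constructed
// for illustration. Grouping is by IPv4 /24 as a stand-in for a network lookup.

const WINDOW_SECONDS     = 600;  // assumed sliding window
const MAX_CLAIMS_PER_NET = 3;    // assumed claims allowed per /24 per window
const PAYOUT_BUDGET      = 5000; // assumed satoshi payable per window

// 203.0.113.77 -> 203.0.113.0/24; null when the address is not valid IPv4.
function net24(string $ip): ?string
{
    $n = ip2long($ip);
    return $n === false ? null : long2ip($n & 0xFFFFFF00) . '/24';
}

// Replays the log in time order; returns [decisions, banned networks].
function review_claims(array $claims): array
{
    $seen = []; $banned = []; $paid = []; $decisions = [];
    foreach ($claims as [$ts, $ip, $amount]) {
        $net = net24($ip) ?? 'invalid';
        $cutoff = $ts - WINDOW_SECONDS;
        // Count this network's claims inside the window, including this one.
        $seen[$net] = array_filter($seen[$net] ?? [], fn($t) => $t > $cutoff);
        $seen[$net][] = $ts;
        if ($net === 'invalid' || count($seen[$net]) > MAX_CLAIMS_PER_NET) {
            $banned[$net] = true;
        }
        // Total paid inside the window, across all networks.
        $paid = array_filter($paid, fn($p) => $p[0] > $cutoff);
        $spent = array_sum(array_column($paid, 1));
        if (isset($banned[$net])) {
            $decisions[] = "deny $ip: network $net is banned";
        } elseif ($spent + $amount > PAYOUT_BUDGET) {
            $decisions[] = "hold $ip: payout budget for the window is used up";
        } else {
            $paid[] = [$ts, $amount];
            $decisions[] = "pay $ip";
        }
    }
    return [$decisions, array_keys($banned)];
}

// Constructed log: [unix time, client IP, satoshi]; documentation address ranges.
$log = [[100, '198.51.100.7', 1000], [110, '203.0.113.10', 1000],
        [120, '203.0.113.11', 1000], [130, '203.0.113.12', 1000],
        [140, '203.0.113.13', 1000], [150, '203.0.113.14', 1000],
        [160, '192.0.2.50', 2000]];
print_r(review_claims($log));
```

The payout budget applies to every network, so a burst from addresses that are not yet banned is held for review instead of being paid out.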
BitBustah
January 15, 2016, 10:45:00 PM
 #1699

Please share IP ranges, thanks
NeedIfFindIt
January 15, 2016, 10:47:26 PM
 #1700

Is there a way to get random captcha? for example that funcaptcha are rotating and are you human?

I've seen such script in action, but it was buggy like hell.

Even without bugs the truth is that the bot will reload the page until he gets the captcha he wants >:(

It is way better to change it manually on a daily basis and stop using the captchas that don't stop bots at all.

The other idea is if you are uncertain if the user is using proxy or not ... just send him 1~2MB of incompressible data in the html before the faucet form. Most open proxies are slow and the connection may timeout or the bot may hang :) But don't do it to every user since your host will kick your ... ::)