CodeR70
April 24, 2016, 03:30:09 PM
yep bots are bad.
I think faucetbox faucets might be something that will die off soon because of bots and not being able to make profit. I think we are going to see more signup and register faucets; that is the best way to avoid and catch bots out before they take your money.
Or one could code/develop his own script or one could heavily modify the faucetinabox script. I'm actually considering that, using the FIB api which seems to be pretty straightforward and simple. I'm also wondering about a custom script which includes some kind of signup mechanism but I think that would stop honest users from coming due to the extra "work" for a few satoshis. Although you probably have to up the rewards a little. Here is the thing, if I make it open-source, would you have the same problems again? I'm convinced open-source, in the long run, makes software more secure due to the amount of "eyes" going over the source code. On the other hand, which might be an issue here with FIB, real smart scammers/bot-coders have access to the code as well. As said before, I'm pretty new here so I'm sure it was already discussed. Of course, I don't mind to put in effort by reviewing FIB's source code and share my thoughts. Cheers guys and gals
BitBustah
April 24, 2016, 04:07:21 PM
I think, in general, that some faucet owners are "blabbing" too much about their anti-bot measurements here on the forum. It's almost like saying (almost asking) "come try to scam me now". I have considered selling my mods/custom scripts but I don't do it for 2 reasons:
- As soon as I sell a few copies, the scripts will be resold online for less money so I won't earn what I deserve
- Scammers will get their hands on the script: Eventually no faucet will benefit from it.
Kazuldur (OP)
April 24, 2016, 05:04:19 PM
The thing is there's no real bot protection that I'm aware of. Everything is basically security by obscurity, which only works as long as it's custom and only used by a few faucets, because people making bots don't have enough motivation to investigate and bypass a given protection.
So open-sourcing your script won't be a problem directly, but if many other people start using it too, then it may hit you.
Unless stated otherwise, all opinions are of my own, not FaucetBOX.com's.
CodeR70
April 24, 2016, 06:23:51 PM
Quote: Everything is basically security by obscurity
Tbh, I don't believe in that. There are many open-source projects that are more secure because it's open. Bitcoin itself is open and the concept itself makes it secure.
BTW, I absolutely agree with you and most here that it's gonna be incredibly hard, or even impossible, to make a faucet script that is protected against bots and scammers. That's also my dilemma (and mentioned by others) if this should be open or not. But here is an analogy I would like to make. If people want to steal your bike, they probably will be able to do so, even if you put multiple locks on it. Does it mean I should park my bike without a lock? Of course not. Or worse, should I not own a bike at all? With cryptography it's the same not. It's not so much if a person or an organisation is able to crack a code, it's a matter of how much effort, energy, cost, etc. And obviously the level of current technology. Anyway, I'm rambling.... sorry for that :-)
Cheers
PS: FIB is not open-source AFAIK. We are just able to read the source code and mod it although the last is formally not even allowed.
Kazuldur (OP)
April 24, 2016, 09:06:30 PM
Quote: "Everything is basically security by obscurity" Tbh, I don't believe in that. There are many open-source projects that are more secure because it's open. Bitcoin itself is open and the concept itself makes it secure.
English is not my native language, so I think I was misunderstood. When I said "Everything is basically security by obscurity", I referred just to bot protections. Do you disagree with that too? I would love to see a protection that's not easily bypassed and isn't just another CAPTCHA.
Quote: BTW, I absolutely agree with you and most here that it's gonna be incredibly hard, or even impossible, to make a faucet script that is protected against bots and scammers. That's also my dilemma (and mentioned by others) if this should be open or not.
As I said, I believe that the best bet is just to make a custom script that won't be used by tens of faucets. No one (I hope) will bother to write a bot for a script that's used just by a couple of sites. Going open source will help you with "hard" security vulnerabilities like SQL Injection or logic errors. But it can also make your script popular, and popularity is something that I think is a danger here.
Quote: PS: FIB is not open-source AFAIK. We are just able to read the source code and mod it although the last is formally not even allowed.
Well, we should probably change that license. Our only concern is preventing reselling the script. I'll see if we can do that in the next release.
CodeR70
April 24, 2016, 09:35:13 PM
Quote: English is not my native language, so I think I was misunderstood. When I said "Everything is basically security by obscurity", I referred just to bot protections. Do you disagree with that too? I would love to see a protection that's not easily bypassed and isn't just another CAPTCHA. [...snip...] Well, we should probably change that license. Our only concern is preventing reselling the script. I'll see if we can do that in the next release.
Sorry about the misunderstanding. I was generalising it too much and I do agree with you that bot protection is probably impossible (hence my bike analogy in one of my posts). If people think it's worth the effort then they will try, even with closed source. About the license, I totally understand. It's always tricky and these days you have to be a high-grade lawyer to understand all licensing issues. Maybe this helps a little:
- https://opensource.org/licenses
- https://creativecommons.org
My understanding is that the last one is formally not open source but I like the simplicity of it.
sunchaser
April 27, 2016, 07:11:32 PM
Hello everyone, I would like to know if the faucetbox api handles negative amounts in case I need to process a charge back against a member that is cheating.
Thanks
Kazuldur (OP)
April 27, 2016, 07:30:04 PM
Quote: Hello everyone, I would like to know if the faucetbox api handles negative amounts in case I need to process a charge back against a member that is cheating. Thanks
Charging back is not possible. If you sent coins to the users it's too late, you can't revert that.
bit7coin
April 28, 2016, 08:04:18 PM
Okay, thanks.
Kazuldur (OP)
April 28, 2016, 08:11:00 PM
We're seeing a sudden spike of traffic. I'm not sure whether it's an attack or not, but expect small disruptions. I'm working on minimizing the issues.
datalore
April 29, 2016, 09:35:09 AM
Tips to stop the bots (do it for 02 days before criticizing)
01 - block bit.makejar.com (and their wallets)
02 - block ifaucet.net (and their wallets)
03 - block 188.166.12.134
Note that 90% of bots are gone and only become real people.
Kazuldur (OP)
April 29, 2016, 09:45:44 AM
Quote: Tips to stop the bots (do it for 02 days before criticizing) 01 - block bit.makejar.com (and their wallets) 02 - block ifaucet.net (and their wallets) 03 - block 188.166.12.134 Note that 90% of bots are gone and only become real people.
Why do you think that traffic from ifaucet.net and bit.makejar.com are bots?
datalore
April 29, 2016, 10:07:54 AM
This IP (188.166.12.134) is the site bit.makejar.com. Right here in bitcointalk I discovered that ip are bots. If you search you will find this topic. I blocked the IP 188.166.12.134 and bots disappeared. I tested for two days and had no problems with bots.
To be sure I unlocked the ip 188.166.12.134 for 12 hours. In 12 hours the bots came back and I lost 0,43BTC. Blocked again. Today is locked and the problems have decreased dramatically.
Take the test and draw your own conclusions. I'm just trying to help.
datalore
April 29, 2016, 10:16:01 AM Last edit: April 29, 2016, 10:29:35 AM by datalore
Kazuldur (OP)
April 29, 2016, 12:17:02 PM
This is an address of DigitalOcean VPS, related also too steep.rocks. I'll add this network to NastyHosts.
However I still don't see any connection between this address and ifaucet.net and bit.makejar.com rotators. Why do you think these rotators are related to bots?
larryofbtc
April 29, 2016, 12:30:40 PM
Quote: This is an address of DigitalOcean VPS, related also too steep.rocks. I'll add this network to NastyHosts. However I still don't see any connection between this address and ifaucet.net and bit.makejar.com rotators. Why do you think these rotators are related to bots?
Does anyone else have issues with this IP address?
ragi
April 29, 2016, 12:33:38 PM
Quote: Does anyone else have issues with this IP address
Yes. 188.163.0.0/16 to 188.166.0.0/16 are in my .htaccess deny list.
EDIT: bit.makejar.com and ifaucet.net are faucet rotators. Do not block them if you don't know what you are doing.
BitBustah
April 29, 2016, 03:27:15 PM
The DigitalOcean IP addresses are used by bots. Blocked them ages ago.
Kazuldur (OP)
April 29, 2016, 03:28:20 PM
Quote: The DigitalOcean IP addresses are used by bots. Blocked them ages ago.
Where did you get the list of all DigitalOcean networks? I was trying to find them for NastyHosts, but found nothing up-to-date.
BitBustah
April 29, 2016, 04:06:18 PM
Quote: The DigitalOcean IP addresses are used by bots. Blocked them ages ago.
Quote: Where did you get the list of all DigitalOcean networks? I was trying to find them for NastyHosts, but found nothing up-to-date.
https://apps.db.ripe.net/search/full-text.html
Then you type "DigitalOcean" and you will get all the RIPE IP ranges for the company.
Edit: This is just RIPE. They can have other IP addresses (ARIN, APNIC, ...).
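Added example, not part of the thread or of any poster's script: registry search results list allocations as first-last address spans, while an .htaccess deny list takes CIDR blocks, so this Python code converts and merges them and checks an address against the result. The inetnum records are constructed samples and the function names are hypothetical; `span_to_cidrs` also shows what the "188.163.0.0/16 to 188.166.0.0/16" span mentioned earlier in the thread expands to.

```python
import ipaddress
import re

# Constructed sample in the RIPE "inetnum" text layout (first - last address).
# Illustrative values only, not real query results.
SAMPLE_RIPE_TEXT = """\
inetnum:        188.166.0.0 - 188.166.127.255
netname:        EXAMPLE-HOSTING-A
inetnum:        188.166.128.0 - 188.166.255.255
netname:        EXAMPLE-HOSTING-B
inetnum:        198.51.100.16 - 198.51.100.47
netname:        EXAMPLE-HOSTING-C
inetnum:        not-an-address - 198.51.100.255
"""

INETNUM_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)


def span_to_cidrs(first, last):
    """Cover an inclusive first-last address span with exact CIDR blocks."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range is reversed: {first} - {last}")
    return list(ipaddress.summarize_address_range(lo, hi))


def inetnum_to_cidrs(text):
    """Parse inetnum lines, skip malformed ones, merge adjacent blocks."""
    nets = []
    for first, last in INETNUM_RE.findall(text):
        try:
            nets.extend(span_to_cidrs(first, last))
        except ValueError:  # unparsable address or reversed range
            continue
    return list(ipaddress.collapse_addresses(nets))


def is_listed(ip, nets):
    """True if the address falls inside any of the listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def htaccess_lines(nets):
    # Apache 2.2 / mod_access_compat syntax; 2.4 uses "Require not ip <cidr>".
    return [f"Deny from {net}" for net in nets]


if __name__ == "__main__":
    nets = inetnum_to_cidrs(SAMPLE_RIPE_TEXT)
    print("\n".join(htaccess_lines(nets)))
    print(is_listed("188.166.12.134", nets))
```

Merging matters because the two adjacent /17 records collapse into a single /16 line, and a span that is not aligned to one prefix (the third record) needs more than one CIDR block to cover it exactly.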