〖ⓉⓊⓉⓄⓇⒾⒶⓁ〗 Stop Bots + Proxies From Using Your Faucet

[Gifted]

If your using a xapo script or it might  work in faucetbox here is a way to let them go to your page but not able to collect as a proxy,

Code:

//We do not allow proxy here
 if(@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1))
{ 
  $view['main']['result_html'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-danger"><p>Sorry Proxy not allowed !!</p></div></div>';
    $message                     = "Proxy";
    goto error; 
  }
  $q = $sql->prepare("select * from users where LOWER(username) = LOWER(?) or ip = ? order by claimed_at desc");
  $q->execute(array($username,$ip));
  $row = $q->fetch();

[1715639271]

1715639271

[1715639271]

1715639271

[1715639271]

1715639271

[1715639271]

1715639271

[vodaljepa]

If your using a xapo script or it might  work in faucetbox here is a way to let them go to your page but not able to collect as a proxy,

Code:

//We do not allow proxy here
 if(@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1))
{ 
  $view['main']['result_html'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-danger"><p>Sorry Proxy not allowed !!</p></div></div>';
    $message                     = "Proxy";
    goto error; 
  }
  $q = $sql->prepare("select * from users where LOWER(username) = LOWER(?) or ip = ? order by claimed_at desc");
  $q->execute(array($username,$ip));
  $row = $q->fetch();

What about VPNs? or VPS?

[minifrij]

If your using a xapo script or it might  work in faucetbox here is a way to let them go to your page but not able to collect as a proxy,
snip

This would likely work somewhat, however would throw some false-positives for anyone with Port 80 on their network open (E.G running a web server, using a public WiFi network and other things all may have Port 80 open), not to mention this port can simply be remapped if needed meaning attackers can bypass this anyway. You can even check if it is open on your network here, if it is this script will block you.

What about VPNs? or VPS?

OpenVPN automatically uses Port 80, however this can be remapped to a different Port as the page describes allowing it to pass. My AWS VPS currently has Port 80 closed, meaning this script would let me pass using it.

[alfaboy23]

If your using a xapo script or it might  work in faucetbox here is a way to let them go to your page but not able to collect as a proxy,

Code:

//We do not allow proxy here
 if(@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1))
{ 
  $view['main']['result_html'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-danger"><p>Sorry Proxy not allowed !!</p></div></div>';
    $message                     = "Proxy";
    goto error; 
  }
  $q = $sql->prepare("select * from users where LOWER(username) = LOWER(?) or ip = ? order by claimed_at desc");
  $q->execute(array($username,$ip));
  $row = $q->fetch();

I also tried this script and the one from the OP, but it's both not working, I test my site with several proxy apps and sites and I can still access my site.

The most effective way is via the .htaccess file.

The problem is, it is also blocking my local IP.

[botdetector]

Hi to all
As we all know, detecting proxy is one of the basic strategy. The better one is to analize what user is doing on the website. After analysis we are able to decite whether is a real user or a bot. My small team has wrote early beta of the service allows the recognize the bot.

If you are interested in, please write to me

also please take a look at:
https://bitcointalk.org/index.php?topic=1501132.0

best!

[datalore]

not updates???

[wetrust]

there is anyway to stop proxy users from earn only i mean how to make them enter and see the index or main page but disable the reward botton or redirect them to error page when they hit on get reward
any genus way here  

[Gifted]

there is anyway to stop proxy users from earn only i mean how to make them enter and see the index or main page but disable the reward botton or redirect them to error page when they hit on get reward
any genus way here  

Yes there is... in function you can put a if code for proxy die code

[Gifted]

best thing to do is use Step Four

[wetrust]

best thing to do is use Step Four

yes i did that step and step 2 also both work great
but it would be great if all proxy users can access main page but not get reward
i think this better for CPM ads ?

[Gifted]

best thing to do is use Step Four

yes i did that step and step 2 also both work great
but it would be great if all proxy users can access main page but not get reward
i think this better for CPM ads ?

i will look into this and get back to you using better code then the one i posted

[Gifted]

so yes i have figured out how to do that for you using an xapo faucet... i will check it with faucetbox
Alfaboy you might want to use this

Code:

//Checks that the username is not empty
  if (!isset($_POST['username'])||$_POST['username']=="") {
    $view['main']['result_html'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-danger"><p>Missing email address!</p></div></div>';
    $message                     = "Missing email address";
    goto error;
  }

  $username = $_POST['username'];
   //Checks if the user has written something in the captcha box

  $captchaChallange = $_POST['adcopy_challenge'];
  $captchaResponse  = $_POST['adcopy_response'];

  if (empty($captchaChallange) || empty($captchaResponse)) {

    $view['main']['result_html'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-danger"><p>Missing captcha, try again!</p></div></div>';
    $message                     = "Missing captcha";
    goto error;
  }


  $response = @file('http://verify.solvemedia.com/papi/verify?privatekey=' . $settings['solvemedia_verification_key'] . '&challenge=' . rawurlencode($captchaChallange) . '&response=' . rawurlencode($captchaResponse) . '&remoteip=' . $ip);

  if (!isset($response[0]) || trim($response[0]) === 'false'){
    $view['main']['result_html'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-danger"><p>Wrong captcha!</p></div></div>';
    $message                     = "Wrong captcha";
  }
//We do not allow proxy here
 if(@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1))
die("It would apprear you're using a proxy, so please, go fuck yourself!");

function checkProxy($ip){
		$contactEmail="EMAIL";
		$timeout=3; 
		$banOnProability=0.99;
		
		$ch = curl_init();
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
		curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
		curl_setopt($ch, CURLOPT_URL, "http://check.getipintel.net/check.php?ip=$ip");
		$response=curl_exec($ch);
		
		curl_close($ch);
		
		
		if ($response > $banOnProability) {
				return true;
		} else {
			if ($response < 0 || strcmp($response, "") == 0 ) {
				//The server returned an error, you might want to do something
				//like write to a log file or email yourself
				//This could be true due to an invalid input or you've exceeded
				//the number of allowed queries. Figure out why this is happening
				//because you aren't protected by the system anymore
				//Leaving this section blank is dangerous because you assume
				//that you're still protected, which is incorrect
				//and you might think GetIPIntel isn't accurate anymore
				//which is also incorrect.
				//failure to implement error handling is bad for the both of us
			}
				return false;
		}
}
$ip=$_SERVER['REMOTE_ADDR'];
if (checkProxy($ip)) {
	echo "It would apprear you're using a proxy, so please, go fuck yourself! <br />";
}
  //timer check

[Gifted]

best thing to do is use Step Four

yes i did that step and step 2 also both work great
but it would be great if all proxy users can access main page but not get reward
i think this better for CPM ads ?

Try this !! Just replace the index.php with this on in the main root http://bitcoinfaucetrelay.com/wp-content/uploads/2016/06/faucetbox-fix.zip

[Gifted]

best thing to do is use Step Four

yes i did that step and step 2 also both work great
but it would be great if all proxy users can access main page but not get reward
i think this better for CPM ads ?

Try this !! Just replace the index.php with this on in the main root http://bitcoinfaucetrelay.com/wp-content/uploads/2016/06/faucetbox-fix.zip

bump for security update  i made for faucetbox bots attacking

[Swagtoshi]

What does that script do exactly?

[Swagtoshi]

How do bot get past the captchas exactly?

[minifrij]

What does that script do exactly?

Which script do you mean? The first one in the thread?

How do bot get past the captchas exactly?

They use an API which sends the captcha's image to a server (for a small fee) where another person then solves it for a reward.

[Swagtoshi]

I was wondering what gifted's index.php script did.

[vodaljepa]

I was wondering what gifted's index.php script did.

Probably steals your coins

[minifrij]

I was wondering what gifted's index.php script did.

The new index.php script added this code at lines 1575 - 1614:

Code:

<?php
//We do not allow proxy here		
if(@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1))		
	die("It would apprear you're using a proxy, so please, go fuck yourself!");		
			
function checkProxy($ip){		
	$contactEmail="Goldkey0070@gmail.com";		
	$timeout=3; 		
	$banOnProability=0.99;		
					
	$ch = curl_init();		
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);		
	curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);		
	curl_setopt($ch, CURLOPT_URL, "http://check.getipintel.net/check.php?ip=$ip");		
	$response=curl_exec($ch);					
	curl_close($ch);		
									
	if ($response > $banOnProability) {		
		return true;		
	} else {		
		if ($response < 0 || strcmp($response, "") == 0 ) {		
			//There's a lot of comment here that I removed, look it up on the index.php file if you're interested in what it says		
		}		
		return false;		
	}		
}		

$ip=$_SERVER['REMOTE_ADDR'];		
if (checkProxy($ip)) {		
	echo "It would apprear you're using a proxy, so please, go fuck yourself! <br />";		
}
?>

Basically, here is what it does:

Code:

if(@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1))		
	die("It would apprear you're using a proxy, so please, go fuck yourself!");

If port 80 is open on the user's computer, then display the message in the die("") and kill the rest of the script. I've explained previously why doing this can cause a lot of false positives, you can read it here:

...

This would likely work somewhat, however would throw some false-positives for anyone with Port 80 on their network open (E.G running a web server, using a public WiFi network and other things all may have Port 80 open), not to mention this port can simply be remapped if needed meaning attackers can bypass this anyway. You can even check if it is open on your network here, if it is this script will block you.
...
OpenVPN automatically uses Port 80, however this can be remapped to a different Port as the page describes allowing it to pass. My AWS VPS currently has Port 80 closed, meaning this script would let me pass using it.

It would probably work for some bots, however it is not completely foolproof and may stop real users accessing your faucet.

Code:

function checkProxy($ip){		
	$contactEmail="Goldkey0070@gmail.com";		
	$timeout=3; 		
	$banOnProability=0.99;	

Create a function which will be called later and create three variables inside of it. These variables are:

• Some random e-mail address, not too sure what that is for (as it is not used anywhere else in the script).
• The amount of seconds for PHP to try to access the URL. If the URL can't be found in this amount of seconds (3) then the connection will die.
• If the URL returns higher than this number, then the user is banned - This should be explained more in the next few chunks of code. (It should also be spelled probability)

Code:

$ch = curl_init();		
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);		
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);		
curl_setopt($ch, CURLOPT_URL, "http://check.getipintel.net/check.php?ip=$ip");		
$response=curl_exec($ch);					
curl_close($ch);

This basically gets the content from the page http://check.getipintel.net/check.php?ip=USERSIP with the timeout set previously. GetIPIntel is a service that scores IP addresses on how 'bad' they are (E.G if they are a proxy or bot). However, this API is only free for a certain amount of requests per day (500 / 15 per minute), so if your faucet gets a lot of unique users this could do very little for you.

Code:

if ($response > $banOnProability) {		
	return true;		
} else {		
	if ($response < 0 || strcmp($response, "") == 0 ) {		
		//snip		
	}		
	return false;		
}	

This code checks if the return from GetIPIntel is greater than the variable banOnProability. If it is, then the function returns true and marks the user to be blocked. Otherwise, the function returns false and lets them pass.
The if ($response < 0 || strcmp($response, "") == 0 ) {    is used to find if the response was empty and if the server is having any problems, though the code doesn't do anything in this so it is somewhat useless (unless you want to edit it yourself).

Code:

$ip=$_SERVER['REMOTE_ADDR'];		
if (checkProxy($ip)) {		
	echo "It would apprear you're using a proxy, so please, go fuck yourself! <br />";		
}

Finally, this piece of code gets the user's IP, checks it against GetIPIntel and if the function returns true, it says the exact same is if port 80 were open.
This is a more reliable method of detecting bots and other attackers than seeing if a port is open, however (unless you're winning to pay) it is only functional for 500 users per day.

There are no other changes to the original code as far as I can see, feel free to check it yourself using a difference checking tool. It should also be noted that this script only works with FaucetInABox version r63, as r64 changes the code in index.php significantly I believe.