Odd pattern in BitcoinMonitor

[HostFat]

That's what a CAPTCHA is and they do not work for anything that monetizes reasonably well. There are lots of people in the third world whose time is so cheap it's essentially free. You have to exploit the scarcity of something that is not human time - like phone numbers.

Is there a way to know if a Google account has a confirmed phone number?
You ( and Google ) could add something like this

[1713445912]

1713445912

[1713445912]

1713445912

[1713445912]

1713445912

[Jered Kenna (TradeHill)]

That's what a CAPTCHA is and they do not work for anything that monetizes reasonably well. There are lots of people in the third world whose time is so cheap it's essentially free. You have to exploit the scarcity of something that is not human time - like phone numbers.

I'm with you on this but there is a point it's not worth it anymore.
5 minutes of Tetris + google login.
That comes out to lets say .50 to .60btc an hour.
I'm not saying you can't find someone to work that cheap, you probably can.
I'm saying you could probably make more having them do something else ie mturk etc.

[manifold]

@faucet admin:
First of all: Thank you for your service. I got 0.05 BTC from you and that helped me started to get into the network. I earned about 0.30 BTC from pooled mining, and donated the 0.05 BTC already back to you (first 0.01, then 0.04).

Second, it's sad that their is always someone trying to destroy... I hope you can find out how to shut those thiefs out.


PS: How can he get so many google accounts, isn't there an sms confirmation?

[gigabytecoin]

They are using a different IP address, different google account, and are even changing the browser ID string on every request-- here are three entries from the request log, for example:

What is wrong with some people? Seriously... someone with the technical skills to automate this can't think of something more worthwhile to do than to steal pennies?

It's really unfortunate, because the Faucet is probably the most important promotional tool that Bitcoin has. So what's next? manual approval of every Faucet transaction? maybe a group of trusted forum members could do this, so that there is always someone online? would be pretty tedious though, I guess.

Pay someone .01 of the .05  to sit there clicking "confirm"

That is probably by far the most intellectual idea. It's a smart idea to have someone online at all times, I'm sure there's someone Gavin can trust.

How is a human going to determine that these are unique requests any better than a script, though?

[bitcoinex]

@faucet admin:
First of all: Thank you for your service. I got 0.05 BTC from you and that helped me started to get into the network. I earned about 0.30 BTC from pooled mining, and donated the 0.05 BTC already back to you (first 0.01, then 0.04).

Second, it's sad that their is always someone trying to destroy... I hope you can find out how to shut those thiefs out.


PS: How can he get so many google accounts, isn't there an sms confirmation?

This may be old logins, created before google was introduced SMS verification. they can be bought on the black market

[nanotube]

RE: paying somebody to monitor the faucet:  good idea, although I like the idea of some kind of "community watch" more.  And monitoring the Faucet is an all-day-and-night, all-the-time kind of job.  And if the scammers are willing to try to drain the faucet slowly then they could create accounts with more realistic-looking names and would be able to sneak by the monitors...

yes, ultimately where 'free money' is concerned, human monitors will not solve the problem. no matter how low you set the reward, there are people whose time is worth nothing, and they'd thus be willing to spend it getting something > nothing.

RE: just using testnet coins:  I worry about people starting to trade testnet coins, giving them real value.  Giving lots of newbies who don't really understand bitcoin testnet coins seems like a really good way to make that happen!

Nothing wrong with testnet coins having value. they had value before the testnet was reset, and they'll have value again at some point, right up until testnet is reset again (if it is).

RE: proof-of-work before getting coins:  Interesting idea!  Some JavaScript in-the-browser proof-of-work that required keeping the 'get some' page open for a minute or six might make the cost to the scammers high enough that the bitcoin reward wouldn't be worth it.

it can always be scripted to run the PoW calc outside the browser, then submit the result. seems like that would be only a temporary solution - long enough to last until the cheaters write code.

[ffe]

Add a delay to the payout which is a function of the number of payouts in the last hour. Set it to not kick in unless payouts are much more frequent than usual.

[Raoul Duke]

I can't offer you solutions, but i can offer the best spam bot to test against the faucet, but i tell you in advance that using external accounts to give away coins will be hard to stop the dudes. The same bot can make thousands of accounts in any site, decapthing solution included...

I can tell you some things that stops most bots: javascript/ajax or flash stuff...

Hope i helped in some way. And if you need help to test your anti-fraud measures I won't mind to spend some hours trying to bypass them. 

[dishwara]

The best thing, give the free coin 14-20 hours after the newbie ask with gmail account.
This gives time to know how many free coin request came & even time to verify many things.
It won't bother newbies as all knows any transaction used to take place 1-10 days with banks & now with internet transaction even paypal takes 10 minutes-1,2 days WITH fees.
So, newbies, really newbies wont worry much. & it will make stealer insane, coz he won't get immediately.  


Edited.

[Rena]

That seems like the best way. Each request doesn't result in an immediate transaction but instead just enters into a queue. You look at the queue and see if the requests look suspicious before approving them manually. Designed right it wouldn't be foolproof, but it could be handled entirely by one person - they'd just have a list like IP, account name, time, and a checkbox (and select/deselect all buttons), say 100 items per page, and could just approve or deny them en masse.
There is risk of denying a legitimate request that happens to be in the middle of a ton of spam, but just add a note to the page explaining this risk. People shouldn't be too upset that someone who's giving away free money might miss their request. :p

For those suggesting Javascript games and such, you should know that the browser is no more than a user interface. Whatever you achieve in the game, the browser has to report back to the server - a bot can just tell the server anything it wants. So the only secure mechanism is to make it work similar to mining, where the client - be it a browser or a bot - has to do several minutes' worth of computation to figure out a valid response to send to the server, and each response is only valid once.

It's worth noting though that in my experience, browsers and OSes of all types suck at limiting CPU usage by Javascript, and a script doing heavy computation like that can bog down the entire machine. So it's not a really user-friendly solution... :/

[Anonymous]

Post in http://free.witcoin.com and if another human likes it you get voted up.

free bitcoins - if you entertain us that is 

If a bot can come up with something I like then all power to it for making me laugh or causing a reaction.

Hint: you wont get voted up for submitting a million viagra ads.

[dishwara]

Post in http://free.witcoin.com and if another human likes it you get voted up.

free bitcoins - if you entertain us that is 

If a bot can come up with something I like then all power to it for making me laugh or causing a reaction.

Hint: you wont get voted up for submitting a million viagra ads.

I really don't understand what you saying.
You mocking up me or rena or telling some thing else?

[tt7777]

I don't think lowering the amount of Bitcoins given out via the faucet will help; have you ever considered that whoever is doing this just doesn't like Bitcoin, or wants to see it fail, perhaps? I don't think someone with enough skill to pull this off would do it for (what is essentially) pennies.   

Just a thought... 

[BitterTea]

Post in http://free.witcoin.com and if another human likes it you get voted up.

free bitcoins - if you entertain us that is 

If a bot can come up with something I like then all power to it for making me laugh or causing a reaction.

Hint: you wont get voted up for submitting a million viagra ads.

I really don't understand what you saying.
You mocking up me or rena or telling some thing else?

He's saying that Witcoin is a better way for newbies to get coins than the Faucet. It's like Reddit, except votes cost small fractions of a Bitcoin, and the person who posted the comments gets some large fraction of the money collected by voting.

[Mike Hearn]

Except that you need some coins to post on Witcoin, if I recall correctly. Catch 22.

I think it's probably worth trying to defend the Faucet as long as possible, but unless the min tx fee is dropped as BTC/USD keeps rising the Faucet will be attacked by more and more sophisticated fraudsters who are trying to get free money. Consider that a successful attack can drain $50+ and that's a heck of a lot in many third world countries.

[Gavin Andresen]

Thanks for the suggestions and comments, everybody; I think a combination of dropping the faucet reward again (I'll start bundling up faucet payments into 'sendmany' transactions, so the transaction fees are lower) and "community watch program" will work.

The 'community watch' will be a web page that anybody can see that shows the last 100 IP addresses that got payments along with an obfuscated version of the email address (I'll obfuscate by randomly turning an email address like 'gavinandresen@gmail.com' into 'gavniadresen23@gmail.com').  And I'll recruit some trusted people and give them access to a master faucet shut-off switch if it starts getting abused again.

[Nick]

http://img6.imagebanana.com/img/f7t8ftmv/oddbitcoin.PNG
There are multiple transactions showing up which have a combined size of 94600 BTC.
Is this a double-spending attempt or does someone actually have multiple chunks of 94600 BTC?

[Jered Kenna (TradeHill)]

There are multiple transactions showing up which have a combined size of 94600 BTC.
Is this a double-spending attempt or does someone actually have multiple chunks of 94600 BTC?

There are single accounts out there with more than that so it could be legit.
If I remember correctly one account (the highest) has 250k in it.

[manifold]

The best thing, give the free coin 14-20 hours after the newbie ask with gmail account.
This gives time to know how many free coin request came & even time to verify many things.
It won't bother newbies as all knows any transaction used to take place 1-10 days with banks & now with internet transaction even paypal takes 10 minutes-1,2 days WITH fees.
So, newbies, really newbies wont worry much. & it will make stealer insane, coz he won't get immediately.  


Edited.

Yes I think that is a good strategy too. And if you (or the community sees) obviously fake google accounts they don't get anything.

[Insti]

Except that you need some coins to post on Witcoin, if I recall correctly. Catch 22.

There is a free section you can post on for free now.
Catch 22 resolved.